
OSCP, AD-C

- Challenge Info: Platform: OSCP, Type: Boot2Root, OS: Windows

- Summary: AD mock exam for OSCP.

- Tags: Password Spraying

August 10, 2023

This machine is from the OSCP labs.

Due to the rules set by Offensive Security in relation to OSCP certification, this content will be kept private.

Environment description
In this challenge we are provided with three machines: one domain controller (DC01) and two workstations (MS01 and MS02).

The three machines are connected through an internal network; only MS01 is on the same network as our attacking machine.

Reconnaissance
As MS01 is the only reachable machine, we will start by performing an nmap enumeration on it:

nmap -v -p- -Pn --min-rate=1000 -T4 -oN <OUTPUT_FILE> <HOST>

nmap -v -A -p <PORTS_OF_INTEREST> -Pn -oN <OUTPUT_FILE> <HOST>

SSH on port 22 (default port): nothing to do here without credentials.

RPC on port 135 (default port): anonymous login is not enabled, so this is another dead end.

SMB on port 445 (default port): same response as with RPC, same conclusion.

A mysterious service running on port 5040: further research has to be performed here.

WinRM on ports 5985 and 47001 (default and common ports): the same as with SSH.

HTTP on port 8000: web services are a common entry point, so it deserves a deeper inspection.

All this said, we can only take two different approaches: the HTTP service and the mysterious one.

HTTP enumeration
The main page is the default IIS server page. To see if there is something more we have to fuzz for hidden endpoints:

feroxbuster -u <URL> -s <STATUS_CODES>

(URL paths are case sensitive: although the same endpoint written with different capitalization usually redirects to the same place, this may not always be the case.)

Some endpoints are revealed. Among them, the most interesting ones are:

/partner/changelog:

Contains the text “Moved partner portal to correct VHOST”. This can mean that we have to use another VHOST instead of the raw IP.

/partner/db:

Contains a SQLite database.


At this initial point we don’t have any possible hostname to use as VHOST so we will focus on the database file.

Carving into the database


To know how to interact with the sqlite3 database we can check the following post: Command Line Shell For SQLite.

sqlite3 <DB_FILE>

1. We can start by checking the databases we have:

.databases

Just our db database.

2. Then the tables inside the database:

.tables

Just one table called partners.

3. Once we have our target table we can retrieve its columns:

PRAGMA table_info(<TABLE>);

Hmmm… looks promising.

4. Finally, we can dump the whole table:

select * from <TABLE>;

Four user-hash combinations, not that bad!
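The same inspection as an added example (mine, not the write-up's), done with Python's sqlite3 module against a constructed database: it lists tables, columns and rows exactly as the .tables, PRAGMA table_info and select * steps above do, and adds the check a defender would want when such a file turns up on a web server, flagging columns that store bare, unsalted digests (the property that lets an online lookup service reverse them). The table name partners follows the write-up; the column names, the values and the helper names are assumptions.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows standing in for the exposed partner database.
# Column names and hash values are invented for this example; only the
# table name 'partners' follows the write-up.
SAMPLE_ROWS = [
    ("partner_one", "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "migrated"),
    ("partner_two", "a1b2c3d4e5f60718293a4b5c6d7e8f90", "migrated"),
    ("partner_three", "00112233445566778899aabbccddeeff", "pending"),
    ("partner_four", "ffeeddccbbaa99887766554433221100", "pending"),
]

# A bare hex string of MD5, SHA-1 or SHA-256 length: no salt, no scheme prefix.
BARE_DIGEST = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.IGNORECASE)


def build_sample_db(path):
    """Create the constructed sample database at `path`."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE partners (id INTEGER PRIMARY KEY, username TEXT, password TEXT, note TEXT)"
    )
    con.executemany("INSERT INTO partners (username, password, note) VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def list_tables(con):
    # Same answer as the sqlite3 shell's .tables command
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def table_columns(con, table):
    # Same answer as PRAGMA table_info(<TABLE>); rows are (cid, name, type, notnull, dflt_value, pk)
    return [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]


def dump_table(con, table):
    # Same answer as SELECT * FROM <TABLE>;
    return con.execute(f'SELECT * FROM "{table}"').fetchall()


def bare_digest_columns(con, table):
    """Return the columns whose every non-NULL value is a bare hex digest.
    Such columns hold unsalted hashes, which is why a lookup table can reverse them;
    a salted, iterated scheme (bcrypt, scrypt, Argon2) would not match this pattern."""
    flagged = []
    for col in table_columns(con, table):
        values = [r[0] for r in con.execute(
            f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
        if values and all(BARE_DIGEST.match(str(v)) for v in values):
            flagged.append(col)
    return flagged


def audit_db(path):
    """Inspect every table of the database at `path` and return the findings."""
    con = sqlite3.connect(path)
    try:
        report = {"tables": list_tables(con), "columns": {}, "rows": {}, "bare_digest_columns": {}}
        for t in report["tables"]:
            report["columns"][t] = table_columns(con, t)
            report["rows"][t] = dump_table(con, t)
            report["bare_digest_columns"][t] = bare_digest_columns(con, t)
        return report
    finally:
        con.close()


def audit_sample():
    """Build the constructed database in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db")
        build_sample_db(path)
        return audit_db(path)


if __name__ == "__main__":
    report = audit_sample()
    for t in report["tables"]:
        print(t, report["columns"][t], "unsalted-looking columns:", report["bare_digest_columns"][t])
        for row in report["rows"][t]:
            print("  ", row)
```

Point audit_db at a real file to get the same report for it; the bare-digest check is a heuristic on value shape, so a column of hex identifiers of the same length would also be flagged and has to be judged by hand.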

Hash cracking and spraying


With the help of CrackStation two of the four hashes can be cracked.

Now, with these credentials, the next step is to spray them over the different services the machine has available:

For SSH:

hydra [-t <NUMBER_OF_THREADS>] -V -L <USERS_FILE> -P <PASSWORDS_FILE> ssh://<TARGET>

For SMB and WinRM:

crackmapexec <PROTOCOL> <TARGET> -u <USERS_FILE> -p <PASSWORDS_FILE> --continue-on-success

We have been lucky, as the credentials for the user support are valid to log in through SSH.

Two important points to mention here:

We have two hashes that we have not been able to crack. At this point it would be recommended to try spraying them as we have done with the passwords.

When spraying both passwords and hashes across domain machines it is important to try those credentials with both domain and non-domain usernames.
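The spraying described above is the pattern a defender looks for on the receiving side: one source, many accounts, few attempts each. As an added example (not from the write-up), the following Python script runs that detection over constructed OpenSSH-style log lines; it folds the domain and non-domain spellings of a username onto one account, since the second point above means both will show up in the logs, and it marks a spray that was followed by a successful login. Hostname, IP addresses, usernames and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH-style auth log lines (not from the original page). Source
# 192.0.2.10 tries several accounts with one attempt each (a spray) and then
# succeeds; 198.51.100.7 hammers a single account (a brute force, not a spray).
SAMPLE_LOG = r"""
Aug 10 10:00:00 host1 sshd[1200]: Failed password for invalid user oscp\alice from 192.0.2.10 port 50999 ssh2
Aug 10 10:00:01 host1 sshd[1201]: Failed password for invalid user alice from 192.0.2.10 port 51000 ssh2
Aug 10 10:00:02 host1 sshd[1202]: Failed password for invalid user bob from 192.0.2.10 port 51001 ssh2
Aug 10 10:00:03 host1 sshd[1203]: Failed password for web_svc from 192.0.2.10 port 51002 ssh2
Aug 10 10:00:04 host1 sshd[1204]: Accepted password for support from 192.0.2.10 port 51003 ssh2
Aug 10 10:05:00 host1 sshd[1210]: Failed password for support from 198.51.100.7 port 40000 ssh2
Aug 10 10:05:10 host1 sshd[1211]: Failed password for support from 198.51.100.7 port 40001 ssh2
Aug 10 10:05:20 host1 sshd[1212]: Accepted password for support from 198.51.100.7 port 40002 ssh2
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def normalize_user(user):
    """Fold DOMAIN\\user, user@domain and case differences onto one account name,
    so the domain and non-domain spellings of a username count as one target."""
    return user.split("\\")[-1].split("@")[0].lower()


def parse_line(line, year=2023):
    """Parse one sshd line into a dict, or None if it is not a password auth event.
    The year is not in the syslog timestamp, so it is supplied (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": normalize_user(m["user"]), "ip": m["ip"]}


def detect_spraying(lines, window_seconds=300, min_distinct_users=3):
    """Report each source IP that fails logins against at least `min_distinct_users`
    different accounts inside a sliding window of `window_seconds`, and whether that
    source later obtained a successful login (the case that needs immediate response)."""
    by_ip = defaultdict(list)
    for ev in filter(None, (parse_line(l) for l in lines)):
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if not e["ok"]]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the window spans at most window_seconds
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_distinct_users:
                first = failures[start]["ts"]
                success_after = any(e["ok"] and e["ts"] >= first for e in events)
                findings.append({"ip": ip, "users": sorted(users),
                                 "window_start": first, "success_after": success_after})
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_spraying(SAMPLE_LOG):
        print(f"{f['ip']}: spray against {f['users']} starting {f['window_start']:%H:%M:%S}; "
              f"followed by a successful login: {f['success_after']}")
```

The distinct-account count is what separates a spray from a brute force: the second source in the sample fails twice against one account and is not reported, so a separate per-account lockout rule would be needed to catch it.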

Foothold and initial enumeration


Once we have logged into the remote machine with the retrieved credentials we have a shell as the local user ms01\support.

To enumerate the machine I will use WinPEAS:


Launching WinPEAS we can retrieve the following relevant information:

The following local users: Administrator, Administrator.OSCP, Mary.Williams, celia.almeda and web_svc.

An executable called admintool.exe inside the support user's home folder.

Privilege escalation
If we try to run admintool.exe we are prompted for the administrator password; afterwards the tool returns an error which contains both our hashed password and the NTLM hash of the administrator:

As before, with CrackStation we can crack the administrator hash, thus obtaining the password.

With these credentials we can get SSH access to MS01 as the local ms01\administrator.

Credentials enumeration
Once we are administrator on a machine the job has not ended. We have to focus our efforts on retrieving as many credentials as we can from wherever they could be stored.

As ms01\administrator we can launch WinPEAS again. This time, as our rights are more powerful, we have access to information that was hidden when it was executed as the ms01\support user.

A piece of information that was hidden was the PowerShell history file of the ms01\administrator:

This file, revealed by WinPEAS, can also be obtained by following the steps in the Carve in the PowerShell history section of the Windows Privilege Escalation guide.

Also, another mandatory task to perform as administrator is to inspect the LSASS process and the SAM database in search of credentials. For this, the quintessential tool is Mimikatz.

In this case:

There are no other NTLM hashes or passwords stored in the LSASS process apart from the ones we already have:

privilege::debug
sekurlsa::logonpasswords

Some TGTs and TGSs are stored in LSASS:

sekurlsa::tickets /export

Creating a VPN-like network

To be able to access the internal hosts (DC01 and MS02) we will use ligolo-ng to create a VPN-like network. The instructions can be taken from the VPN like networking section of the Port forwarding (tunneling) techniques guide.

1. The ligolo agent is transferred to the remote machine:

2. A new TUN/TAP interface is created and set up on our local host:

3. The ligolo proxy is started:

4. The agent is connected to the proxy:

5. The newly created session is selected and started:

6. A new route is added so the intended traffic is directed to the newly created interface:

© 2024 myhomeisquintoc.com.
