Current Assessment


Although I went over pretty much everything as the james user, I was unable to make any further progress.

I felt like there weren't many options left to work with.

But then I realized that I had been looking at the whole thing from the conventional, non-exploit-required angle (misconfigurations, bad GPOs, OU privileges, etc. from BloodHound edges).

There are some critical AD vulnerabilities out there which can be exploited remotely. This has always been in the back of my head, but I was never actively looking at it for a PrivEsc vector.

That is because the chance of these exploits working is pretty slim, as they get picked up and patched quickly.

But here we are.

crackmapexec


CrackMapExec is such an amazing tool. I mostly use "CME" for brute-forcing and validating credentials.

But it also has a feature called Modules that performs specific checks for known vulnerabilities against targets. Below are the flags for working with CME modules:

  • -L: lists available modules
  • -M: module to use
  • -o: module options
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ crackmapexec smb -L
[*] Get-ComputerDetails       Enumerates sysinfo
[*] bh_owned                  Set pwned computer as owned in Bloodhound
[*] bloodhound                Executes the BloodHound recon script on the target and retreives the results to the attackers' machine
[*] drop-sc                   Drop a searchConnector-ms file on each writable share
[*] empire_exec               Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_avproducts           Gathers information on all endpoint protection solutions installed on the the remote host(s) via WMI
[*] enum_chrome               Decrypts saved Chrome passwords using Get-ChromeDump
[*] enum_dns                  Uses WMI to dump DNS from an AD DNS Server
[*] get_keystrokes            Logs keys pressed, time and the active window
[*] get_netdomaincontroller   Enumerates all domain controllers
[*] get_netrdpsession         Enumerates all active RDP sessions
[*] get_timedscreenshot       Takes screenshots at a regular interval
[*] gpp_autologin             Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password              Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] handlekatz                Get lsass dump using handlekatz64 and parse the result with pypykatz
[*] invoke_sessiongopher      Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
[*] invoke_vnc                Injects a VNC client in memory
[*] ioxidresolver             Thie module helps you to identify hosts that have additional active interfaces
[*] lsassy                    Dump lsass and parse the result remotely with lsassy
[*] met_inject                Downloads the Meterpreter stager and injects it into memory
[*] mimikatz                  Dumps all logon credentials from memory
[*] mimikatz_enum_chrome      Decrypts saved Chrome passwords using Mimikatz
[*] mimikatz_enum_vault_creds Decrypts saved credentials in Windows Vault/Credential Manager
[*] mimikittenz               Executes Mimikittenz
[*] ms17-010                  MS17-010, /!\ not tested oustide home lab
[*] multirdp                  Patches terminal services in memory to allow multiple RDP users
[*] nanodump                  Get lsass dump using nanodump and parse the result with pypykatz
[*] netripper                 Capture's credentials by using API hooking
[*] nopac                     Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] pe_inject                 Downloads the specified DLL/EXE and injects it into memory
[*] petitpotam                Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] procdump                  Get lsass dump using procdump64 and parse the result with pypykatz
[*] rdp                       Enables/Disables RDP
[*] rid_hijack                Executes the RID hijacking persistence hook.
[*] runasppl                  Check if the registry value RunAsPPL is set or not
[*] scuffy                    Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shellcode_inject          Downloads the specified raw shellcode and injects it into memory
[*] slinky                    Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
[*] spider_plus               List files on the target server (excluding `DIR` directories and `EXT` extensions) and save them to the `OUTPUT` directory if they are smaller then `SIZE`
[*] spooler                   Detect if print spooler is enabled or not
[*] test_connection           Pings a host
[*] tokens                    Enumerates available tokens
[*] uac                       Checks UAC status
[*] wdigest                   Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery              Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] webdav                    Checks whether the WebClient service is running on the target
[*] wireless                  Get key of all wireless interfaces
[*] zerologon                 Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472

There are a few modules that appear useful for a PrivEsc vector.

zerologon (CVE-2020-1472)


┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ crackmapexec smb $IP -d htb.local -u james -p 'J@m3s_P@ssW0rd!' -M zerologon
smb         10.10.10.52     445    mantis           [*] windows server 2008 r2 standard 7601 service pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
smb         10.10.10.52     445    mantis           [+] htb.local\james:J@m3s_P@ssW0rd! 
ZEROLOGO... 10.10.10.52     445    MANTIS           VULNERABLE
zerologo... 10.10.10.52     445    mantis           next step: https://github.com/dirkjanm/CVE-2020-1472

The scan for the Zerologon vulnerability returned positive for the target system. CrackMapExec also points to a GitHub repo that contains the exploit itself. The check itself is non-destructive, but the exploit in that repo works by resetting the DC machine account password to an empty string, which breaks the DC's trust relationship with the domain until the original password is put back (the repo ships restorepassword.py for that), so the restore step must not be skipped.
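Why the Zerologon check (and exploit) only lands about once in 256 attempts is worth seeing in code. The following is an added illustration, not part of the original write-up and not CrackMapExec's or the linked repo's code. Netlogon's ComputeNetlogonCredential encrypts the 8-byte client challenge with AES-CFB8 under the session key using an all-zero IV. CFB8 produces one keystream byte per plaintext byte, namely the first byte of the block cipher applied to the shift register; when the challenge is all zeros and that first byte happens to be 0x00, the register stays all zeros and every output byte is 0x00, so an all-zero client credential is accepted regardless of the machine account password. The block cipher below is a hash-based stand-in for AES (an assumption made so the script runs with the standard library only; the CFB8 argument depends only on the block function being keyed, not on it being AES), and the session keys are simply the integers 0..n.

```python
"""Zerologon (CVE-2020-1472): why a zero IV plus a zero challenge under
CFB8 yields an all-zero credential for roughly 1 in 256 session keys.
Added example; the block cipher is a stand-in for AES-128."""
import hashlib

BLOCK = 16          # AES block size in bytes
CHALLENGE_LEN = 8   # Netlogon client challenge is 8 bytes


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: any keyed
    16-byte block function exhibits the same CFB8 behaviour)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 as Netlogon uses it: for each plaintext byte, encrypt
    the 16-byte shift register, XOR its first byte with the plaintext
    byte, then shift the resulting ciphertext byte into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_fn(key, bytes(reg))[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def zero_credential_accepted(session_key: bytes) -> bool:
    """Would an attacker sending an all-zero challenge and an all-zero
    credential be accepted under this session key? Netlogon (pre-patch)
    uses IV = 0, so this reduces to: does CFB8(key, 0, 0^8) == 0^8 ?"""
    expected = cfb8_encrypt(session_key, bytes(BLOCK), bytes(CHALLENGE_LEN))
    return expected == bytes(CHALLENGE_LEN)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The only thing that decides the outcome: the first byte of
    E_k(0^16). If it is 0x00 the register never changes and every
    output byte is 0x00; if not, the very first output byte is non-zero."""
    return block_fn(session_key, bytes(BLOCK))[0] == 0


def fraction_vulnerable(n_keys: int) -> float:
    """Sweep n_keys deterministic session keys (constructed: the integers
    0..n_keys-1) and return the fraction for which the zero credential
    is accepted. Expected value is 1/256 ~= 0.0039."""
    hits = sum(
        zero_credential_accepted(i.to_bytes(BLOCK, "big")) for i in range(n_keys)
    )
    return hits / n_keys


if __name__ == "__main__":
    # Each Netlogon handshake derives a fresh session key, so an attacker
    # simply repeats the handshake; on average ~256 tries are needed.
    print(f"fraction of session keys accepting a zero credential: "
          f"{fraction_vulnerable(10000):.4f} (1/256 = {1/256:.4f})")
```

The practical consequence is the retry loop every Zerologon scanner and exploit uses: a single failed attempt proves nothing, and a patched DC is identified by the absence of a single success across a couple of thousand attempts, not by any single error code.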

Moving on to the Exploitation phase

noPac


┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ crackmapexec smb $IP -d htb.local -u james -p 'J@m3s_P@ssW0rd!' -M nopac
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
NOPAC       10.10.10.52     445    MANTIS           TGT with PAC size 1372
NOPAC       10.10.10.52     445    MANTIS           TGT without PAC size 679
NOPAC       10.10.10.52     445    MANTIS           
NOPAC       10.10.10.52     445    MANTIS           VULNEABLE
NOPAC       10.10.10.52     445    MANTIS           Next step: https://github.com/Ridter/noPac

The scan for the noPac vulnerability returned positive for the target system. CrackMapExec also points to a GitHub repo that contains the exploit itself. The check works by requesting a TGT twice, once with and once without the PA-PAC-REQUEST flag: a patched DC ignores the request and includes the PAC in both tickets, so a smaller "without PAC" ticket means the DC still honours it. The exploit additionally needs to create a machine account, so the ms-DS-MachineAccountQuota for the authenticated user must be greater than zero (the default is 10).

Moving on to the Exploitation phase

spooler


┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ crackmapexec smb $IP -d htb.local -u james -p 'J@m3s_P@ssW0rd!' -M spooler
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
SPOOLER     10.10.10.52     445    MANTIS           Spooler service enabled

CrackMapExec confirmed that the Windows Print Spooler service is enabled on the DC. On its own this is not a privilege escalation; it matters because the MS-RPRN interface can be used (PrinterBug/SpoolSample) to coerce the DC into authenticating to an attacker-controlled host, which is useful for NTLM relay or unconstrained-delegation abuse.