Oren [Boot2Root]
For the first time, SherpaSec had its own physical CTF! But wait, what is SherpaSec? Well according to ChatGPT, SherpaSec is a Malaysian volunteer-based cybersecurity community dedicated to creating a sustainable ecosystem for cybersecurity. It brings together students, professionals, and enthusiasts to share knowledge, build skills, and foster collaboration. The organisation regularly hosts events like sharing sessions, workshops, and for the very first time, a Capture The Flag (CTF) competition, SherpaCTF!
Now, like PwC Hackaday CTF 2024, what is my goal? Dominate Boot2Roots. However, Red Teamers were shocked to learn that the Boot2Roots weren’t normal Linux or Windows boxes; they were Active Directory, my playground. By the way, what made the Boot2Roots scary was that we knew who the challenge creator was beforehand. It was the legendary H0j3n!
In context, a virtual machine was provided to us for the challenge. So, with that, a host scan denoted by the -sn switch was needed to find out the IP address of the virtual machine. As shown in the results, it’s 192.168.138.143, as our attacker machine has the IP address 192.168.138.129.
Now that we know the IP address of the target, a full port scan was done on the target. What was noteworthy in the scan was the 3 web servers hosted on ports 80, 8080 and 8530. Only the web server on port 8080 showed something of interest.
On the web server running on port 8080, a page indicating the site was under maintenance was displayed.
Performing directory bruteforcing on all 3 of the web servers, the web server on port 8080 was the only one that showed interesting directories.
Going into admin.php, a login page was displayed. However, after exhausting SQLmap and Hydra to bruteforce it, I turned my head to phpinfo.php.
Right here, a goldmine of information can be found such as the target’s operating system and the web application’s PHP version.
Quickly googling the PHP version along with the word “exploit” showed that there were proofs of concept (PoCs) for exploiting this PHP version that lead to remote code execution. However, some of the PoCs did not work.
With that, I googled for the CVE, which led to a Git repository from WatchTowr which had a Python exploit. (THANK GOD FOR PYTHON EXPLOITS)
So, after cloning the repository, I executed the script with the -h switch to see what arguments can be passed in. The script takes the URL of the web application with the --target switch, followed by the command we want to run, wrapped in PHP tags, with the -c switch.
Using the example command from the help menu, with the target’s IP address and port number substituted in and followed by a PowerShell command to call back to my Python server, reveals a callback!
So, repeating the steps before, I replaced the command that will be executed with a PowerShell reverse shell command encoded in Base64.
And as expected, we received a reverse shell!
To make my life easier, I will be using the Sliver C2. An implant was generated and a listener was started.
Then, on the PowerShell reverse shell, the implant was downloaded and executed.
As you can see here, I have a session!
Now, as shown before, there was an admin.php file which we saw on the web page. Analysing it, we found our first set of credentials! However, we will not be using them yet.
So, the first thing to do when you have user access is to CHECK YOUR PRIVILEGES! As you can see here, we have SeImpersonatePrivilege, which is exploitable with PrintSpoofer through named pipes. PrintSpoofer works against Windows Server 2019, which we identified in phpinfo.php.
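The defensive counterpart to the check above is knowing which accounts on a host hold SeImpersonatePrivilege in the first place: a web or service account that has it and is compromised gets exactly this escalation path. The following PowerShell is an added example, not the writeup’s own tooling; it exports the local security policy with secedit, reads the SeImpersonatePrivilege line and translates the SIDs to account names so that anything beyond the built-in defaults can be reviewed. It assumes an elevated prompt on the host being audited.

```powershell
# Added example (not from the writeup): list which accounts hold
# SeImpersonatePrivilege on this host. Run from an elevated prompt.
function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the local security policy, including user rights
    # assignments, to an .inf file
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    $line.Split('=')[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate them to account names
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry.TrimStart('*') }   # unresolvable SID: keep it raw
        } else {
            $entry
        }
    }
}

$holders = Get-ImpersonatePrivilegeHolders
"Accounts holding SeImpersonatePrivilege:"
$holders | ForEach-Object { " - $_" }

# Built-in holders on a default Windows Server install; anything else
# (IIS_IUSRS, a PHP/Apache service account, ...) deserves a second look.
$defaults = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SERVICE',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)
$extra = $holders | Where-Object { $defaults -notcontains $_ }
if ($extra) { "Review these non-default holders: $($extra -join ', ')" }
```

Removing the privilege from a web server’s service account is not always possible (IIS application pools need it for impersonation), so the realistic mitigation is to run PHP under a dedicated low-privilege account and treat any shell obtained from it as already SYSTEM-equivalent when scoping detection and response.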
So, PrintSpoofer is uploaded on the target and executed with the -c switch, passing the implant that was uploaded just now as the parameter.
As shown here, we have gained machine access, which is higher than NT Authority System!
Now that I have the highest authority, let’s get the flag. As the user webadmin, I can view the files in my directory.
On the Desktop of webadmin, there are 3 files: a user.zip which has the user flag, an encrypted password and a PowerShell script to decrypt the password.
However, user.zip is password protected. So, with the information that we gathered, it can be assumed that the PowerShell script is used to decrypt the encrypted password file, which will reveal the password to user.zip. However, the PowerShell script only works if you are the correct user, as shown in the PowerShell script above: it uses the user’s DPAPI secret to decrypt the file. To elaborate, you can only decrypt the password if you are logged in as the user that encrypted the file.
Using that script, we have the password for user.zip!
We got the user flag!
Now, continuing our red team assessment, I mean CTF challenge, it’s time for post-exploitation. mimikatz.exe was uploaded and the SAM account passwords were dumped with it.
Looking at the Administrator’s Desktop, we had the exact same files as the user account, except this time there is a root.zip file. At this point, I had every account: the Administrator account, the machine account and the user account. However, the PowerShell script did not work for some reason, even though I was logged in as the user that encrypted the file. So, I raised a ticket and the issue was resolved.
The resolution for this error was to give us a password.zip file which was password protected with the Administrator’s hash.
So, using the results from mimikatz.exe, the zip file was decrypted and we got the password for root.zip.
From there, we got the root flag!
BUT WAIT, what if I told you the way I did the privilege escalation was an unintended way? Remember the credentials we got? The first thing to do when you get domain credentials is to run Bloodhound.
So, using the credentials, I ran bloodhound-python to query the LDAP server on the Active Directory for all Domain objects.
Note that, in my opinion, bloodhound-python is not recommended for red team assessments or basically any advanced red team certification, mainly because it does not pick up every Domain object, such as Active Directory Certificate Services (ADCS). For this reason, SharpHound is recommended.
When we have the Domain objects, I loaded up neo4j, the database for Bloodhound, and of course the Bloodhound GUI. So, what do we do from here? As John Hammond would put it, CLICK EVERYTHING. However, my methodology is to check the outbound permissions of the compromised user first. As you can see, the webadmin user is part of the WEB_ADMINISTRATOR group.
Looking at the WEB_ADMINISTRATOR group, it can add itself to the GPO_MANAGER group.
So, by using net group "GPO_MANAGER" webadmin /add /domain, the user webadmin is now in the GPO_MANAGER group!
Looking at the outbound permissions of the GPO_MANAGER group, it is shown that it has full read and write permissions on the ACCESS_FILES Group Policy!
From here, SharpGPOAbuse is used to add the webadmin user as a local administrator.
Finally, NetExec can be used to dump the SAM account passwords.
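The two ACL edges this path relies on (a group that may add members to another group, and a group that may edit a GPO) are exactly what an AD administrator should be auditing. The following PowerShell is an added example, not part of the writeup or of Bloodhound; it assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined host, and uses the GPO_MANAGER group and ACCESS_FILES GPO names from the box. Get-GroupMembershipWriters lists every principal whose ACE on the group grants blanket control or a Self/WriteProperty right on the member attribute (the AddSelf and AddMember edges), and Get-GpoEditors lists who holds an edit permission on the GPO.

```powershell
# Added example (not from the writeup): audit who can change a group's
# membership and who can edit a GPO. Requires RSAT ActiveDirectory and
# GroupPolicy modules on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Schema GUID of the 'member' attribute. A Self or WriteProperty right
# scoped to this GUID is what lets a principal add (itself) to the group.
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
# All-zero ObjectType means the right applies to every attribute.
$AllGuid = [Guid]'00000000-0000-0000-0000-000000000000'

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # Blanket rights that imply control over membership
            ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or
            # Explicit right on the member attribute (or on all attributes)
            ($_.ActiveDirectoryRights -match 'Self|WriteProperty' -and
             ($_.ObjectType -eq $MemberGuid -or $_.ObjectType -eq $AllGuid))
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Get-GpoEditors {
    param([Parameter(Mandatory)][string]$GpoName)
    # GpoEdit and GpoEditDeleteModifySecurity both allow changing policy contents
    Get-GPPermission -Name $GpoName -All | Where-Object {
        $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity'
    } | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

"Principals able to change membership of GPO_MANAGER:"
Get-GroupMembershipWriters -GroupName 'GPO_MANAGER' | Format-Table -AutoSize

"Principals able to edit the ACCESS_FILES GPO:"
Get-GpoEditors -GpoName 'ACCESS_FILES' | Format-Table -AutoSize
```

Domain Admins, Enterprise Admins and SYSTEM are expected in both lists; a low-tier group such as WEB_ADMINISTRATOR showing up is the finding, and the same two functions can be looped over Get-ADGroup -Filter * and Get-GPO -All to sweep the whole domain. On the detection side, the net group command used above also leaves event 4728 (member added to a security-enabled global group) on the domain controller with the acting account in the Subject fields.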
Overall, I think this box is a good Active Directory box, despite some hiccups and the unintended way. It constrains you to be a certain user to get the flag and also uses some access control lists, or ACLs, to get Domain Admin. If you wanna try one of H0j3n’s Active Directory boxes, here is one which at the time of writing is still available and was created for Wargames 2022. I really enjoyed this CTF, as we as a team did not intend to get 2nd place in the open category as well as best presentation in the creative category. I hope SherpaSec can organise another physical CTF for the open category next time as well! Till then, peace out!