Heist

Writeup for Heist from offsec Proving Grounds

Information Gathering

sudo nmapAutomator.sh 192.168.220.165 all

Service Enumeration

SMB (Port 139/445)

It doesn't seem like we have access.

HTTP (Port 8080)

We can make the service query us by supplying our own IP as the target; we then see a response on our listener.

We can then make use of the SSRF and try to steal an NTLMv2 hash using Responder.

sudo responder -I tun0 -v
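The capture above works because the web server can be made to authenticate to a host we control. As an added mitigation example (not part of the original writeup), the following PowerShell blocks outbound SMB/NetBIOS from the server so a server-side request to a UNC path cannot carry NTLM credentials off-host, and then returns the resulting rules for verification. The rule display names are my own choice; it assumes an elevated session on a Windows host with the NetSecurity module.

```powershell
# Added example (not from the writeup): block outbound SMB/NetBIOS on a web server
# so that a coerced server-side request cannot leak NTLM authentication off-host.
# Rule names are assumed/chosen here; requires an elevated PowerShell session.
function Block-OutboundSmb {
    $rules = @(
        @{ Name = 'Block outbound SMB (TCP 445)';     Port = 445 },
        @{ Name = 'Block outbound NetBIOS (TCP 139)'; Port = 139 }
    )

    foreach ($r in $rules) {
        # Idempotent: only create the rule if it is not already present
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Outbound `
                -Protocol TCP -RemotePort $r.Port -Action Block -Profile Any | Out-Null
        }
    }

    # Return the effective rules so the change can be verified or logged
    $names = $rules | ForEach-Object { $_.Name }
    Get-NetFirewallRule -DisplayName $names |
        Select-Object DisplayName, Enabled, Direction, Action
}

Block-OutboundSmb
```

This is a network-level stopgap, not the root fix: Responder also answers over HTTP, so NTLM can still be offered to an attacker-controlled web URL unless outbound HTTP from the server is restricted as well. The actual bug is the SSRF itself, and the application should refuse to fetch user-supplied hosts (or allow only an explicit allowlist) regardless of the firewall.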

Exploit

evil-winrm -i 192.168.220.165 -u enox -p california

Privesc

Upon manual enumeration, we see that there is an svc_apache$ user.

We can use the Get-ADPrincipalGroupMembership cmdlet to check what groups this user is in.

Group Managed Service Accounts (gMSAs) are managed domain accounts that administrators use to help secure services. Their passwords are generated automatically by Active Directory. If our principal is granted the right to retrieve the managed password, we can read the password hash from Active Directory. We can use the Get-ADServiceAccount cmdlet and look up the PrincipalsAllowedToRetrieveManagedPassword property on the account.

We see that the group Web Admin has this privilege over the svc_apache$ account.

We then try to see if we can retrieve the password hash.

Looks like we have the ReadGMSAPassword privilege over the svc_apache$ service account.
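The same two cmdlets the writeup uses (Get-ADServiceAccount and group membership lookups) are what a domain administrator would use to audit this misconfiguration. The following is an added example, not code from the writeup: it lists every gMSA in the domain, expands each principal in PrincipalsAllowedToRetrieveManagedPassword down to its effective members, and flags readers that are not computer accounts, since a gMSA password should normally be readable only by the hosts that run the service. It assumes the ActiveDirectory RSAT module on a domain-joined session; the function name is my own.

```powershell
# Added example (not from the writeup): audit which principals can read each
# gMSA's managed password and flag non-computer readers for review.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    [CmdletBinding()]
    param(
        # Optional name filter, e.g. 'svc_apache$'; the default audits every gMSA
        [string]$Name = '*'
    )

    # Only gMSAs carry PrincipalsAllowedToRetrieveManagedPassword
    $gmsas = Get-ADServiceAccount -Filter "Name -like '$Name'" `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($gmsa in $gmsas) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $principal = Get-ADObject -Identity $dn

            if ($principal.ObjectClass -eq 'group') {
                # Expand nested membership so indirect readers are visible
                $members = Get-ADGroupMember -Identity $dn -Recursive
            } else {
                $members = @($principal)
            }

            # Any reader that is not a computer object deserves a second look:
            # users and groups of users can use the password from anywhere.
            $nonComputer = $members | Where-Object { $_.ObjectClass -ne 'computer' }

            [pscustomobject]@{
                ServiceAccount   = $gmsa.SamAccountName
                AllowedPrincipal = $principal.Name
                PrincipalType    = $principal.ObjectClass
                EffectiveReaders = ($members | ForEach-Object { $_.Name }) -join ', '
                ReviewNeeded     = [bool]$nonComputer
            }
        }
    }
}

# Example usage: show only the entries that need review
Get-GmsaPasswordReaders | Where-Object ReviewNeeded | Format-Table -AutoSize
```

On the box in this writeup the entry for svc_apache$ would show the Web Admin group as the allowed principal with its user members as effective readers, which is exactly the condition the audit is meant to surface. Remediation is to restrict PrincipalsAllowedToRetrieveManagedPassword to the computer accounts that host the service (Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword).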

We upload GMSAPasswordReader.exe and execute it with the svc_apache account name.

Now we can do a PTH attack and gain access as svc_apache$ user.

Upon manual enumeration, we see that this account has the SeRestorePrivilege enabled.

SeRestorePrivilege allows file content modification even if the security descriptor on the file does not grant such access. The privilege can also be used to change the owner and protection of a file.

We can make use of the EnableSeRestorePrivilege.ps1 script to enable this privilege.

Utilman.exe is the utility program that is launched when the "Ease of Access" button on the login screen is clicked. It can be replaced with cmd.exe, which gives an attacker a shell from the login screen from which any user password can simply be reset, since the tool is executed with admin rights.

We can take advantage of the fact that we have write access to the system directory System32 to replace utilman.exe with cmd.exe.
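Both halves of this privilege escalation leave artifacts a defender can check for on the host. The following PowerShell is an added example (not code from the writeup): the first function lists which accounts local security policy grants SeRestorePrivilege to, via a secedit export; the second inspects System32\utilman.exe and reports whether it still looks like the original binary. The function names are my own; it assumes an elevated session on the Windows host being checked.

```powershell
# Added example (not from the writeup): two host checks for the path used above.
# 1) Who holds SeRestorePrivilege according to local security policy.
# 2) Whether System32\utilman.exe is still the original accessibility tool.
# Function names are assumed/chosen here; run in an elevated session.

function Get-SeRestorePrivilegeHolders {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the effective policy, including the [Privilege Rights] section
    secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeRestorePrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Value is a comma-separated list of SIDs, each prefixed with '*'
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID: report it raw
    }
}

function Test-UtilmanIntegrity {
    $utilman = Join-Path $env:SystemRoot 'System32\utilman.exe'
    $cmd     = Join-Path $env:SystemRoot 'System32\cmd.exe'
    $sig     = Get-AuthenticodeSignature -FilePath $utilman
    $info    = (Get-Item $utilman).VersionInfo

    [pscustomobject]@{
        Path             = $utilman
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        OriginalFilename = $info.OriginalFilename
        # A straight copy of cmd.exe has an identical hash and reports Cmd.Exe
        # as its OriginalFilename even though its signature is still valid.
        SameHashAsCmd    = (Get-FileHash $utilman).Hash -eq (Get-FileHash $cmd).Hash
        LooksTampered    = ($sig.Status -ne 'Valid') -or
                           ($info.OriginalFilename -notlike 'utilman*')
    }
}

Get-SeRestorePrivilegeHolders
Test-UtilmanIntegrity | Format-List
```

The signature check alone is not enough here: cmd.exe is itself a Microsoft-signed binary, so a swapped utilman.exe still reports a valid signature. The OriginalFilename field from the version resource and the hash comparison are what actually catch the substitution. On the account side, SeRestorePrivilege and SeBackupPrivilege should be treated as equivalent to local administrator and only granted to accounts that genuinely need them.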
