HackTheBox Endgame Xen Writeup Part 4 – Owned (Flag 06 /06)
HackTheBox EndGame Xen Writeup Series
- PART 1 – HackTheBox Endgame Xen Writeup Part 1 – Breach (Flag 01/06)
- PART 2 – HackTheBox Endgame Xen Writeup Part 2 – Deploy and Ghost (Flag 02 and 3/06)
- PART 3 – HackTheBox Endgame Xen Writeup Part 3 – Camouflage and Doppelgänger (Flag 04 and 5/06)
- PART 4 – HackTheBox Endgame Xen Writeup Part 4 – Owned (Flag 06 /06)
When it comes to Windows exploitation, it is my favourite, and Active Directory exploitation always comes first. This final part of the Xen writeup, the Owned flag, is the kind of thing I always love to do.
Enabling RDP and RDPing The Domain Controller
I can see the flag just around the corner, but I am taking a bit of time to fully understand the attack vectors. During enumeration I found that the backup-svc user is allowed to RDP to the domain controller; however, I wasn't able to connect even after several tries.
So, to make sure my attempts were correct, I decided to use Carlos Perez's getgui script, which enables Remote Desktop so that I can log into the system.
Then I forwarded my local port 3389 to the domain controller's (172.16.249.200) RDP port 3389.
Using Remmina To Get RDP on The Domain Controller
OK, everything is ready to RDP to the domain controller at 172.16.249.200. I fired up Remmina and used the port-forwarded IP and RDP port. I immediately got the connection back.
And I'm in. I ran whoami /priv to display the privileges, and I can see that only SeChangeNotifyPrivilege is enabled for the user backup-svc.
As I was backing things up, I realised that I needed a shell to download the files I had backed up. I tried PowerShell, but it didn't work, so the only way I thought would work was Evil-WinRM. I copied Evil-WinRM to the XEN directory and then set up a port forward to the DC's WinRM port.
Then I updated the WinRM connection settings, saved them, and on running the script I got a shell as backup-svc.
Preparing A System Copy Using Diskshadow Command
Referring to this article (https://docs.datacore.com/WIK-WebHelp/VSS/DiskShadow_Commands_Example.htm), I made a shadow copy of the system so that I could copy ntds.dit and the SAM hashes.
Then I enabled the privilege with the help of this article: https://github.com/giuliano108/SeBackupPrivilege. First, I imported both files into a temp directory, ran the module-import command, and then enabled SeBackupPrivilege.
Then I made a dump of HKLM\SAM.
Once that was done, I used Evil-WinRM's download feature to download the files.
Using secretsdump.py I managed to dump the hashes. Now I have a complete list of hashes for the users in the htb.local domain.
After obtaining the hashes, I tried to crack them with John, but John failed me for the first time.
My next approach was to use xfreerdp to RDP to the box using the pass-the-hash method.
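From the defender's side, the sequence above (a diskshadow script run, a reg save of HKLM\SAM, and a copy of ntds.dit, all by one account on the DC) is a distinctive chain in process-creation logs even though each step on its own looks routine. The following is an added example, not part of the original writeup: a small Python correlator over constructed, simplified 4688/Sysmon-style process-creation records; the host names, event layout, file paths and regexes are assumptions.

```python
import re

# Constructed sample events (simplified 4688 / Sysmon-style process-creation
# records) modelled on the backup-svc activity described above; not real logs.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "HTB\\backup-svc", "cmdline": "whoami /priv"},
    {"host": "DC01", "user": "HTB\\backup-svc", "cmdline": "diskshadow.exe /s C:\\temp\\shadow.txt"},
    {"host": "DC01", "user": "HTB\\backup-svc", "cmdline": "reg.exe save HKLM\\SAM C:\\temp\\sam.hive"},
    {"host": "DC01", "user": "HTB\\backup-svc", "cmdline": "copy E:\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit"},
    {"host": "WS01", "user": "HTB\\alice", "cmdline": "reg.exe query HKLM\\SOFTWARE\\Microsoft"},
    {"host": "WS01", "user": "HTB\\alice", "cmdline": "diskshadow.exe"},
]

# One regex per step of the chain, matched against the lower-cased command line.
INDICATORS = [
    ("vss_snapshot_script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b")),
    ("registry_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    ("ntds_file_access", re.compile(r"ntds\.dit")),
]

def indicators_for(cmdline):
    """Return the set of indicator names that match a single command line."""
    text = cmdline.lower()
    return {name for name, rx in INDICATORS if rx.search(text)}

def correlate(events):
    """Collect the distinct indicators seen per (host, user) principal."""
    hits = {}
    for ev in events:
        found = indicators_for(ev["cmdline"])
        if found:
            hits.setdefault((ev["host"], ev["user"]), set()).update(found)
    return hits

def alerts(events, threshold=2):
    """Alert on principals that show at least `threshold` distinct chain steps;
    a lone diskshadow or reg call is routine, the combination is not."""
    return sorted(
        (host, user, sorted(names))
        for (host, user), names in correlate(events).items()
        if len(names) >= threshold
    )

if __name__ == "__main__":
    for host, user, names in alerts(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {', '.join(names)}")
```

Raising the threshold trades sensitivity for noise; on a real estate the same correlation should also key on SeBackupPrivilege being enabled in the logon token, which the writeup's whoami /priv output is the manual equivalent of.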
So that's the end of the story of Endgame Xen. What a great journey. Thank you for dropping by and reading.