Purple teaming

Information security / cyber security. This blog is intended for research in the field of cyber security. Please note that we accept no responsibility whatsoever for any damage resulting from executing the published content against external devices you are not authorized to test.

HTB Helpline writeup (English)


HTB Helpline writeup

Thanks egre55. I've learned a lot from this machine!

Also, big thanks to ATK and Senn for helping me to solve this challenge!


Overview


- Even with the highest privilege, the flags were not readable
--> They are EFS encrypted. There are two ways to decrypt them. Even in constrained language mode, you can still decrypt the file.
- There is a harder way to get the flag

http://blackpentesters.blogspot.com/2017/01/decrypting-efs-encrypted-files.html

https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files


- schtasks is your friend; it bypasses UAC

"Attack tree"-ish mind map

f:id:watashiwaojsn:20190907002342p:plain

Port Scan

root@kali:~/hackthebox/Helpline# nmap -A -p- 10.10.10.132

135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open  http-proxy    -
|_http-title: ManageEngine ServiceDesk Plus

SMB didn't give out any information. In such cases, I always look into the web applications.

Web application authentication bypass

A quick Google search for the application and its version turned up a seemingly working exploit. By the way, never ever run exploits blindly without reading the code carefully!

Logged in as "guest".

Replaced the cookies with the ones shown in the exploit.

Admin!


I found "Custom Schedule" with an "Executor" function; it looked like OS commands could be run from there.

At this point I had no idea with what privileges the application was running. Worth checking whether outbound connections are allowed.

PowerShell in-memory attack

I used my favorite "Nishang".

nishang

https://github.com/samratashok/nishang

SYSTEM privileges? Hmm... strange. Too good to be true.

 

Anyway, where are the flags?

PS C:\Users> get-childitem -recurse

    Directory: C:\Users

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       12/20/2018  11:09 PM             32 root.txt

    Directory: C:\Users\leo\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/15/2019  12:18 AM            526 admin-pass.xml

    Directory: C:\Users\tolu\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/20/2018  11:12 PM             32 user.txt

See? This is definitely a big problem!  


Darn, EFS. Honestly, I'm not good at openssl mumbo-jumbo.


Token impersonation

The quickest way to decrypt is token impersonation.
I confirmed that a process of leo's was running.

admin-pass.xml contained a long string of digits. After some googling, I realized it is a PowerShell SecureString.

PowerShell SecureString

There are two ways to decrypt a PowerShell SecureString. The first one didn't work due to constrained language mode.

GetNetworkCredential worked.
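Both decryption routes side by side, as an added example that is not code from the original post. It assumes admin-pass.xml is the file from the listing above and that it runs in a process owned by the user who exported it (leo), since Export-Clixml protects a SecureString with that user's DPAPI keys; the path and the "placeholder" user name are my assumptions.

```powershell
# Added example (not from the original post). Assumption: this runs as the user
# who created the file, because Export-Clixml wraps a SecureString with DPAPI
# under that user's profile and it does not import for anyone else. That is the
# defensive takeaway: the file only protects against *other* accounts, not
# against a compromise of that user's own session.
$xmlPath = 'C:\Users\leo\Desktop\admin-pass.xml'

# Method 1: copy the SecureString into an unmanaged BSTR and read it back.
# Marshal is not on the ConstrainedLanguage allow-list, so this throws there.
function Get-PlainTextViaMarshal {
    param([System.Security.SecureString]$SecureString)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Zero the unmanaged copy as soon as we are done with it.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Method 2: wrap the SecureString in a PSCredential. PSCredential is an allowed
# type in ConstrainedLanguage mode, and GetNetworkCredential() returns plaintext.
function Get-PlainTextViaCredential {
    param([System.Security.SecureString]$SecureString)
    $cred = New-Object -TypeName System.Management.Automation.PSCredential `
                       -ArgumentList 'placeholder', $SecureString
    $cred.GetNetworkCredential().Password
}

$imported = Import-Clixml -Path $xmlPath
# Export-Clixml may have been given a bare SecureString or a whole PSCredential;
# handle both and pull out the SecureString.
$secure = if ($imported -is [System.Management.Automation.PSCredential]) {
    $imported.Password
} else {
    [System.Security.SecureString]$imported
}

"Language mode: $($ExecutionContext.SessionState.LanguageMode)"
try {
    "Marshal method:    " + (Get-PlainTextViaMarshal -SecureString $secure)
} catch {
    "Marshal method failed: $($_.Exception.Message)"
}
"Credential method: " + (Get-PlainTextViaCredential -SecureString $secure)
```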


Getting root.txt

I could log on to the target via psexec.py, but "whoami" still showed "SYSTEM". So I decided to use schtasks. Believe it or not, the good old technique still works!

Getting user.txt

zachary belongs to "Event Log Readers". Seems the author wants me to read the event logs. Let's compile all the logs into a single text file and grep for "tolu".

$logfile=gc .\test.txt


Yeah, there it is.
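The same search done directly with Get-WinEvent instead of dumping everything to a text file, as an added example that is not the post's own code. It walks every log the current account can read, which is exactly what membership in "Event Log Readers" grants, and reports only the matching line of each message; the search term "tolu" is the one from the post, the function name and output format are mine.

```powershell
# Added example (not from the original post): search every readable event log
# for a string and show where it appears. Useful for auditing what a member of
# "Event Log Readers" can see; the classic source of secrets in logs is
# process-creation auditing (event 4688 with command-line logging) when a
# credential is passed as a command-line argument.
function Search-EventLogsForString {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [int]$MaxPerLog = 5000      # cap per log so large logs stay manageable
    )
    # Enumerate logs that actually hold records; -ErrorAction hides the ones we
    # have no right to even list.
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }

    foreach ($log in $logs) {
        try {
            Get-WinEvent -LogName $log.LogName -MaxEvents $MaxPerLog -ErrorAction Stop |
                Where-Object { $_.Message -match $Pattern } |
                ForEach-Object {
                    # Keep only the first matching line rather than the whole message.
                    $line = ($_.Message -split "`r?`n" |
                             Where-Object { $_ -match $Pattern } |
                             Select-Object -First 1)
                    [pscustomobject]@{
                        Log     = $log.LogName
                        EventId = $_.Id
                        Time    = $_.TimeCreated
                        Match   = $line
                    }
                }
        } catch {
            # Access denied or an empty log: skip it and move on to the next one.
        }
    }
}

Search-EventLogsForString -Pattern 'tolu' | Format-Table -AutoSize
```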

After putting "tolu" into the local admin group, the rest is the same as above.