Contempt
Challenge
- CTF: HTB Business CTF 2023: The Great Escape
- Name: Contempt
- Category: Fullpwn
- Difficulty: Hard
- Points: 2000
- Description: N/A
Unintended
It was found very early in the competition that this system was vulnerable to ZeroLogon that when exploited can reset the Domain Controller System Administrator password. See the following writeups detailing this unintended:
- https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Business%20CTF%202023/FullPwn/Contempt.md
- https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Business%20CTF%202023/FullPwn/Contempt%20-%20Revenge.md
Recon
Connect to the HTB VPN via sudo openvpn <vpntoken>.ovpn
Running an nmap scan on the target, identify a website running at nextcloud.contempt.htb, and a Windows Server 2016 Domain Controller running DNS/LDAP/Kerberos/SMB:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Nmap scan report for contempt.htb (10.129.251.205)
Host is up (0.021s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-18 10:15:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: contempt.htb, Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2023-07-18T10:16:32+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=contempt.htb/organizationName=Contempt
| Subject Alternative Name: DNS:nextcloud.contempt.htb
| Issuer: commonName=contempt-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-18T17:43:41
| Not valid after: 2073-05-18T17:53:41
| MD5: ed1a:f45e:8acf:2fd5:95fc:3d5f:7258:896d
|_SHA-1: 2168:1396:d6a3:d892:b709:32db:9a56:078c:c3bc:0b5a
445/tcp open Windows Server 2016 Standard 14393 microsoft-ds (workgroup: CONTEMPT)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: contempt.htb, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49719/tcp open msrpc Microsoft Windows RPC
49738/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: dc01
| NetBIOS computer name: DC01\x00
| Domain name: contempt.htb
| Forest name: contempt.htb
| FQDN: dc01.contempt.htb
|_ System time: 2023-07-18T03:15:56-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-18T10:15:53
|_ start_date: 2023-07-18T10:13:17
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 1h45m01s, deviation: 3h30m02s, median: 0s
Make sure you account for the 1 hour clock skew as Kerberos requires a time sync within 5 minutes!
Add contempt.htb and nextcloud.contempt.htb to your /etc/hosts file for local DNS resolution.
Leveraging crackmapexec we can identify the Domain Controller name:
1
2
$ cme smb contempt.htb
SMB contempt.htb 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:contempt.htb) (signing:True) (SMBv1:True)
Add dc01.contempt.htb to your /etc/hosts file for local DNS resolution.
There was an ASREPRoastable User named orion.swift on the contempt.htb domain.
NextCloud
A nextcloud instance was accessible at https://nextcloud.contempt.htb/apps/user_saml/saml/selectUserBackEnd?redirectUrl= that enabled two different authentication options, Single-Sign-On (SSO) and Direct Login.  The NextCloud version was identified to be 26.0.1.
Going to the SSO For Operators, lead to a request to adfs.contempt.htb at https://adfs.contempt.htb/adfs/ls/idpinitiatedsignon.aspx?SAMLRequest=nZJbbxoxEIXf%2BRWR39kbm4VYgERCL0gUUCB9yEvkXc8GS7u26xm35N938bbNRUoeOg%2BWfDzn08yRpyjaxvKFp6O%2BhR8ekAYXXZ3aRiMPjzPmneZGoEKuRQvIqeL7xbc1z6KEW2fIVKZhb2wfuwQiOFJG97bVcsa2m0%2Fr7ZfV5mFSFJM0L7KrIktEWeRSijKp0gRSCcVoNBFXl3VdZnlv%2FQ4OO86MdVg26GmIHlYaSWjq9CQbDZPxMJ0c0jG%2FHPM8v%2B%2Bty25ZpQUF%2B5HIIo9jIWuMKqMJWkvRkcqgxA3GSlqlFSlBIFE9aqMjgfbUs3Z%2FYrhWWir9%2BPH2Zd%2BE%2FOvhsBvutvtDD1n8TeXGaPQtuD24n6qCu9v184AaTlQ1xss3U1qLse%2F8D%2Bf043CICtk8kKfnOw%2FBuPl%2FkFogIQWJafwS9Iy2fNNtuVruTKOqp6Cf67NxraD3w0ijNChKDuvQyr1GC5WqFUj2D7NoGvPrxkGX%2FIyR88Au4vmgn%2BX1353%2FBg%3D%3D&RelayState=https%3A%2F%2Fnextcloud.contempt.htb%2Fapps%2Fuser_saml%2Fsaml%2Flogin Add adfs.contempt.htb to your /etc/hosts file for local DNS resolution.
The following users were in the nextcloud Domain Group, matrix.cross, viper.hollow, zero.summers, and cipher.stone.
On the nextcloud Hyper-V Virtual Machine :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
nc -nlvp 4444
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.251.205:49676.
bash: cannot set terminal process group (735): Inappropriate ioctl for device
bash: no job control in this shell
[root@nextcloud ~]#
[root@nextcloud ~]# ls -la
total 40
dr-xr-x---. 3 root root 4096 Jul 18 13:33 .
dr-xr-xr-x. 18 root root 251 Jul 18 13:27 ..
lrwxrwxrwx. 1 root root 9 May 25 08:43 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 May 11 2022 .bash_logout
-rw-r--r--. 1 root root 141 May 11 2022 .bash_profile
-rw-r--r--. 1 root root 429 May 11 2022 .bashrc
-rw-r--r--. 1 root root 100 May 11 2022 .cshrc
-rw-------. 1 root root 20 May 18 15:27 .lesshst
lrwxrwxrwx. 1 root root 9 May 25 08:42 .mysql_history -> /dev/null
drwx------. 2 root root 6 Jul 18 13:26 .ssh
-rw-r--r--. 1 root root 129 May 11 2022 .tcshrc
-rw-------. 1 root root 850 Jul 15 10:47 .viminfo
-rw-------. 1 root root 1156 May 16 13:03 anaconda-ks.cfg
-rw-r-----. 1 root root 41 Jul 15 10:47 user.txt
[root@nextcloud ~]# cat user.txt
HTB{1_nEveR_cL41m3D_t0_Be_4n_ss0_exPERt}
User Flag: HTB{1_nEveR_cL41m3D_t0_Be_4n_ss0_exPERt}
CVE-2023-21608 Adobe Reader Phishing Document
Phishing a Adobe Reader PDF document exploiting CVE-2023-21608 that was opened automatically by a aria.frost a domain administrative user.
The mail.contempt.htb was the mailserver.
CVE-2023-21608 Proof-of-Concept / Blog: https://github.com/hacksysteam/CVE-2023-21608/ https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608
The Adobe Reader Version: 
The following PowerShell script was running from C:\users\aria.frost\Documents\adobe.ps1:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$directory = "C:\users\aria.frost\documents\reports\"
$pdfFiles = Get-ChildItem -Path $directory -Filter *.pdf
if ((Get-Scheduledtask -TaskName "Adobe Acrobat Update Task").State -ne "Disabled") {
Disable-ScheduledTask -TaskName "Adobe Acrobat Update Task"
}
if ((Get-Service -ServiceName "Adobe Acrobat Update Service" | select StartType) -ne "Disabled") {
Set-Service -Name "AdobeARMservice" -StartupType Disabled
}
foreach ($pdfFile in $pdfFiles) {
& "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" $directory$pdfFile
sleep 25
Stop-Process -id (Get-Process -Name AcroRd32).Id
sleep 1
rm -Force $directory$pdfFile
}
Post-DA:
1
2
C:\users>type C:\users\Administrator\Desktop\root.txt
HTB{HeY_iv3_g0n3_phIsHINg_leav3_4_meSs4g3}
Root Flag: HTB{HeY_iv3_g0n3_phIsHINg_leav3_4_meSs4g3}
DNS ?
The administrator had a Powershell DNS cleanup script was running from C:\users\Administrator\Documents\dns_clean.ps1, so potentially a DNS exploitation was intended for something …
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
$zoneName = "contempt.htb"
$recordName = "dc01"
$recordIPAddress = "172.16.20.1"
$dnsService = Get-Service -Name "DNS"
$maxRetries = 10
$retryInterval = 5 # seconds
$retryCount = 0
# Wait for DNS service to start
while (($dnsService.Status -ne "Running") -and ($retryCount -lt $maxRetries)) {
Write-Host "Waiting for DNS service to start..."
Start-Sleep -Seconds $retryInterval
$dnsService.Refresh()
$retryCount++
}
if ($dnsService.Status -eq "Running") {
$zone = Get-DnsServerZone -Name $zoneName
if ($zone) {
$record = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A -Name $recordName
if ($record) {
if ($record.RecordData.IPv4Address.IpAddressToString.Contains($recordIPAddress)) {
Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A -Name $recordName -RecordData $recordIPAddress -Force
Write-Host "A record deleted successfully."
} else {
Write-Host "A record not found in the specified zone."
}
} else {
Write-Host "A record not found in the specified zone."
}
} else {
Write-Host "Zone '$zoneName' not found."
}
} else {
Write-Host "DNS service did not start within the specified time."
}
Path Forward
Hopefully HTB releases this box so we can fully document the intentional path ! DM me if you have more notes/information on this machine.