Post

Contempt

Challenge

Unintended

It was found very early in the competition that this system was vulnerable to ZeroLogon that when exploited can reset the Domain Controller System Administrator password. See the following writeups detailing this unintended:

  • https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Business%20CTF%202023/FullPwn/Contempt.md
  • https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Business%20CTF%202023/FullPwn/Contempt%20-%20Revenge.md

Recon

Connect to the HTB VPN via sudo openvpn <vpntoken>.ovpn

Running an nmap scan on the target, identify a website running at nextcloud.contempt.htb, and a Windows Server 2016 Domain Controller running DNS/LDAP/Kerberos/SMB:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Nmap scan report for contempt.htb (10.129.251.205)
Host is up (0.021s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2023-07-18 10:15:04Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: contempt.htb, Site: Default-First-Site-Name)
443/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2023-07-18T10:16:32+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=contempt.htb/organizationName=Contempt
| Subject Alternative Name: DNS:nextcloud.contempt.htb
| Issuer: commonName=contempt-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-18T17:43:41
| Not valid after:  2073-05-18T17:53:41
| MD5:   ed1a:f45e:8acf:2fd5:95fc:3d5f:7258:896d
|_SHA-1: 2168:1396:d6a3:d892:b709:32db:9a56:078c:c3bc:0b5a
445/tcp   open                    Windows Server 2016 Standard 14393 microsoft-ds (workgroup: CONTEMPT)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
2179/tcp  open  vmrdp?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: contempt.htb, Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
9389/tcp  open  mc-nmf            .NET Message Framing
49666/tcp open  msrpc             Microsoft Windows RPC
49668/tcp open  msrpc             Microsoft Windows RPC
49669/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc             Microsoft Windows RPC
49719/tcp open  msrpc             Microsoft Windows RPC
49738/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: dc01
|   NetBIOS computer name: DC01\x00
|   Domain name: contempt.htb
|   Forest name: contempt.htb
|   FQDN: dc01.contempt.htb
|_  System time: 2023-07-18T03:15:56-07:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-07-18T10:15:53
|_  start_date: 2023-07-18T10:13:17
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 1h45m01s, deviation: 3h30m02s, median: 0s

Make sure you account for the 1 hour clock skew as Kerberos requires a time sync within 5 minutes!

Add contempt.htb and nextcloud.contempt.htb to your /etc/hosts file for local DNS resolution.

Leveraging crackmapexec we can identify the Domain Controller name:

1
2
$ cme smb contempt.htb
SMB         contempt.htb    445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:contempt.htb) (signing:True) (SMBv1:True)

Add dc01.contempt.htb to your /etc/hosts file for local DNS resolution.

There was an ASREPRoastable User named orion.swift on the contempt.htb domain.

NextCloud

A nextcloud instance was accessible at https://nextcloud.contempt.htb/apps/user_saml/saml/selectUserBackEnd?redirectUrl= that enabled two different authentication options, Single-Sign-On (SSO) and Direct Login. ![contempt_1](](/assets/img/contempt_1.png) The NextCloud version was identified to be 26.0.1.

Going to the SSO For Operators, lead to a request to adfs.contempt.htb at https://adfs.contempt.htb/adfs/ls/idpinitiatedsignon.aspx?SAMLRequest=nZJbbxoxEIXf%2BRWR39kbm4VYgERCL0gUUCB9yEvkXc8GS7u26xm35N938bbNRUoeOg%2BWfDzn08yRpyjaxvKFp6O%2BhR8ekAYXXZ3aRiMPjzPmneZGoEKuRQvIqeL7xbc1z6KEW2fIVKZhb2wfuwQiOFJG97bVcsa2m0%2Fr7ZfV5mFSFJM0L7KrIktEWeRSijKp0gRSCcVoNBFXl3VdZnlv%2FQ4OO86MdVg26GmIHlYaSWjq9CQbDZPxMJ0c0jG%2FHPM8v%2B%2Bty25ZpQUF%2B5HIIo9jIWuMKqMJWkvRkcqgxA3GSlqlFSlBIFE9aqMjgfbUs3Z%2FYrhWWir9%2BPH2Zd%2BE%2FOvhsBvutvtDD1n8TeXGaPQtuD24n6qCu9v184AaTlQ1xss3U1qLse%2F8D%2Bf043CICtk8kKfnOw%2FBuPl%2FkFogIQWJafwS9Iy2fNNtuVruTKOqp6Cf67NxraD3w0ijNChKDuvQyr1GC5WqFUj2D7NoGvPrxkGX%2FIyR88Au4vmgn%2BX1353%2FBg%3D%3D&RelayState=https%3A%2F%2Fnextcloud.contempt.htb%2Fapps%2Fuser_saml%2Fsaml%2Flogin Add adfs.contempt.htb to your /etc/hosts file for local DNS resolution.

The following users were in the nextcloud Domain Group, matrix.cross, viper.hollow, zero.summers, and cipher.stone.

On the nextcloud Hyper-V Virtual Machine :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
nc -nlvp 4444
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.251.205:49676.
bash: cannot set terminal process group (735): Inappropriate ioctl for device
bash: no job control in this shell
[root@nextcloud ~]#
[root@nextcloud ~]# ls -la
total 40
dr-xr-x---.  3 root root 4096 Jul 18 13:33 .
dr-xr-xr-x. 18 root root  251 Jul 18 13:27 ..
lrwxrwxrwx.  1 root root    9 May 25 08:43 .bash_history -> /dev/null
-rw-r--r--.  1 root root   18 May 11  2022 .bash_logout
-rw-r--r--.  1 root root  141 May 11  2022 .bash_profile
-rw-r--r--.  1 root root  429 May 11  2022 .bashrc
-rw-r--r--.  1 root root  100 May 11  2022 .cshrc
-rw-------.  1 root root   20 May 18 15:27 .lesshst
lrwxrwxrwx.  1 root root    9 May 25 08:42 .mysql_history -> /dev/null
drwx------.  2 root root    6 Jul 18 13:26 .ssh
-rw-r--r--.  1 root root  129 May 11  2022 .tcshrc
-rw-------.  1 root root  850 Jul 15 10:47 .viminfo
-rw-------.  1 root root 1156 May 16 13:03 anaconda-ks.cfg
-rw-r-----.  1 root root   41 Jul 15 10:47 user.txt
[root@nextcloud ~]# cat user.txt
HTB{1_nEveR_cL41m3D_t0_Be_4n_ss0_exPERt}

User Flag: HTB{1_nEveR_cL41m3D_t0_Be_4n_ss0_exPERt}

CVE-2023-21608 Adobe Reader Phishing Document

Phishing a Adobe Reader PDF document exploiting CVE-2023-21608 that was opened automatically by a aria.frost a domain administrative user.

The mail.contempt.htb was the mailserver.

CVE-2023-21608 Proof-of-Concept / Blog: https://github.com/hacksysteam/CVE-2023-21608/ https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608

The Adobe Reader Version: ![contempt_2](](/assets/img/contempt_2.png)

The following PowerShell script was running from C:\users\aria.frost\Documents\adobe.ps1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$directory = "C:\users\aria.frost\documents\reports\"

$pdfFiles = Get-ChildItem -Path $directory -Filter *.pdf

if ((Get-Scheduledtask -TaskName "Adobe Acrobat Update Task").State -ne "Disabled") {
    Disable-ScheduledTask -TaskName "Adobe Acrobat Update Task"
    }

if ((Get-Service -ServiceName "Adobe Acrobat Update Service" | select StartType) -ne "Disabled") {
    Set-Service -Name "AdobeARMservice" -StartupType Disabled
    }

foreach ($pdfFile in $pdfFiles) {
    & "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" $directory$pdfFile
    sleep 25
    Stop-Process -id (Get-Process -Name AcroRd32).Id
    sleep 1
    rm -Force $directory$pdfFile
}

Post-DA:

1
2
C:\users>type C:\users\Administrator\Desktop\root.txt
HTB{HeY_iv3_g0n3_phIsHINg_leav3_4_meSs4g3}

Root Flag: HTB{HeY_iv3_g0n3_phIsHINg_leav3_4_meSs4g3}

DNS ?

The administrator had a Powershell DNS cleanup script was running from C:\users\Administrator\Documents\dns_clean.ps1, so potentially a DNS exploitation was intended for something …

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
$zoneName = "contempt.htb"
$recordName = "dc01"
$recordIPAddress = "172.16.20.1"

$dnsService = Get-Service -Name "DNS"
$maxRetries = 10
$retryInterval = 5  # seconds
$retryCount = 0

# Wait for DNS service to start
while (($dnsService.Status -ne "Running") -and ($retryCount -lt $maxRetries)) {
    Write-Host "Waiting for DNS service to start..."
    Start-Sleep -Seconds $retryInterval
    $dnsService.Refresh()
    $retryCount++
}

if ($dnsService.Status -eq "Running") {
    $zone = Get-DnsServerZone -Name $zoneName

    if ($zone) {
        $record = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A -Name $recordName

        if ($record) {
            if ($record.RecordData.IPv4Address.IpAddressToString.Contains($recordIPAddress)) {
                Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A -Name $recordName -RecordData $recordIPAddress -Force
                Write-Host "A record deleted successfully."
            } else {
                Write-Host "A record not found in the specified zone."
            }
        } else {
            Write-Host "A record not found in the specified zone."
        }
    } else {
        Write-Host "Zone '$zoneName' not found."
    }
} else {
    Write-Host "DNS service did not start within the specified time."
}

Path Forward

Hopefully HTB releases this box so we can fully document the intentional path ! DM me if you have more notes/information on this machine.

This post is licensed under CC BY 4.0 by the author.