HTB - LogonShell Writeup

Liam Geyer

👾 Machine Overview

LogonShell is a very easy difficulty machine from HTB that features well-known vulnerabilities in Microsoft Exchange.

πŸ” Enumeration

I started by running an initial nmap scan of the machine.

nmap -sV -sC 10.129.227.141    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 09:26 EDT
Nmap scan report for 10.129.227.141
Host is up (0.23s latency).
Not shown: 973 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
| smtp-commands: dc.edelweiss.htb Hello [10.10.14.3], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8, XRDST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
81/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 13:27:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
|_http-server-header: Microsoft-IIS/10.0
444/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Runtime Error
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
| smtp-commands: dc.edelweiss.htb Hello [10.10.14.3], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
808/tcp open ccproxy-http?
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after: 2027-10-30T13:36:06
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6502/tcp open msrpc Microsoft Windows RPC
6543/tcp open msrpc Microsoft Windows RPC
6565/tcp open msrpc Microsoft Windows RPC
6689/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: dc.edelweiss.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 3s
| smb2-time:
| date: 2024-05-29T13:28:35
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.55 seconds

It appears to be a domain controller for edelweiss.htb that is also running Exchange.
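The conclusion above (a DC that also hosts Exchange) can be pulled out of the scan mechanically. The following is an added example, not part of the original writeup: it parses nmap's normal output format and reports the host role and the Exchange exposure a defender would want flagged. The sample text is constructed from a handful of lines of the scan shown above; the `0.` suffix on the LDAP domain is how nmap printed it here and is stripped as an assumption.

```python
import re

# Constructed sample: lines copied from the nmap -sV -sC output in this writeup.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 13:27:35Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
444/tcp open ssl/http Microsoft IIS httpd 10.0
587/tcp open smtp Microsoft Exchange smtpd
Service Info: Hosts: dc.edelweiss.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Matches "port/proto state service version..." lines of nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line: port, proto, state, service, version."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5)})
    return ports


def triage(text):
    """Summarise what the scan implies about the host's role and exposure."""
    open_ports = [p for p in parse_ports(text) if p["state"] == "open"]
    services = {p["port"]: p for p in open_ports}
    # A domain controller answers Kerberos (88) and Active Directory LDAP.
    is_dc = 88 in services and any(p["service"].endswith("ldap") for p in open_ports)
    exchange = any("Microsoft Exchange" in p["version"] for p in open_ports)
    m = re.search(r"Domain:\s*([^,]+)", text)
    # Assumption: the LDAP banner shows "edelweiss.htb0.", so drop the trailing "0.".
    domain = m.group(1).rstrip("0.") if m else None
    findings = []
    if is_dc and exchange:
        findings.append("Exchange is co-located on a domain controller: a SYSTEM-level "
                        "Exchange compromise is a compromise of the DC itself.")
    for port in (443, 444):
        if port in services and "IIS" in services[port]["version"]:
            findings.append(f"{port}/tcp: IIS on an Exchange host, web endpoints are reachable.")
    return {"is_dc": is_dc, "exchange": exchange, "domain": domain, "findings": findings}
```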

Anonymous SMB and LDAP had little to nothing.

OWA Login

The website on port 443 has an OWA login page.

Error Page

The website on port 444 brings us to an error page.

I wasn’t able to enumerate the version of the Exchange server; I tried via nc, etc.

nc -vn 10.129.227.141 25
(UNKNOWN) [10.129.227.141] 25 (smtp) open
220 dc.edelweiss.htb Microsoft ESMTP MAIL Service ready at Sat, 13 Jul 2024 21:10:07 -0700

The name of the machine makes me want to try ProxyLogon, which results in pre-authenticated RCE. The catch is that it requires a valid email address on the domain, which we don’t currently have.

MSF Check

The metasploit module scanner/http/exchange_proxylogon confirmed that this host should be vulnerable.

📌 Exploitation

I decided to give ProxyShell and ProxyLogon a shot, because ProxyShell doesn’t need a valid email, and I was hoping it might be able to enumerate some emails.

ProxyShell Attempt

Sadly, that was not the case. I decided to try ProxyLogon with a couple of emails that could potentially be valid. We don’t have any username information, but [email protected] and [email protected] are a pretty safe bet.

ProxyLogon Success

windows/http/exchange_proxylogon_rce was successfully able to pop a Meterpreter session using the [email protected] email. The session starts as NT AUTHORITY\SYSTEM, so I used it to grab both flags.

Running as SYSTEM

Grabbing the Flags

  • Title: HTB - LogonShell Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-18 00:00:00
  • Updated at : 2024-09-10 21:05:23
  • Link: https://lfgberg.org/2024/07/18/htb/logon-shell/
  • License: This work is licensed under CC BY-NC-SA 4.0.