Reel2 — HackTheBox Writeup

device
Mar 15, 2021

Reel2 is a Windows machine that involves stealing a NetNTLMv2 hash through the Outlook Web App, bypassing a restricted PowerShell session, abusing a JEA (Just Enough Administration) custom command to read files that are otherwise restricted on the machine, and using MySQL queries to gain administrator/root access.

I. Initial Reconnaissance and Enumeration

I performed an nmap aggressive scan to get detailed information regarding the operating system of the target host and the open ports/services.

nmap -A <IP> -oN <filename>

Port 80 only serves the default IIS web server page, so I focused on ports 443 and 8080. Port 443 hosts an Outlook Web App.

Outlook Web Application

To identify the OWA version or service pack, check the page's source code: as you can see in the image below, the version/service pack is 14.0.639.21.

Version 14.0.639.21

On port 8080 there is a Wallstant application, an open source social network written in PHP.

I ran another directory scan on port 8080 to look for directories that could give me an initial foothold on the target host. I went straight to the /_database directory, but it only contains the database dump that has to be imported to install the web application.

I used gobuster to run the directory scan against the web application.

I signed up on the web application and found potential users who might also have an account on the Outlook Web App, which could be targeted with phishing or password brute-forcing.

I made a list of possible username formats that might apply to accounts on the Outlook Web App.

List of possible users

I noticed that the users cube and svensson both quoted the same post, "2020". If you have played CTF challenges for a while, you know this is likely a password hint: common passwords often start with a year or a season. So I guessed that the users in the image above might be using a password containing one of the following words:

  • summer
  • 2020
  • fika
List of possible passwords

I used ruler to brute-force the web app. It is a tool for interacting with Exchange servers remotely and has several functions, such as enumerating valid users and creating client-side mail rules.

I had to lower the thread count because the target host kept dropping connections.

II. Stealing a user's NTLM hash through Outlook Web App and bypassing PowerShell Constrained Language mode

I was able to log in to OWA with s.svensson's account, and as you can see in the image below, the default language was set to Swedish. I use Firefox ESR, which has no built-in translator like Chrome, so I installed a translator extension to navigate the web app more easily.

I didn't find any emails in the inbox, so I started Responder and sent phishing emails to every user in the Global Address List.

Within a minute of sending the phishing email, I received the Net-NTLMv2 hash of user k.svensson.

Then I immediately cracked k.svensson’s hash using John The Ripper.

I used the credentials to log in to the target host remotely with evil-winrm; however, that gave me an error, so I used a PSSession from pwsh on my local machine instead.

Entering basic commands gave me an error:

I realized that I might be restricted by Just Enough Administration (JEA), because there is a user called jea_test_account in the address list. According to Microsoft's documentation, JEA is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, a system administrator can:

  • Reduce the number of administrators on your machines by granting them specific privileges
  • Limit what users can do by specifying which cmdlets, functions, and external commands they can run.

As you can see in the image below, I can only use a limited set of commands, and the session is in ConstrainedLanguage mode.

According to the Constrained Language documentation, "All elements of the PowerShell scripting language are permitted." So I tried defining a function with a basic command inside it, and it worked.

I escaped this restriction by defining a function that downloads an nc.exe file from my machine and executes it on the remote machine.

Inside k.svensson's Documents folder there are two JEA configuration files. The first one (.psrc) defines the session configuration of user jea_test_account. The second one (.pssc) defines the set of capabilities of user jea_test_account.

According to the .psrc file, the role defined for jea_test_account is set to RunAsVirtualAccount, which basically means that jea_test_account will have administrative capabilities. In addition, the session is configured in NoLanguage mode, meaning no script text of any form is permitted, so the method I used to bypass ConstrainedLanguage mode won't work here.

In the .pssc file, user jea_test_account is allowed to use a custom function that reads file contents from the D:\ drive and the C:\ProgramData directory. But before I can use this function, I have to log in as jea_test_account first.

FunctionDefinitions = @{
    'Name'        = 'Check-File'
    'ScriptBlock' = {
        param($Path, $ComputerName = $env:COMPUTERNAME)
        [bool]$Check = $Path -like 'D:\*' -or $Path -like 'C:\ProgramData\*'
        if ($Check) { Get-Content $Path }
    }
}
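The Check-File function above decides whether a path is permitted by running a wildcard comparison on the raw string the caller supplied, before the file system has resolved it. The following is an added example, not the Reel2 machine's own .psrc/.pssc files: it builds a JEA role capability and session configuration of the kind the writeup describes (NoLanguage, RunAsVirtualAccount, one custom function), but the function validates the canonical, resolved path against the allow-list and refuses reparse points. The module name JEAFileReader, the role name FileReader, the transcript directory and the principal DOMAIN\jea_test_account are assumptions for illustration.

```powershell
# Added example: hardened JEA file-reader role and session configuration.
# Not the box's own configuration; names below are placeholders.

# Role capability files are discovered from a RoleCapabilities folder of a
# module on $env:PSModulePath (module name JEAFileReader is an assumption).
$roleDir = 'C:\Program Files\WindowsPowerShell\Modules\JEAFileReader\RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

$hardenedCheckFile = @{
    Name        = 'Check-File'
    ScriptBlock = {
        param([Parameter(Mandatory)][string]$Path)

        # Directories the role is allowed to read from (same two as the writeup).
        $allowedRoots = @('D:\', 'C:\ProgramData\')

        # GetFullPath collapses '.' and '..' segments and yields an absolute path,
        # so the allow-list is compared against what the file system will open.
        $full = [System.IO.Path]::GetFullPath($Path)

        $permitted = $false
        foreach ($root in $allowedRoots) {
            if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $permitted = $true
                break
            }
        }
        if (-not $permitted) {
            throw "Check-File: '$Path' resolves outside the permitted directories."
        }

        # -LiteralPath prevents wildcard expansion; -Force includes hidden items.
        $item = Get-Item -LiteralPath $full -Force -ErrorAction Stop
        if ($item.PSIsContainer) {
            throw "Check-File: '$full' is a directory, not a file."
        }
        # Refuse symlinks/junctions, which could point outside the allowed roots.
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            throw "Check-File: '$full' is a reparse point and will not be followed."
        }

        Get-Content -LiteralPath $full
    }
}

# Role capability (.psrc): the role sees only the hardened function.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'FileReader.psrc') `
    -FunctionDefinitions $hardenedCheckFile

# Session configuration (.pssc): NoLanguage so no script text is accepted,
# a virtual account for the privileged work, and transcripts for auditing.
$psscPath = Join-Path $env:TEMP 'JEAFileReader.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{
        # Placeholder principal; substitute the real user or group.
        'DOMAIN\jea_test_account' = @{ RoleCapabilities = 'FileReader' }
    }

# Register the endpoint; users then connect with -ConfigurationName JEAFileReader.
Register-PSSessionConfiguration -Name JEAFileReader -Path $psscPath -Force
```

Two design points: the comparison is made on the output of GetFullPath rather than on the caller's string, so the allow-list and the file that is actually opened agree; and the function throws rather than silently returning nothing, so a denied request shows up in the session transcript. GetFullPath does not resolve junctions in parent directories, so in a real deployment the allowed roots themselves should not be writable by the delegated users.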

There is a Sticky Notes file in k.svensson's Desktop directory. People tend to store credentials in sticky notes.

Sticky Notes application is running

I went through the AppData directory, where application data is usually stored, checked the contents of the Sticky Notes log file, and displayed it as hex values; that revealed the credentials of jea_test_account.

jea_test_account:Ab!Q@vcg^%@#1

Now that I had jea_test_account's credentials, I used the custom command Check-File to read files that cannot be accessed as user k.svensson.

For the root shell, I’ll write a separate writeup when I have time. Thank you for reading!


Written by device

Just another script kiddie