Initial Foothold Hint
- The target is an Active Directory domain controller, so the typical AD playbook will apply here
- You don't have to be a web assembly expert to find the exploit
- Instead, focus on the interesting files your client has access to. You should see them in your proxy history. These are not your typical web files.
- Keep in mind that WASM is a way to provide lower-level system access via the web browser. So, you're looking at compiled binaries.
- Instead, focus on the interesting files your client has access to. You should see them in your proxy history. These are not your typical web files.
- Once you gain access to the admin part of the web server, pay careful attention to the wording on the landing page
Privilege Escalation Hint
- Depending on the extent and quality of your post-exploit enumeration, you may find several early hints on the file system pointing to your next moves
- Remember, this is an Active Directory domain controller, so focus on enumeration steps with this in mind
- Lateral Pivot 1
- This will be a test of your enumeration, look all around the host for access your current user has
- Think about some specific features that might be useful when a user logs in
- Lateral Pivot 2
- Did you notice anything interesting in your earlier Bloodhound enumeration?
- It should be pretty obvious how you become admin from here
ℹ️
For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.
Nmap Results
# Nmap 7.94SVN scan initiated Tue Jul 2 14:59:10 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.11.22
Nmap scan report for 10.10.11.22
Host is up (0.020s latency).
Not shown: 65507 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-02 19:00:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info:
| 10.10.11.22\BLAZORIZED:
| Instance name: BLAZORIZED
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1115.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
| TCP port: 1433
|_ Clustered: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-02T06:33:04
|_Not valid after: 2054-07-02T06:33:04
| ms-sql-ntlm-info:
| 10.10.11.22\BLAZORIZED:
| Target_Name: BLAZORIZED
| NetBIOS_Domain_Name: BLAZORIZED
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: blazorized.htb
| DNS_Computer_Name: DC1.blazorized.htb
| DNS_Tree_Name: blazorized.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-07-02T19:01:43+00:00; +1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49707/tcp open msrpc Microsoft Windows RPC
49776/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info:
| 10.10.11.22:49776:
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1115.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
|_ TCP port: 49776
| ms-sql-ntlm-info:
| 10.10.11.22:49776:
| Target_Name: BLAZORIZED
| NetBIOS_Domain_Name: BLAZORIZED
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: blazorized.htb
| DNS_Computer_Name: DC1.blazorized.htb
| DNS_Tree_Name: blazorized.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-07-02T19:01:43+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-02T06:33:04
|_Not valid after: 2054-07-02T06:33:04
59169/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-02T19:01:35
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 2 15:01:44 2024 -- 1 IP address (1 host up) scanned in 153.30 seconds
💡
Looking at the ports on the box, it's obvious that this is a domain controller. We also see some references to
blazorized.htb
and DC1.blazorized.htb
, so let's go ahead and get that added to our /etc/hosts
file.echo -e '10.10.11.22\tDC1.blazorized.htb blazorized.htb' | sudo tee -a /etc/hosts
⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.