ℹ️
Just a note that my experience getting a foothold on this box was terrible due to the number of people competing for access at the same time.
Frequent resets, and the lengthy startup of the web server on
Frequent resets, and the lengthy startup of the web server on
tcp/80
made this a frustrating box.Initial Foothold Hint
- You can tell by looking at the port signature that this is an Active Directory Domain Controller, so your enumeration steps should follow the typical AD playbook
- On the web application on
tcp/80
, you'll note the application is split into two user types, be sure to explore the application from both perspectives- If you're having trouble logging in as one of the user types, think about something you could do to reset your account
- You should explore the application's full feature set. One user type has a particularly interesting feature enabled
- Look at the URL this feature points to and think about how you might be able to manipulate the URL to gain unintended access
- Once you've gained privileged access to the system, you should see a debug tool that should interest you
- Do some Googling about how you might abuse features and privileges of the system running in this debug tool
- If you research carefully, you should find a way to give yourself elevated access by way of impersonation
Privilege Escalation Hint
- Again, with this being an Active Directory Domain Controller, you'll need to focus on users with different access levels
- So, multiple lateral pivots before you can reach Domain Admin
- Again, you'll want to leverage your Active Directory playbook here, hunt for credentials and spray them around, see where you can get to next
- At one point, you'll also be looking at a memory dump analysis
- I'm going to be extra generous with this hint, because this was massive point of suffering for me. I simply could not get
volatility3
running on Kali, perhaps due to some Python conflicts.- You have some options:
- Look at the
MemProcFS
tool to mount the.dmp
file to a directory on Kali and useimpacket-secretsdump
to dump locally from registry hives. This was the easiest path for me, as it allowed me to accomplish the mission without leaving Kali. - Transfer the dump file to a Windows VM and use
windbg
andmimilib.dll
to extract the information fromlsass.exe
process in memory, but this ultimately didn't get me the information I needed. You could try loading a differentwindbg
extension to extract strings from the memory dump.
- Look at the
- You have some options:
- I'm going to be extra generous with this hint, because this was massive point of suffering for me. I simply could not get
- You should consider using Bloodhound to get an idea of any interesting permissions your next user has
- Googling the user's inherited permissions should bring up some interesting results
- If you're still struggling, see how you might be able to Delegate yourself some permissions and impersonate a privileged user
- From there, it should be simple enough to become domain admin by passing something around
Nmap Results
# Nmap 7.94SVN scan initiated Tue Jun 4 01:43:54 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.11.5
Nmap scan report for 10.10.11.5
Host is up (0.011s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-04 10:45:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
57551/tcp open msrpc Microsoft Windows RPC
57555/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-04T10:45:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 4 01:46:34 2024 -- 1 IP address (1 host up) scanned in 160.12 seconds
Looking at the ports running on the machine, this is looking like a Windows Domain Controller, so we'll also be employing the typical Active Directory enumeration playbook.
We can see the redirect to http://freelancer.htb
in the tcp/80
output, so let's go ahead and get that added to our /etc/hosts
file.
echo -e '10.10.11.5\tfreelancer.htb' | sudo tee -a /etc/hosts
⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.