Authority is a medium-difficulty Windows machine that highlights the dangers of misconfigurations, password reuse, storing credentials on shares, and demonstrates how default settings in Active Directory (such as the ability for all domain users to add up to 10 computers to the domain) can be combined with other issues (vulnerable AD CS certificate templates) to take over a domain.
Nmap Scan
Summary
hosts file
After discovering the open ports and updating the /etc/hosts file, I will move on to enumerate the running services one by one.
HTTP Enumeration
Visiting http://authority.htb/ shows me the default IIS web page.
When I tried to fuzz the website, I didn't get anything for either directories or files, so I will move on to the web app on port 8443.
When I visit the site at http://authority.htb:8443/, it tells me it needs TLS, so I will try to access it over HTTPS.
When I visit the same URL over HTTPS, I'm redirected to https://authority.htb:8443/pwm/private/login
This message states that the web app is in Configuration mode, which allows updating the configuration without LDAP authentication.
There are also two buttons here, and both of them lead to the same page.
I can see an LDAP distinguished name here with the username svc_pwm and the DC htb.corp
When I tried to authenticate with *:* (for LDAP injection testing), I got an error that reveals another username, svc_ldap. I get the same error with any other credentials.
From here I can't do much, so I will move on to the other services (SMB, Kerberos, etc.)
Kerberos Enumeration
Unfortunately, this user can't be AS-REP roasted.
SMB & RPC Enumeration
No data from RPC.
Here I can see I have READ access on the Development share.
There are several files in this share, but none of them are useful on their own. I can also see an ADCS folder, which might be an indicator that a PKI exists.
I found several files containing passwords, but none of them worked.
Under PWM/defaults/, there is a file containing Ansible Vault secrets.
I ran the command and it asked for a password, so I supplied Welcome1 (found earlier) as the password, but it gave me this error.
I realised I had done something wrong: I should extract the hashes of these secrets and crack them to get the correct password.
Modify the output hashes to match this format:
Cracking with hashcat's auto-detect hash mode gives me the same password for all three hashes.
I followed this post to decrypt the secrets: first I need to install the ansible package to use the ansible-vault command.
I tried several combinations of usernames and passwords. Only this one worked.
I checked for lab access and got access denied.
I realised that this is a dead end because svc_pwm can't authenticate to LDAP either. I will try the credentials against the web app on port 8443.
The password worked on the Configuration Manager tab only, not on the main login form.
Under Configuration Editor, there is a Connection tab with several fields, and I can see that the svc_ldap user's credentials are stored on the server and used to connect to ldaps://authority.authority.htb:636. So if I change this value to my host's IP, I can capture the credentials.
And then click on Test LDAP Profile.
Now I have a valid domain account, access to WinRM, and I know that ADCS exists.
User Flag: 394683251efed7605f3dfa7c20d37ad1
Since ADCS exists, I will check for vulnerable templates with Certipy
Domain Computers can abuse ESC1 to get Domain Admin privileges by specifying a "subject alternative name" of a privileged user in the domain (Administrator), and I can create a computer account if the machine account quota is not set to zero.
The value is 10, so I can add a new computer account.
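As an added example (not code from the original writeup), here is a Python audit check that encodes the two conditions the post chains together: a template whose enrollee supplies the subject and which grants enrollment to Domain Computers, combined with a non-zero ms-DS-MachineAccountQuota. The template dictionaries and SIDs are constructed samples; in a real audit the attributes would be read from the template object and the enrollment SIDs from the Enroll ACEs in its security descriptor.

```python
# Added example, not part of the original writeup: an offline check that encodes the
# ESC1 + MachineAccountQuota chain used in the post, for auditing template objects.
# Attribute names are the real AD CS schema names; flag bits and EKU OIDs are the
# documented constants. The template dicts and SIDs below are constructed samples.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers

def rid(sid: str) -> str:
    """Last sub-authority of a SID, e.g. '515' for Domain Computers."""
    return sid.rsplit("-", 1)[-1]

def esc1_findings(template: dict, machine_account_quota: int) -> list:
    """Return the reasons a template is ESC1-exposed; an empty list means it is not."""
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []  # enrollee cannot choose the subject/SAN, so ESC1 does not apply
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []  # manager approval blocks automatic issuance
    if template.get("msPKI-RA-Signature", 0) > 0:
        return []  # an authorized signature is required on the request
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if ekus and not ekus & AUTH_EKUS:
        return []  # the certificate could not be used to log on
    findings = []
    for sid in template["enrollment_sids"]:  # principals with Enroll rights (from the ACL)
        if sid in LOW_PRIV_SIDS or rid(sid) in LOW_PRIV_RIDS:
            findings.append(f"{sid} can enroll and supply an arbitrary SAN")
        if rid(sid) == "515" and machine_account_quota > 0:
            findings.append(f"Domain Computers can enroll and ms-DS-MachineAccountQuota="
                            f"{machine_account_quota}: any domain user can join a computer first")
    return findings

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_TEMPLATE = {  # constructed; mirrors the misconfiguration described in the post
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_sids": [f"{DOMAIN}-515", f"{DOMAIN}-512"],  # Domain Computers, Domain Admins
}
HARDENED_TEMPLATE = dict(SAMPLE_TEMPLATE, **{"msPKI-Certificate-Name-Flag": 0})  # CA builds the subject
```

The fix the check points at is the same one the templates' design implies: clear ENROLLEE_SUPPLIES_SUBJECT (or require manager approval) on authentication-capable templates, and set ms-DS-MachineAccountQuota to 0 so ordinary users cannot become Domain Computers.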
Request Certificate as Administrator
I get KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type), which means PKINIT authentication is not implemented, but fortunately Certipy has the -ldap-shell option.
I changed the password of the DC machine account instead of the Administrator's, to minimize the damage.
Dump the NTDS secrets to get the Administrator hash.
Access the machine now :))
Root Flag: 1c920b7d7e0303262573017ecc5e09d0