HTB | Authority
This is a Windows box. You can find it here.
Skills Learned
Cracking Ansible vaults
Exploiting PWM
Enumerating & Exploiting AD CS
ESC1
NMAP
IP: 10.10.11.222

SMB

There was a folder in the Development share which contains files for ADCS, LDAP, PWM and SHARE.


Let's download everything.
While looking for sensitive information, we found passwords.

LDAP

Port 80

Port 8443

Let's try https://IP:8443.
It redirects to /pwm/private/login, which appears to be an instance of an open-source password self-service application that can be used with LDAP in Active Directory environments.

The application is called PWM. When visiting the site, we get a popup showing that the application is in Configuration Mode.

Foothold/shell
On the login page, there are two options, "Configuration Manager" and "Configuration Editor".

Clicking on either of these leads to a page that asks for a password.

Shell as svc_ldap
When we enumerated the SMB shares, we saw the password Welcome1 for the username administrator in ansible_inventory.

Let's validate the credentials via crackmapexec.

It didn't work. Looking deeper, we found some Ansible Vault-encrypted passwords in defaults/main.yml.

Format and crack hashes
Let's try to crack these hashes. For this we copy the vault blobs into a file and convert them with ansible2john.

Now let's crack the resulting hashes. Since the hash file is in username:hash format, we have to use --user.

They all have the same password, !@#$%^&*, which makes sense since they are encrypted in the same Ansible file.
Decrypt
pipx install ansible-core installs a bunch of Ansible tools, including ansible-vault, which can decrypt the blobs with the password:

Configuration Manager and Editor
With the pwm_admin_password we were inside the Configuration Manager.

With the same credentials, we were in the Configuration Editor.

In the Configuration Editor we found the LDAP hostname and username.

Capture LDAP Creds
There are some cached credentials stored. To recover them, I’ll edit the URL to point at me, using cleartext LDAP rather than LDAPS (and using the default LDAP port 389):

I’ll listen with nc on 389 and click “Test LDAP Profile”:

Or we can use Responder.

Let's try to authenticate via netexec.

And we are in.

We found user.txt.

Priv Esc
Shell as Administrator
ADCS
It’s always worth enumerating ADCS on a Windows DC.
I will use Certipy; refer to this article for a better understanding of AD CS and how it is exploited.
I'll use the find command to identify templates, and with -vulnerable it will only show vulnerable templates:


At the bottom, it identifies a template named CorpVPN that is vulnerable to ESC1. In our case, Domain Computers can enroll with this template.
Create a fake computer
So we will add a fake computer, but before moving on, we can quickly confirm that the MachineAccountQuota is set to the default value of 10, so we should have no problem adding a computer account.
Having verified the MachineAccountQuota, we now add a computer account using addcomputer.py from Impacket.
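To make the ESC1 conditions above concrete from an auditing angle, here is an added Python example (not from the original writeup and not Certipy's code) that evaluates a constructed template record, modelled on CorpVPN, against them, and shows that turning off the enrollee-supplies-subject flag clears the finding. The record's field names and the CORPVPN values are assumptions for illustration.

```python
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers",
                    "Authenticated Users", "Everyone"}

# Constructed record modelled on the CorpVPN finding above; the field names
# are this example's own, not Certipy's output format.
CORPVPN = {
    "name": "CorpVPN",
    "enrollee_supplies_subject": True,
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
    "enrollment_rights": ["Domain Computers", "Domain Admins"],
}

def esc1_findings(template, machine_account_quota=10):
    """Return the ESC1 conditions a template meets; [] means not ESC1."""
    ekus = set(template["ekus"])
    checks = [
        ("requester supplies the subject, so the SAN can name any account",
         template["enrollee_supplies_subject"]),
        ("no manager approval required",
         not template["requires_manager_approval"]),
        ("no authorized signatures required",
         template["authorized_signatures_required"] == 0),
        ("EKU allows client authentication (an empty EKU list means any purpose)",
         not ekus or bool(ekus & CLIENT_AUTH_EKUS)),
        ("enrollment rights granted to a broad group",
         bool(set(template["enrollment_rights"]) & BROAD_PRINCIPALS)),
    ]
    met = [reason for reason, ok in checks if ok]
    if len(met) < len(checks):
        return []  # every condition must hold for ESC1
    # Domain Computers enrollment is reachable by any user only while
    # MachineAccountQuota lets them create a computer account.
    if "Domain Computers" in template["enrollment_rights"] and machine_account_quota > 0:
        met.append(f"Domain Computers can enroll and MachineAccountQuota="
                   f"{machine_account_quota} lets any domain user add a computer account")
    return met

def harden(template):
    """Hardened copy: the requester no longer controls the subject name."""
    return {**template, "enrollee_supplies_subject": False}
```

Setting MachineAccountQuota to 0 removes only the last finding; the template itself stays ESC1 until the subject flag is cleared or approval is required.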
Create Certificate
Since we have a computer on the domain, we can use Certipy to request the certificate:

Now that we have the certificate and private key for the administrator user, we use the auth command to get the administrator's NTLM hash.

According to this GitHub comment, the domain controller does not support PKINIT authentication (Kerberos authentication with a certificate). We can still authenticate through LDAPS (authentication through TLS) with the command: certipy auth -ldap-shell

From the available commands we use add_user_to_group to add svc_ldap to the Administrators group.

Now we reconnect with evil-winrm, and here we can see svc_ldap is in Administrators.

And we can read root.txt.
