HackTheBox - Pathfinder Writeup
Box author: egotisticalSW
Enumeration
- scan top 1000 ports
- the result
- scan all ports
- the result
Open Ports
- Well, that's a lot of open ports from just the quick scan. Looks like this is a Domain Controller.
Hosts
- First, I'm gonna add MEGACORP.LOCAL into the /etc/hosts file
LDAP
Description
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
LDAPsearch
- Enumerate LDAP (Lightweight Directory Access Protocol) by using the tool called ldapsearch
LDAP QUERY [ldapsearch]
- Let's query this LDAP by using ldapsearch with this command
- Source
- the result
LDAP DUMP [ldapsearch]
- Let's dump all with this command
- Source
- the result
- well, the operation returned an error
- lucky for me, I've got sandra's credentials from the previous box, Shield. Let's try binding with those creds
- the result
- the output is pretty much crazy (huge); above was just a snippet of it ;)
- so, I'm gonna save it in a file called ldump_all
LDAP DUMP USER [ldapsearch]
- Let's dump all the users and save them in a file called ldump_users
- Source
- the result
- Finally, we've got all the users
- Well, I can't find anything useful
- So, I went to the internet searching for a tool for dumping users from LDAP
- Finally, I found one that works
LDAP DUMP [ldapdomaindump]
- Let's dump all the users
- Before I run the command, I'm gonna make a folder real quick called ldap_dumps
- Source
- the command above dumps everything into the folder called ldap_dumps
- the result: we've got a lot of files
- let's take a look at domain_users.html
Kerberos
Description
Kerberos (/ˈkɜːrbərɒs/) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades.
Kerberos - [DONT_REQ_PREAUTH]
Impacket [GetNPUsers.py]
Note
This script will attempt to list and get TGTs for those users that have the property "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH).
- The svc_bes user has a very unique flag that states DONT_REQ_PREAUTH
- With that flag set, I'm gonna use the impacket tool called GetNPUsers.py
- The output will be saved in a file called svc_bes.hash in John-The-Ripper [JtR] format.
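The DONT_REQ_PREAUTH flag that made svc_bes interesting is just one bit (0x400000) of the userAccountControl attribute that the ldapsearch user dump already contained. From the defender's side, the same dump is enough to audit a domain for such accounts before anyone runs GetNPUsers.py against it. The following Python script is an added example written for this writeup (not code from the box, Impacket, or the author); it parses a constructed ldapsearch/LDIF-style dump for a fictional example.local domain, decodes the userAccountControl bits, and lists every account with pre-authentication disabled together with whether the account is still enabled.

```python
"""Audit an ldapsearch (LDIF) user dump for accounts that do not require
Kerberos pre-authentication (UF_DONT_REQUIRE_PREAUTH).
Added example for this writeup; the entries below are constructed sample
data for a fictional example.local domain, not the box's real directory."""
import re

# userAccountControl bit flags as documented by Microsoft (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
}
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed LDIF output (what ldapsearch prints), three fictional accounts:
#   alice      -> normal account, password never expires
#   svc_backup -> same, plus DONT_REQ_PREAUTH (roastable and enabled)
#   old_svc    -> DONT_REQ_PREAUTH but the account is disabled
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 66048

dn: CN=svc_backup,CN=Users,DC=example,DC=local
sAMAccountName: svc_backup
userAccountControl: 4260352

dn: CN=old_svc,CN=Users,DC=example,DC=local
sAMAccountName: old_svc
userAccountControl: 4194306
"""


def parse_ldif(text):
    """Split LDIF text into entries (dicts); blank lines separate entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def decode_uac(value):
    """Return the names of the known userAccountControl bits set in value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_preauth_disabled(ldif_text):
    """Return (sAMAccountName, enabled) for every account with DONT_REQ_PREAUTH set."""
    findings = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UF_DONT_REQUIRE_PREAUTH:
            enabled = not (uac & UF_ACCOUNTDISABLE)
            name = entry.get("sAMAccountName", entry.get("dn", "?"))
            findings.append((name, enabled))
    return findings


if __name__ == "__main__":
    for sam, enabled in find_preauth_disabled(SAMPLE_LDIF):
        state = "ENABLED" if enabled else "disabled"
        print(f"{sam}: pre-auth not required ({state}) flags={decode_uac(int(sam and 0) or 0)}")
```

Run it against the text file saved from ldapsearch (the ldump_users file in this writeup) instead of SAMPLE_LDIF to get the same report for a real domain. Enabled hits are the ones to fix: clearing the flag (in PowerShell, Set-ADAccountControl -DoesNotRequirePreAuth $false on the account) removes the AS-REP roasting exposure without touching the service itself.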
John-The-Ripper
- Use JtR for cracking the file
- the result
- Now, we've got the svc_bes user's password
Foothold/Gaining Access
Evil-Winrm
- The Nmap scan shows us the winrm port is open [port 5985]
- Source
- Let's try connecting to this machine with those creds by using Evil-winrm
- Source
User Flag
Privilege Escalation
DCSync Attack
Description
DCSync is a credential dumping technique that can lead to the compromise of individual user credentials, and more seriously as a prelude to the creation of a Golden Ticket, as DCSync can be used to compromise the krbtgt account's password.
- Source
Impacket [SecretsDump.py]
Description
Performs various techniques to dump hashes from the remote machine without executing any agent there.
- Source
- I'm gonna run secretsdump.py with this command
- the result
- We managed to dump all the users' hashes
- The most important hash is the Administrator hash
- Do we crack it?
- Actually… We can log in as Administrator by using the password hash itself, with another Impacket script called psexec.py
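What secretsdump.py does here is a directory replication request, so the detection point is the domain controller itself: with "Audit Directory Service Access" enabled and a SACL on the domain object, each replication request is logged as Security event 4662 whose Properties field names the DS-Replication-Get-Changes extended rights by GUID. The script below is an added example written for this writeup (not code from the box or from Impacket); it runs over a handful of constructed 4662/4624 events, flattened the way a SIEM would expose them, for a fictional EXAMPLE domain with one known domain controller DC01$, and raises an alert when a non-DC account requests those replication rights.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 data.
Added example for this writeup; the events below are constructed samples for a
fictional EXAMPLE domain, not logs taken from the box."""
import re

# Extended-right GUIDs a DCSync needs (documented Active Directory control access rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

# Constructed events. The first is a real DC replicating (benign), the second is a
# plain user account requesting the same rights (the DCSync pattern), the third is an
# unrelated 4662 with a made-up attribute GUID, the fourth is not a 4662 at all.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "EXAMPLE",
     "AccessMask": "0x10",
     "Properties": "Write Property {deadbeef-0000-4000-8000-000000000001}"},
    {"EventID": 4624, "SubjectUserName": "alice", "SubjectDomainName": "EXAMPLE"},
]

# Accounts expected to replicate: domain controllers (plus any directory-sync service
# account such as an Azure AD Connect account, added per environment).
KNOWN_REPLICATORS = {"DC01$"}


def replication_rights(event):
    """Return the names of replication rights referenced by a 4662 event's Properties."""
    if event.get("EventID") != 4662:
        return []
    guids = [g.lower() for g in GUID_RE.findall(event.get("Properties", ""))]
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def detect_dcsync(events, known_replicators):
    """Alert on replication requests made by accounts that are not expected to replicate."""
    allowed = {name.upper() for name in known_replicators}
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        who = ev.get("SubjectUserName", "?")
        if who.upper() in allowed:
            continue
        alerts.append({"user": f"{ev.get('SubjectDomainName', '')}\\{who}", "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"possible DCSync by {alert['user']}: {', '.join(alert['rights'])}")
```

The allow-list is the important design choice: domain controllers replicate constantly, so a rule that only matches the GUIDs will page on every DC. Keying the exception on the machine accounts (and documented sync accounts) keeps the rule quiet until a user or service account that should never hold replication rights asks for them, which is exactly the situation this writeup's svc_bes session produced.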
Impacket [psexec.py]
Description
PSEXEC-like functionality example using RemComSvc. With the help of this python script we can use this module for connecting to the host machine remotely.
- Source
- IppSec - Performing a Pass The Hash with the administrator user using PSExec
- IppSec - Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access
- Hacking Articles - Remote Code Execution Using Impacket
- InfosecMatter - RCE on Windows from Linux Part 1: Impacket
- I will run this command
- the result
Admin flag
Conclusion
I've learned a lot today. I'm new to AD/Domain Controller hacks, or whatever you want to call it :). This machine was so fun and I've gained a lot of knowledge from it. Do not rely on one tool only; you need to explore, find other tools and understand them. Lastly, it is important to configure user accounts correctly and securely. Before I forget: again, do not put any credentials on a non-secure machine, and if it happens anyway, change the password quickly.
I had a fun time doing this machine and I hope you guys do too. Bye ;)