Middle Camp
K2 - Are you able to make your way through the mountain? - by hadrian3689
The following post by 0xb0b is licensed under CC BY 4.0
We stop the first machine and start the second, and our enumeration process starts all over again. Another Nmap scan finds several Windows-related ports. This time there is no website; this seems to be a pure AD machine.
The ports include SMB, RDP, LDAP and Kerberos. After a default service and script scan, we can determine the machine's name: K2SERVER. We add K2SERVER.K2.THM to our /etc/hosts file.
As already mentioned on the main page, this room is effectively a small network: the machines are related to each other, and we need to pay attention to the note in the room description.
Use all of the information gathered from your previous findings in order to keep making your way to the top.
A good resource for an Active Directory enumeration methodology is the Orange Cyberdefense mindmap: https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg
So, what information do we have? We know the first and last names of at least two users. We can create a wordlist of possible usernames and use it to enumerate valid users with kerbrute.
After running kerbrute with the created wordlist we are able to spot two valid usernames.
In this writeup, I switch between the different tools because I'm not that experienced with this topic yet, and depending on the version or fork of a tool, the syntax may differ.
Besides usernames, we also found a lot of passwords. We now spray these against the target with the two users we found, and realize that the password we found in /home/rose/bash_history applies to r.bud.
Using evil-winrm, we can now log in to the machine with the username and password combination we determined. We have a foothold, but instead of a flag we find two notes. With our foothold, we can already answer the second question.
In the notes, we find a password policy and the previously used password of j.smith. Furthermore, we learn that the password for j.smith had to be changed. Since the user was unable to remember a new password, the old one was simply adapted to match the policy: the original contained only letters, so a number and a special character had to be added.
We write a script that prepends and appends different permutations of numbers and special characters to create a wordlist; alternatively, John the Ripper could be used to mangle a password list.
We generate the wordlist and use it with kerbrute for user j.bold.
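The defender's counterpart to the mangling step above, added here as an example (not the author's script and not the room's real policy): a password-change check that rejects a new password which is just the old one with digits or special characters bolted onto either end, even when it formally satisfies the policy. The policy values and sample passwords are constructed.

```python
import string

# Constructed policy for illustration; the room's real policy text is not reproduced here.
POLICY = {"min_length": 8, "require_digit": True, "require_special": True}

AFFIX_CHARS = string.digits + string.punctuation


def strip_affixes(pw):
    """Remove digits and special characters from both ends, leaving the letter core."""
    return pw.strip(AFFIX_CHARS)


def is_trivial_mutation(old, new):
    """True if new is old with digits/specials added at either end, or merely recased."""
    old_core = strip_affixes(old).lower()
    new_core = strip_affixes(new).lower()
    return bool(old_core) and old_core == new_core


def meets_policy(pw, policy=POLICY):
    """Return the list of policy rules the password fails (empty list = compliant)."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if policy["require_digit"] and not any(c in string.digits for c in pw):
        problems.append("missing digit")
    if policy["require_special"] and not any(c in string.punctuation for c in pw):
        problems.append("missing special character")
    return problems


def check_password_change(old, new, policy=POLICY):
    """Combine the formal policy with a history check against trivial affix mutations."""
    problems = meets_policy(new, policy)
    if is_trivial_mutation(old, new):
        problems.append("trivial mutation of previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: a letters-only old password and an "adapted" replacement.
    print(check_password_change("Welcome", "Welcome1!"))
    print(check_password_change("Welcome", "Sn0w-Ridge9"))
```

The first sample passes the formal policy yet is rejected by the history check, which is exactly the gap the room's user exploited.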
And we have the password for j.bold. Unfortunately, we cannot access the system as j.smith using evil-winrm. As the note says, RDP is also blocked for this user.
Now we use bloodhound-python, a tool that gathers Active Directory data with a focus on the relationships and attack paths between users, groups and computers. It collects information such as group memberships and user privileges, which can be visualized to identify potential privilege escalation opportunities.
Since the tool may not work properly if name resolution against the target fails, we use dnschef. DNSChef is a DNS proxy that allows intercepting and modifying DNS requests; in penetration testing it can redirect traffic or simulate DNS responses for specific domains.
After setting up DNSChef, we run bloodhound-python with the credentials of r.bud to gather Active Directory data and look for an exploit path.
Next, we start BloodHound to review the files and drop in the data we extracted.
And we find an interesting relation: the user j.bold is a member of IT STAFF 1, which has GenericAll permissions on j.smith.
By right-clicking on the GenericAll edge, we can view under the Linux Abuse tab how to make use of it. In short, we can force a password change with an RPC call.
We copy the command suggested by BloodHound and adapt it to set a new password for j.smith using the credentials of j.bold.
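The same relation, seen from the audit side: an added example (not the writeup's or BloodHound's code) that walks a simplified edge list, follows nested group membership and reports every principal that effectively holds GenericAll over another object, so such ACEs can be found and remediated. The edge format is a constructed simplification, not BloodHound's JSON schema; the j.bold, IT STAFF 1 and j.smith chain mirrors the finding above, while HELPDESK and A.USER are invented to show transitivity.

```python
from collections import defaultdict

# Constructed edges in a simplified (source, target, kind) form; NOT BloodHound's own
# JSON schema. HELPDESK and A.USER are invented to show nested membership.
EDGES = [
    {"source": "J.BOLD@K2.THM", "target": "IT STAFF 1@K2.THM", "kind": "MemberOf"},
    {"source": "IT STAFF 1@K2.THM", "target": "J.SMITH@K2.THM", "kind": "GenericAll"},
    {"source": "HELPDESK@K2.THM", "target": "IT STAFF 1@K2.THM", "kind": "MemberOf"},
    {"source": "A.USER@K2.THM", "target": "HELPDESK@K2.THM", "kind": "MemberOf"},
    {"source": "R.BUD@K2.THM", "target": "DOMAIN USERS@K2.THM", "kind": "MemberOf"},
]


def transitive_groups(edges):
    """Map every principal to all groups it belongs to, following nested membership."""
    direct = defaultdict(set)
    for e in edges:
        if e["kind"] == "MemberOf":
            direct[e["source"]].add(e["target"])

    def walk(principal, seen):
        for group in direct.get(principal, ()):
            if group not in seen:  # guard against membership cycles
                seen.add(group)
                walk(group, seen)
        return seen

    return {p: walk(p, set()) for p in direct}


def effective_generic_all(edges):
    """Return {principal: {targets}} for GenericAll held directly or through any group."""
    groups = transitive_groups(edges)
    direct_rights = defaultdict(set)
    for e in edges:
        if e["kind"] == "GenericAll":
            direct_rights[e["source"]].add(e["target"])
    findings = {}
    for principal in {e["source"] for e in edges}:
        targets = set()
        for holder in {principal} | groups.get(principal, set()):
            targets |= direct_rights.get(holder, set())
        if targets:
            findings[principal] = targets
    return findings


if __name__ == "__main__":
    for who, targets in sorted(effective_generic_all(EDGES).items()):
        print(f"{who} has GenericAll over: {', '.join(sorted(targets))}")
```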
After changing the password, we are able to log in as j.smith with the newly set password using evil-winrm. On the user's Desktop we find the user flag.
The privilege escalation vector could already be found using BloodHound and the data set we retrieved, but it can also be found locally.
With access as j.smith, we query the privileges we now have with whoami /priv. That user has the SeBackupPrivilege permission.
This allows access to the SAM and SYSTEM hives, which hold valuable hashes.
Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can’t be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.
With the following commands we save those hives and use evil-winrm to download them.
Next, we use impacket-secretsdump to dump the hashes. We get the local administrator hash and can use the second half of it (the NT hash) to log in using evil-winrm. With that output we are able to answer the fourth question of task 2.
Via pass-the-hash we log in as administrator and are able to retrieve the final flag.
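From the defender's side, the SeBackupPrivilege observation above is visible in the Security log: event 4672 lists the special privileges assigned at logon. The following added example (not from the writeup) flags any account that receives SeBackupPrivilege without being on an expected list and reports the logon type; the event lines are a constructed, simplified key=value rendering, not real EVTX output, and the allow list is an assumption.

```python
import re

# Constructed, simplified key=value rendering of Security events; real events are
# EVTX/XML. Account names and privilege sets are illustrative only.
SAMPLE_EVENTS = [
    "EventID=4672 Account=K2\\Administrator LogonType=3 "
    "Privileges=SeBackupPrivilege,SeRestorePrivilege,SeDebugPrivilege",
    "EventID=4624 Account=K2\\r.bud LogonType=3",
    "EventID=4672 Account=K2\\j.smith LogonType=3 "
    "Privileges=SeBackupPrivilege,SeRestorePrivilege",
    "EventID=4672 Account=K2\\j.smith LogonType=2 Privileges=SeChangeNotifyPrivilege",
]

# Accounts expected to hold backup rights (constructed allow list).
EXPECTED_BACKUP_ACCOUNTS = {"K2\\Administrator"}

EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+) Account=(?P<account>\S+) LogonType=(?P<ltype>\d+)"
    r"(?: Privileges=(?P<privs>\S+))?"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything unparsable."""
    m = EVENT_RE.fullmatch(line)
    if not m:
        return None
    privs = m.group("privs")
    return {
        "eid": int(m.group("eid")),
        "account": m.group("account"),
        "logon_type": int(m.group("ltype")),
        "privs": set(privs.split(",")) if privs else set(),
    }


def unexpected_backup_privilege(lines, allowed=EXPECTED_BACKUP_ACCOUNTS):
    """Flag 4672 events where SeBackupPrivilege lands on an account outside the allow list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != 4672:
            continue
        if "SeBackupPrivilege" in ev["privs"] and ev["account"] not in allowed:
            hits.append((ev["account"], ev["logon_type"]))
    return hits


if __name__ == "__main__":
    for account, ltype in unexpected_backup_privilege(SAMPLE_EVENTS):
        print(f"SeBackupPrivilege granted to {account} (logon type {ltype})")
```

A hit on a regular user over a network logon (type 3) is the signal to review Backup Operators membership, as the group's own documentation above notes it should normally be empty.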
Furthermore, we are able to retrieve the cleartext password of the administrator using netexec with the --dpapi switch, which could be interesting for later use. See Hiker's writeup:
DPAPI (Data Protection API) is a Windows feature used to encrypt sensitive data such as passwords, certificates and encryption keys. An attack on DPAPI involves retrieving the encrypted data from a compromised system and decrypting it with the system's master keys, which can often be extracted once administrative or elevated privileges are obtained.