In this post, I would like to share a walkthrough of the Search Machine from Hack the Box
This room has been considered difficulty rated as a Hard machine on Hack The box
What will you gain from Search machine?
For the user flag, you will use LDAP enumeration and are also required to unlock the excel file without a password to get credentials where later you will be used to access via smbclient.
As for the root flag, you need to abuse the Active Directory’s attack which will be leading to root privileges.
Information Gathering on Search Machine
Once we have started the VPN connection which requires download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
# Nmap 7.92 scan initiated Sat Jan 8 02:34:21 2022 as: nmap -sC -sV -oA intial -PN 10.10.11.129 Nmap scan report for search.htb (10.10.11.129) Host is up (0.20s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-title: Search — Just Testing IIS |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-08 02:51:20Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=research | Not valid before: 2020-08-11T08:13:35 |_Not valid after: 2030-08-09T08:13:35 |_ssl-date: 2022-01-08T02:52:43+00:00; +16m41s from scanner time. 443/tcp open ssl/http Microsoft IIS httpd 10.0 |_http-title: Search — Just Testing IIS | ssl-cert: Subject: commonName=research | Not valid before: 2020-08-11T08:13:35 |_Not valid after: 2030-08-09T08:13:35 | tls-alpn: |_ http/1.1 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_ssl-date: 2022-01-08T02:52:42+00:00; +16m41s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=research | Not valid before: 2020-08-11T08:13:35 |_Not valid after: 2030-08-09T08:13:35 |_ssl-date: 2022-01-08T02:52:42+00:00; +16m41s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=research | Not valid before: 2020-08-11T08:13:35 |_Not valid after: 2030-08-09T08:13:35 |_ssl-date: 2022-01-08T02:52:43+00:00; +16m41s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name) |_ssl-date: 2022-01-08T02:52:42+00:00; +16m41s from scanner time. | ssl-cert: Subject: commonName=research | Not valid before: 2020-08-11T08:13:35 |_Not valid after: 2030-08-09T08:13:35 Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 16m40s, deviation: 0s, median: 16m40s | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required | smb2-time: | date: 2022-01-08T02:52:05 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Jan 8 02:36:05 2022 -- 1 IP address (1 host up) scanned in 104.26 seconds
Let’s access the website interface to find any vulnerability that we can exploit
The website interface will only show a login page, but we didn’t manage to obtain any credentials at all.
Let’s enumerate the website directory using gobuster tool.
Sadly, we didn’t notice any useful directories that we can use for further escalation.
Let’s roam the website again where we might find any hint to proceed further.
Finding any credentials available
We managed to sight a couple of names that we can use at least one of the credentials later.
Let’s see the source code of the website which contains a huge hint.
(Control + U is a shortcut to see the source code)
I have notice there’s a few jpg file that resides under /images/ directory. I was curious with those jpg file and decided to check the file.
The screenshot above is taken from Images/slide_1.jpg
The screenshot above is taken from Images/slide_2.jpg
I have noticed Hope Sharp is a new potential Username that we can add to the user’s list and the IsolationIsKey? can be considered as the password.
Therefore, we can obtain some information on Hope Sharp shares by running the command “crackmapexec smb search.htb -u Hope.Sharp -p ‘IsolationIsKey?’ –shares“
Why i decided to use crackmapexec tool to obtain information?
I use crackmapexec because it’s a windows machine and the only tool that comes to my mind whenever I play windows machine.
Finally, we managed to access smb (Samba) via Hope Sharp Credentials.
There is a lot of usernames but sadly we cannot access any of that folder.
Bloodhound used to enumerate the shares on the search machine
We need to obtain information on Active Directory by using the Bloodhound tool.
Aside of that, we also notice that there’s a vhost “research” that is connected to the LDAP server.
We can use json file to see the graph on Bloodhound
We are required to start neo4j before we can use the Bloodhound tools
As a result, we have a wealth of information on the domain that we can analyze over here.
Let’s try to obtain information related to Service Principal’s Name using the Hope.Sharp Information is shown below
However, the result from that is giving us an error saying, “Clock skew too great“. We need to fix the error so that we can proceed with the next step.
We need to use “ntpdate <IP of DC>” command to fix the error.
As a result, we can get the web_svc hash as shown above
Let’s crack the hash by copy-paste the hash into a new file which later we will use hashcat
It depended on your computer on the duration of the crack
We managed to obtain @3ONEmillionbaby as a password for a certain username which you can verify successfully username via crackmapexec.
Moving fast forward, we can access the smb service via edgar.jacobs with the password that we found earlier.
Nothing useful inside the Download Directory
There’s an excel file called Phishing_Attempt.xlsx that is saved inside Edgar.Jacobs Desktop.
Let’s download the file into our own machine.
Phishing Attempt on Search Machine
The file is a Microsoft Excel 2007 with Marco used.
Let’s open the excel file and try to see what’s stored inside the file.
The file only username with firstname and lastname has been stored inside. However, the file is well-protected with the password.
We can retrieve the password by zipping the xlsx file format and unzip back that file which we will get something such as below
Based on my experience doing Pentesting, there should be an interesting file stored at /xl/worksheets/
Let’s open the file and see whether we can modify it so that we can read the Phishing_Attempt file without the password
I notice that there’s a sheetProtection which we can remove from the sheet2.xml file
Once we have finished removing the sheetProtection line, we can zip back the file by using the command “zip -r Phishing_unlock.xlsx .”
(Actually, the filename doesn’t have to be Phishing_unlock.it can be anything you like)
The file has been saved as a new file as shown in the screenshot above.
It’s a decisive moment. I hope that we can read the password on the excel file without a password request
Finally, we managed to see the password.
Let’s enumerate the shares which can be used with the user ‘sierra.frye‘ credential
Voila! I have successfully accessed the smb using the sierra.frye credential.
Uwu! We found the user.txt when we accessed the sierra.frye folder
At last, we can read the user flag if you download the user flag via smb (mget user.txt)
Another method of obtaining the user flag
However, there’s another method that we can use to obtain the user flag
When we access the Sierra Frye Downloads folder, another folder is called Backups. There are two files that I am not sure about the extension that they used.
As a result, let’s download the file into our own machine to read the content of the file.
Oh wow! I never aware of the extension of data
Sadly, a credential is required so that the staff.pfx can be unlocked.
Let’s do some research on how to convert the pfx into a file that we can use to crack the password. At last, I did manage to find out the tool that can be used to convert it over here
Therefore, we can see the result of converting as shown above.
Let’s execute the john cracking tool to retrieve the file password which is misspissy.
Let’s try to import the staff.pfx into our browser Certificate Manager.
We can enter the password earlier so that the browser can accept it.
On the browser, we can try to access the website URL (https://10.10.11.129/staff) which later a pop-up message will appear, and we can proceed by pressing the OK button.
A login page will appear just like shown in the screenshot above. We need to enter the Username, Password, and Computer name so that we can access the dashboard.
The credential which is required here is Siera Frye while research is the information on the computer name.
If we click the New Session, a new interface will be showing as below:
A windows PowerShell has been provided to us just shown above.
Escalate to Root Privileges on Search Machine
Based on the research from the BloodHound previously, we can assume there’s an Attack related to BIR-ASDF-GMSA
Let’s do some research on the attack’s method on the internet
The command shown above will be used to abuse Tristan.Davies Privileges Access.
At last, the Tristan.Davies password has been changed by us previously.
The root flag has been stored inside the Desktop Folder.
We can read the root flag by downloading the file into our machine and using the normal command.
Happy Learning Guys!
We can use the secretdump.py command such as below so that we can unlock and read the write-up