In this post, I would like to share a walkthrough of the Search Machine from Hack the Box


This room has been considered difficulty rated as a Hard machine on Hack The box

What will you gain from Search machine?


For the user flag, you will use LDAP enumeration and are also required to unlock the excel file without a password to get credentials where later you will be used to access via smbclient.


As for the root flag, you need to abuse the Active Directory’s attack which will be leading to root privileges.

Information Gathering on Search Machine


Once we have started the VPN connection which requires download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.92 scan initiated Sat Jan  8 02:34:21 2022 as: nmap -sC -sV -oA intial -PN 10.10.11.129
Nmap scan report for search.htb (10.10.11.129)
Host is up (0.20s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Search &mdash; Just Testing IIS
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-08 02:51:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-01-08T02:52:43+00:00; +16m41s from scanner time.
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: Search &mdash; Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_ssl-date: 2022-01-08T02:52:42+00:00; +16m41s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-01-08T02:52:42+00:00; +16m41s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-01-08T02:52:43+00:00; +16m41s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-01-08T02:52:42+00:00; +16m41s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 16m40s, deviation: 0s, median: 16m40s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-01-08T02:52:05
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan  8 02:36:05 2022 -- 1 IP address (1 host up) scanned in 104.26 seconds

Let’s access the website interface to find any vulnerability that we can exploit 


The website interface will only show a login page, but we didn’t manage to obtain any credentials at all.


Let’s enumerate the website directory using gobuster tool.


Sadly, we didn’t notice any useful directories that we can use for further escalation.


Let’s roam the website again where we might find any hint to proceed further.

Finding any credentials available


We managed to sight a couple of names that we can use at least one of the credentials later.

Let’s see the source code of the website which contains a huge hint.

(Control + U is a shortcut to see the source code)


I have notice there’s a few jpg file that resides under /images/ directory. I was curious with those jpg file and decided to check the file.

The screenshot above is taken from Images/slide_1.jpg

The screenshot above is taken from Images/slide_2.jpg


I have noticed Hope Sharp is a new potential Username that we can add to the user’s list and the IsolationIsKey? can be considered as the password.


Therefore, we can obtain some information on Hope Sharp shares by running the command “crackmapexec smb search.htb -u Hope.Sharp -p ‘IsolationIsKey?’ –shares

Why i decided to use crackmapexec tool to obtain information?


I use crackmapexec because it’s a windows machine and the only tool that comes to my mind whenever I play windows machine.


Finally, we managed to access smb (Samba) via Hope Sharp Credentials.


There is a lot of usernames but sadly we cannot access any of that folder.

Bloodhound used to enumerate the shares on the search machine


We need to obtain information on Active Directory by using the Bloodhound tool.


Aside of that, we also notice that there’s a vhost “research” that is connected to the LDAP server.


We can use json file to see the graph on Bloodhound


We are required to start neo4j before we can use the Bloodhound tools


As a result, we have a wealth of information on the domain that we can analyze over here.


Let’s try to obtain information related to Service Principal’s Name using the Hope.Sharp Information is shown below


However, the result from that is giving us an error saying, “Clock skew too great“. We need to fix the error so that we can proceed with the next step.


We need to use “ntpdate <IP of DC>” command to fix the error.


As a result, we can get the web_svc hash as shown above


Let’s crack the hash by copy-paste the hash into a new file which later we will use hashcat


It depended on your computer on the duration of the crack


We managed to obtain @3ONEmillionbaby as a password for a certain username which you can verify successfully username via crackmapexec.


Moving fast forward, we can access the smb service via edgar.jacobs with the password that we found earlier.


Nothing useful inside the Download Directory


There’s an excel file called Phishing_Attempt.xlsx that is saved inside Edgar.Jacobs Desktop.


Let’s download the file into our own machine.

Phishing Attempt on Search Machine


The file is a Microsoft Excel 2007 with Marco used.


Let’s open the excel file and try to see what’s stored inside the file.


The file only username with firstname and lastname has been stored inside. However, the file is well-protected with the password.


We can retrieve the password by zipping the xlsx file format and unzip back that file which we will get something such as below


Based on my experience doing Pentesting, there should be an interesting file stored at /xl/worksheets/


Let’s open the file and see whether we can modify it so that we can read the Phishing_Attempt file without the password


I notice that there’s a sheetProtection which we can remove from the sheet2.xml file


Once we have finished removing the sheetProtection line, we can zip back the file by using the command “zip -r Phishing_unlock.xlsx .

(Actually, the filename doesn’t have to be Phishing_unlock.it can be anything you like)


The file has been saved as a new file as shown in the screenshot above.


It’s a decisive moment. I hope that we can read the password on the excel file without a password request


Finally, we managed to see the password.


Let’s enumerate the shares which can be used with the user ‘sierra.frye‘ credential


Voila! I have successfully accessed the smb using the sierra.frye credential.


Uwu! We found the user.txt when we accessed the sierra.frye folder


At last, we can read the user flag if you download the user flag via smb (mget user.txt)

Another method of obtaining the user flag


However, there’s another method that we can use to obtain the user flag


When we access the Sierra Frye Downloads folder, another folder is called Backups. There are two files that I am not sure about the extension that they used.


As a result, let’s download the file into our own machine to read the content of the file.


Oh wow! I never aware of the extension of data


Sadly, a credential is required so that the staff.pfx can be unlocked.


Let’s do some research on how to convert the pfx into a file that we can use to crack the password. At last, I did manage to find out the tool that can be used to convert it over here


Therefore, we can see the result of converting as shown above.

Image

Let’s execute the john cracking tool to retrieve the file password which is misspissy.


Let’s try to import the staff.pfx into our browser Certificate Manager.


We can enter the password earlier so that the browser can accept it.


On the browser, we can try to access the website URL (https://10.10.11.129/staff) which later a pop-up message will appear, and we can proceed by pressing the OK button.


A login page will appear just like shown in the screenshot above. We need to enter the Username, Password, and Computer name so that we can access the dashboard.


The credential which is required here is Siera Frye while research is the information on the computer name.


If we click the New Session, a new interface will be showing as below:


A windows PowerShell has been provided to us just shown above.

Escalate to Root Privileges on Search Machine


Based on the research from the BloodHound previously, we can assume there’s an Attack related to BIR-ASDF-GMSA


Let’s do some research on the attack’s method on the internet


The website above will be able to access here (credits to PayloadAllTheThing)


The command shown above will be used to abuse Tristan.Davies Privileges Access.


At last, the Tristan.Davies password has been changed by us previously.


The root flag has been stored inside the Desktop Folder.


We can read the root flag by downloading the file into our machine and using the normal command.


-THE END-


Happy Learning Guys!

Extra Information


We can use the secretdump.py command such as below so that we can unlock and read the write-up