In this post, I would like to share a walkthrough of the Absolute Machine from Hack the Box


This room will be considered an Insane machine on Hack the Box

What will you gain from the Absolute machine?


For the user flag, you will need to abuse the vulnerability with AS-REP-Roast to retrieve credentials and figure out the username format. We are required to perform an enumeration on LDAP service on the machine in which we found a new credential. As a result, we should use Linux commands to add the user(m.lovegod) into the network group in the domain controller.


As for the root flag, you only need to use a bunch of tools such as KrbRelayUP ,Rubues, and RunasCS to finally obtain the admin account hashes which we will use it in evil-winrm process

Information Gathering on Absolute Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/Absolute]
└──╼ $sudo nmap -sC -sV 10.10.11.181 -oA initial 
[sudo] password for darknite: 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-04 06:34 EDT
Nmap scan report for 10.10.11.181
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-04 17:34:53Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
|_ssl-date: 2023-04-04T17:35:45+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-04T17:35:46+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-04T17:35:45+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
|_ssl-date: 2023-04-04T17:35:46+00:00; +7h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-04-04T17:35:39
|_  start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

There are a few ports that we can investigate but let’s access the website interface first


There is nothing to see on the website interface at all.


Therefore, let’s try to find all the hero images on the website itself.

Enumerate the username and password


The screenshot above shows the author of the image that we just downloaded earlier.


As a result, we should be getting a list of potential usernames as those shown above.

┌──[darknite@parrot]─[/opt/CrackMapExec]
└──╼ $poetry run crackmapexec smb absolute.htb
SMB         absolute.htb    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)

The command of crackmapexec above shows the smb information on the machine.

Graphical user interface, text, application

Description automatically generated

We should be getting some random user’s hashes by running the impact-GetNPUsers tool.

Text

Description automatically generated

As a result, the hashes should look something as shown above.

Text

Description automatically generated

At last, we managed to obtain the password for d.klay by executing the John the Ripper

Brute-force a valid Active Directory account using Kerbrute


Therefore, we should be using the kerbrute for this activity.


The screenshot above shows only if the tool works properly on our attacker’s machine.


Sadly, the tool doesn’t work because we didn’t whitelist the Activity Directory’s domain on our /etc/hosts


However, we didn’t retrieve any useful information on any valid username.


We also get an error saying “Status_Account_Restriction” when looking with crackmapexec on smb service.


As a result, we need to update the ntpdate for the domain.


We should get a d.klay.ccache ticket by running the command above.


We managed to get the svc_smb password by running the ldapsearch command


Again, we should be saving the ticket ccache


Therefore, let’s export the ticket the KRB5CNAME.


We also get the smbclient tool


We should be getting the /shares

Text

Description automatically generated

There are two files that are stored inside the shared directory.


Let’s download those files on the

Bloodhound analyze


We should get the bloodhound running by using those commands above.


The analysis from the bloodhound is that user (m.lovegod) is own the Network Audit groups but the user is not a member of the Network Audit group. As a result, we should add the user (m.lovegod into the group where the permission will have the GenericWrite on winrm_user. Therefore, we can use the pyWhisker in the next stage to add the new KeyCredential from m.lovegod to winrm_users’ msDS-KeyCredentialLink attribute. By using gettgtpkinit.py script, we can request a TGT with the Kerberos PKINIT for the winrm_user.

Using the Python script to obtain the foothold on an Absolute Machine


There have two methods of obtaining a foothold on the machine which depend on the attacker’s usage

$dc_domain="ABSOLUTE.HTB"
$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ABSOLUTE.HTB\m.lovegod', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController DC.ABSOLUTE.HTB  -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity  m.lovegod -MemberOf  'Network Audit' -Credential $Cred -Server DC.ABSOLUTE.HTB
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController DC.ABSOLUTE.HTB -Credential $cred

The command above can be used on Windows Operating System. In my case, I’m using the Linux Operating System to obtain a foothold


Firstly, we can execute the script above to where we should be able to change an object’s owner


Another script that we should use would be dacledit which we can manipulate the DACL for the machine


We should be able to verify that the dacl has been compiled


The command above will add the user to the Network Audit Group Policy


Normally, we should execute the command above to create the ticket


Therefore, we can export the ticket


Finally, we can access the user by running the evil-winrm command above within the absolute machine


We can read the user flag by running the “cat user.txt” command

Escalate to Root Privileges Access


I notice that there has an Administrator who resides in one domain admin that might look so easy to verify the target. As we already access the domain controller, let’s escalate the privileges access in the computer which we can abuse by performing a full dump of the NTDS.


After a while, we managed to find a few methods which require to use of tools such as KrbRelayUp, Rubues, and RunasCS which can be downloaded from SharpCollection


The domain controller has validated the requisites and m.lovegod is validated one of those.


For those who want to obtain further on the privileges escalation which can be found here


Therefore, let’s execute the RunasCS.exe command above to obtain the Rubeus.exe command which we use in the next step.


At last, we managed to obtain NTLM hashes which we obtain on the other hashes


We can use the secretdump to dump the hashes


At last, we managed to access the Windows Machine via evil-winrm


We can read the root flag by typing the “type root.txt” command