In this post, I would like to share a walkthrough of the Authority machine from Hack The Box.
This room is rated as a Medium machine on Hack The Box.

What will you gain from the Authority machine?
For the user flag, I will access the shares that are reachable over SMB to locate certain Ansible playbooks. Following that, I'll decrypt certain vaulted fields to obtain credentials for a PWM instance. This PWM instance is in configuration mode, which allows me to make it authenticate to my own box via LDAP using plaintext credentials. Using these credentials, I'll then enumerate Active Directory Certificate Services to determine whether a template is susceptible to ESC1, albeit with a unique approach.
As for the root flag, I need to abuse a vulnerable certificate template; rather than being open to any user, enrollment is specifically open to any domain computer. I will add a counterfeit computer account to the domain and leverage it to acquire a certificate for the DC. Although the certificate itself doesn't directly work for authentication, I can execute a pass-the-cert attack to extract hashes and gain administrative access.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv
Information Gathering on Authority Machine
Once we have started the VPN connection (the VPN file is downloaded from Hack The Box), we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/Authority]
└──╼ $ nmap -sV -sC 10.10.11.222 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-19 06:47 EDT
Nmap scan report for 10.10.11.222
Host is up (0.014s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-19 14:47:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername:<unsupported>, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-07-19T14:48:22+00:00; +4h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-19T14:48:22+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername:<unsupported>, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername:<unsupported>, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-07-19T14:48:22+00:00; +4h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername:<unsupported>, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2023-07-19T14:48:22+00:00; +4h00m00s from scanner time.
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 82
| Date: Wed, 19 Jul 2023 14:47:37 GMT
| Connection: close
| <html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, OPTIONS
| Content-Length: 0
| Date: Wed, 19 Jul 2023 14:47:37 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1936
| Date: Wed, 19 Jul 2023 14:47:44 GMT
| Connection: close
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.26 seconds
Let’s access the website interface

However, the website shows the IIS default page.
SMBclient enumeration

Next, let's connect with smbclient to the share, which is open to us without credentials.

There's one yml file stored on the share.

Let’s download the file into our attacker’s machine.
Analyse the yml file

Inside the file, we can see content that looks something like the above.

We should convert all the Ansible Vault blobs into a format that password-cracking tools can read.

It will look something as shown above.

Boom! We managed to obtain the password as ansible.
Unlocking the vault password



We managed to unlock all three vaults with the password that we found earlier.
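As an added example (not from the original post), here is what the conversion and the cracking check amount to in Python: vault_to_john unwraps an Ansible Vault 1.1 blob into the $ansible$ line that ansible2john emits, and check_password performs the per-candidate test john runs (PBKDF2-HMAC-SHA256 key derivation, then HMAC comparison). The vault here is constructed with a known password and dummy ciphertext bytes, so it demonstrates the integrity layer only, not AES-CTR decryption.

```python
import binascii
import hashlib
import hmac
import textwrap

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000  # PBKDF2 iteration count fixed by the Vault 1.1 format

def derive_keys(password: bytes, salt: bytes):
    """Vault 1.1 KDF: PBKDF2-HMAC-SHA256 -> 32-byte AES key, 32-byte HMAC key, 16-byte IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]

def build_vault(password: bytes, salt: bytes, ciphertext: bytes) -> str:
    """Assemble vault text from its parts; the ciphertext is taken as given (dummy bytes
    in this example), so only the HMAC layer is produced here, not AES-CTR encryption."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac, binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode()
    return HEADER + "\n" + "\n".join(textwrap.wrap(body, 80)) + "\n"

def vault_to_john(vault_text: str) -> str:
    """What ansible2john does: unwrap the blob into '$ansible$0*0*salt*ciphertext*hmac'."""
    header, _, body = vault_text.partition("\n")
    if header.strip() != HEADER:
        raise ValueError("unsupported vault header: " + header)
    inner = binascii.unhexlify(body.replace("\n", ""))
    salt_hex, mac_hex, ct_hex = (p.decode() for p in inner.split(b"\n"))
    return "$ansible$0*0*%s*%s*%s" % (salt_hex, ct_hex, mac_hex)

def check_password(john_hash: str, candidate: bytes) -> bool:
    """The per-candidate test a cracker runs: derive keys, recompute the HMAC, compare."""
    _, _, salt_hex, ct_hex, mac_hex = john_hash.split("*")
    _, hmac_key, _ = derive_keys(candidate, binascii.unhexlify(salt_hex))
    expected = hmac.new(hmac_key, binascii.unhexlify(ct_hex), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_hex)

def crack(vault_text: str, wordlist):
    """Try each wordlist entry against the vault; returns the matching password or None."""
    john_hash = vault_to_john(vault_text)
    for word in wordlist:
        if check_password(john_hash, word):
            return word
    return None

# Constructed sample: fixed salt, dummy ciphertext and a known password, so it runs offline.
SAMPLE_PASSWORD = b"example-vault-pass"
SAMPLE_VAULT = build_vault(SAMPLE_PASSWORD, bytes(range(32)), b"\x00" * 48)
```

Running crack(SAMPLE_VAULT, wordlist) with a wordlist containing SAMPLE_PASSWORD returns it; a wrong candidate fails the HMAC comparison, which is exactly why the vault password has to be guessed rather than recovered from the file.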

Let's access the other website, hosted on port 8443, and enter the credentials that we found earlier.

We managed to access the configuration page with one of the passwords that we found while unlocking the vault.


We should download the configuration file into our attacker’s machine.

The source shown above is stored inside the configuration, and we notice that it retrieves its information from an LDAP service.
LDAP enumeration on Authority machine
Let's start Responder so it listens for any useful information, such as credentials, in the incoming packets.



We should upload the configuration file that we modified earlier.

It will take a while to complete the process.

At last, we captured a cleartext username and password.

We can verify the credentials by using the crackmapexec tool.

Let's access the machine via evil-winrm using the credentials that we captured with Responder.


We can read the user flag by typing the “type user.txt” command
Escalate to Root Privilege Access

Firstly, let's dig into the svc_ldap user's information, such as group memberships.

At a glance, we notice there's a Certs folder, which suggests we should be able to play with the certificate services.

So let's upload Certify.exe to the victim machine.


We managed to find the vulnerable template on the machine.
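As an added example (not from the original post or from Certify), here is the check in Python that Certify's vulnerable-template output corresponds to, applied to constructed template records: it evaluates the ESC1 conditions and reports which low-privilege group holds the Enroll right, so the Domain Computers case described in the introduction is flagged rather than missed. The attribute names are the real msPKI-* schema attributes; the sample values and the domain SID are constructed.

```python
# Template attribute constants from the Microsoft certificate template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Low-privilege principals: Enroll granted to any of these makes the template broadly open.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

def broad_enrollers(enroll_sids):
    """Names of low-privilege groups holding the Enroll right, Domain Computers included."""
    hits = []
    for sid in enroll_sids:
        rid = sid.rsplit("-", 1)[-1]
        if sid in BROAD_SIDS:
            hits.append(BROAD_SIDS[sid])
        elif sid.startswith("S-1-5-21-") and rid in BROAD_RIDS:
            hits.append(BROAD_RIDS[rid])
    return hits

def esc1_findings(template):
    """ESC1 needs all of: enrollee supplies the subject, an auth-capable EKU (or no EKU),
    no manager approval, no authorized signatures, and a broad enrollment right."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    enrollers = broad_enrollers(template["enroll"])
    conditions = {
        "enrollee_supplies_subject": bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "auth_eku": not ekus or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_ra_signature": template.get("msPKI-RA-Signature", 0) == 0,
        "broad_enroll": bool(enrollers),
    }
    return all(conditions.values()), enrollers, conditions

# Constructed sample records (made-up domain SID). "CorpVPN" mirrors the Authority twist: Enroll
# is granted to Domain Computers (RID 515), not Domain Users. "StdUser" builds its subject from AD.
DOMAIN = "S-1-5-21-1111-2222-3333"
TEMPLATES = [
    {"name": "CorpVPN", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": [DOMAIN + "-515", DOMAIN + "-512"]},
    {"name": "StdUser", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": [DOMAIN + "-513"]},
]
```

The fix on the defender's side follows from the conditions: clear ENROLLEE_SUPPLIES_SUBJECT or require manager approval on CorpVPN, and remember that a template open only to Domain Computers is still reachable by any user allowed to create machine accounts.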

Therefore, let's add a computer account as shown above. Sadly, we encountered an error during this step.

After a while, we managed to solve the issue by adding the hostname to our /etc/hosts file.


However, an error appears when trying to execute the command.

Finally, we managed to obtain the certificate as administrator.

We should export the key and certificate to our attacker machine.

Let's download the passthecert script to take advantage of the certificate we obtained previously.

Let’s execute the command above.

Since I'm not yet familiar with the command's options, let's read its help output.

Let's add svc_ldap to the Administrators group.

We should reconnect to the machine so that the new group membership takes effect.

At last, we have Administrators group access.


We can read the root flag by typing the “type root.txt” command
SHAQ
Mind blown on how simple the writeup was and it's super clear on what's going on. Loving it! Keep it up! 👍👍👍