Documentation & Reporting - Skills Assessment

Hi, can someone help or advise me on the first question?

I’m stumped on where to go with Q1, I’ve cracked the IMPI hash in the findings but haven’t found a place to use the credentials. I have jumped onto DEV01 but haven’t found anything that I think could help. A nudge in the right direction would be greatly appreciated.

I was busting my a*s off last night to accomplish the skills assessment, which I’ve just got done now.

For people who are struggling to initiate, you don’t need to gain the “admin” account access. You could just leverage an account with admin rights, which was my approach.
Read the “Components of a Report” section and try to use some of the tools he used. You will get an admin-level user with his password hash, which you can crack on your own machine or on the PwnBox.

There are different ways you could gain access to the NTLM hashes and to the NTDS file.

  • Once you gain admin-level access to the DC, you can get the local registry hives, transfer them to your machine and dump the hashes with an impacket tool.
  • For the NTDS.dit file, you can’t transfer it because it’s in use. So one way you can transfer the file is making a shadow copy of the drive and transferring it after. After getting the file to your machine, you can dump it with the same impacket tool.

For an easier way… There is also a tool used in the module that can leverage all that information in the blink of an eye.

I would suggest reading the “Components of a Report” section a couple of times and trying some of the stuff there.

If you guys are still struggling, hit me up. I could give another tip.

1 Like

Finished the lab - very nice. Only the Box was super slow at some steps, so it was a bit painful to work from there, but okay.

I completed the module but wanted to know if anyone was able to root the Linux box. I found the LFI vulnerability and got in as www-data, and tried all steps noted in a Linux priv esc module. Is it possible to root the Linux box? (Just want to know if it is possible but not the details). I found the overall module lab to be good practice so far before I hit the final module.

If anyone struggled like me:

  1. Introduction to AD will be a good starter module but may not be enough to complete this assessment.
  2. Run nmap. Take notes.
  3. For the initial foothold, use responder tool with the options specified in “Components of a Report” section. You will catch a hash right there. Crack it.
  4. Then, use these credentials to login to Domain controller not the other hosts.
  5. Save the ntds.dit file and system key. Use secretsdump.py to extract hashes. (The Password Attacks module contains everything you need for number 5.)
  6. Lastly, query the svc_reporting user’s local group membership using cmd/PS.

Don’t forget: local and domain group memberships are different things.

3 Likes

Hey guys, I am done with the exercises of the module but I really want to try and write the report and send it to the HTB staff for feedback. However, I am stuck finding the command injection vulnerability. I found LFI on the Linux box but I cannot seem to leverage it for a reverse shell. php filters do not seem to work for me. Is the command injection on this box at all? I also see http port 80 open on the FILE01 host but I can’t seem to access that page. So I guess I have 2 questions:

  1. Is the Linux box supposed to be rooted?
  2. Any tips for the command injection?

Cheers

I don’t think you have to root the Linux machine; you should follow the questions.
For whoever is stuck, my advice is: read again the page “Components of a Report” under “detailed reproduction steps for this attack chain are as follows”, and you should have done the module on Active Directory Enumeration & Attacks.

The first question is: submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host. Have you identified the IP of DC01? After you did that, you can start to enumerate user accounts configured with Service Principal Names (SPNs); there are some examples on page 4, “Components of a Report”, under “detailed reproduction steps for this attack chain are as follows”. You should also enumerate the domain and create a visual representation with BloodHound to find a user with local administrator rights over the host DC01.inlanefreight. Once you have found this user, you can perform a Kerberoasting attack to retrieve the Kerberos TGS ticket and crack it offline.

To answer the fourth question, just type the user’s name in BloodHound and see which groups it belongs to.

Thank you !!!

Hi, thanks for the comments. I found some users that crackmapexec verifies as valid, with creds to log in to DC01. But when trying to access via evil-winrm or xfreerdp, I can’t make the connection. What am I missing? Thanks

I got stuck. I caught the hash for the DC user in Responder; when I try to crack it with rockyou.txt, nothing matches:

Status…: Exhausted

Again, never mind.

BALkan_BAndit

Did you find the command injection vulnerability?
I did all of the other work items. Just like you I am stuck on the command injection vulnerability.

I have been reading about FileZilla and any possible remote code execution vulnerability. But no luck so far. Based on the notes above from dannoura it sounds like one can use LFI to get code execution on the target.

Thanks for any thoughts and hints.

Continent

I hope this helps somebody.

The first time I did the skills assessment I was overwhelmed.

I realized right away that I did not know enough about AD enumeration. So I stopped and did several of the AD modules. I actually completed the AD Enumeration Batch.
As a minimum you should complete the AD Enumeration and Attacks module.

So, that took at least 6 to 8 weeks.

Then I returned to this module and did much of the AD part of the assignment. It took probably 30 hours to do the AD part.

Then I got stuck again on the LFI/Command Injection.
Then I needed to ask for help on the Discord channel. Thank God I asked the right person, who gave me the answer/hint I needed to complete the LFI/Command Injection part.
That part is an LFI that leads to a command injection. So, to complete the assignment, really understand the LFI that then leads you to the command injection, which will give you a remote shell on the machine.
To do the LFI assignment for this module you should have done the LFI Academy module.

When you do the LFI, read files like /etc/passwd and /etc/hosts.
Next, play around and see whether you can read other files on the machine.
One of the files you want to read is the index.php file itself.
Once you have the index.php file, read it and understand it.
You will need to inject one of the one-line reverse shells; but you need to URL encode it for the command to be executed by the index.php file.

Solving the last LFI/Command injection vulnerability was the last thing I needed to do to complete the pentest final report.

The pentest final report took me at least 30 full hours.

So, just for me, adding up all the hours I spent on the module is probably close to 80 hours.

I hope this helps somebody.

Continent
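The two posts above (the question at the top of the thread about LFI on the Linux box, and this walkthrough of LFI leading to command injection via a URL-encoded payload) describe what the web server sees: traversal sequences, PHP stream wrappers and shell metacharacters arriving in a query parameter, often URL-encoded more than once. As an added example (not from any post here, and not HTB's code), here is a Python scanner over a constructed Apache-style access log that fully URL-decodes each parameter before classifying it, so a double-encoded traversal is not missed. The IPs, timestamps and request lines are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Apache combined-ish format (not real lab traffic).
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1840
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2200
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 300
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=about%3Bid HTTP/1.1" 200 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip)://", re.I)
SHELL_META_RE = re.compile(r"[;|`]|\$\(")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (catches %25-style double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> Tuple[str, ...]:
    """Return the rule names that apply to one decoded parameter value."""
    rules = []
    if "../" in value or "..\\" in value:
        rules.append("traversal")           # classic LFI probe
    if WRAPPER_RE.match(value):
        rules.append("php_wrapper")         # php://filter and friends read source instead of running it
    if SHELL_META_RE.search(value):
        rules.append("shell_metachar")      # parameter reaching a shell would chain to command injection
    return tuple(rules)


def scan(log_text: str) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (client_ip, parameter_name, rules) for every parameter that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines that do not parse rather than crash
        query = urlsplit(m.group("path")).query
        # parse_qsl decodes one layer; fully_decode strips any remaining layers
        for name, raw in parse_qsl(query, keep_blank_values=True):
            rules = classify(fully_decode(raw))
            if rules:
                hits.append((m.group("ip"), name, rules))
    return hits


if __name__ == "__main__":
    for ip, param, rules in scan(SAMPLE_ACCESS_LOG):
        print(f"{ip} param={param} -> {', '.join(rules)}")
```

The decoding step is the point: a WAF or log search that matches on the raw request line sees `%252e%252e%252f` and not `../`, which is exactly why the post above stresses URL-encoding the payload. Decoding to a fixed point before matching, and applying the same normalisation in the application's own input validation, closes that gap.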

I had to re-read for several hours.

Can you help me? I don’t know how to start. I use the credentials on all machines and I can’t connect.