All about how to befool Kerberos.

ENUMERATION

Add mantis.htb.local to /etc/hosts

RPC ENUMERATION

Anonymous login allowed but no info

SMB ENUMERATION

NMAP Fullport Scan

Got Nothing Juicy after enumerating ports so decided for a Fullport nmap scan

PORT 1337 ENUMERATION

Visiting website gives us

Nothing juicy in source code

Time for Fuzzing directories, use WFUZZ

Visiting web.config shows nothing . When I did a gobuster scan I found web.conf requires some data, in format web.conf:$DATA , so this is for now of no use to us.

dev_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt. Visiting this shows

Also lets see what name contains

This is again some hash, which did not crack to anything . Let’s pass it directly to admin

Did not work for login on port 8080/admin
did not work for mysql or winrm or smb

Also not worked for web.conf. So let’s see the format and crack it. It is hex string, https://md5hashing.net/hash_type_checker

Using mssqlclient.py from impacket

All tables are listed below

We will use Userpart record table as it sounds juicy

Since we get all Columns , but this data seems messy. So we will filter out columns of our use

Username : admin &&& Password : AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==

Username : James &&& Password : J@m3s_P@ssW0rd! &&& Email : james@htb.local

SMB login

We see we can login using these creds to smb

But we cannot enum anything, listing is disabled for this user, Winrm Login Failed

MSSQL Login -Failed

We can exploit Kerberos MS14–068 with this, cause it seems PAC is enabled. The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges. This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain

https://labs.f-secure.com/archive/digging-into-ms14-068-exploitation-and-defence/

We will use Goldenpac.py from impacket

The Golden PAC module included in Impacket makes post exploitation easier by performing it automatically for you. Once a TGT containing a forged PAC has been created it is used to create an SMB connection to the domain controller and the PsExec technique is used to gain command execution

We are already Nt AUTHORITY/SYSTEM , no need for priv escalation

getting flags …

ROOTED!!!

OSCP | CEH | Cyber Security Enthusiast.