impacket

March 16, 2024

Manager – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec Active Directory, Active Directory Certificate Services, AD CS, Bruteforce RID, Certificates, certipy, crackmapexec, ESC7, HackTheBox, HTB, impacket, kerbrute, MSSQLclient, Password Spraying, TGT, user-enumeration, Windows 0

Machine Name: Manager
IP: 10.10.11.236
Difficulty: Medium

Summary

Manager is a medium difficulty machine that starts with enumerating usernames and password spraying them to login to MSSQL shell. The MSSQL shell was used to fetch a configuration file containing user credentials that were used to obtain the user shell. Privilege Escalation consisted of abusing the Active Directory Certificate Services (AD CS) misconfiguration to issue an administrator certificate that was used to obtain the TGT hash and authenticate as administrator.

August 8, 2023

Forest – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec aclpwn, Active Directory, Active Directory 101, AS-REP Roast, BloodHound, crackmapexec, DCSync, GenericAll, GetNPUsers, impacket, Kerberoasting, kerberos, LDAP, mimikatz, pass the hash, powershell-credential-object, PowerView, PSCredential, psexec, rpcclient, secretsdump, windapsearch, Windows, WriteDACL 0

Machine Name: Forest
IP: 10.10.10.161
Difficulty: Easy

Summary

Forest is a easy machine that starts with enumerating usernames through LDAP and performing Kerberoasting on that user. After cracking the TGT hash, we obtain the user shell. The privilege escalation involved mapping the Active Directory domain and understanding the group memberships and permissions that could be exploited. WriteDACL permissions were discovered for one of the groups which was abused to perform the DCSync attack to dump the hashes and finally pass them to gain the administrator shell.

October 3, 2022

Scrambled – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec decompilation, dnSpy, HackTheBox, hashcat, HTB, impacket, Infosec, kerberos, MSSQL, password-spraying, powercat, powershell-credential-object, serialization, silver-ticket, SMB Enumeration, TGS Cracking, user-enumeration, Windows Box, ysoserial 0

Machine Name: Scrambled
IP: 10.10.11.168
Difficulty: Medium

Summary

Scrambled is a medium machine that requires an understanding of how Kerberos works. It includes enumerating users using Kerberos’ authentication protocol’s error message and password spraying to obtain valid credentials of the found users. The obtained credentials are used to get a TGT through which the SPN and TGS are obtained. The TGS was cracked and new credentials were obtained. The new credentials did not work when logging into MsSQL Client. The TGT ticket was used to enumerate the SMB share where a PDF with information about imposed access controls was found. Only administrator accounts can access the SQL database. A Silver ticket attack was performed in order to gain access to the database where more credentials were found and a shell could be obtained. After gaining the user shell, a DLL file found was decompiled and analysed. A serialization method was being called which was exploited by crafting a payload using ysoserial to gain a administrator shell.