password-spraying » THOVITI SIDDHARTH

October 3, 2022

Scrambled – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec decompilation, dnSpy, HackTheBox, hashcat, HTB, impacket, Infosec, kerberos, MSSQL, password-spraying, powercat, powershell-credential-object, serialization, silver-ticket, SMB Enumeration, TGS Cracking, user-enumeration, Windows Box, ysoserial 0

Machine Name: Scrambled
IP: 10.10.11.168
Difficulty: Medium

Summary

Scrambled is a medium machine that requires an understanding of how Kerberos works. It includes enumerating users using Kerberos’ authentication protocol’s error message and password spraying to obtain valid credentials of the found users. The obtained credentials are used to get a TGT through which the SPN and TGS are obtained. The TGS was cracked and new credentials were obtained. The new credentials did not work when logging into MsSQL Client. The TGT ticket was used to enumerate the SMB share where a PDF with information about imposed access controls was found. Only administrator accounts can access the SQL database. A Silver ticket attack was performed in order to gain access to the database where more credentials were found and a shell could be obtained. After gaining the user shell, a DLL file found was decompiled and analysed. A serialization method was being called which was exploited by crafting a payload using ysoserial to gain a administrator shell.