Let’s talk about Infiltrator. Please do not share any flags or writeups.
I cracked a hash.
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:ecef063f47a7e6d193c18d4efb0adfd5$77d5f91039e8d1378a4d141d2a714ffb5441ceaadd3443c5a36b87452322a380546b06b0ba4cac8e355d6505d39c91fc05dd41d8316da6fac4f699d910be181fd3ff94839b7c2d6764f0c50423d13b33d5aa5b59aba2ad332544c619beee14a7cd94e9030d6287f80c0056cf123286bfceac3fe2164e00c048126e948c4c95aaccc29a31ddf44369445f6219e42b4dbf05b85dbe35f6f7b8790f990d2b19f558d4ac2789ef8b00b3cd52f64912a523b75bb5701e1848829359cfee7654ed5926123f97bc9a9b0d3f43c2eaf17afc23ca69d53981634c89ab1503495a3e8866271cf617e9c77e80b19d2028a02fe5fbb1b6f6:WAT?watismypass!
Can you give me a hint?
k.turner has a weird description but it didn’t help.
1. Obtain the Password for d.anderson
Perform a password spray attack with the password we cracked earlier to find the password for d.anderson.
2. Obtain a Ticket-Granting Ticket (TGT) for d.anderson
A Ticket-Granting Ticket (TGT) for the user d.anderson is requested using a provided password. This TGT is essential for authenticating future actions.
3. Write Delegation Access Control List (DACL)
The environment is configured to use the d.anderson TGT. Permissions are written to grant d.anderson full control rights over a specified directory.
4. Change Password for e.rodriguez Using GenericAll Privileges
Using d.anderson’s credentials, the password for e.rodriguez is changed to match d.anderson’s password. This grants control over the e.rodriguez account.
5. Add e.rodriguez to the CHIEFS MARKETING Group
e.rodriguez is added to the CHIEFS MARKETING group, providing additional privileges associated with this group.
6. Change Password for m.harris Using ForceChangePassword Privileges
With e.rodriguez’s credentials, the password for m.harris is changed. This action is intended to gain control over the m.harris account.
7. Obtain a TGT for m.harris
A TGT for m.harris is requested using the new password. This TGT is required for further authentication tasks.
8. Access the System Using m.harris’s Credentials
Read the user.txt file located on m.harris’s Desktop to confirm successful access.
9. MySQL Credentials
Navigate to C:\ProgramData\Output Messenger Server\Temp and inspect the files to find the MySQL credentials. These credentials will be used to access the MySQL service.
10. Port Forwarding
Forward the MySQL port to the local machine using chisel to access the MySQL service running on port 14406.
11. root.txt File (Unintended Path)
After connecting to the MySQL service, execute a SQL query to read the root.txt file located on the Administrator’s Desktop. Retrieve the file’s hash value to confirm successful access.
This is just a high-level overview of the challenge. The exact commands or detailed steps are not shared to maintain the challenge’s integrity. DM me if you need more help.
How did you work out that this was possible? I get STATUS_ACCOUNT_RESTRICTION as the result when I try cme/nxc on any protocol. Once I tried I did get a TGT for this user using the password though. What have I missed in my enumeration?
His password is required to obtain his TGT token. You can retrieve it like this.
impacket-getTGT <domain>/<username>:'<password>'
As mentioned, his password is in this thread — the cracked hash.
Thanks, I got the ticket. However, when I tried the password spray I only got STATUS_ACCOUNT_RESTRICTION. Is that just an indication that the credential was potentially valid?
There are different circumstances that might lead to STATUS_ACCOUNT_RESTRICTION. However, if you try entering a different password, you will likely get a different error code. So, yes.
Yeah it’s confusing but you can use Kerbrute to verify that his password is correct.
How do you enumerate the users?
How did you find the credential of winrm_svg?
I did not need it. Check the OutputMysql.ini file inside the OutputMessengerMysql.zip archive. That file contains the root MySQL password. After logging in to MySQL, you can directly read the root.txt file, but this is not the intended method. This method may be fixed. I am not sure.
Enumerating with BloodHound
Hey, can you explain how you get the password? (I’m a noob)
I don’t understand why neither bloodhound nor impacket works. Does anyone know how to resolve this?
┌──(root㉿kali)-[/home/kali]
└─# sudo bloodhound-python -c ALL -u l.clark -p 'WAT?watismypass!' -d dc01.infiltrator.htb -ns 10.10.11.31
Traceback (most recent call last):
File "/usr/bin/bloodhound-python", line 33, in <module>
sys.exit(load_entry_point('bloodhound==1.7.2', 'console_scripts', 'bloodhound-python')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bloodhound/__init__.py", line 308, in main
ad.dns_resolve(domain=args.domain, options=args)
File "/usr/lib/python3/dist-packages/bloodhound/ad/domain.py", line 698, in dns_resolve
q = self.dnsresolver.query(query, 'SRV', tcp=self.dns_tcp)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1364, in query
return self.resolve(
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1321, in resolve
timeout = self._compute_timeout(start, lifetime, resolution.errors)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1075, in _compute_timeout
raise LifetimeTimeout(timeout=duration, errors=errors)
dns.resolver.LifetimeTimeout: The resolution lifetime expired after 3.102 seconds: Server Do53:10.10.11.31@53 answered The DNS operation timed out.
┌──(root㉿kali)-[/home/kali]
└─# impacket-getTGT dc01.infiltrator.htb/d.anderson:'WAT?watismypass!'
Impacket v0.12.0.dev1+20240827.104624.763808d0 - Copyright 2023 Fortra
Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
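As an added example (not code from anyone in this thread): a small parser for the $krb5asrep$ line format posted above, with a helper that checks whether the value handed to a tool as the Kerberos realm is the realm the hash names (a host name in place of the realm is one cause of KDC_ERR_WRONG_REALM). The sample hash is constructed filler, and accepting the shorter user@REALM principal form is an assumption.

```python
import re
from dataclasses import dataclass

# Line format as seen in this thread (hashcat mode 18200, RC4-HMAC, etype 23):
#   $krb5asrep$23$<user>@<domain>@<REALM>:<32 hex checksum>$<hex encrypted timestamp>
# Assumption: the shorter "<user>@<REALM>" principal form is accepted too.
_ASREP_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<principal>[^:$]+):"
                       r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")


@dataclass(frozen=True)
class AsRepHash:
    etype: int
    user: str
    domain: str
    realm: str
    checksum: str
    edata: str


def parse_asrep_hash(line: str) -> AsRepHash:
    """Parse one $krb5asrep$ line; raise ValueError on anything malformed."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m["etype"])
    if etype != 23:  # AES variants (17/18) use a different layout; not handled here
        raise ValueError(f"unsupported etype {etype}")
    parts = m["principal"].split("@")
    if len(parts) == 3:
        user, domain, realm = parts
    elif len(parts) == 2:
        user, realm = parts
        domain = realm.lower()
    else:
        raise ValueError("principal must be user@domain@REALM or user@REALM")
    # etype 23 checksum is a 16-byte HMAC-MD5; ciphertext must be whole bytes
    if len(m["checksum"]) != 32 or len(m["edata"]) % 2:
        raise ValueError("bad checksum/ciphertext length for etype 23")
    return AsRepHash(etype, user, domain, realm.upper(),
                     m["checksum"].lower(), m["edata"].lower())


def realm_matches(h: AsRepHash, realm_arg: str) -> bool:
    """True when the realm a tool was given is the one named in the hash."""
    return realm_arg.strip().upper() == h.realm


# Constructed sample (not a real capture): checksum and ciphertext are filler bytes.
SAMPLE = "$krb5asrep$23$j.doe@example.htb@EXAMPLE.HTB:" + "ab" * 16 + "$" + "cd" * 24
```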