AKasec CTF 2024 (English Writeup)


BOXS

Description

-> Start recon by scanning for open ports and the services running on them

Result:

After trying port 3268 (LDAP) and port 80, which only serves a static website. (Possible RFC for the following)

Test the SMB service by logging in as an anonymous user: anonymous login is possible, but no shares are exposed, so there is nothing to get from it.

-> Try brute-forcing usernames via Kerberos; tool used: kerbrute

Partial brute-force results

These usernames are valid, meaning they exist in the Active Directory of the aka.sex domain. Since these accounts exist, they can be used to attempt other attack techniques, such as password brute force or attacks through other security weaknesses.

However, not every user is in a state that can be exploited, so this has to be tested against each of the users found here. Valid user found: joseph.hughes@aka.sex

How to test: use impacket's toolkit, specifically impacket-GetNPUsers, to extract users' Kerberos login information (tickets) from the Active Directory (AD) environment.

Get the hash of user joseph.hughes

This user's hash can be cracked (you can use john or hashcat); I have already finished cracking it, so I will show the result:

Look for vulnerable certificate templates that can be exploited:

certipy-ad find -scheme ldap -username joseph.hughes -password '!!fth!!692!!gyh!!67t!ha' -dc-ip 172.200.160.57 -stdout -vulnerable

Note: on Windows the tool is invoked as certipy, but on Kali the package is called certipy-ad.

Full Result:

Vulnerabilities to take advantage of: ESC1 and ESC3

  • ESC1 (Enrollment Services Configuration 1):

    • Description: This vulnerability occurs when any user in the Domain Users group has permission to request a certificate from this template, and the template allows the requester to supply the Subject of the certificate. This can result in the issuance of certificates usable for Client Authentication.

    • Affected Templates:

      • 5777eb13-5939-4a48-8d46-8ae561da870a

      • e4bf4d28-76f8-4b2f-b491-7843c4223a92 (This template is currently not enabled - Enabled: False)

  • ESC3 (Enrollment Services Configuration 3):

    • Description: This vulnerability occurs when any user in the Domain Users group has permission to request a certificate from this template, and the template has the Certificate Request Agent EKU set. This can allow the requester to perform further certificate requests on behalf of other users.

    • Affected Templates:

      • 014ca453-3bea-405a-a9be-fbbada9e1d5a
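As an added audit example (not from the writeup and not certipy's code), the following applies the two conditions described above, for ESC1 and for ESC3, to certificate template attribute records as a defender would when reviewing templates pulled from AD. The template names, SIDs and records are constructed; the flag bits and EKU OIDs are the standard AD CS values.

```python
# Added audit helper, not from the writeup or from certipy: applies the ESC1/ESC3
# conditions described above to certificate template records. Records here are
# constructed; real ones come from the Certificate Templates container via LDAP.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit (manager approval)
CLIENT_AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
                    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
                    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
                    "2.5.29.37.0"}             # Any Purpose
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers

def low_priv_can_enroll(enrollers):
    # True if any principal with enrollment rights is a broad, low-privileged group
    return any(s in LOW_PRIV_SIDS or s.rsplit("-", 1)[-1] in LOW_PRIV_RIDS
               for s in enrollers)

def audit_template(t):
    """Return ESC findings for one template record; [] means neither applies."""
    # Manager approval, required signatures or a tight enrollment ACL block both.
    if (t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS or t["msPKI-RA-Signature"]
            or not low_priv_can_enroll(t["enrollers"])):
        return []
    ekus = set(t["pKIExtendedKeyUsage"])
    findings = []
    # ESC1: requester supplies the subject and the cert is usable for logon
    # (an empty EKU list means "any purpose" and counts as well).
    if (t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT
            and (not ekus or ekus & CLIENT_AUTH_EKUS)):
        findings.append("ESC1")
    if CERT_REQUEST_AGENT_EKU in ekus:  # ESC3: issues enrollment-agent certs
        findings.append("ESC3")
    return findings

def audit_all(templates):
    """Name -> findings; templates not published on a CA are tagged, as in the scan."""
    return {t["name"]: f + ([] if t["enabled"] else ["not enabled"])
            for t in templates if (f := audit_template(t))}

def _tpl(name, enabled, name_flag, ekus, enrollers):  # constructed sample records
    return {"name": name, "enabled": enabled, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
            "pKIExtendedKeyUsage": ekus, "enrollers": enrollers}

TEMPLATES = [_tpl("UserLogon", True, 0x1, ["1.3.6.1.5.5.7.3.2"], ["S-1-5-21-1-2-3-513"]),
             _tpl("EnrollAgent", True, 0x0, ["1.3.6.1.4.1.311.20.2.1"], ["S-1-5-11"]),
             _tpl("LegacyLogon", False, 0x1, [], ["S-1-1-0"])]
```

Setting the manager-approval bit, requiring an authorized signature, or restricting enrollment to a specific group makes audit_template return an empty list, which is the remediation the checks encode.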

I will request a certificate from the template 5777eb13-5939-4a48-8d46-8ae561da870a:

Obtain the certificate in .pfx form:

  • Authenticate to AD:

Use the PFX certificate to authenticate to the Active Directory environment of the aka.sex domain through the Domain Controller at 172.200.160.57.

Once you have the hash, you can log in to the server with it:

You can use impacket-smbexec to log in; crackmapexec also works.

Pwned !!!

The flag is in the Desktop folder of the user kexa:
