This is a write-up for the easy-difficulty “Building Magic” machine from Hack Smarter’s new lab platform. This room is located at courses.hacksmarter.org and is available on a “pay what you can” basis as of the time of writing. I am documenting the process I used to find all information in this writeup WITHOUT including any flags, in the spirit of the game. However, following this process exactly should result in a full compromise of the target system.
Recon, Scanning, and Enumeration #
My first step was to ping the box to ensure that it was alive and ready for enumeration.
Next, I added the machine’s hostname and domain name to my /etc/hosts file, as recommended by the instructions:
Next, I ran a quick nmap scan to see which ports were responding on the host:
This looks (mostly) like basic domain controller stuff, so I’ll move on to working with the database dump provided in the instructions:
| id | username | full_name | role | password |
|---|---|---|---|---|
| 1 | r.widdleton | Ron Widdleton | Intern Builder | c4a21c4d438819d73d24851e7966229c |
| 2 | n.bottomsworth | Neville Bottomsworth | Plannner | 61ee643c5043eadbcdc6c9d1e3ebd298 |
| 3 | l.layman | Luna Layman | Planner | 8960516f904051176cc5ef67869de88f |
| 4 | c.smith | Chen Smith | Builder | bbd151e24516a48790b2cd5845e7f148 |
| 5 | d.thomas | Dean Thomas | Builder | 4d14ff3e264f6a9891aa6cea1cfa17cb |
| 6 | s.winnigan | Samuel Winnigan | HR Manager | 078576a0569f4e0b758aedf650cb6d9a |
| 7 | p.jackson | Parvati Jackson | Shift Lead | eada74b2fa7f5e142ac412d767831b54 |
| 8 | b.builder | Bob Builder | Electrician | dd4137bab3b52b55f99f18b7cd595448 |
| 9 | t.ren | Theodore Ren | Safety Officer | bfaf794a81438488e57ee3954c27cd75 |
| 10 | e.macmillan | Ernest Macmillan | Surveyor | 47d23284395f618bea1959e710bc68ef |
To create a list of potential users, I am going to use the cut command to clean up this list a bit:
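The same clean-up done in Python, as an added example that is not part of the original write-up. It embeds a constructed copy of the dump above, pulls the username and hash out of each row by position (the name and role columns contain spaces, so only the second and last tokens are trusted), writes the two lists, and classifies each stored value by shape. The point for a defender is the last part: every password here is a bare 32-character hex string, the shape of an unsalted MD5 or NT hash, which is exactly why the write-up can expect them to fall to a wordlist. The file names are assumptions.

```python
import re

# Constructed copy of the dump as printed in the challenge instructions.
DUMP = """\
id username full_name role password
1 r.widdleton Ron Widdleton Intern Builder c4a21c4d438819d73d24851e7966229c
2 n.bottomsworth Neville Bottomsworth Plannner 61ee643c5043eadbcdc6c9d1e3ebd298
3 l.layman Luna Layman Planner 8960516f904051176cc5ef67869de88f
4 c.smith Chen Smith Builder bbd151e24516a48790b2cd5845e7f148
5 d.thomas Dean Thomas Builder 4d14ff3e264f6a9891aa6cea1cfa17cb
6 s.winnigan Samuel Winnigan HR Manager 078576a0569f4e0b758aedf650cb6d9a
7 p.jackson Parvati Jackson Shift Lead eada74b2fa7f5e142ac412d767831b54
8 b.builder Bob Builder Electrician dd4137bab3b52b55f99f18b7cd595448
9 t.ren Theodore Ren Safety Officer bfaf794a81438488e57ee3954c27cd75
10 e.macmillan Ernest Macmillan Surveyor 47d23284395f618bea1959e710bc68ef
"""

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_dump(text):
    """Return (username, hash) pairs from the space-separated dump.

    full_name and role may contain spaces, so only fixed positions are
    trusted: token 1 is the username and the last token is the hash.
    The header row and anything that does not start with an id are skipped.
    """
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        rows.append((parts[1], parts[-1]))
    return rows


def usernames(text):
    return [user for user, _ in parse_dump(text)]


def hash_shape(value):
    """Classify a stored credential by shape only.

    32 hex characters with no salt or prefix is what an unsalted MD5 or
    NT hash looks like. The shape does not identify the algorithm, but it
    does rule out salted, slow formats (bcrypt, scrypt, argon2, sha*crypt).
    """
    if HEX32.match(value):
        return "unsalted-32hex"
    if value.startswith(("$2", "$argon2", "$scrypt", "$6$", "$5$")):
        return "salted-modern"
    return "unknown"


def write_lists(text, users_path="users.txt", hashes_path="hashes.txt"):
    """Write one username per line and one hash per line (assumed file
    names); returns the number of rows written."""
    rows = parse_dump(text)
    with open(users_path, "w") as fh:
        fh.write("\n".join(user for user, _ in rows) + "\n")
    with open(hashes_path, "w") as fh:
        fh.write("\n".join(digest for _, digest in rows) + "\n")
    return len(rows)


if __name__ == "__main__":
    for user, digest in parse_dump(DUMP):
        print(f"{user:16} {hash_shape(digest)}")
```

Run it and every row reports `unsalted-32hex`; a dump whose column held `$2b$...` or `$argon2id$...` values would be a very different (and much slower) cracking story, which is the storage decision a developer controls.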
We can use kerbrute to check which of these usernames are valid domain users:
Since we now know that only one of these usernames is a valid domain user, we can focus on cracking that user’s hash, which falls quickly to ‘hashcat’ with ‘rockyou.txt’; we can then confirm the credentials with ‘netexec’:
Lateral Movement and Initial Machine Access #
Now that we have valid domain user credentials, we can run a ‘BloodHound’ collector like ‘bloodhound-ce-python’:
We’ll save this data to use in a moment. Next, we can check for Kerberoastable users with ‘impacket-GetUserSPNs’:
We can crack this user, again with ‘hashcat’ and ‘rockyou.txt’:
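Kerberoasting as performed above leaves a very recognisable trace on the domain controller, and the following added example (not part of the write-up) shows the detection a defender would run over Security log Event ID 4769 records. Each record is a constructed dictionary using the real 4769 field names; the domain, client addresses and service account names are invented. Two signals are combined: a successful service-ticket request for a user (not machine) SPN with the ticket encryption type downgraded to RC4 (`0x17`), and one client pulling such tickets for several distinct services within a short window. The window and threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4; AES types are 0x11/0x12

# Constructed Event ID 4769 records ("A Kerberos service ticket was
# requested"). Domain, addresses and account names are invented.
EVENTS_4769 = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "j.doe@EXAMPLE.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:05", "TargetUserName": "j.doe@EXAMPLE.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:06", "TargetUserName": "j.doe@EXAMPLE.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:07", "TargetUserName": "j.doe@EXAMPLE.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.50", "Status": "0x0"},
    # Ordinary use of one service with AES: not a candidate.
    {"time": "2024-05-01T11:30:00", "TargetUserName": "a.user@EXAMPLE.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.77", "Status": "0x0"},
    # krbtgt is excluded from the rule; it is not a roastable account.
    {"time": "2024-05-01T11:31:00", "TargetUserName": "a.user@EXAMPLE.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77", "Status": "0x0"},
]


def is_roast_candidate(ev):
    """One 4769 with the Kerberoasting shape: a successful TGS request for a
    user (not machine, not krbtgt) service account, issued with RC4."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def roast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Group candidate events by requesting client and return the clients
    that asked for RC4 tickets to >= min_services distinct SPNs inside
    `window`, mapped to the sorted SPN list."""
    by_client = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_client[ev["IpAddress"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for ip, items in by_client.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            services = {svc for t, svc in items[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[ip] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for ip, spns in roast_bursts(EVENTS_4769).items():
        print(f"possible Kerberoasting from {ip}: {', '.join(spns)}")
```

The fix on the account side is the one the write-up implicitly relies on not being present: service accounts with long random passwords (or gMSAs) and AES-only Kerberos, so that a captured ticket is not crackable offline with a wordlist.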
Now we can use ‘BloodHound’ to view paths from owned objects:
```cypher
MATCH p=shortestPath((s:Base)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|ClaimSpecialIdentity|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|ContainsIdentity|PropagatesACEsTo|GPOAppliesTo|CanApplyGPO|HasTrustKeys|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Base))
WHERE COALESCE(s.system_tags, '') CONTAINS 'owned' AND s<>t
RETURN p
LIMIT 1000
```
We can use a tool of our choosing (I like bloodyAD) to change the “h.potch” user’s password:
Now that we have taken over another user, it’s time to see what their access allows. It looks like the “h.potch” user has read/write access to a file share:
The share is currently empty:
Even so, write access to a share opens up a handful of watering-hole attacks. This one uses the slinky module in netexec to write a malicious .LNK file to the share:
When a user browses the share, the .LNK makes their client authenticate to our Responder listener without any deliberate action on their part, and we capture that user’s NetNTLMv2 hash:
Again, this hash cracks with hashcat and rockyou.txt:
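The share-side half of that attack is cheap to catch if detailed file share auditing is on, because dropping the lure is a write of a `.lnk` into a share by an account that normally has no business doing so. The following added example (not part of the write-up) runs that check over constructed Event ID 5145 records ("A network share object was checked to see whether client can be granted desired access"), using the real field names; the share name, addresses and the `h.potch` event are invented to mirror the step above. It flags any write-class access to a lure file type; the extension list and the write bits are assumptions you would tune to your environment.

```python
# File types that are commonly used as share lures; extend as needed.
LURE_EXTENSIONS = (".lnk", ".scf", ".url")

# Access mask bits that imply a write: FILE_WRITE_DATA/FILE_ADD_FILE (0x2),
# FILE_APPEND_DATA (0x4) and GENERIC_WRITE (0x40000000).
WRITE_BITS = 0x2 | 0x4 | 0x40000000

# Constructed Event ID 5145 records. Share, users and addresses are invented.
EVENTS_5145 = [
    # The lure being dropped: a .lnk written into the share.
    {"SubjectUserName": "h.potch", "IpAddress": "10.0.0.50",
     "ShareName": r"\\*\Shared", "RelativeTargetName": r"@readme.lnk",
     "AccessMask": "0x2"},
    # Normal business file write: not a lure type.
    {"SubjectUserName": "c.smith", "IpAddress": "10.0.0.77",
     "ShareName": r"\\*\Shared", "RelativeTargetName": r"reports\q1.xlsx",
     "AccessMask": "0x2"},
    # A victim reading the lure (FILE_READ_DATA): a read, not a write.
    {"SubjectUserName": "c.smith", "IpAddress": "10.0.0.77",
     "ShareName": r"\\*\Shared", "RelativeTargetName": r"@readme.lnk",
     "AccessMask": "0x1"},
    # Named-pipe traffic on IPC$: unrelated.
    {"SubjectUserName": "b.builder", "IpAddress": "10.0.0.81",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": r"srvsvc",
     "AccessMask": "0x12019f"},
]


def is_lure_write(ev):
    """True when the target is a lure file type and the requested access
    includes a write bit. AccessMask is logged as a hex string."""
    name = ev["RelativeTargetName"].lower()
    mask = int(ev["AccessMask"], 16)
    return name.endswith(LURE_EXTENSIONS) and bool(mask & WRITE_BITS)


def lure_writes(events):
    """Return (user, source_ip, share, path) for every lure write, in log order."""
    return [(ev["SubjectUserName"], ev["IpAddress"], ev["ShareName"],
             ev["RelativeTargetName"]) for ev in events if is_lure_write(ev)]


if __name__ == "__main__":
    for user, ip, share, path in lure_writes(EVENTS_5145):
        print(f"lure file written: {user} from {ip} -> {share}\\{path}")
```

The second half, the forced authentication to Responder, is only useful to an attacker because the capture can be cracked offline and relayed; on the prevention side, read-only share permissions for users who do not need to write, and not letting low-value accounts carry a crackable password, both remove the payoff.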
Because the “h.grangon” user is a member of the “Remote Management Users” group, we are able to connect to the domain controller using WinRM:
Escalating Privileges #
With a quick privilege check, we can see that the “h.grangon” user has SeBackupPrivilege. We can use this permission to back up the HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM hives, allowing us to dump the machine’s SAM offline:
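SeBackupPrivilege is a right that makes the SAM and SYSTEM hives readable regardless of their ACLs, so the thing to audit is who holds it. The following added example (not part of the write-up) parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` policy export and reports any SID holding SeBackupPrivilege or SeRestorePrivilege beyond the groups a domain controller grants them to by default. The export text is constructed for this example, and the default set (Administrators, Backup Operators, Server Operators) is an assumption to replace with your own baseline.

```python
# Constructed excerpt of a `secedit /export /cfg out.inf` policy export.
# A real export is UTF-16 text: open(path, encoding="utf-16") when reading one.
SECEDIT_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,*S-1-5-21-1000-2000-3000-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Groups that hold the backup/restore rights on a domain controller by
# default (Administrators, Backup Operators, Server Operators). This is an
# assumed baseline for the example; compare against your own build standard.
DC_BASELINE = {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-32-549"}

# The two rights that together allow hives to be read and written around ACLs.
HIVE_RIGHTS = ("SeBackupPrivilege", "SeRestorePrivilege")


def parse_privilege_rights(inf_text):
    """Return {right_name: [SID, ...]} from the [Privilege Rights] section.

    secedit writes each SID with a leading '*', comma-separated; the star is
    stripped here. Other sections are ignored.
    """
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip()] = sids
    return rights


def unexpected_holders(inf_text, baseline=DC_BASELINE, rights=HIVE_RIGHTS):
    """Return {right: sorted extra SIDs} for each right held by a principal
    outside `baseline`; rights with no extras are omitted."""
    parsed = parse_privilege_rights(inf_text)
    findings = {}
    for right in rights:
        extra = set(parsed.get(right, [])) - baseline
        if extra:
            findings[right] = sorted(extra)
    return findings


if __name__ == "__main__":
    for right, sids in unexpected_holders(SECEDIT_INF).items():
        print(f"{right} held outside baseline by: {', '.join(sids)}")
```

Resolving the flagged SID back to a user or group (for example with `Get-ADObject` by `objectSid` in PowerShell) tells you whether the grant is intentional; a standing grant to an ordinary user account, which is what this machine models, is what should be removed.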
Curiously, the “Administrator” user’s hash does not appear to work, even when attempting --local-auth:
Rechecking our domain users in BloodHound, we see that we have one remaining user, the “a.flatch” user, who is a member of the “Administrators” group:
If we pass the “Administrator” hash from the SAM with the “a.flatch” username, we are able to log in successfully. Because a.flatch is a member of the Administrators group, we can dump the NTDS.dit file, which contains the hashes for every domain user:
With the “Administrator” user’s true hash (or with a.flatch, it doesn’t matter), we can WinRM into the machine and claim the root flag:
Thank you to Hack Smarter and the lab creators, Noah Heroldt and Haik Isikbay, for the development and distribution of this challenge!