Myles Nieman

Search

Overview

Search is a hard Windows / Active Directory box with a surprisingly long enumeration chain. An employee’s password is visible in an image on the corporate website — credentials for hope.sharp. With those in hand, Kerberoasting yields the service-ticket hash for web_svc, and cracking it opens the web console. A follow-on password spray catches edgar.jacobs, whose RedirectedFolders share contains an Excel spreadsheet storing passwords for fourteen staff accounts in plaintext. One of them — Sierra.Frye — has the user flag, and her backup folder holds a PFX certificate. Cracking the PFX and importing it into the browser grants access to a privileged web interface.

Path: password in webpage image → hope.sharp → Kerberoast web_svc → password spray → edgar.jacobs → spreadsheet credentials → Sierra.Frye (user flag) → crack staff.pfx → certificate import → privileged web access.

Enumeration

The scan shows the familiar domain-controller fingerprint: DNS, Kerberos, LDAP, SMB, and MSRPC — a Windows AD environment.

$ nmap -A -T4 -p- 10.10.10.233
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds

Nmap results confirming a Windows domain controller

The web server is the obvious first target — directory busting turns up several endpoints, though most return nothing interesting.

Dirbusting the web server

Dirbusting results — most paths are empty

One discovered path stands out; navigating to it reveals a corporate staff page with employee photos.

Discovered staff page with employee images

A closer look at one of the staff images

Examining the images closely, one of them has a password written on a sticky note or whiteboard in the background: IsolationIsKey?. Cross-referencing against the employee names listed on the page, the likely owner is hope.sharp.

Staff image revealing the password IsolationIsKey?

Foothold — SMB and Kerberoasting

Confirming the credentials against SMB:

$ smbclient -L //search.htb/ -U "search.htb\hope.sharp%IsolationIsKey?"

SMBclient confirms hope.sharp credentials are valid

Among the shares is one full of certificates; the enumeration also yields a full list of domain users.

Certificate share and user listing

With a valid domain account and a user list, running GetUserSPNs.py against the domain finds a Kerberoastable account:

$ GetUserSPNs.py search.htb/hope.sharp:"IsolationIsKey?" -dc-ip 10.10.10.233 -request

GetUserSPNs finds the web_svc SPN and retrieves its hash

Kerberoast hash retrieved for web_svc

Cracking the ticket against rockyou.txt recovers the password almost immediately:

$ hashcat -m 13100 web_svc.hash /usr/share/wordlists/rockyou.txt

Hashcat cracks the web_svc Kerberoast hash

The cracked password is @3ONEmillionbaby, giving us web_svc:@3ONEmillionbaby.

Lateral Movement — Password Spraying to edgar.jacobs

Logging into the web console with web_svc works, but the account doesn’t have much reach. Rather than dig further into the web app immediately, spraying @3ONEmillionbaby across the domain user list with CrackMapExec catches another match:

$ crackmapexec smb search.htb -u users.txt -p "@3ONEmillionbaby" --continue-on-success

Password spray identifies edgar.jacobs as sharing the password

edgar.jacobs confirmed with the sprayed password

CrackMapExec spray results

edgar.jacobs reuses @3ONEmillionbaby.

edgar.jacobs access via SMB
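Both steps so far, the Kerberoast of web_svc and the spray that landed on edgar.jacobs, leave distinctive traces on the domain controller. The following is an added example, not part of this writeup, showing the detection logic a defender would run over Security log events: 4769 service-ticket requests issued with RC4-HMAC (encryption type 0x17) for non-machine accounts, and bursts of 4625 failures from one source across many distinct users, correlated with any 4624 success from the same source during the burst. The event lines are constructed in a simplified one-line key=value rendering (real events are EVTX/XML and would be flattened by a SIEM first); the sql_svc and backup_svc service accounts, the RESEARCH$ machine account and the IP addresses in the sample are constructed for illustration.

```python
"""Detection of Kerberoasting (4769) and password spraying (4625/4624).

Added example, not from the writeup. Operates on a simplified
'<iso-timestamp> Key=Value ...' rendering of Windows Security events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType requested by classic Kerberoasting tools

# Constructed sample events (not real logs); account and service names are made up.
SAMPLE_EVENTS = """\
2021-04-09T10:15:01 EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=web_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2021-04-09T10:15:02 EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=RESEARCH$ TicketEncryptionType=0x12 IpAddress=10.10.14.5
2021-04-09T10:15:02 EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5
2021-04-09T10:15:03 EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=sql_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2021-04-09T10:15:03 EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=backup_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2021-04-09T11:40:00 EventID=4769 TargetUserName=edgar.jacobs@SEARCH.HTB ServiceName=web_svc TicketEncryptionType=0x12 IpAddress=192.168.1.20
2021-04-09T12:00:00 EventID=4625 TargetUserName=payton.harmon IpAddress=10.10.14.5 LogonType=3 Status=0xC000006D
2021-04-09T12:00:00 EventID=4625 TargetUserName=cortez.hickman IpAddress=10.10.14.5 LogonType=3 Status=0xC000006D
2021-04-09T12:00:01 EventID=4625 TargetUserName=bobby.wolf IpAddress=10.10.14.5 LogonType=3 Status=0xC000006D
2021-04-09T12:00:01 EventID=4624 TargetUserName=edgar.jacobs IpAddress=10.10.14.5 LogonType=3
2021-04-09T12:00:02 EventID=4625 TargetUserName=hunter.kirby IpAddress=10.10.14.5 LogonType=3 Status=0xC000006D
2021-04-09T12:00:02 EventID=4625 TargetUserName=sierra.frye IpAddress=10.10.14.5 LogonType=3 Status=0xC000006D
2021-04-09T12:30:00 EventID=4625 TargetUserName=joy.costa IpAddress=192.168.1.20 LogonType=3 Status=0xC000006D
2021-04-09T12:31:00 EventID=4625 TargetUserName=joy.costa IpAddress=192.168.1.20 LogonType=3 Status=0xC000006D
"""


def parse_event(line):
    """'<iso-timestamp> Key=Value ...' -> dict with a datetime under 'timestamp'."""
    ts, *fields = line.split()
    ev = {"timestamp": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def load_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_roastable_request(ev):
    """TGS request for a user (not machine) service account, issued with RC4."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def _windows(items, window):
    """For each time-sorted (ts, value) item, yield (start, items within window)."""
    for i, (t0, _) in enumerate(items):
        yield t0, [(t, v) for t, v in items[i:] if t - t0 <= window]


def detect_kerberoast(events, window=timedelta(minutes=5), threshold=3):
    """Requesters that pulled RC4 tickets for >= threshold distinct service
    accounts inside `window`. Returns {requester: [service, ...]}."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append((ev["timestamp"], ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for _, burst in _windows(reqs, window):
            services = {s for _, s in burst}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs failing logons for >= min_accounts distinct users inside
    `window`, plus any account that succeeded from that IP during the burst."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ev in events:
        rec = (ev["timestamp"], ev.get("TargetUserName", "").lower())
        if ev.get("EventID") == "4625":
            fails[ev["IpAddress"]].append(rec)
        elif ev.get("EventID") == "4624":
            wins[ev["IpAddress"]].append(rec)
    alerts = {}
    for ip, reqs in fails.items():
        reqs.sort()
        for t0, burst in _windows(reqs, window):
            users = {u for _, u in burst}
            if len(users) >= min_accounts:
                t_end = burst[-1][0]
                hits = sorted({u for t, u in wins.get(ip, []) if t0 <= t <= t_end})
                alerts[ip] = {"accounts_tried": len(users), "successes": hits}
                break
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("kerberoast:", detect_kerberoast(evs))
    print("spray:", detect_spray(evs))
```

The RC4 filter is the useful signal: a legitimate client that supports AES will ask for AES tickets, so an RC4 ticket for a user-type service account is worth a look on its own, and several within minutes is the Kerberoast pattern. For the spray, the single 4624 inside the failure burst is what identifies the account whose password matched. Thresholds are assumptions to tune per environment.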

User — Spreadsheet Credentials and Sierra.Frye

The RedirectedFolders share, which holds the users’ redirected profile folders, is accessible with edgar.jacobs’s credentials. His folder is mostly empty, but it does contain a spreadsheet:

RedirectedFolders share contents for edgar.jacobs

Column C of that spreadsheet contains plaintext passwords for fourteen domain accounts:

Username            Password
Payton.Harmon       ;;36!cried!INDIA!year!50;;
Cortez.Hickman      ..10-time-TALK-proud-66..
Bobby.Wolf          ??47beforeWORLDsurprise91??
Margaret.Robinson   //51+mountain+DEAR+noise+83//
Scarlett.Parks      ++47|building|WARSAW|gave|60++
Eliezer.Jordan      !!05_goes_SEVEN_offer_83!!
Hunter.Kirby        ~~27%when%VILLAGE%full%00~~
Sierra.Frye         $$49=wide=STRAIGHT=jordan=28$$18
Annabelle.Wells     ==95~~pass~~QUIET~~austria~~77==
Eve.Galvan          //61!banker!FANCY!measure!25//
Jeramiah.Fritz      ??40:student:MAYOR:been:66??
Abby.Gonzalez       &&75:major:RADIO:state:93&&
Joy.Costa           **30_venus_BALL_office_42**
Vincent.Sutton      **24&moment&BRAZIL&members&66**

Cycling through these accounts with SMB access, Sierra.Frye’s desktop holds the user flag. Her Backups folder inside RedirectedFolders also contains a PFX certificate: staff.pfx.

Sierra.Frye’s RedirectedFolders share and the staff.pfx backup

Privilege Escalation — Cracking the PFX Certificate

The staff.pfx is password-protected. Running pfx2john to extract a hash and cracking it:

$ pfx2john staff.pfx > staff.hash
$ john staff.hash --wordlist=/usr/share/wordlists/rockyou.txt

pfx2john extracts the PFX hash for cracking

john cracks the PFX password

The password cracks successfully.

Root — Certificate Import and Privileged Web Access

With the PFX unlocked, the certificate and private key are imported into Firefox’s certificate store:

Importing staff.pfx into Firefox certificate manager

Firefox prompting for the PFX import password

Certificate successfully imported into Firefox

Navigating to the privileged web endpoint after certificate import

The web interface now accessible with the client certificate

The browser presents the certificate when challenged, granting access to a privileged section of the web interface.

Privileged web portal unlocked by the staff certificate

Additional privileged content accessible via the certificate

Root flag retrieved via the certificate-authenticated interface
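The two lessons of this section are that a PFX bundle is only as strong as the password protecting it, and that whoever holds the bundle holds whatever its certificate unlocks. The following is an added example, not from this writeup, of how a defender can audit a backup PFX: it builds a throwaway self-signed client-authentication certificate, packs it into a PKCS#12 bundle under a deliberately weak password (everything here is constructed), checks the bundle against a short candidate list the way a password audit would, and reads the extended key usage to show what the certificate is good for. It assumes the `cryptography` package is installed; the subject name, alias and candidate passwords are made up.

```python
"""Audit of a PKCS#12 (.pfx) bundle: weak-password check plus certificate inspection.

Added example, not from the writeup. Requires the `cryptography` package.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def build_demo_pfx(password: bytes, common_name: str = "staff-demo") -> bytes:
    """Create a self-signed client-auth certificate (constructed, for the demo)
    and return it with its private key as PFX bytes protected by `password`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        # Client authentication is exactly the capability the staff.pfx grants.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=b"staff",
        key=key,
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def find_weak_pfx_password(pfx_bytes: bytes, candidates):
    """Return the first candidate that opens the bundle, or None.
    A wrong password makes load_key_and_certificates raise ValueError."""
    for cand in candidates:
        try:
            pkcs12.load_key_and_certificates(pfx_bytes, cand.encode())
            return cand
        except ValueError:
            continue
    return None


def describe_pfx(pfx_bytes: bytes, password: bytes) -> dict:
    """Summarise what the bundle holds and whether its certificate can log a user in."""
    key, cert, _extra_certs = pkcs12.load_key_and_certificates(pfx_bytes, password)
    try:
        eku = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = []
    return {
        "subject": cert.subject.rfc4514_string(),
        "has_private_key": key is not None,
        "client_auth": ExtendedKeyUsageOID.CLIENT_AUTH in eku,
        "not_after": cert.not_valid_after_utc if hasattr(cert, "not_valid_after_utc") else cert.not_valid_after,
    }


if __name__ == "__main__":
    demo = build_demo_pfx(b"Summer2021")  # constructed weak password
    found = find_weak_pfx_password(demo, ["letmein", "Summer2021", "correct horse"])
    print("weak password found:", found)
    print(describe_pfx(demo, found.encode()))
```

In a real audit the candidate list is the organisation's banned-password list, and a hit means the bundle must be re-exported under a strong password (or, better, the key kept in a non-exportable store). A certificate with the clientAuth EKU and its private key in a user-readable backup folder is equivalent to a stored password for every service that trusts the issuing CA.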

Takeaways

  • Credentials in images are real credentials. A password visible in a staff photo is as exploitable as one in a config file — image-based OSINT is a legitimate attack vector.
  • Plaintext passwords in accessible SMB shares are catastrophic. A single lateral-movement step from web_svc to edgar.jacobs exposed fourteen accounts’ worth of credentials in a single spreadsheet.