Hack The Box: Forest
Walkthrough
- Nmap
- Enumerate Users through RPC NullSession
- AS-REP Roast and Hash cracking
- Login with Evil-Winrm
- Domain enumeration with bloodhound
- ACL Abuse to grant DCSync permissions
Getting Foothold
Nmap
First of all I performed a nmap port scan to reveal all open ports
Kerberos Port 88 indicates that this box is a Windows Domain Controller
Further investigation of ldap port 389 reveils the machines hostname and also the domains FQDN. Both names were added to to the attackers /etc/hosts file.
Since there is no website running we are left with other services. I commonly start to look at the SMB, RPC and LDAP ports first.
Firstly I to logon using null sessions where I try to logon without a user and password. We can do RPC enumeration manually or using enum4linux.
For manual enumeration rpcclient is used and I was able to logon using a null session using the following command
rpcclient -U '' -N forest.htb.local
To enumerate valid domain users the Command enumdomusers was used which revealed all domain users. Now I can create a username list with the gained information.
Now we have a list of valid usernames but no credentials. A password spray didnt got us more information, so the next thing I tried was AS-REP Roasting using impacket.
impacket-GetNPUsers htb.local/ -u usernames.txt -format hashcat -dc-ip 10.10.10.161
This resulted in getting a hash for the user svc-alfresco@htb.local
So I copied that hash into a local file and tried to crack it with hashcat using rockyou.txt
Cracking the hash was successful so we now have valid credentials for a domain user.
And after a quick check if we can authenticate to any service using this credentials it was confirmed that we now have winrm access to the machine.
Using evil-winrm we can now access the machine and retrieve the user flag
Escalating Privileges
The user doesnt have any interesting privileges but is a member of a few active directory groups. To explore the AD environment, SharpHound and Bloodhound was used.
Using evil-winrm the SharpHound dump was downloaded and afterwards uploaded into bloodhound.
Here we can already mark SVC-ALFRESCO@HTB.LOCAL as owned. Viewing its group memberships we can see that SVC-ALFRESCO@HTB.LOCAL is a member of the service accounts group SERVICE ACCOUNTS@HTB.LOCAL
This group is part of the group PRIVILEGED IT ACCOUNTS@HTB.LOCAL which is part of the Account Operators group ACCOUNT OPERATORS@HTB.LOCAL which is able to modify the EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL group.
This group has permissions to write a DACL to the Domain which would allow us to give a certain user DCSync Rights.
So lets do it.
At first we need to modify the EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL group and add a new user to this group. Since svc-alfresco is a member to ACCOUNT OPERATORS@HTB.LOCAL, he should be able to write the newly created user MHT into that group.
We can do this by issuing a simply net group command
net group "EXCHANGE WINDOWS PERMISSIONS" MHT /add /domain
After that we can add a new ACL to the Domain granting the new User MHT DCSync Rights.
net user MHT co3WrEIt /add /domain
net group "EXCHANGE WINDOWS PERMISSIONS" MHT /add /domain
$SecPassword = ConvertTo-SecureString 'co3WrEIt' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\\MHT', $SecPassword)
Add-DomainObjectAcl -TargetIdentity 'DC=htb,DC=local' -PrincipalIdentity MHT -Rights DCSync -PrincipalDomain htb.local -TargetDomain htb.local -Cred $Cred
And now we can DCSync with that credentilas resulting in fully owning the Domain.
impacket-secretsdump htb.local/MHT:co3WrEIt@10.10.10.161
Now that we have the Domain Administrators NTLM Hash we can use Pass-The-Hash to get Domain-Administrator Access and obtain root.txt
impacket-psexec htb.local/Administrator@10.10.10.161 -hashes :32693b11e6aa90eb43d32c72a07ceea6
Nicely written, and executed,So by re-writing the already using the new administration new user with the original net group command it allows new user with already logged in credentials, correct?
Leave a comment